Support Hive metastore impersonation

.travis.yml

@@ -30,6 +30,7 @@ matrix:
     - env: PRODUCT_TESTS_SUITE=suite-2
     - env: PRODUCT_TESTS_SUITE=suite-3
     - env: PRODUCT_TESTS_SUITE=suite-4
+    - env: PRODUCT_TESTS_SUITE=suite-5
     - env: HIVE_TESTS=true
     - env: KUDU_TESTS=true
 
@@ -44,6 +45,8 @@ matrix:
 #    - if: type IN (push, cron)
 #      env: PRODUCT_TESTS_SUITE=suite-4 PRODUCT_TESTS_CONFIG=config-hdp3
 #    - if: type IN (push, cron)
+#      env: PRODUCT_TESTS_SUITE=suite-5 PRODUCT_TESTS_CONFIG=config-hdp3
+#    - if: type IN (push, cron)
 #      env: HIVE_TESTS=true PRODUCT_TESTS_CONFIG=config-hdp3
 
 dist: xenial

presto-docs/src/main/sphinx/connector/hive-security.rst

@@ -125,6 +125,8 @@ Property Name                                      Description
 ================================================== ============================================================
 ``hive.metastore.authentication.type``             Hive metastore authentication type.
 
+``hive.metastore.thrift.impersonation.enabled``    Enable Hive metastore end user impersonation.
+
 ``hive.metastore.service.principal``               The Kerberos principal of the Hive metastore service.
 
 ``hive.metastore.client.principal``                The Kerberos principal that Presto will use when connecting
@@ -145,6 +147,13 @@ Thrift service using SASL and authenticate using Kerberos.
 
 This property is optional; the default is ``NONE``.
 
+``hive.metastore.thrift.impersonation.enabled``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Enable end-user Hive metastore impersonation.
+
+This property is optional; the default is ``false``.
+
 ``hive.metastore.service.principal``
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -214,6 +223,7 @@ Example configuration with ``KERBEROS`` authentication
 .. code-block:: none
 
     hive.metastore.authentication.type=KERBEROS
+    hive.metastore.thrift.impersonation.enabled=true
     hive.metastore.service.principal=hive/hive-metastore-host.example.com@EXAMPLE.COM
     hive.metastore.client.principal=presto@EXAMPLE.COM
     hive.metastore.client.keytab=/etc/presto/hive.keytab
@@ -394,12 +404,6 @@ Keytab files must be distributed to every node in the cluster that runs Presto.
 
 :ref:`Additional Information About Keytab Files.<hive-security-additional-keytab>`
 
-Impersonation Accessing the Hive Metastore
-------------------------------------------
-
-Presto does not currently support impersonating the end user when accessing the
-Hive metastore.
-
 .. _configuring-hadoop-impersonation:
 
 Impersonation in Hadoop

presto-docs/src/main/sphinx/connector/hive.rst

@@ -211,6 +211,8 @@ Property Name                                      Description
                                                    Possible values are ``NONE`` or ``KERBEROS``
                                                    (defaults to ``NONE``).
 
+``hive.metastore.thrift.impersonation.enabled``    Enable Hive metastore end user impersonation.
+
 ``hive.metastore.service.principal``               The Kerberos principal of the Hive metastore service.
 
 ``hive.metastore.client.principal``                The Kerberos principal that Presto will use when connecting

presto-geospatial/src/test/java/io/prestosql/plugin/geospatial/TestSpatialJoins.java

@@ -21,6 +21,7 @@
 import io.prestosql.plugin.hive.HiveConfig;
 import io.prestosql.plugin.hive.HiveHdfsConfiguration;
 import io.prestosql.plugin.hive.HivePlugin;
+import io.prestosql.plugin.hive.authentication.HiveIdentity;
 import io.prestosql.plugin.hive.authentication.NoHdfsAuthentication;
 import io.prestosql.plugin.hive.metastore.Database;
 import io.prestosql.plugin.hive.metastore.file.FileHiveMetastore;
@@ -33,6 +34,7 @@
 import java.util.Optional;
 
 import static io.prestosql.SystemSessionProperties.SPATIAL_PARTITIONING_TABLE_NAME;
+import static io.prestosql.testing.TestingConnectorSession.SESSION;
 import static io.prestosql.testing.TestingSession.testSessionBuilder;
 import static java.lang.String.format;
 
@@ -82,11 +84,13 @@ private static DistributedQueryRunner createQueryRunner()
         HdfsEnvironment hdfsEnvironment = new HdfsEnvironment(hdfsConfiguration, hiveConfig, new NoHdfsAuthentication());
 
         FileHiveMetastore metastore = new FileHiveMetastore(hdfsEnvironment, baseDir.toURI().toString(), "test");
-        metastore.createDatabase(Database.builder()
-                .setDatabaseName("default")
-                .setOwnerName("public")
-                .setOwnerType(PrincipalType.ROLE)
-                .build());
+        metastore.createDatabase(
+                new HiveIdentity(SESSION),
+                Database.builder()
+                        .setDatabaseName("default")
+                        .setOwnerName("public")
+                        .setOwnerType(PrincipalType.ROLE)
+                        .build());
         queryRunner.installPlugin(new HivePlugin("hive", Optional.of(metastore)));
 
         queryRunner.createCatalog("hive", "hive");

presto-hive/src/main/java/io/prestosql/plugin/hive/CreateEmptyPartitionProcedure.java

@@ -19,6 +19,7 @@
 import io.airlift.slice.Slices;
 import io.prestosql.plugin.hive.LocationService.WriteInfo;
 import io.prestosql.plugin.hive.PartitionUpdate.UpdateMode;
+import io.prestosql.plugin.hive.authentication.HiveIdentity;
 import io.prestosql.plugin.hive.metastore.HiveMetastore;
 import io.prestosql.spi.PrestoException;
 import io.prestosql.spi.classloader.ThreadContextClassLoader;
@@ -111,7 +112,7 @@ private void doCreateEmptyPartition(ConnectorSession session, String schema, Str
                 .map(String.class::cast)
                 .collect(toImmutableList());
 
-        if (metastore.getPartition(schema, table, partitionStringValues).isPresent()) {
+        if (metastore.getPartition(new HiveIdentity(session), schema, table, partitionStringValues).isPresent()) {
             throw new PrestoException(ALREADY_EXISTS, "Partition already exists");
         }
         String partitionName = FileUtils.makePartName(actualPartitionColumnNames, partitionStringValues);