set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;

set user.name=hive_admin_user;
show current roles;
set role ADMIN;

----------
-- create the following user, role mapping
-- user1 -> role1 -> role2 -> role3
----------

create role role1;
grant role1 to user user1;

create role role2;
grant role2 to role role1;

create role role3;
grant role3 to role role2;


create table t1(i int);
grant select on t1 to role role3;

set user.name=user1;
show current roles;
select * from t1;

set user.name=hive_admin_user;
show current roles;
grant select on t1 to role role2;


set user.name=user1;
show current roles;
select * from t1;

set user.name=hive_admin_user;
set role ADMIN;
show current roles;
revoke select on table t1 from role role2;


create role role4;
grant role4 to user user1;
grant role3 to role role4;;

set user.name=user1;
show current roles;
select * from t1;

set user.name=hive_admin_user;
show current roles;
set role ADMIN;

-- Revoke role3 from hierarchy one at a time and check permissions
-- after revoking from both, select should fail
revoke role3 from role role2;

set user.name=user1;
show current roles;
select * from t1;

set user.name=hive_admin_user;
show current roles;
set role ADMIN;
revoke role3 from role role4;

set user.name=user1;
show current roles;
select * from t1;