Examples with HivePrincipal io.prestosql.plugin.hive.metastore.HivePrincipal used on opensource projects

Example 1 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class ThriftMetastoreUtil method listApplicableTablePrivileges.

public static Stream<HivePrivilegeInfo> listApplicableTablePrivileges(SemiTransactionalHiveMetastore metastore, String databaseName, String tableName, String user) {
    HivePrincipal userPrincipal = new HivePrincipal(USER, user);
    Stream<HivePrincipal> principals = Stream.concat(Stream.of(userPrincipal), listApplicableRoles(metastore, userPrincipal).map(role -> new HivePrincipal(ROLE, role)));
    return listTablePrivileges(metastore, databaseName, tableName, principals);
}

Example 2 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class ThriftHiveMetastore method grantTablePrivileges.

@Override
public void grantTablePrivileges(String databaseName, String tableName, HivePrincipal sourceGrantee, Set<HivePrivilegeInfo> privileges) {
    Set<PrivilegeGrantInfo> requestedPrivileges = privileges.stream().map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo).collect(Collectors.toSet());
    checkArgument(!containsAllPrivilege(requestedPrivileges), "\"ALL\" not supported in PrivilegeGrantInfo.privilege");
    HivePrincipal grantee = ThriftMetastoreUtil.applyRoleNameCaseSensitive(sourceGrantee, isRoleNameCaseSensitive);
    try {
        retry().stopOnIllegalExceptions().run("grantTablePrivileges", stats.getGrantTablePrivileges().wrap(() -> {
            try (ThriftMetastoreClient metastoreClient = clientProvider.createMetastoreClient()) {
                Set<HivePrivilegeInfo> existingPrivileges = listTablePrivileges(databaseName, tableName, grantee);
                Set<PrivilegeGrantInfo> privilegesToGrant = new HashSet<>(requestedPrivileges);
                Iterator<PrivilegeGrantInfo> iterator = privilegesToGrant.iterator();
                while (iterator.hasNext()) {
                    HivePrivilegeInfo requestedPrivilege = getOnlyElement(ThriftMetastoreUtil.parsePrivilege(iterator.next(), Optional.empty()));
                    for (HivePrivilegeInfo existingPrivilege : existingPrivileges) {
                        if ((requestedPrivilege.isContainedIn(existingPrivilege))) {
                            iterator.remove();
                        } else if (existingPrivilege.isContainedIn(requestedPrivilege)) {
                            throw new PrestoException(NOT_SUPPORTED, format("Granting %s WITH GRANT OPTION is not supported while %s possesses %s", requestedPrivilege.getHivePrivilege().name(), grantee, requestedPrivilege.getHivePrivilege().name()));
                        }
                    }
                }
                if (privilegesToGrant.isEmpty()) {
                    return null;
                }
                metastoreClient.grantPrivileges(buildPrivilegeBag(databaseName, tableName, grantee, privilegesToGrant));
            }
            return null;
        }));
    } catch (TException e) {
        throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, e);
    } catch (Exception e) {
        throw propagate(e);
    }
}

Example 3 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class SqlStandardAccessControl method hasAdminOptionForRoles.

private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, ConnectorIdentity identity, Set<String> roles) {
    if (isAdmin(transaction, identity)) {
        return true;
    }
    SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(((HiveTransactionHandle) transaction));
    Set<String> rolesWithGrantOption = listApplicableRoles(new HivePrincipal(USER, identity.getUser()), metastore::listRoleGrants).filter(RoleGrant::isGrantable).map(RoleGrant::getRoleName).collect(toSet());
    return rolesWithGrantOption.containsAll(roles);
}

Example 4 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class FileHiveMetastore method removeNonExistingRoles.

private static Set<RoleGrant> removeNonExistingRoles(Set<RoleGrant> grants, Set<String> existingRoles) {
    ImmutableSet.Builder<RoleGrant> result = ImmutableSet.builder();
    for (RoleGrant grant : grants) {
        if (!existingRoles.contains(grant.getRoleName())) {
            continue;
        }
        HivePrincipal grantee = HivePrincipal.from(grant.getGrantee());
        if (grantee.getType() == ROLE && !existingRoles.contains(grantee.getName())) {
            continue;
        }
        result.add(grant);
    }
    return result.build();
}

Example 5 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class FileHiveMetastore method createTable.

@Override
public synchronized void createTable(HiveIdentity identity, Table table, PrincipalPrivileges principalPrivileges) {
    verifyTableNotExists(table.getDatabaseName(), table.getTableName());
    Path tableMetadataDirectory = getTableMetadataDirectory(table);
    // validate table location
    if (table.getTableType().equals(VIRTUAL_VIEW.name())) {
        checkArgument(table.getStorage().getLocation().isEmpty(), "Storage location for view must be empty");
    } else if (table.getTableType().equals(MANAGED_TABLE.name())) {
        if (!tableMetadataDirectory.equals(new Path(table.getStorage().getLocation()))) {
            throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "Table directory must be " + tableMetadataDirectory);
        }
    } else if (table.getTableType().equals(EXTERNAL_TABLE.name())) {
        try {
            Path externalLocation = new Path(table.getStorage().getLocation());
            FileSystem externalFileSystem = hdfsEnvironment.getFileSystem(hdfsContext, externalLocation);
            if (!externalFileSystem.isDirectory(externalLocation)) {
                throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "External table location does not exist");
            }
            if (isChildDirectory(catalogDirectory, externalLocation)) {
                throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "External table location can not be inside the system metadata directory");
            }
        } catch (IOException e) {
            throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "Could not validate external location", e);
        }
    } else {
        throw new PrestoException(NOT_SUPPORTED, "Table type not supported: " + table.getTableType());
    }
    writeSchemaFile("table", tableMetadataDirectory, tableCodec, new TableMetadata(table), false);
    for (Entry<String, Collection<HivePrivilegeInfo>> entry : principalPrivileges.getUserPrivileges().asMap().entrySet()) {
        setTablePrivileges(new HivePrincipal(USER, entry.getKey()), table.getDatabaseName(), table.getTableName(), entry.getValue());
    }
    for (Entry<String, Collection<HivePrivilegeInfo>> entry : principalPrivileges.getRolePrivileges().asMap().entrySet()) {
        setTablePrivileges(new HivePrincipal(ROLE, entry.getKey()), table.getDatabaseName(), table.getTableName(), entry.getValue());
    }
}