use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.
the class ThriftMetastoreUtil method listApplicableTablePrivileges.
/**
 * Streams the privileges on a table that apply to {@code user}, whether they are attached to
 * the user principal itself or to a role returned by {@code listApplicableRoles}.
 *
 * <p>The lookup is made for the USER principal plus one ROLE principal per applicable role,
 * so the result is the combined set the metastore reports for all of those principals.
 *
 * @param metastore metastore used for both the role lookup and the privilege lookup
 * @param databaseName database that holds the table
 * @param tableName table whose privileges are listed
 * @param user name wrapped in a USER principal
 * @return the stream produced by {@code listTablePrivileges} for the combined principals
 */
public static Stream<HivePrivilegeInfo> listApplicableTablePrivileges(SemiTransactionalHiveMetastore metastore, String databaseName, String tableName, String user) {
    HivePrincipal self = new HivePrincipal(USER, user);
    // Every role that applies to the user becomes a ROLE principal of its own.
    Stream<HivePrincipal> viaRoles = listApplicableRoles(metastore, self)
            .map(roleName -> new HivePrincipal(ROLE, roleName));
    Stream<HivePrincipal> everyone = Stream.concat(Stream.of(self), viaRoles);
    return listTablePrivileges(metastore, databaseName, tableName, everyone);
}
use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.
the class ThriftHiveMetastore method grantTablePrivileges.
/**
 * Grants table privileges to a principal through the Thrift metastore, sending only the
 * privileges that the principal does not already hold.
 *
 * <p>The request is converted to metastore {@code PrivilegeGrantInfo} values and rejected if it
 * contains "ALL". The grantee's current privileges are then listed; a requested privilege that
 * is contained in an existing one is dropped, and a request that would contain an existing
 * privilege is refused with NOT_SUPPORTED. Whatever remains is sent in one privilege bag.
 *
 * <p>NOTE(review): no check of the caller's right to grant appears in this method; presumably
 * that is enforced by the access-control layer before this point. Confirm against the callers.
 *
 * @param databaseName database that holds the table
 * @param tableName table the privileges are granted on
 * @param sourceGrantee principal receiving the privileges, before role-name case handling
 * @param privileges privileges to grant; must not include "ALL"
 * @throws PrestoException NOT_SUPPORTED for the refused upgrade described above, or
 *         HIVE_METASTORE_ERROR when a {@code TException} escapes the retry wrapper
 */
@Override
public void grantTablePrivileges(String databaseName, String tableName, HivePrincipal sourceGrantee, Set<HivePrivilegeInfo> privileges) {
    Set<PrivilegeGrantInfo> wanted = privileges.stream()
            .map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo)
            .collect(Collectors.toSet());
    checkArgument(!containsAllPrivilege(wanted), "\"ALL\" not supported in PrivilegeGrantInfo.privilege");
    HivePrincipal effectiveGrantee = ThriftMetastoreUtil.applyRoleNameCaseSensitive(sourceGrantee, isRoleNameCaseSensitive);
    try {
        retry()
                .stopOnIllegalExceptions()
                .run("grantTablePrivileges", stats.getGrantTablePrivileges().wrap(() -> {
                    try (ThriftMetastoreClient client = clientProvider.createMetastoreClient()) {
                        // NOTE(review): the listing and the grant below are separate calls and nothing
                        // visible here makes the pair atomic, so a concurrent change is not detected.
                        Set<HivePrivilegeInfo> alreadyHeld = listTablePrivileges(databaseName, tableName, effectiveGrantee);
                        Set<PrivilegeGrantInfo> missing = new HashSet<>(wanted);
                        for (Iterator<PrivilegeGrantInfo> cursor = missing.iterator(); cursor.hasNext(); ) {
                            HivePrivilegeInfo candidate = getOnlyElement(ThriftMetastoreUtil.parsePrivilege(cursor.next(), Optional.empty()));
                            for (HivePrivilegeInfo held : alreadyHeld) {
                                if (candidate.isContainedIn(held)) {
                                    // Already covered by an existing privilege, so it is not sent again.
                                    // NOTE(review): the inner loop keeps going after this remove(); if a
                                    // second held privilege also contains the candidate, remove() runs
                                    // twice for one element. Verify that cannot happen.
                                    cursor.remove();
                                } else if (held.isContainedIn(candidate)) {
                                    throw new PrestoException(NOT_SUPPORTED, format("Granting %s WITH GRANT OPTION is not supported while %s possesses %s", candidate.getHivePrivilege().name(), effectiveGrantee, candidate.getHivePrivilege().name()));
                                }
                            }
                        }
                        if (!missing.isEmpty()) {
                            client.grantPrivileges(buildPrivilegeBag(databaseName, tableName, effectiveGrantee, missing));
                        }
                    }
                    return null;
                }));
    } catch (TException e) {
        throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, e);
    } catch (Exception e) {
        throw propagate(e);
    }
}
use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.
the class SqlStandardAccessControl method hasAdminOptionForRoles.
/**
 * Decides whether the caller may administer every role in {@code roles}.
 *
 * <p>An identity for which {@code isAdmin} returns true is accepted at once. Otherwise the
 * role grants that apply to the user are listed, only the grantable ones are kept, and the
 * caller is accepted when that set covers all requested roles.
 *
 * <p>An empty {@code roles} set yields {@code true} for any caller, because
 * {@code containsAll} of an empty collection is always true.
 *
 * @param transaction handle cast to {@code HiveTransactionHandle} to obtain the metastore
 * @param identity caller whose user name is wrapped in a USER principal
 * @param roles role names the caller wants to administer
 * @return {@code true} if the caller is an admin or holds each role as grantable
 */
private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, ConnectorIdentity identity, Set<String> roles) {
    if (!isAdmin(transaction, identity)) {
        SemiTransactionalHiveMetastore metastore = metastoreProvider.apply(((HiveTransactionHandle) transaction));
        HivePrincipal caller = new HivePrincipal(USER, identity.getUser());
        // Only grants flagged as grantable count towards the admin option.
        Set<String> administrable = listApplicableRoles(caller, metastore::listRoleGrants)
                .filter(RoleGrant::isGrantable)
                .map(RoleGrant::getRoleName)
                .collect(toSet());
        return administrable.containsAll(roles);
    }
    return true;
}
use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.
the class FileHiveMetastore method removeNonExistingRoles.
/**
 * Filters out role grants that refer to a role which is not in {@code existingRoles}.
 *
 * <p>A grant is dropped when the granted role is unknown, or when its grantee is itself a
 * ROLE principal whose name is unknown. Grants to other principal types are kept as long as
 * the granted role exists.
 *
 * @param grants role grants to filter
 * @param existingRoles names of the roles that currently exist
 * @return an immutable set holding the grants that passed both checks
 */
private static Set<RoleGrant> removeNonExistingRoles(Set<RoleGrant> grants, Set<String> existingRoles) {
    ImmutableSet.Builder<RoleGrant> kept = ImmutableSet.builder();
    for (RoleGrant candidate : grants) {
        if (existingRoles.contains(candidate.getRoleName())) {
            HivePrincipal recipient = HivePrincipal.from(candidate.getGrantee());
            // A grant made to a role that no longer exists is as stale as a grant of such a role.
            boolean danglingRoleGrantee = recipient.getType() == ROLE && !existingRoles.contains(recipient.getName());
            if (!danglingRoleGrantee) {
                kept.add(candidate);
            }
        }
    }
    return kept.build();
}
use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.
the class FileHiveMetastore method createTable.
/**
 * Creates a table in the file-backed metastore: validates its storage location, writes the
 * table schema file, then records the supplied user and role privileges.
 *
 * <p>Location rules by table type: a view must have an empty location; a managed table must
 * live exactly in its metadata directory; an external table must point at an existing
 * directory that {@code isChildDirectory} does not place under the catalog directory. Any
 * other table type is rejected.
 *
 * <p>The {@code identity} argument is not consulted in this method.
 *
 * <p>NOTE(review): the schema file is written before the privileges, and no rollback is
 * visible here, so a failure in {@code setTablePrivileges} may leave the table without the
 * full set of grants. Confirm how callers recover.
 *
 * @param identity caller identity (unused in this body)
 * @param table table definition to persist
 * @param principalPrivileges initial per-user and per-role privileges for the table
 * @throws PrestoException HIVE_METASTORE_ERROR for an invalid or unverifiable location,
 *         NOT_SUPPORTED for an unknown table type
 */
@Override
public synchronized void createTable(HiveIdentity identity, Table table, PrincipalPrivileges principalPrivileges) {
    verifyTableNotExists(table.getDatabaseName(), table.getTableName());
    Path metadataDir = getTableMetadataDirectory(table);

    // validate table location
    String tableType = table.getTableType();
    if (tableType.equals(VIRTUAL_VIEW.name())) {
        checkArgument(table.getStorage().getLocation().isEmpty(), "Storage location for view must be empty");
    } else if (tableType.equals(MANAGED_TABLE.name())) {
        Path declared = new Path(table.getStorage().getLocation());
        if (!metadataDir.equals(declared)) {
            throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "Table directory must be " + metadataDir);
        }
    } else if (tableType.equals(EXTERNAL_TABLE.name())) {
        try {
            Path target = new Path(table.getStorage().getLocation());
            FileSystem targetFileSystem = hdfsEnvironment.getFileSystem(hdfsContext, target);
            if (!targetFileSystem.isDirectory(target)) {
                throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "External table location does not exist");
            }
            // Keeps user tables out of the metastore's own metadata tree.
            // NOTE(review): whether isChildDirectory normalises ".." segments or follows
            // links is not visible here; confirm before relying on it as a containment check.
            if (isChildDirectory(catalogDirectory, target)) {
                throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "External table location can not be inside the system metadata directory");
            }
        } catch (IOException e) {
            throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, "Could not validate external location", e);
        }
    } else {
        throw new PrestoException(NOT_SUPPORTED, "Table type not supported: " + tableType);
    }

    writeSchemaFile("table", metadataDir, tableCodec, new TableMetadata(table), false);

    // User grants first, then role grants, each keyed by principal name.
    for (Entry<String, Collection<HivePrivilegeInfo>> userGrant : principalPrivileges.getUserPrivileges().asMap().entrySet()) {
        HivePrincipal userPrincipal = new HivePrincipal(USER, userGrant.getKey());
        setTablePrivileges(userPrincipal, table.getDatabaseName(), table.getTableName(), userGrant.getValue());
    }
    for (Entry<String, Collection<HivePrivilegeInfo>> roleGrant : principalPrivileges.getRolePrivileges().asMap().entrySet()) {
        HivePrincipal rolePrincipal = new HivePrincipal(ROLE, roleGrant.getKey());
        setTablePrivileges(rolePrincipal, table.getDatabaseName(), table.getTableName(), roleGrant.getValue());
    }
}