Example 21 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class ThriftMetastoreUtil method listEnabledRoles.

public static Stream<String> listEnabledRoles(ConnectorIdentity identity, Function<HivePrincipal, Set<RoleGrant>> listRoleGrants) {
    Optional<SelectedRole> role = identity.getRole();
    // SET ROLE NONE: only the public role is enabled.
    if (role.isPresent() && role.get().getType() == SelectedRole.Type.NONE) {
        return Stream.of(PUBLIC_ROLE_NAME);
    }
    // No role selected or SET ROLE ALL: resolve roles for the user; otherwise resolve them for the selected role.
    HivePrincipal principal;
    if (!role.isPresent() || role.get().getType() == SelectedRole.Type.ALL) {
        principal = new HivePrincipal(USER, identity.getUser());
    } else {
        principal = new HivePrincipal(ROLE, role.get().getRole().get());
    }
    Stream<String> roles = Stream.of(PUBLIC_ROLE_NAME);
    if (principal.getType() == ROLE) {
        roles = Stream.concat(roles, Stream.of(principal.getName()));
    }
    // The admin role is filtered out of the roles reached through grants; it appears only when it is the explicitly selected role.
    return Stream.concat(roles, listApplicableRoles(principal, listRoleGrants).map(RoleGrant::getRoleName).filter(Predicate.isEqual(ADMIN_ROLE_NAME).negate()));
}
Also used : RoleGrant(io.prestosql.spi.security.RoleGrant) HivePrincipal(io.prestosql.plugin.hive.metastore.HivePrincipal) SelectedRole(io.prestosql.spi.security.SelectedRole)

Example 22 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class ThriftHiveMetastore method revokeTablePrivileges.

@Override
public void revokeTablePrivileges(String databaseName, String tableName, HivePrincipal sourceGrantee, Set<HivePrivilegeInfo> privileges) {
    Set<PrivilegeGrantInfo> requestedPrivileges = privileges.stream().map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo).collect(Collectors.toSet());
    // Reject the "ALL" pseudo-privilege; callers must pass concrete privileges.
    checkArgument(!containsAllPrivilege(requestedPrivileges), "\"ALL\" not supported in PrivilegeGrantInfo.privilege");
    HivePrincipal grantee = ThriftMetastoreUtil.applyRoleNameCaseSensitive(sourceGrantee, isRoleNameCaseSensitive);
    try {
        retry().stopOnIllegalExceptions().run("revokeTablePrivileges", stats.getRevokeTablePrivileges().wrap(() -> {
            try (ThriftMetastoreClient metastoreClient = clientProvider.createMetastoreClient()) {
                // Revoke only the requested privileges that the grantee currently holds on the table.
                Set<HivePrivilegeInfo.HivePrivilege> existingHivePrivileges = listTablePrivileges(databaseName, tableName, grantee).stream().map(HivePrivilegeInfo::getHivePrivilege).collect(toSet());
                Set<PrivilegeGrantInfo> privilegesToRevoke = requestedPrivileges.stream().filter(privilegeGrantInfo -> existingHivePrivileges.contains(getOnlyElement(ThriftMetastoreUtil.parsePrivilege(privilegeGrantInfo, Optional.empty())).getHivePrivilege())).collect(toSet());
                if (privilegesToRevoke.isEmpty()) {
                    // Nothing to revoke: skip the metastore call.
                    return null;
                }
                metastoreClient.revokePrivileges(buildPrivilegeBag(databaseName, tableName, grantee, privilegesToRevoke));
            }
            return null;
        }));
    } catch (TException e) {
        throw new PrestoException(HiveErrorCode.HIVE_METASTORE_ERROR, e);
    } catch (Exception e) {
        throw propagate(e);
    }
}
Also used : TException(org.apache.thrift.TException) HivePrivilegeInfo(io.prestosql.plugin.hive.metastore.HivePrivilegeInfo) Set(java.util.Set) Collectors.toSet(java.util.stream.Collectors.toSet) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) PrivilegeGrantInfo(org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo) HivePrincipal(io.prestosql.plugin.hive.metastore.HivePrincipal) PrestoException(io.prestosql.spi.PrestoException) HiveViewNotSupportedException(io.prestosql.plugin.hive.HiveViewNotSupportedException) TableAlreadyExistsException(io.prestosql.spi.connector.TableAlreadyExistsException) NoSuchTxnException(org.apache.hadoop.hive.metastore.api.NoSuchTxnException) AlreadyExistsException(org.apache.hadoop.hive.metastore.api.AlreadyExistsException) SchemaAlreadyExistsException(io.prestosql.spi.connector.SchemaAlreadyExistsException) TableNotFoundException(io.prestosql.spi.connector.TableNotFoundException) InvalidInputException(org.apache.hadoop.hive.metastore.api.InvalidInputException) InvalidOperationException(org.apache.hadoop.hive.metastore.api.InvalidOperationException) TxnAbortedException(org.apache.hadoop.hive.metastore.api.TxnAbortedException) ConfigValSecurityException(org.apache.hadoop.hive.metastore.api.ConfigValSecurityException) UnknownDBException(org.apache.hadoop.hive.metastore.api.UnknownDBException) IOException(java.io.IOException) PartitionNotFoundException(io.prestosql.plugin.hive.PartitionNotFoundException) NoSuchObjectException(org.apache.hadoop.hive.metastore.api.NoSuchObjectException) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) NoSuchLockException(org.apache.hadoop.hive.metastore.api.NoSuchLockException) UnknownTableException(org.apache.hadoop.hive.metastore.api.UnknownTableException) SchemaNotFoundException(io.prestosql.spi.connector.SchemaNotFoundException) InvalidObjectException(org.apache.hadoop.hive.metastore.api.InvalidObjectException)

Example 23 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class SqlStandardAccessControlMetadata method revokeTablePrivileges.

@Override
public void revokeTablePrivileges(ConnectorSession session, SchemaTableName schemaTableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption) {
    String schemaName = schemaTableName.getSchemaName();
    String tableName = schemaTableName.getTableName();
    Set<HivePrivilegeInfo> hivePrivilegeInfos = privileges.stream().map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption, new HivePrincipal(USER, session.getUser()), new HivePrincipal(USER, session.getUser()))).collect(toSet());
    metastore.revokeTablePrivileges(schemaName, tableName, grantee, hivePrivilegeInfos);
}
Also used : ALREADY_EXISTS(io.prestosql.spi.StandardErrorCode.ALREADY_EXISTS) PrestoException(io.prestosql.spi.PrestoException) ImmutableSet(com.google.common.collect.ImmutableSet) HivePrivilegeInfo.toHivePrivilege(io.prestosql.plugin.hive.metastore.HivePrivilegeInfo.toHivePrivilege) ThriftMetastoreUtil.listEnabledPrincipals(io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listEnabledPrincipals) GrantInfo(io.prestosql.spi.security.GrantInfo) Set(java.util.Set) RoleGrant(io.prestosql.spi.security.RoleGrant) PrivilegeInfo(io.prestosql.spi.security.PrivilegeInfo) HivePrincipal(io.prestosql.plugin.hive.metastore.HivePrincipal) USER(io.prestosql.spi.security.PrincipalType.USER) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) Privilege(io.prestosql.spi.security.Privilege) HivePrivilegeInfo(io.prestosql.plugin.hive.metastore.HivePrivilegeInfo) Objects.requireNonNull(java.util.Objects.requireNonNull) ThriftMetastoreUtil(io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil) Optional(java.util.Optional) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) SemiTransactionalHiveMetastore(io.prestosql.plugin.hive.metastore.SemiTransactionalHiveMetastore) ENGLISH(java.util.Locale.ENGLISH) Collectors.toSet(java.util.stream.Collectors.toSet)

Example 24 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class SqlStandardAccessControlMetadata method grantTablePrivileges.

@Override
public void grantTablePrivileges(ConnectorSession session, SchemaTableName schemaTableName, Set<Privilege> privileges, HivePrincipal grantee, boolean grantOption) {
    String schemaName = schemaTableName.getSchemaName();
    String tableName = schemaTableName.getTableName();
    Set<HivePrivilegeInfo> hivePrivilegeInfos = privileges.stream().map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption, new HivePrincipal(USER, session.getUser()), new HivePrincipal(USER, session.getUser()))).collect(toSet());
    metastore.grantTablePrivileges(schemaName, tableName, grantee, hivePrivilegeInfos);
}
Also used : ALREADY_EXISTS(io.prestosql.spi.StandardErrorCode.ALREADY_EXISTS) PrestoException(io.prestosql.spi.PrestoException) ImmutableSet(com.google.common.collect.ImmutableSet) HivePrivilegeInfo.toHivePrivilege(io.prestosql.plugin.hive.metastore.HivePrivilegeInfo.toHivePrivilege) ThriftMetastoreUtil.listEnabledPrincipals(io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.listEnabledPrincipals) GrantInfo(io.prestosql.spi.security.GrantInfo) Set(java.util.Set) RoleGrant(io.prestosql.spi.security.RoleGrant) PrivilegeInfo(io.prestosql.spi.security.PrivilegeInfo) HivePrincipal(io.prestosql.plugin.hive.metastore.HivePrincipal) USER(io.prestosql.spi.security.PrincipalType.USER) SchemaTableName(io.prestosql.spi.connector.SchemaTableName) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) ConnectorSession(io.prestosql.spi.connector.ConnectorSession) Privilege(io.prestosql.spi.security.Privilege) HivePrivilegeInfo(io.prestosql.plugin.hive.metastore.HivePrivilegeInfo) Objects.requireNonNull(java.util.Objects.requireNonNull) ThriftMetastoreUtil(io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil) Optional(java.util.Optional) ImmutableSet.toImmutableSet(com.google.common.collect.ImmutableSet.toImmutableSet) SemiTransactionalHiveMetastore(io.prestosql.plugin.hive.metastore.SemiTransactionalHiveMetastore) ENGLISH(java.util.Locale.ENGLISH) Collectors.toSet(java.util.stream.Collectors.toSet)

Example 25 with HivePrincipal

use of io.prestosql.plugin.hive.metastore.HivePrincipal in project hetu-core by openlookeng.

the class SqlStandardAccessControlMetadata method listTablePrivileges.

@Override
public List<GrantInfo> listTablePrivileges(ConnectorSession session, List<SchemaTableName> tableNames) {
    Set<HivePrincipal> principals = listEnabledPrincipals(metastore, session.getIdentity()).collect(toImmutableSet());
    boolean isAdminRoleSet = hasAdminRole(principals);
    ImmutableList.Builder<GrantInfo> result = ImmutableList.builder();
    for (SchemaTableName tableName : tableNames) {
        if (isAdminRoleSet) {
            result.addAll(buildGrants(tableName, null));
        } else {
            for (HivePrincipal grantee : principals) {
                result.addAll(buildGrants(tableName, grantee));
            }
        }
    }
    return result.build();
}
Also used : HivePrincipal(io.prestosql.plugin.hive.metastore.HivePrincipal) ImmutableList(com.google.common.collect.ImmutableList) GrantInfo(io.prestosql.spi.security.GrantInfo) SchemaTableName(io.prestosql.spi.connector.SchemaTableName)

Aggregations

HivePrincipal (io.prestosql.plugin.hive.metastore.HivePrincipal) 30
RoleGrant (io.prestosql.spi.security.RoleGrant) 18
PrestoException (io.prestosql.spi.PrestoException) 16
ImmutableSet (com.google.common.collect.ImmutableSet) 14
HivePrivilegeInfo (io.prestosql.plugin.hive.metastore.HivePrivilegeInfo) 12
HashSet (java.util.HashSet) 12
Set (java.util.Set) 12
ImmutableSet.toImmutableSet (com.google.common.collect.ImmutableSet.toImmutableSet) 10
SemiTransactionalHiveMetastore (io.prestosql.plugin.hive.metastore.SemiTransactionalHiveMetastore) 10
Collection (java.util.Collection) 8
Collectors.toSet (java.util.stream.Collectors.toSet) 8
PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo) 8
USER (io.prestosql.spi.security.PrincipalType.USER) 6
SelectedRole (io.prestosql.spi.security.SelectedRole) 6
List (java.util.List) 6
ENGLISH (java.util.Locale.ENGLISH) 6
Objects.requireNonNull (java.util.Objects.requireNonNull) 6
Optional (java.util.Optional) 6
ImmutableList (com.google.common.collect.ImmutableList) 5
SchemaTableName (io.prestosql.spi.connector.SchemaTableName) 5