
Example 41 with HiveObjectRef

Use of org.apache.hadoop.hive.metastore.api.HiveObjectRef in project hive by apache.

Class ObjectStore, method listPrincipalPartitionGrants.

@Override
public List<HiveObjectPrivilege> listPrincipalPartitionGrants(String principalName, PrincipalType principalType, String catName, String dbName, String tableName, List<String> partValues, String partName) {
    List<MPartitionPrivilege> mParts = listPrincipalMPartitionGrants(principalName, principalType, catName, dbName, tableName, partName);
    if (mParts.isEmpty()) {
        return Collections.emptyList();
    }
    List<HiveObjectPrivilege> result = new ArrayList<>();
    for (int i = 0; i < mParts.size(); i++) {
        MPartitionPrivilege sPart = mParts.get(i);
        HiveObjectRef objectRef = new HiveObjectRef(HiveObjectType.PARTITION, dbName, tableName, partValues, null);
        objectRef.setCatName(catName);
        HiveObjectPrivilege secObj = new HiveObjectPrivilege(objectRef, sPart.getPrincipalName(), principalType, new PrivilegeGrantInfo(sPart.getPrivilege(), sPart.getCreateTime(), sPart.getGrantor(), PrincipalType.valueOf(sPart.getGrantorType()), sPart.getGrantOption()), sPart.getAuthorizer());
        result.add(secObj);
    }
    return result;
}
Also used: HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege), PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo), HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef), MPartitionPrivilege (org.apache.hadoop.hive.metastore.model.MPartitionPrivilege), ArrayList (java.util.ArrayList), MConstraint (org.apache.hadoop.hive.metastore.model.MConstraint), SQLUniqueConstraint (org.apache.hadoop.hive.metastore.api.SQLUniqueConstraint), SQLCheckConstraint (org.apache.hadoop.hive.metastore.api.SQLCheckConstraint), SQLDefaultConstraint (org.apache.hadoop.hive.metastore.api.SQLDefaultConstraint), SQLNotNullConstraint (org.apache.hadoop.hive.metastore.api.SQLNotNullConstraint)

Example 42 with HiveObjectRef

Use of org.apache.hadoop.hive.metastore.api.HiveObjectRef in project hive by apache.

Class ObjectStore, method convertDC.

private List<HiveObjectPrivilege> convertDC(List<MDCPrivilege> privs) {
    List<HiveObjectPrivilege> result = new ArrayList<>();
    for (MDCPrivilege priv : privs) {
        String pname = priv.getPrincipalName();
        String authorizer = priv.getAuthorizer();
        PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType());
        String dataConnectorName = priv.getDataConnector().getName();
        HiveObjectRef objectRef = new HiveObjectRef(HiveObjectType.DATACONNECTOR, null, dataConnectorName, null, null);
        PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption());
        result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer));
    }
    return result;
}
Also used: HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege), PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo), MDCPrivilege (org.apache.hadoop.hive.metastore.model.MDCPrivilege), HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef), ArrayList (java.util.ArrayList), PrincipalType (org.apache.hadoop.hive.metastore.api.PrincipalType)

Example 43 with HiveObjectRef

Use of org.apache.hadoop.hive.metastore.api.HiveObjectRef in project ranger by apache.

Class RangerHivePlugin, method getHivePrivilegeInfos.

private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    List<HivePrivilegeInfo> ret = new ArrayList<>();
    HivePrivilegeObject.HivePrivilegeObjectType objectType = null;
    Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = null;
    Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = null;
    Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = null;
    String dbName = null;
    String objectName = null;
    String columnName = null;
    List<String> partValues = null;
    try {
        HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
        if (msObjRef != null) {
            HivePrivilegeObject hivePrivilegeObject = null;
            if (msObjRef.getDbName() != null) {
                // when resource is specified in the show grants, acl will be for that resource / user / groups
                objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
                dbName = msObjRef.getDbName();
                objectName = msObjRef.getObjectName();
                columnName = (msObjRef.getColumnName() == null) ? new String() : msObjRef.getColumnName();
                partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();
                hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);
                RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(hivePrivilegeObject);
                if (rangerResourceACLs != null) {
                    Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
                    Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
                    Map<String, Map<String, RangerResourceACLs.AccessResult>> roleRangerACLs = rangerResourceACLs.getRoleACLs();
                    userPermissions = convertRangerACLsToHiveACLs(userRangerACLs);
                    groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
                    rolePermissions = convertRangerACLsToHiveACLs(roleRangerACLs);
                    if (principal != null) {
                        if (principal.getType() == HivePrincipal.HivePrincipalType.USER) {
                            String user = principal.getName();
                            Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);
                            if (userACLs != null) {
                                Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
                                for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
                                    RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
                                    if (policy != null) {
                                        String aclname = getPermission(userACL, userAccessResult, policy);
                                        HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                        ret.add(privilegeInfo);
                                    }
                                }
                            }
                            Set<String> groups = getPrincipalGroup(user);
                            for (String group : groups) {
                                Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
                                if (groupACLs != null) {
                                    Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
                                    for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
                                        RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
                                        if (policy != null) {
                                            String aclname = getPermission(groupACL, groupAccessResult, policy);
                                            HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                            ret.add(privilegeInfo);
                                        }
                                    }
                                }
                            }
                        } else if (principal.getType() == HivePrincipal.HivePrincipalType.ROLE) {
                            String role = principal.getName();
                            Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> roleACLs = rolePermissions.get(role);
                            if (roleACLs != null) {
                                Map<String, RangerResourceACLs.AccessResult> roleAccessResult = roleRangerACLs.get(role);
                                for (HiveResourceACLs.Privilege roleACL : roleACLs.keySet()) {
                                    RangerPolicy policy = getRangerPolicy(roleAccessResult, roleACL.name());
                                    if (policy != null) {
                                        String aclname = getPermission(roleACL, roleAccessResult, policy);
                                        HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                        ret.add(privilegeInfo);
                                    }
                                }
                            }
                        }
                    } else {
                        // Request is for all the ACLs on a resource
                        for (String user : userRangerACLs.keySet()) {
                            HivePrincipal hivePrincipal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
                            Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);
                            if (userACLs != null) {
                                Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
                                for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
                                    RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
                                    if (policy != null) {
                                        String aclname = getPermission(userACL, userAccessResult, policy);
                                        HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                        ret.add(privilegeInfo);
                                    }
                                }
                            }
                        }
                        for (String group : groupRangerACLs.keySet()) {
                            HivePrincipal hivePrincipal = new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP);
                            Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
                            if (groupACLs != null) {
                                Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
                                for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
                                    RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
                                    if (policy != null) {
                                        String aclname = getPermission(groupACL, groupAccessResult, policy);
                                        HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                        ret.add(privilegeInfo);
                                    }
                                }
                            }
                        }
                        for (String role : roleRangerACLs.keySet()) {
                            HivePrincipal hivePrincipal = new HivePrincipal(role, HivePrincipal.HivePrincipalType.ROLE);
                            Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> roleACLs = rolePermissions.get(role);
                            if (roleACLs != null) {
                                Map<String, RangerResourceACLs.AccessResult> roleAccessResult = roleRangerACLs.get(role);
                                for (HiveResourceACLs.Privilege roleACL : roleACLs.keySet()) {
                                    RangerPolicy policy = getRangerPolicy(roleAccessResult, roleACL.name());
                                    if (policy != null) {
                                        String aclname = getPermission(roleACL, roleAccessResult, policy);
                                        HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
                                        ret.add(privilegeInfo);
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    } catch (Exception e) {
        throw new HiveAuthzPluginException("hive showPrivileges" + ": " + e.getMessage(), e);
    }
    return ret;
}
Also used: HivePrivilegeInfo (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo), HivePrivilegeObjectType (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType), HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef), ArrayList (java.util.ArrayList), HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject), HiveResourceACLs (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs), HiveAuthzPluginException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException), SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException), HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException), IOException (java.io.IOException), RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy), RangerResourceACLs (org.apache.ranger.plugin.policyengine.RangerResourceACLs), HivePrincipal (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal), RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult), HivePrivilege (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege), Map (java.util.Map), HashMap (java.util.HashMap)

Example 44 with HiveObjectRef

Use of org.apache.hadoop.hive.metastore.api.HiveObjectRef in project presto by prestodb.

Class ThriftHiveMetastore, method listTablePrivileges.

@Override
public Set<HivePrivilegeInfo> listTablePrivileges(MetastoreContext metastoreContext, String databaseName, String tableName, PrestoPrincipal principal) {
    try {
        return retry().stopOnIllegalExceptions().run("getListPrivileges", stats.getListPrivileges().wrap(() -> getMetastoreClientThenCall(metastoreContext, client -> {
            Table table = client.getTable(databaseName, tableName);
            ImmutableSet.Builder<HivePrivilegeInfo> privileges = ImmutableSet.builder();
            List<HiveObjectPrivilege> hiveObjectPrivilegeList;
            // principal can be null when we want to list all privileges for admins
            if (principal == null) {
                hiveObjectPrivilegeList = client.listPrivileges(null, null, new HiveObjectRef(TABLE, databaseName, tableName, null, null));
            } else {
                if (principal.getType() == USER && table.getOwner().equals(principal.getName())) {
                    privileges.add(new HivePrivilegeInfo(OWNERSHIP, true, principal, principal));
                }
                hiveObjectPrivilegeList = client.listPrivileges(principal.getName(), fromPrestoPrincipalType(principal.getType()), new HiveObjectRef(TABLE, databaseName, tableName, null, null));
            }
            for (HiveObjectPrivilege hiveObjectPrivilege : hiveObjectPrivilegeList) {
                PrestoPrincipal grantee = new PrestoPrincipal(fromMetastoreApiPrincipalType(hiveObjectPrivilege.getPrincipalType()), hiveObjectPrivilege.getPrincipalName());
                privileges.addAll(parsePrivilege(hiveObjectPrivilege.getGrantInfo(), Optional.of(grantee)));
            }
            return privileges.build();
        })));
    } catch (TException e) {
        throw new PrestoException(HIVE_METASTORE_ERROR, e);
    } catch (Exception e) {
        throw propagate(e);
    }
}
Also used: TException (org.apache.thrift.TException), HivePrivilegeInfo (com.facebook.presto.hive.metastore.HivePrivilegeInfo), HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege), Table (org.apache.hadoop.hive.metastore.api.Table), ThriftMetastoreUtil.fromMetastoreApiTable (com.facebook.presto.hive.metastore.thrift.ThriftMetastoreUtil.fromMetastoreApiTable), ImmutableSet (com.google.common.collect.ImmutableSet), HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef), PrestoException (com.facebook.presto.spi.PrestoException), PrestoPrincipal (com.facebook.presto.spi.security.PrestoPrincipal), SchemaAlreadyExistsException (com.facebook.presto.hive.SchemaAlreadyExistsException), AlreadyExistsException (org.apache.hadoop.hive.metastore.api.AlreadyExistsException), TableAlreadyExistsException (com.facebook.presto.hive.TableAlreadyExistsException), InvalidInputException (org.apache.hadoop.hive.metastore.api.InvalidInputException), InvalidOperationException (org.apache.hadoop.hive.metastore.api.InvalidOperationException), UnknownDBException (org.apache.hadoop.hive.metastore.api.UnknownDBException), NoSuchObjectException (org.apache.hadoop.hive.metastore.api.NoSuchObjectException), MetaException (org.apache.hadoop.hive.metastore.api.MetaException), PartitionNotFoundException (com.facebook.presto.hive.PartitionNotFoundException), SchemaNotFoundException (com.facebook.presto.spi.SchemaNotFoundException), HiveViewNotSupportedException (com.facebook.presto.hive.HiveViewNotSupportedException), UnknownTableException (org.apache.hadoop.hive.metastore.api.UnknownTableException), InvalidObjectException (org.apache.hadoop.hive.metastore.api.InvalidObjectException), TableNotFoundException (com.facebook.presto.spi.TableNotFoundException)

Aggregations

HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef): 44
HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege): 38
PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo): 35
ArrayList (java.util.ArrayList): 34
PrincipalType (org.apache.hadoop.hive.metastore.api.PrincipalType): 13
List (java.util.List): 11
IOException (java.io.IOException): 10
LinkedList (java.util.LinkedList): 10
PrincipalPrivilegeSet (org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet): 10
PrivilegeBag (org.apache.hadoop.hive.metastore.api.PrivilegeBag): 10
Database (org.apache.hadoop.hive.metastore.api.Database): 9
SQLCheckConstraint (org.apache.hadoop.hive.metastore.api.SQLCheckConstraint): 9
SQLDefaultConstraint (org.apache.hadoop.hive.metastore.api.SQLDefaultConstraint): 9
SQLNotNullConstraint (org.apache.hadoop.hive.metastore.api.SQLNotNullConstraint): 9
SQLUniqueConstraint (org.apache.hadoop.hive.metastore.api.SQLUniqueConstraint): 9
Table (org.apache.hadoop.hive.metastore.api.Table): 9
MConstraint (org.apache.hadoop.hive.metastore.model.MConstraint): 9
Test (org.junit.Test): 6
Map (java.util.Map): 5
MetaException (org.apache.hadoop.hive.metastore.api.MetaException): 5