Use of org.apache.hadoop.hive.metastore.api.RolePrincipalGrant in project hive by apache.
The class SQLStdHiveAccessController, method getAllRoleAncestors.
/**
 * Collects into {@code processedRolesMap} every role reachable from the given grants by
 * following role-to-role grants upward: the grants' own roles, the roles granted to those
 * roles, and so on.
 * <p>
 * A role already present in the map is not revisited. Besides avoiding repeated metastore
 * lookups, this is what bounds the recursion if the grant graph contains a cycle.
 *
 * @param processedRolesMap accumulator keyed by role name; updated in place
 * @param roleGrants grants whose roles (and all of their ancestors) should be recorded
 * @throws TException if the role-grant lookup fails
 * @throws HiveAuthzPluginException if the role-grant lookup fails
 * @throws MetaException if the role-grant lookup fails
 */
private void getAllRoleAncestors(Map<String, HiveRoleGrant> processedRolesMap, List<RolePrincipalGrant> roleGrants) throws MetaException, HiveAuthzPluginException, TException {
  for (RolePrincipalGrant grant : roleGrants) {
    String roleName = grant.getRoleName();
    if (processedRolesMap.get(roleName) != null) {
      // Already visited: skip (this is also the cycle guard).
      continue;
    }
    // Look up the roles granted to this role, record the role, then recurse into its parents.
    List<RolePrincipalGrant> grantedToRole = getRoleGrants(roleName, PrincipalType.ROLE);
    processedRolesMap.put(roleName, new HiveRoleGrant(grant));
    getAllRoleAncestors(processedRolesMap, grantedToRole);
  }
}
Use of org.apache.hadoop.hive.metastore.api.RolePrincipalGrant in project hive by apache.
The class HiveV1Authorizer, method getRoleGrantInfoForPrincipal.
/**
 * Returns the role grants held by {@code principal}, as reported by the metastore.
 *
 * @param principal the principal whose role grants are requested
 * @return one {@link HiveRoleGrant} per metastore grant record; empty if there are none
 * @throws HiveAuthzPluginException if the metastore call fails (wraps the {@link HiveException})
 * @throws HiveAccessControlException declared by the interface; not raised by the visible body
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException {
  // The metastore speaks the thrift principal-type enum, not the plugin-level one.
  PrincipalType thriftType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
  List<HiveRoleGrant> result = new ArrayList<HiveRoleGrant>();
  try {
    Hive hive = Hive.getWithFastCheck(this.conf);
    List<RolePrincipalGrant> rawGrants = hive.getRoleGrantInfoForPrincipal(principal.getName(), thriftType);
    for (RolePrincipalGrant raw : rawGrants) {
      result.add(new HiveRoleGrant(raw));
    }
  } catch (HiveException e) {
    // Surface metastore failures as plugin failures, keeping the cause.
    throw new HiveAuthzPluginException(e);
  }
  return result;
}
Use of org.apache.hadoop.hive.metastore.api.RolePrincipalGrant in project hive by apache.
The class SQLStdHiveAccessController, method getRolesFromMS.
/**
 * Loads from the metastore the roles the current user holds, directly or transitively
 * through role-to-role grants.
 * <p>
 * The admin role is deliberately not part of the returned list: if present it is stored in
 * {@code adminRole} instead (presumably so that admin is only active when explicitly set).
 *
 * @return the user's roles, excluding the admin role; may be empty
 * @throws HiveAuthzPluginException wrapping any failure while talking to the metastore
 */
private List<HiveRoleGrant> getRolesFromMS() throws HiveAuthzPluginException {
  try {
    List<RolePrincipalGrant> directGrants = getRoleGrants(currentUserName, PrincipalType.USER);
    Map<String, HiveRoleGrant> rolesByName = new HashMap<String, HiveRoleGrant>();
    // Expand the direct grants into the full ancestor set, keyed by role name.
    getAllRoleAncestors(rolesByName, directGrants);
    List<HiveRoleGrant> nonAdminRoles = new ArrayList<HiveRoleGrant>(directGrants.size());
    for (HiveRoleGrant role : rolesByName.values()) {
      boolean isAdmin = HiveMetaStore.ADMIN.equalsIgnoreCase(role.getRoleName());
      if (isAdmin) {
        this.adminRole = role;
      } else {
        nonAdminRoles.add(role);
      }
    }
    return nonAdminRoles;
  } catch (Exception e) {
    // Boundary: any metastore/thrift failure becomes a plugin exception naming the user.
    throw SQLAuthorizationUtils.getPluginException("Failed to retrieve roles for " + currentUserName, e);
  }
}
Use of org.apache.hadoop.hive.metastore.api.RolePrincipalGrant in project hive by apache.
The class HBaseStore, method listRoleMembers.
/**
 * Lists every principal that has been granted {@code roleName}, reading the grant records
 * from HBase inside a transaction.
 *
 * @param roleName the role whose members are listed
 * @return one {@link RolePrincipalGrant} per stored grant record; empty if there are none
 * @throws RuntimeException wrapping any failure; the transaction is rolled back in that case
 */
@Override
public List<RolePrincipalGrant> listRoleMembers(String roleName) {
  boolean succeeded = false;
  openTransaction();
  try {
    HbaseMetastoreProto.RoleGrantInfoList grantInfos = getHBase().getRolePrincipals(roleName);
    List<RolePrincipalGrant> members = new ArrayList<RolePrincipalGrant>(grantInfos.getGrantInfoList().size());
    for (HbaseMetastoreProto.RoleGrantInfo info : grantInfos.getGrantInfoList()) {
      // NOTE(review): getAddTime() is narrowed to int here — presumably a seconds timestamp; confirm it fits.
      members.add(new RolePrincipalGrant(
          roleName,
          info.getPrincipalName(),
          HBaseUtils.convertPrincipalTypes(info.getPrincipalType()),
          info.getGrantOption(),
          (int) info.getAddTime(),
          info.getGrantor(),
          HBaseUtils.convertPrincipalTypes(info.getGrantorType())));
    }
    succeeded = true;
    return members;
  } catch (Exception e) {
    // All failures, checked or not, are rethrown unchecked with the cause preserved.
    throw new RuntimeException(e);
  } finally {
    // Commit only if the body ran to completion; otherwise roll back.
    commitOrRoleBack(succeeded);
  }
}
Use of org.apache.hadoop.hive.metastore.api.RolePrincipalGrant in project hive by apache.
The class TestHBaseStoreIntegration, method grantRevokeRoles.
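/**
 * Exercises role grant/revoke round-trips against the store: listing roles per principal,
 * listing role members, downgrading a grant-option grant to a plain grant, dropping a role,
 * and revoking a plain grant.
 * <p>
 * Fix over the previous version: after the grant-option revoke, the test now inspects the
 * grant that was actually downgraded (role1's membership of role2) rather than only role1's
 * own member list, whose single grant never had the grant option to begin with.
 *
 * @throws Exception propagated from the store calls
 */
@Test
public void grantRevokeRoles() throws Exception {
  // Seconds-granularity lower bound for the grant time the store records.
  int startSeconds = (int) (System.currentTimeMillis() / 1000);
  String firstRole = "role1";
  store.addRole(firstRole, "me");
  String secondRole = "role2";
  store.addRole(secondRole, "me");
  Role role1 = store.getRole(firstRole);
  Role role2 = store.getRole(secondRole);
  // fred -> role1 (no grant option), role1 -> role2 (with grant option), fred -> role2 (no grant option)
  store.grantRole(role1, "fred", PrincipalType.USER, "bob", PrincipalType.USER, false);
  store.grantRole(role2, firstRole, PrincipalType.ROLE, "admin", PrincipalType.ROLE, true);
  store.grantRole(role2, "fred", PrincipalType.USER, "admin", PrincipalType.ROLE, false);

  // fred holds role1, role2 and the public role.
  List<Role> listed = store.listRoles("fred", PrincipalType.USER);
  Assert.assertEquals(3, listed.size());
  boolean sawRole1 = false;
  boolean sawRole2 = false;
  boolean sawPublic = false;
  for (Role r : listed) {
    String name = r.getRoleName();
    if (name.equals(firstRole)) {
      sawRole1 = true;
    } else if (name.equals(secondRole)) {
      sawRole2 = true;
    } else if (name.equals(HiveMetaStore.PUBLIC)) {
      sawPublic = true;
    } else {
      Assert.fail("Unknown role name " + name);
    }
  }
  Assert.assertTrue(sawRole1 && sawRole2 && sawPublic);

  // A ROLE-typed principal named "fred" is a different principal and holds nothing.
  listed = store.listRoles("fred", PrincipalType.ROLE);
  Assert.assertEquals(0, listed.size());
  // role1 was granted role2.
  listed = store.listRoles(firstRole, PrincipalType.ROLE);
  Assert.assertEquals(1, listed.size());
  Role onlyRole = listed.get(0);
  Assert.assertEquals(secondRole, onlyRole.getRoleName());

  // role1 has a single member: fred, granted by bob, without grant option.
  List<RolePrincipalGrant> members = store.listRoleMembers(firstRole);
  Assert.assertEquals(1, members.size());
  RolePrincipalGrant fredGrant = members.get(0);
  Assert.assertEquals("fred", fredGrant.getPrincipalName());
  Assert.assertEquals(PrincipalType.USER, fredGrant.getPrincipalType());
  Assert.assertTrue("Expected grant time of " + startSeconds + " got " + fredGrant.getGrantTime(), fredGrant.getGrantTime() >= startSeconds);
  Assert.assertEquals("bob", fredGrant.getGrantorName());
  Assert.assertEquals(PrincipalType.USER, fredGrant.getGrantorPrincipalType());
  Assert.assertFalse(fredGrant.isGrantOption());

  // role2 has two members: fred and role1.
  members = store.listRoleMembers(secondRole);
  Assert.assertEquals(2, members.size());
  boolean sawFred = false;
  sawRole1 = false;
  for (RolePrincipalGrant member : members) {
    String principal = member.getPrincipalName();
    if ("fred".equals(principal)) {
      sawFred = true;
    } else if (firstRole.equals(principal)) {
      sawRole1 = true;
    } else {
      Assert.fail("Unexpected principal " + principal);
    }
  }
  Assert.assertTrue(sawFred && sawRole1);

  // Revoking only the grant option keeps role1 a member of role2 but clears the option flag.
  store.revokeRole(role2, firstRole, PrincipalType.ROLE, true);
  listed = store.listRoles(firstRole, PrincipalType.ROLE);
  Assert.assertEquals(1, listed.size());
  Assert.assertEquals(secondRole, listed.get(0).getRoleName());
  members = store.listRoleMembers(firstRole);
  Assert.assertFalse(members.get(0).isGrantOption());
  // The downgraded grant lives in role2's member list; verify it specifically.
  members = store.listRoleMembers(secondRole);
  boolean checkedRole1Grant = false;
  for (RolePrincipalGrant member : members) {
    if (firstRole.equals(member.getPrincipalName())) {
      Assert.assertFalse("grant option should have been revoked for " + firstRole, member.isGrantOption());
      checkedRole1Grant = true;
    }
  }
  Assert.assertTrue("role1 should still be a member of role2", checkedRole1Grant);

  // Dropping role1 removes it from fred's roles and from the role-to-role lookup.
  store.removeRole(firstRole);
  listed = store.listRoles("fred", PrincipalType.USER);
  Assert.assertEquals(2, listed.size());
  sawRole2 = false;
  sawPublic = false;
  for (Role r : listed) {
    String name = r.getRoleName();
    if (name.equals(secondRole)) {
      sawRole2 = true;
    } else if (name.equals(HiveMetaStore.PUBLIC)) {
      sawPublic = true;
    } else {
      Assert.fail("Unknown role " + name);
    }
  }
  Assert.assertTrue(sawRole2 && sawPublic);
  listed = store.listRoles(firstRole, PrincipalType.ROLE);
  Assert.assertEquals(0, listed.size());

  // Revoking fred's plain grant on role2 leaves only the public role.
  store.revokeRole(role2, "fred", PrincipalType.USER, false);
  listed = store.listRoles("fred", PrincipalType.USER);
  Assert.assertEquals(1, listed.size());
  Assert.assertEquals(HiveMetaStore.PUBLIC, listed.get(0).getRoleName());
}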