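/**
 * Returns the roles granted to {@code principal}, as recorded in the metastore.
 *
 * <p>Authorization: an admin may query any principal; any other caller must first pass
 * {@link #ensureShowGrantAllowed}.
 *
 * @param principal the user or role whose role grants are listed; must not be null
 * @return one {@link HiveRoleGrant} per metastore {@link RolePrincipalGrant}, in metastore order
 * @throws HiveAccessControlException if the caller is not allowed to view this principal's grants
 * @throws HiveAuthzPluginException for any other failure (e.g. a metastore error), with the
 *         original exception attached as the cause
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // Fail with a clear message up front: the catch-all below builds its error text from
  // principal.getName(), which would itself throw NPE for a null principal.
  if (principal == null) {
    throw new NullPointerException("principal must not be null");
  }
  try {
    // first authorize the call
    if (!isUserAdmin()) {
      ensureShowGrantAllowed(principal);
    }
    List<RolePrincipalGrant> roleGrants = getRoleGrants(principal.getName(),
        AuthorizationUtils.getThriftPrincipalType(principal.getType()));
    List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(roleGrants.size());
    for (RolePrincipalGrant roleGrant : roleGrants) {
      hiveRoleGrants.add(new HiveRoleGrant(roleGrant));
    }
    return hiveRoleGrants;
  } catch (HiveAccessControlException e) {
    // An authorization denial is part of this method's declared contract; re-wrapping it as a
    // plugin error would hide the "access denied" outcome from the caller.
    throw e;
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException(
        "Error getting role grant information for user " + principal.getName(), e);
  }
}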
/**
 * Grants {@code hivePrivileges} on {@code hivePrivObject} to every principal in
 * {@code hivePrincipals}.
 *
 * <p>The privilege list is expanded and validated first, the grant is then authorized against
 * the current user (name, current roles, admin status), and only after that is the metastore
 * asked to persist it.
 *
 * @param hivePrincipals  grantees
 * @param hivePrivileges  privileges to grant; expanded/validated before use
 * @param hivePrivObject  object the privileges apply to
 * @param grantorPrincipal principal recorded as the grantor
 * @param grantOption     whether the grantees may re-grant the privileges
 * @throws HiveAccessControlException if the current user may not perform this grant
 * @throws HiveAuthzPluginException if the metastore call fails (cause attached)
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  final List<HivePrivilege> privsToGrant = expandAndValidatePrivileges(hivePrivileges);
  final IMetaStoreClient msClient = metastoreClientFactory.getHiveMetastoreClient();

  // Authorization precedes the metastore write, so a denied grant never reaches the store.
  GrantPrivAuthUtils.authorize(hivePrincipals, privsToGrant, hivePrivObject, grantOption,
      msClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());

  final PrivilegeBag bag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals,
      privsToGrant, hivePrivObject, grantorPrincipal, grantOption);
  try {
    msClient.grant_privileges(bag);
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
  }
}
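/**
 * Authorizes a REVOKE and returns the metastore privilege entries it should remove.
 *
 * <p>Only privileges held directly by each principal (not inherited via roles) that were granted
 * by {@code userName} acting as a USER are candidates, so a user can only revoke what they
 * granted themselves. Every requested privilege must match for every principal; otherwise the
 * whole request is rejected with a message listing each missing privilege.
 *
 * @param principals     principals the privileges are revoked from
 * @param hivePrivileges privileges to revoke, matched by {@link HivePrivilege#getName()}
 * @param hivePrivObject object the privileges apply to
 * @param grantOption    accepted for interface symmetry with grant; not consulted here
 * @param mClient        metastore client used to list existing privileges
 * @param userName       current user; must be the recorded grantor of each matched privilege
 * @return the matched metastore privilege objects, in principal-then-privilege order
 * @throws HiveAccessControlException if any requested privilege was not granted by
 *         {@code userName} to the given principal on the object
 * @throws HiveAuthzPluginException if listing privileges from the metastore fails
 */
public static List<HiveObjectPrivilege> authorizeAndGetRevokePrivileges(List<HivePrincipal> principals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption,
    IMetaStoreClient mClient, String userName) throws HiveAuthzPluginException, HiveAccessControlException {
  List<HiveObjectPrivilege> matchingPrivs = new ArrayList<HiveObjectPrivilege>();
  StringBuilder errMsg = new StringBuilder();
  for (HivePrincipal principal : principals) {
    Map<String, HiveObjectPrivilege> priv2privObj =
        getDirectPrivilegesGrantedBy(principal, hivePrivObject, mClient, userName);
    // find the privileges that we are looking for
    for (HivePrivilege hivePrivilege : hivePrivileges) {
      HiveObjectPrivilege matchedPriv = priv2privObj.get(hivePrivilege.getName());
      if (matchedPriv != null) {
        matchingPrivs.add(matchedPriv);
      } else {
        // Keep collecting so the caller sees every missing privilege in one error.
        errMsg.append("Cannot find privilege ").append(hivePrivilege).append(" for ")
            .append(principal).append(" on ").append(hivePrivObject).append(" granted by ")
            .append(userName).append(System.getProperty("line.separator"));
      }
    }
  }
  if (errMsg.length() != 0) {
    throw new HiveAccessControlException(errMsg.toString());
  }
  return matchingPrivs;
}

/**
 * Lists the privileges {@code principal} holds directly on {@code hivePrivObject} (role-derived
 * privileges are not consulted) that were granted by user {@code userName}, keyed by privilege
 * name. If the metastore returns several entries with the same privilege name, the last one
 * wins.
 *
 * @throws HiveAuthzPluginException if the metastore listing fails (cause attached)
 */
private static Map<String, HiveObjectPrivilege> getDirectPrivilegesGrantedBy(HivePrincipal principal,
    HivePrivilegeObject hivePrivObject, IMetaStoreClient mClient, String userName)
    throws HiveAuthzPluginException {
  List<HiveObjectPrivilege> msObjPrivs;
  try {
    msObjPrivs = mClient.list_privileges(principal.getName(),
        AuthorizationUtils.getThriftPrincipalType(principal.getType()),
        SQLAuthorizationUtils.getThriftHiveObjectRef(hivePrivObject));
  } catch (TException e) {
    // MetaException is a TException subclass, so one handler covers both declared failures.
    throw new HiveAuthzPluginException(e);
  }
  Map<String, HiveObjectPrivilege> priv2privObj = new HashMap<String, HiveObjectPrivilege>();
  for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
    PrivilegeGrantInfo grantInfo = msObjPriv.getGrantInfo();
    // Only entries whose recorded grantor is the current user (as a USER) are revocable here;
    // an entry without grant info cannot be attributed and is skipped.
    if (grantInfo != null && grantInfo.getGrantor() != null
        && grantInfo.getGrantor().equals(userName)
        && grantInfo.getGrantorType() == PrincipalType.USER) {
      priv2privObj.put(grantInfo.getPrivilege(), msObjPriv);
    }
  }
  return priv2privObj;
}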
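/**
 * Call the HS2 metadata api's with authorizer disallowing those calls.
 *
 * <p>Each {@link DatabaseMetaData} call is exercised in its own try block so that one denial
 * does not mask the result for the others. A {@code fail(...)} inside a try is an
 * {@code AssertionError}, not an {@code Exception}, so it is never swallowed by the catch
 * clauses. The connection is closed in a finally block so a failing assertion does not leak it
 * into later tests.
 *
 * @throws Exception if obtaining the connection or its metadata fails
 */
@Test
public void testMetaApiDisAllowed() throws Exception {
  TestAuthValidator.allowActions = false;
  Connection hs2Conn = getConnection("user1");
  try {
    DatabaseMetaData dbmetadata = hs2Conn.getMetaData();
    try {
      dbmetadata.getCatalogs();
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      dbmetadata.getSchemas();
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      dbmetadata.getTypeInfo();
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      dbmetadata.getTables(null, "default", "t%", null);
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      dbmetadata.getTableTypes();
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      // the table need not exist: the authorizer must deny before any lookup happens
      dbmetadata.getColumns(null, "default", "nosuchtable", null);
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
    try {
      dbmetadata.getFunctions(null, null, "trim");
      fail("HiveAccessControlException expected");
    } catch (SQLException e) {
      assertErrorContains(e, TestAuthValidator.DENIED_ERR);
    } catch (Exception e) {
      fail("HiveAccessControlException expected");
    }
  } finally {
    hs2Conn.close();
  }
}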
/**
 * Lists the privileges recorded in the metastore for {@code principal} on {@code privObj},
 * converted to plugin result objects.
 *
 * <p>Authorization: admins may list anything. A non-admin must name a principal and must pass
 * {@link #ensureShowGrantAllowed} for it; a null principal with a non-admin caller is rejected.
 * Metastore entries whose object type is not supported by this plugin are skipped.
 *
 * <p>NOTE(review): the access-control rejection for the null-principal case is raised inside the
 * try block and is therefore re-wrapped by the catch-all into a {@link HiveAuthzPluginException};
 * callers see a plugin error rather than a {@link HiveAccessControlException}, which this method
 * does not declare.
 *
 * @param principal principal to list privileges for, or null for all principals (admin only)
 * @param privObj   object to list privileges on
 * @return one {@link HivePrivilegeInfo} per supported metastore entry, in metastore order
 * @throws HiveAuthzPluginException on any failure, including authorization denial (cause attached)
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
    throws HiveAuthzPluginException {
  try {
    // First authorize the call
    if (!isUserAdmin()) {
      if (principal == null) {
        // only the admin is allowed to list privileges for any user
        throw new HiveAccessControlException("User : " + currentUserName + " has to specify"
            + " a user name or role in the show grant. " + ADMIN_ONLY_MSG);
      }
      // principal is specified, authorize on it
      ensureShowGrantAllowed(principal);
    }

    final IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();
    final List<HivePrivilegeInfo> results = new ArrayList<HivePrivilegeInfo>();

    String lookupName = null;
    PrincipalType lookupType = null;
    if (principal != null) {
      lookupName = principal.getName();
      lookupType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
    }

    // get metastore/thrift privilege object using metastore api
    final List<HiveObjectPrivilege> thriftPrivs = client.list_privileges(lookupName, lookupType,
        SQLAuthorizationUtils.getThriftHiveObjectRef(privObj));

    // convert the metastore thrift objects to result objects
    for (HiveObjectPrivilege thriftPriv : thriftPrivs) {
      HivePrincipal grantee = new HivePrincipal(thriftPriv.getPrincipalName(),
          AuthorizationUtils.getHivePrincipalType(thriftPriv.getPrincipalType()));
      PrivilegeGrantInfo grantInfo = thriftPriv.getGrantInfo();
      HivePrivilege privilege = new HivePrivilege(grantInfo.getPrivilege(), null);

      HiveObjectRef objRef = thriftPriv.getHiveObject();
      if (!isSupportedObjectType(objRef.getObjectType())) {
        // ignore entries on object types this plugin does not model
        continue;
      }
      HivePrivilegeObject object = new HivePrivilegeObject(
          getPluginPrivilegeObjType(objRef.getObjectType()), objRef.getDbName(),
          objRef.getObjectName(), objRef.getPartValues(), objRef.getColumnName());
      HivePrincipal grantor = new HivePrincipal(grantInfo.getGrantor(),
          AuthorizationUtils.getHivePrincipalType(grantInfo.getGrantorType()));

      results.add(new HivePrivilegeInfo(grantee, privilege, object, grantor,
          grantInfo.isGrantOption(), grantInfo.getCreateTime()));
    }
    return results;
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
  }
}