Example 6 with HiveAuthzPluginException

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException in project hive by apache.

the class SQLStdHiveAccessController method grantPrivileges.

@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
    hivePrivileges = expandAndValidatePrivileges(hivePrivileges);
    IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient();
    // authorize the grant
    GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());
    // grant
    PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
    try {
        metastoreClient.grant_privileges(privBag);
    } catch (Exception e) {
        throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
    }
}
Also used : PrivilegeBag(org.apache.hadoop.hive.metastore.api.PrivilegeBag) IMetaStoreClient(org.apache.hadoop.hive.metastore.IMetaStoreClient) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) TException(org.apache.thrift.TException)

Example 7 with HiveAuthzPluginException

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException in project hive by apache.

the class SQLStdHiveAccessController method revokePrivileges.

@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
    hivePrivileges = expandAndValidatePrivileges(hivePrivileges);
    IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient();
    // authorize the revoke, and get the set of privileges to be revoked
    List<HiveObjectPrivilege> revokePrivs = RevokePrivAuthUtils.authorizeAndGetRevokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName());
    try {
        // Unfortunately, the metastore API revokes all privileges that match on
        // principal and privilege object type; it does not filter on the grantor
        // username.
        // So this will revoke privileges that were granted by other users. This is
        // not SQL-compliant behavior. Need to change/add a metastore API
        // that has the desired behavior.
        metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption);
    } catch (Exception e) {
        throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e);
    }
}
Also used : HiveObjectPrivilege(org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege) PrivilegeBag(org.apache.hadoop.hive.metastore.api.PrivilegeBag) IMetaStoreClient(org.apache.hadoop.hive.metastore.IMetaStoreClient) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) TException(org.apache.thrift.TException)

Example 8 with HiveAuthzPluginException

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException in project hive by apache.

the class SQLStdHiveAccessController method grantRole.

@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
        throw new HiveAccessControlException("Current user : " + currentUserName + " is not" + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
    }
    for (HivePrincipal hivePrincipal : hivePrincipals) {
        for (String roleName : roleNames) {
            try {
                IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient();
                mClient.grant_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantorPrinc.getName(), AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()), grantOption);
            } catch (MetaException e) {
                throw SQLAuthorizationUtils.getPluginException("Error granting role", e);
            } catch (Exception e) {
                String msg = "Error granting roles for " + hivePrincipal.getName() + " to role " + roleName;
                throw SQLAuthorizationUtils.getPluginException(msg, e);
            }
        }
    }
}
Also used : HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal) IMetaStoreClient(org.apache.hadoop.hive.metastore.IMetaStoreClient) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) TException(org.apache.thrift.TException)

Example 9 with HiveAuthzPluginException

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException in project hive by apache.

the class SQLStdHiveAccessController method showPrivileges.

@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    try {
        // First authorize the call
        if (principal == null) {
            // only the admin is allowed to list privileges for any user
            if (!isUserAdmin()) {
                throw new HiveAccessControlException("User : " + currentUserName + " has to specify" + " a user name or role in the show grant. " + ADMIN_ONLY_MSG);
            }
        } else {
            // principal is specified, authorize on it
            if (!isUserAdmin()) {
                ensureShowGrantAllowed(principal);
            }
        }
        IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient();
        List<HivePrivilegeInfo> resPrivInfos = new ArrayList<HivePrivilegeInfo>();
        String principalName = principal == null ? null : principal.getName();
        PrincipalType principalType = principal == null ? null : AuthorizationUtils.getThriftPrincipalType(principal.getType());
        // get metastore/thrift privilege object using metastore api
        List<HiveObjectPrivilege> msObjPrivs = mClient.list_privileges(principalName, principalType, SQLAuthorizationUtils.getThriftHiveObjectRef(privObj));
        // convert the metastore thrift objects to result objects
        for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
            // result principal
            HivePrincipal resPrincipal = new HivePrincipal(msObjPriv.getPrincipalName(), AuthorizationUtils.getHivePrincipalType(msObjPriv.getPrincipalType()));
            // result privilege
            PrivilegeGrantInfo msGrantInfo = msObjPriv.getGrantInfo();
            HivePrivilege resPrivilege = new HivePrivilege(msGrantInfo.getPrivilege(), null);
            // result object
            HiveObjectRef msObjRef = msObjPriv.getHiveObject();
            if (!isSupportedObjectType(msObjRef.getObjectType())) {
                // ignore them
                continue;
            }
            HivePrivilegeObject resPrivObj = new HivePrivilegeObject(getPluginPrivilegeObjType(msObjRef.getObjectType()), msObjRef.getDbName(), msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName());
            // result grantor principal
            HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(), AuthorizationUtils.getHivePrincipalType(msGrantInfo.getGrantorType()));
            HivePrivilegeInfo resPrivInfo = new HivePrivilegeInfo(resPrincipal, resPrivilege, resPrivObj, grantorPrincipal, msGrantInfo.isGrantOption(), msGrantInfo.getCreateTime());
            resPrivInfos.add(resPrivInfo);
        }
        return resPrivInfos;
    } catch (Exception e) {
        throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
    }
}
Also used : HivePrivilegeInfo(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo) PrivilegeGrantInfo(org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo) HivePrivilege(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege) HiveObjectRef(org.apache.hadoop.hive.metastore.api.HiveObjectRef) ArrayList(java.util.ArrayList) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject) IMetaStoreClient(org.apache.hadoop.hive.metastore.IMetaStoreClient) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) TException(org.apache.thrift.TException) HiveObjectPrivilege(org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal) PrincipalType(org.apache.hadoop.hive.metastore.api.PrincipalType)

Example 10 with HiveAuthzPluginException

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException in project hive by apache.

the class SQLStdHiveAccessController method revokeRole.

@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
        throw new HiveAccessControlException("Current user : " + currentUserName + " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
    }
    for (HivePrincipal hivePrincipal : hivePrincipals) {
        for (String roleName : roleNames) {
            try {
                IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient();
                mClient.revoke_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption);
            } catch (Exception e) {
                String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role " + roleName;
                throw SQLAuthorizationUtils.getPluginException(msg, e);
            }
        }
    }
}
Also used : HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal) IMetaStoreClient(org.apache.hadoop.hive.metastore.IMetaStoreClient) MetaException(org.apache.hadoop.hive.metastore.api.MetaException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) TException(org.apache.thrift.TException)
