use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal in project hive by apache.
the class DDLTask method grantOrRevokeRole.
/**
 * Executes a GRANT ROLE / REVOKE ROLE statement through the session's authorizer.
 *
 * <p>This method performs no authorization decision of its own: it only translates the
 * parsed DDL into the plugin API's types and delegates to the configured
 * {@link HiveAuthorizer}, which is expected to verify that the operation is permitted.
 *
 * @param db the Hive instance used to obtain the session authorizer
 * @param grantOrRevokeRoleDDL the parsed statement (principals, roles, grant option, optional grantor)
 * @return 0; failures are reported via exceptions, not the return code
 * @throws HiveException if the authorizer fails or rejects the operation
 */
private int grantOrRevokeRole(Hive db, GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException {
  HiveAuthorizer authorizer = getSessionAuthorizer(db);

  // The grantor is optional in the DDL; when absent it is passed to the plugin as null.
  String grantorName = grantOrRevokeRoleDDL.getGrantor();
  HivePrincipal grantingPrincipal = null;
  if (grantorName != null) {
    grantingPrincipal = new HivePrincipal(grantorName,
        AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType()));
  }

  // Convert the remaining descriptors into the plugin API's model.
  List<HivePrincipal> targetPrincipals = AuthorizationUtils.getHivePrincipals(
      grantOrRevokeRoleDDL.getPrincipalDesc(), getAuthorizationTranslator(authorizer));
  List<String> roleNames = grantOrRevokeRoleDDL.getRoles();
  boolean withGrantOption = grantOrRevokeRoleDDL.isGrantOption();
  boolean isGrant = grantOrRevokeRoleDDL.getGrant();

  if (!isGrant) {
    authorizer.revokeRole(targetPrincipals, roleNames, withGrantOption, grantingPrincipal);
  } else {
    authorizer.grantRole(targetPrincipals, roleNames, withGrantOption, grantingPrincipal);
  }
  return 0;
}
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal in project hive by apache.
the class DDLTask method grantOrRevokePrivileges.
/**
 * Executes a GRANT / REVOKE of object privileges through the session's authorizer.
 *
 * <p>No access decision is made here; the descriptors are translated into the plugin API's
 * types and the configured {@link HiveAuthorizer} is expected to check that the session user
 * is allowed to grant or revoke on behalf of {@code grantor}.
 *
 * @param db the Hive instance used to obtain the session authorizer
 * @param principals the grantees (or revokees)
 * @param privileges the privileges being granted or revoked
 * @param privSubjectDesc the object the privileges apply to
 * @param grantor name of the principal recorded as grantor
 * @param grantorType principal type of {@code grantor}
 * @param grantOption whether the grantees may re-grant the privileges
 * @param isGrant true for GRANT, false for REVOKE
 * @return 0; failures are reported via exceptions, not the return code
 * @throws HiveException if the authorizer fails or rejects the operation
 */
private int grantOrRevokePrivileges(Hive db, List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException {
  HiveAuthorizer authorizer = getSessionAuthorizer(db);

  // Map parser-level descriptors onto the authorization plugin's model.
  List<HivePrincipal> grantees =
      AuthorizationUtils.getHivePrincipals(principals, getAuthorizationTranslator(authorizer));
  List<HivePrivilege> pluginPrivileges =
      AuthorizationUtils.getHivePrivileges(privileges, getAuthorizationTranslator(authorizer));
  HivePrivilegeObject target =
      getAuthorizationTranslator(authorizer).getHivePrivilegeObject(privSubjectDesc);
  HivePrincipal grantingPrincipal =
      new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType));

  if (!isGrant) {
    authorizer.revokePrivileges(grantees, pluginPrivileges, target, grantingPrincipal, grantOption);
  } else {
    authorizer.grantPrivileges(grantees, pluginPrivileges, target, grantingPrincipal, grantOption);
  }
  // Reaching here means the plugin did not throw; report success.
  return 0;
}
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal in project hive by apache.
the class DDLTask method writeGrantInfo.
/**
 * Renders a list of privilege grants as text, one grant per row.
 *
 * <p>Note that {@code privileges} is sorted <em>in place</em> (by object, then principal, then
 * privilege) so that the output is deterministic; callers see the reordered list afterwards.
 *
 * @param privileges grants to render; may be null or empty
 * @param testMode when true the grant-time column is written as -1 instead of the real
 *        timestamp, keeping test output stable
 * @return the rendered rows, or "" when there are no grants
 */
static String writeGrantInfo(List<HivePrivilegeInfo> privileges, boolean testMode) {
  if (privileges == null || privileges.isEmpty()) {
    return "";
  }

  // Deterministic ordering: object, then principal, then privilege. Sorts the caller's list.
  privileges.sort((left, right) -> {
    int byObject = left.getObject().compareTo(right.getObject());
    if (byObject != 0) {
      return byObject;
    }
    int byPrincipal = left.getPrincipal().compareTo(right.getPrincipal());
    if (byPrincipal != 0) {
      return byPrincipal;
    }
    return left.getPrivilege().compareTo(right.getPrivilege());
  });

  StringBuilder out = new StringBuilder();
  for (HivePrivilegeInfo info : privileges) {
    HivePrivilegeObject object = info.getObject();
    HivePrincipal grantee = info.getPrincipal();
    HivePrincipal grantedBy = info.getGrantorPrincipal();

    // The extra 'true' on the first column presumably marks the start of a row; see appendNonNull.
    appendNonNull(out, object.getDbname(), true);
    appendNonNull(out, object.getObjectName());
    appendNonNull(out, object.getPartKeys());
    appendNonNull(out, object.getColumns());
    appendNonNull(out, grantee.getName());
    appendNonNull(out, grantee.getType());
    appendNonNull(out, info.getPrivilege().getName());
    appendNonNull(out, info.isGrantOption());
    // Looks like getGrantTime() is in seconds and the column is milliseconds — confirm against callers.
    appendNonNull(out, testMode ? -1 : info.getGrantTime() * 1000L);
    appendNonNull(out, grantedBy.getName());
  }
  return out.toString();
}
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal in project hive by apache.
the class GrantPrivAuthUtils method checkRequiredPrivileges.
/**
 * Verifies that {@code userName} holds every privilege in {@code reqPrivileges} on
 * {@code hivePrivObject}, counting privileges held directly and through {@code curRoles}.
 *
 * @param reqPrivileges privileges the operation needs on the object
 * @param hivePrivObject the object being accessed
 * @param metastoreClient client used to read granted privileges from the metastore
 * @param userName the requesting user; reported as the denied principal
 * @param curRoles roles currently active for the user
 * @param isAdmin passed through to the metastore lookup (presumably admin-role membership)
 * @param opType the operation being authorized, included in the denial report
 * @throws HiveAuthzPluginException if the privilege lookup fails
 * @throws HiveAccessControlException if any required privilege is missing
 */
private static void checkRequiredPrivileges(RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, IMetaStoreClient metastoreClient, String userName, List<String> curRoles, boolean isAdmin, HiveOperationType opType) throws HiveAuthzPluginException, HiveAccessControlException {
  // Privileges the user holds on this object, directly or via roles.
  RequiredPrivileges granted = SQLAuthorizationUtils.getPrivilegesFromMetaStore(
      metastoreClient, userName, hivePrivObject, curRoles, isAdmin);

  // Required minus granted; each missing privilege becomes one denial message.
  Collection<SQLPrivTypeGrant> missing = reqPrivileges.findMissingPrivs(granted);
  List<String> denials = new ArrayList<>();
  SQLAuthorizationUtils.addMissingPrivMsg(missing, hivePrivObject, denials);

  // Presumably raises HiveAccessControlException when 'denials' is non-empty; otherwise a no-op.
  SQLAuthorizationUtils.assertNoDeniedPermissions(
      new HivePrincipal(userName, HivePrincipalType.USER), opType, denials);
}
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal in project hive by apache.
the class SQLAuthorizationUtils method getThriftPrivilegesBag.
/**
 * Builds the thrift {@link PrivilegeBag} describing a grant of every privilege in
 * {@code hivePrivileges} on {@code hivePrivObject} to every principal in {@code hivePrincipals}.
 *
 * <p>Each privilege is validated before anything is added to the bag: column-level privileges
 * are rejected outright, and the privilege name must appear (case-insensitively, {@code Locale.US})
 * in {@code SUPPORTED_PRIVS_SET}. One {@link PrivilegeGrantInfo} is created per privilege and
 * shared by all of that privilege's per-principal entries.
 *
 * @param hivePrincipals grantees; the bag gets one entry per (privilege, principal) pair
 * @param hivePrivileges privileges to grant; must be non-column, supported privileges
 * @param hivePrivObject the object the privileges apply to
 * @param grantorPrincipal principal recorded as the grantor in each entry
 * @param grantOption whether the grantees may re-grant
 * @return the populated privilege bag, ordered privilege-major then principal
 * @throws HiveAuthzPluginException if a privilege names columns or is not supported in SQL
 *         standard authorization mode
 */
static PrivilegeBag getThriftPrivilegesBag(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException {
  HiveObjectRef objectRef = getThriftHiveObjectRef(hivePrivObject);
  PrivilegeBag bag = new PrivilegeBag();

  for (HivePrivilege privilege : hivePrivileges) {
    // Reject unsupported shapes before any entry is added for this privilege.
    if (privilege.getColumns() != null && !privilege.getColumns().isEmpty()) {
      throw new HiveAuthzPluginException(
          "Privileges on columns not supported currently in sql standard authorization mode");
    }
    String normalizedName = privilege.getName().toUpperCase(Locale.US);
    if (!SUPPORTED_PRIVS_SET.contains(normalizedName)) {
      throw new HiveAuthzPluginException(
          "Privilege: " + privilege.getName() + " is not supported in sql standard authorization mode");
    }

    // A single grant-info record is shared by every principal receiving this privilege.
    PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, grantOption, 0);
    for (HivePrincipal grantee : hivePrincipals) {
      bag.addToPrivileges(new HiveObjectPrivilege(
          objectRef,
          grantee.getName(),
          AuthorizationUtils.getThriftPrincipalType(grantee.getType()),
          grantInfo));
    }
  }
  return bag;
}