
Example 6 with HivePrivilegeInfo

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project hive by apache.

From class DDLTask, method writeGrantInfo.

/**
 * Renders the result of {@code SHOW GRANT}: one line per privilege, each column emitted through
 * {@code appendNonNull} (defined elsewhere in DDLTask; the {@code true} flag on the first column
 * presumably starts a new row — see that helper).
 *
 * <p>The given list is sorted <em>in place</em> (object, then principal, then privilege) so the
 * output is deterministic; callers must not rely on the list's original order afterwards.
 *
 * @param privileges privileges to render; {@code null} or empty yields {@code ""}
 * @param testMode   when {@code true} the grant-time column is written as {@code -1} so test
 *                   output does not depend on wall-clock time
 * @return the rendered rows, or the empty string when there is nothing to render
 */
static String writeGrantInfo(List<HivePrivilegeInfo> privileges, boolean testMode) {
    if (privileges == null || privileges.isEmpty()) {
        return "";
    }
    // Deterministic ordering for reproducible output (and easier testing).
    Collections.sort(privileges, (left, right) -> {
        int order = left.getObject().compareTo(right.getObject());
        if (order != 0) {
            return order;
        }
        order = left.getPrincipal().compareTo(right.getPrincipal());
        if (order != 0) {
            return order;
        }
        return left.getPrivilege().compareTo(right.getPrivilege());
    });
    StringBuilder out = new StringBuilder();
    for (HivePrivilegeInfo info : privileges) {
        HivePrincipal grantee = info.getPrincipal();
        HivePrivilegeObject object = info.getObject();
        HivePrincipal grantor = info.getGrantorPrincipal();
        appendNonNull(out, object.getDbname(), true);
        appendNonNull(out, object.getObjectName());
        appendNonNull(out, object.getPartKeys());
        appendNonNull(out, object.getColumns());
        appendNonNull(out, grantee.getName());
        appendNonNull(out, grantee.getType());
        appendNonNull(out, info.getPrivilege().getName());
        appendNonNull(out, info.isGrantOption());
        // The stored grant time is scaled by 1000 here — presumably seconds to milliseconds.
        long grantTime = testMode ? -1 : info.getGrantTime() * 1000L;
        appendNonNull(out, grantTime);
        appendNonNull(out, grantor.getName());
    }
    return out.toString();
}
Also used : HivePrivilegeInfo(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Example 7 with HivePrivilegeInfo

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project hive by apache.

From class ShowGrantOperation, method execute.

/**
 * Executes {@code SHOW GRANT}: asks the session authorizer for the privileges matching the
 * requested principal and/or object, renders them with {@code writeGrantInfo} and writes the
 * result to the statement's result file.
 *
 * @return {@code 0} on success
 * @throws HiveException if the result file cannot be written (wraps the {@link IOException})
 */
@Override
public int execute() throws HiveException {
    HiveAuthorizer authorizer = PrivilegeUtils.getSessionAuthorizer(context.getConf());
    // In-test mode the rendered grant time is fixed to -1 for reproducible output.
    boolean testMode = context.getConf().getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
    try {
        List<HivePrivilegeInfo> grants = authorizer.showPrivileges(
                PrivilegeUtils.getAuthorizationTranslator(authorizer).getHivePrincipal(desc.getPrincipalDesc()),
                PrivilegeUtils.getAuthorizationTranslator(authorizer).getHivePrivilegeObject(desc.getHiveObj()));
        String rendered = writeGrantInfo(grants, testMode);
        ShowUtils.writeToFile(rendered, desc.getResFile(), context);
    } catch (IOException e) {
        throw new HiveException("Error in show grant statement", e);
    }
    return 0;
}
Also used : HiveAuthorizer(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer) HivePrivilegeInfo(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo) HiveException(org.apache.hadoop.hive.ql.metadata.HiveException) IOException(java.io.IOException)

Example 8 with HivePrivilegeInfo

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project ranger by apache.

From class RangerHivePlugin, method getHivePrivilegeInfos.

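/**
 * Answers a {@code SHOW GRANT} request from Ranger's view of a resource: the ACLs Ranger computes
 * for the object named by {@code privObj} are converted to Hive privileges and reported as
 * {@link HivePrivilegeInfo} entries.
 *
 * <p>Behaviour by request shape:
 * <ul>
 *   <li>no database in the object reference, or no ACLs for it: empty result;</li>
 *   <li>{@code principal} of type {@code USER}: that user's own ACLs plus the ACLs of each group
 *       returned by {@code getPrincipalGroup}, all reported under the user principal;</li>
 *   <li>{@code principal} of type {@code ROLE}: the role's ACLs;</li>
 *   <li>{@code principal == null}: every user, group and role that holds an ACL on the resource.</li>
 * </ul>
 * A {@code GROUP} principal is not handled and yields an empty result (pre-existing behaviour,
 * left unchanged here).
 *
 * @param principal principal to report on, or {@code null} for all principals
 * @param privObj   the resource being queried
 * @return the matching privileges; never {@code null}
 * @throws HiveAuthzPluginException if any step fails; the cause is preserved and its message
 *                                  is copied into the new message
 */
private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    List<HivePrivilegeInfo> ret = new ArrayList<>();
    try {
        HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
        // ACLs can only be resolved when the request names a database (and optionally an object).
        if (msObjRef == null || msObjRef.getDbName() == null) {
            return ret;
        }
        HivePrivilegeObject.HivePrivilegeObjectType objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
        String dbName = msObjRef.getDbName();
        String objectName = msObjRef.getObjectName();
        String columnName = (msObjRef.getColumnName() == null) ? "" : msObjRef.getColumnName();
        List<String> partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();

        RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(new HivePrivilegeObject(objectType, dbName, objectName));
        if (rangerResourceACLs == null) {
            return ret;
        }
        Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> roleRangerACLs = rangerResourceACLs.getRoleACLs();
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = convertRangerACLsToHiveACLs(userRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = convertRangerACLsToHiveACLs(roleRangerACLs);

        if (principal != null) {
            if (principal.getType() == HivePrincipal.HivePrincipalType.USER) {
                String user = principal.getName();
                addPrivilegeInfos(ret, principal, user, userPermissions, userRangerACLs,
                        objectType, dbName, objectName, columnName, partValues);
                // Group-derived ACLs are attributed to the user principal being queried.
                for (String group : getPrincipalGroup(user)) {
                    addPrivilegeInfos(ret, principal, group, groupPermissions, groupRangerACLs,
                            objectType, dbName, objectName, columnName, partValues);
                }
            } else if (principal.getType() == HivePrincipal.HivePrincipalType.ROLE) {
                addPrivilegeInfos(ret, principal, principal.getName(), rolePermissions, roleRangerACLs,
                        objectType, dbName, objectName, columnName, partValues);
            }
        } else {
            // Request is for all the ACLs on a resource.
            for (String user : userRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER), user,
                        userPermissions, userRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
            for (String group : groupRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP), group,
                        groupPermissions, groupRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
            for (String role : roleRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(role, HivePrincipal.HivePrincipalType.ROLE), role,
                        rolePermissions, roleRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
        }
    } catch (Exception e) {
        // Boundary catch: the helpers above may throw checked exceptions (thrift translation,
        // policy lookup); wrap them for the Hive plugin API, keeping the cause.
        throw new HiveAuthzPluginException("hive showPrivileges: " + e.getMessage(), e);
    }
    return ret;
}

/**
 * Appends one {@link HivePrivilegeInfo} per Hive privilege that {@code key} holds on the resource,
 * attributed to {@code reportedPrincipal}.
 *
 * <p>{@code key} is looked up in {@code permissions} (Hive-side ACLs) and, if present, in
 * {@code rangerACLs} (the Ranger access results the policy is resolved from). Privileges whose
 * Ranger policy cannot be resolved ({@code getRangerPolicy} returns {@code null}) are skipped.
 *
 * @param ret               list to append to
 * @param reportedPrincipal principal recorded on each created entry
 * @param key               user, group or role name to look up
 * @param permissions       Hive privileges keyed by principal name
 * @param rangerACLs        Ranger access results keyed by principal name
 */
private void addPrivilegeInfos(List<HivePrivilegeInfo> ret, HivePrincipal reportedPrincipal, String key,
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> permissions,
        Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs,
        HivePrivilegeObject.HivePrivilegeObjectType objectType, String dbName, String objectName,
        String columnName, List<String> partValues) {
    Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> acls = permissions.get(key);
    if (acls == null) {
        return;
    }
    Map<String, RangerResourceACLs.AccessResult> accessResult = rangerACLs.get(key);
    for (HiveResourceACLs.Privilege acl : acls.keySet()) {
        RangerPolicy policy = getRangerPolicy(accessResult, acl.name());
        if (policy == null) {
            continue;
        }
        String aclName = getPermission(acl, accessResult, policy);
        ret.add(createHivePrivilegeInfo(reportedPrincipal, objectType, dbName, objectName, columnName, partValues, aclName, policy));
    }
}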
Also used : HivePrivilegeInfo(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo) HivePrivilegeObjectType(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType) HiveObjectRef(org.apache.hadoop.hive.metastore.api.HiveObjectRef) ArrayList(java.util.ArrayList) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject) HiveResourceACLs(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) IOException(java.io.IOException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerResourceACLs(org.apache.ranger.plugin.policyengine.RangerResourceACLs) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) HivePrivilege(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege) Map(java.util.Map) HashMap(java.util.HashMap)

Example 9 with HivePrivilegeInfo

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project ranger by apache.

From class RangerHivePlugin, method createHivePrivilegeInfo.

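/**
 * Builds the {@link HivePrivilegeInfo} reported for one access type a principal holds on a
 * resource, using the Ranger policy that grants it.
 *
 * <p>The policy's items are scanned for one that both carries {@code aclName} (compared
 * case-insensitively) and lists the principal's name in its users or groups; the creation time
 * and delegate-admin flag are taken from the last such item, and stay at their defaults
 * ({@code 0} / {@code false}) when no item matches. Only an item's user and group lists are
 * consulted, so a principal whose name is carried elsewhere in the item (e.g. a role) keeps the
 * defaults. The grantor is always {@code DEFAULT_RANGER_POLICY_GRANTOR}.
 *
 * @param hivePrincipal principal the privilege is reported for
 * @param objectType    type of the resource
 * @param dbName        database of the resource
 * @param objectName    object name within the database
 * @param columnName    column name, or the empty string
 * @param partValues    partition values, possibly empty
 * @param aclName       access type name; must not be {@code null}
 * @param policy        the Ranger policy the access was resolved from
 * @return the privilege entry; never {@code null}
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal, HivePrivilegeObject.HivePrivilegeObjectType objectType, String dbName, String objectName, String columnName, List<String> partValues, String aclName, RangerPolicy policy) {
    // Locale-independent lowering: the default locale (e.g. Turkish) can alter "I"/"i" mappings
    // and silently stop an access type from matching.
    String wantedAccess = aclName.toLowerCase(java.util.Locale.ROOT);
    String principalName = hivePrincipal.getName();
    int creationDate = 0;
    boolean delegateAdmin = false;
    for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
        if (!itemGrantsAccess(policyItem, wantedAccess)) {
            continue;
        }
        if (!policyItem.getUsers().contains(principalName) && !policyItem.getGroups().contains(principalName)) {
            continue;
        }
        // Policy creation time is stored in seconds; a later matching item overrides an earlier one.
        if (policy.getCreateTime() != null) {
            creationDate = (int) (policy.getCreateTime().getTime() / 1000);
        }
        if (policyItem.getDelegateAdmin() != null) {
            delegateAdmin = policyItem.getDelegateAdmin();
        }
    }
    HivePrincipal grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
    HivePrivilegeObject privilegeObject = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
    HivePrivilege privilege = new HivePrivilege(aclName, null);
    return new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
}

/**
 * Returns whether {@code policyItem} has an access entry whose type equals {@code accessType}.
 *
 * @param policyItem the policy item to inspect
 * @param accessType access type to look for; must not be {@code null}
 * @return {@code true} if some access entry of the item has exactly that type
 */
private boolean itemGrantsAccess(RangerPolicy.RangerPolicyItem policyItem, String accessType) {
    for (RangerPolicy.RangerPolicyItemAccess access : policyItem.getAccesses()) {
        if (accessType.equals(access.getType())) {
            return true;
        }
    }
    return false;
}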
Also used : HivePrivilegeInfo(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo) HivePrivilege(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege) ArrayList(java.util.ArrayList) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) HivePrincipal(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal)

Aggregations

HivePrivilegeInfo (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo)9 HivePrincipal (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal)6 HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)6 IOException (java.io.IOException)4 ArrayList (java.util.ArrayList)4 HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef)4 HivePrivilege (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege)4 HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException)3 HiveAuthzPluginException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException)3 HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege)2 PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo)2 HiveException (org.apache.hadoop.hive.ql.metadata.HiveException)2 SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException)2 HiveAuthorizer (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer)2 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)2 HashMap (java.util.HashMap)1 Map (java.util.Map)1 IMetaStoreClient (org.apache.hadoop.hive.metastore.IMetaStoreClient)1 MetaException (org.apache.hadoop.hive.metastore.api.MetaException)1 PrincipalType (org.apache.hadoop.hive.metastore.api.PrincipalType)1