Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project hive by apache.
The class DDLTask, method writeGrantInfo.
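/**
 * Renders a list of privileges as the rows written for SHOW GRANT.
 *
 * <p>Rows are emitted in a deterministic order (by object, then principal, then
 * privilege) so the output is stable across runs and easy to compare in tests. The
 * caller's list is never modified: the sort is done on a private copy, which also
 * keeps this method safe to call with an unmodifiable list.
 *
 * @param privileges the privileges to render; {@code null} or empty yields {@code ""}
 * @param testMode when {@code true} the grant-time column is replaced by {@code -1}
 *     so the output does not vary with the wall clock
 * @return the rendered rows, or an empty string when there is nothing to show
 */
static String writeGrantInfo(List<HivePrivilegeInfo> privileges, boolean testMode) {
    if (privileges == null || privileges.isEmpty()) {
        return "";
    }
    // Sort a copy: the argument may be unmodifiable, and callers should not observe
    // the reordering. Fully qualified so no additional import is needed here.
    List<HivePrivilegeInfo> sorted = new java.util.ArrayList<>(privileges);
    Collections.sort(sorted, new Comparator<HivePrivilegeInfo>() {
        @Override
        public int compare(HivePrivilegeInfo o1, HivePrivilegeInfo o2) {
            int compare = o1.getObject().compareTo(o2.getObject());
            if (compare == 0) {
                compare = o1.getPrincipal().compareTo(o2.getPrincipal());
            }
            if (compare == 0) {
                compare = o1.getPrivilege().compareTo(o2.getPrivilege());
            }
            return compare;
        }
    });
    StringBuilder builder = new StringBuilder();
    for (HivePrivilegeInfo privilege : sorted) {
        HivePrincipal principal = privilege.getPrincipal();
        HivePrivilegeObject resource = privilege.getObject();
        HivePrincipal grantor = privilege.getGrantorPrincipal();
        // Column order is part of the SHOW GRANT output format; keep it stable.
        appendNonNull(builder, resource.getDbname(), true);
        appendNonNull(builder, resource.getObjectName());
        appendNonNull(builder, resource.getPartKeys());
        appendNonNull(builder, resource.getColumns());
        appendNonNull(builder, principal.getName());
        appendNonNull(builder, principal.getType());
        appendNonNull(builder, privilege.getPrivilege().getName());
        appendNonNull(builder, privilege.isGrantOption());
        // The stored grant time is scaled by 1000 (presumably seconds -> millis);
        // in test mode a fixed -1 is written instead.
        appendNonNull(builder, testMode ? -1 : privilege.getGrantTime() * 1000L);
        appendNonNull(builder, grantor.getName());
    }
    return builder.toString();
}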
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project hive by apache.
The class ShowGrantOperation, method execute.
/**
 * Runs SHOW GRANT: asks the session authorizer for the privileges matching the
 * descriptor's principal and object, renders them and writes the result to the
 * descriptor's result file.
 *
 * @return {@code 0} on success
 * @throws HiveException if the result file cannot be written
 */
@Override
public int execute() throws HiveException {
    HiveAuthorizer authorizer = PrivilegeUtils.getSessionAuthorizer(context.getConf());
    // In test mode writeGrantInfo reports -1 instead of the real grant time.
    boolean testMode = context.getConf().getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
    try {
        HivePrincipal principal =
            PrivilegeUtils.getAuthorizationTranslator(authorizer).getHivePrincipal(desc.getPrincipalDesc());
        HivePrivilegeObject object =
            PrivilegeUtils.getAuthorizationTranslator(authorizer).getHivePrivilegeObject(desc.getHiveObj());
        List<HivePrivilegeInfo> privileges = authorizer.showPrivileges(principal, object);
        String rendered = writeGrantInfo(privileges, testMode);
        ShowUtils.writeToFile(rendered, desc.getResFile(), context);
    } catch (IOException e) {
        throw new HiveException("Error in show grant statement", e);
    }
    return 0;
}
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project ranger by apache.
The class RangerHivePlugin, method getHivePrivilegeInfos.
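/**
 * Builds the SHOW GRANT rows for a resource from the Ranger ACLs that apply to it.
 *
 * <p>Nothing is returned unless the request names a resource (the Thrift object
 * reference carries a database name) and Ranger has ACLs for it. When a principal is
 * given, only that principal's rows are produced: for a USER, the user's own ACLs
 * followed by the ACLs of each group the user belongs to; for a ROLE, the role's ACLs.
 * NOTE(review): a GROUP principal produces no rows here — confirm this is intended.
 * Without a principal, rows for every user, then every group, then every role holding
 * an ACL on the resource are produced.
 *
 * @param principal the principal named in the request, or {@code null} for all ACLs
 * @param privObj the resource named in the request
 * @return the matching privileges; never {@code null}
 * @throws HiveAuthzPluginException if any step fails; the original cause is kept
 */
private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    List<HivePrivilegeInfo> ret = new ArrayList<>();
    try {
        HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
        if (msObjRef == null || msObjRef.getDbName() == null) {
            // No resource named: nothing to report.
            return ret;
        }
        // When a resource is specified in SHOW GRANT, the ACLs are those of that resource.
        HivePrivilegeObject.HivePrivilegeObjectType objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
        String dbName = msObjRef.getDbName();
        String objectName = msObjRef.getObjectName();
        String columnName = (msObjRef.getColumnName() == null) ? "" : msObjRef.getColumnName();
        List<String> partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();

        RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(new HivePrivilegeObject(objectType, dbName, objectName));
        if (rangerResourceACLs == null) {
            return ret;
        }
        Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> roleRangerACLs = rangerResourceACLs.getRoleACLs();
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = convertRangerACLsToHiveACLs(userRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = convertRangerACLsToHiveACLs(roleRangerACLs);

        if (principal != null) {
            if (principal.getType() == HivePrincipal.HivePrincipalType.USER) {
                String user = principal.getName();
                addPrivileges(ret, principal, user, userPermissions, userRangerACLs,
                        objectType, dbName, objectName, columnName, partValues);
                // ACLs held through group membership are reported against the user principal itself.
                for (String group : getPrincipalGroup(user)) {
                    addPrivileges(ret, principal, group, groupPermissions, groupRangerACLs,
                            objectType, dbName, objectName, columnName, partValues);
                }
            } else if (principal.getType() == HivePrincipal.HivePrincipalType.ROLE) {
                addPrivileges(ret, principal, principal.getName(), rolePermissions, roleRangerACLs,
                        objectType, dbName, objectName, columnName, partValues);
            }
            // NOTE(review): any other principal type (GROUP) yields no rows — confirm intended.
        } else {
            // Request is for all the ACLs on a resource: every user, then group, then role.
            for (String user : userRangerACLs.keySet()) {
                addPrivileges(ret, new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER), user,
                        userPermissions, userRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
            for (String group : groupRangerACLs.keySet()) {
                addPrivileges(ret, new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP), group,
                        groupPermissions, groupRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
            for (String role : roleRangerACLs.keySet()) {
                addPrivileges(ret, new HivePrincipal(role, HivePrincipal.HivePrincipalType.ROLE), role,
                        rolePermissions, roleRangerACLs, objectType, dbName, objectName, columnName, partValues);
            }
        }
    } catch (Exception e) {
        // Plugin boundary: every failure surfaces to Hive as a plugin exception with the cause attached.
        throw new HiveAuthzPluginException("hive showPrivileges" + ": " + e.getMessage(), e);
    }
    return ret;
}

/**
 * Appends to {@code ret} one row per privilege that {@code name} holds on the resource
 * and for which the granting Ranger policy can be found; rows are reported against
 * {@code rowPrincipal}.
 *
 * @param ret the rows collected so far; appended to in place
 * @param rowPrincipal the principal the rows are reported for (may differ from
 *     {@code name}, e.g. a user's rows derived from one of its groups)
 * @param name the user, group or role key looked up in both ACL maps
 * @param hivePermissions the Hive-side ACLs, keyed by user/group/role name
 * @param rangerACLs the Ranger ACLs the Hive-side ones were converted from, same keys
 * @param objectType the resource type of the SHOW GRANT target
 * @param dbName the target database name
 * @param objectName the target object name
 * @param columnName the target column name, or {@code ""} when none
 * @param partValues the target partition values, possibly empty
 */
private void addPrivileges(List<HivePrivilegeInfo> ret, HivePrincipal rowPrincipal, String name,
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> hivePermissions,
        Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs,
        HivePrivilegeObject.HivePrivilegeObjectType objectType, String dbName, String objectName,
        String columnName, List<String> partValues) {
    Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> acls = hivePermissions.get(name);
    if (acls == null) {
        return;
    }
    Map<String, RangerResourceACLs.AccessResult> accessResult = rangerACLs.get(name);
    for (HiveResourceACLs.Privilege acl : acls.keySet()) {
        RangerPolicy policy = getRangerPolicy(accessResult, acl.name());
        // Privileges without a resolvable policy are skipped, as before.
        if (policy != null) {
            String aclName = getPermission(acl, accessResult, policy);
            ret.add(createHivePrivilegeInfo(rowPrincipal, objectType, dbName, objectName, columnName, partValues, aclName, policy));
        }
    }
}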
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo in project ranger by apache.
The class RangerHivePlugin, method createHivePrivilegeInfo.
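/**
 * Builds one SHOW GRANT row for {@code aclName} on the given resource, taking the grant
 * time and the grant-option flag from the Ranger policy the privilege comes from.
 *
 * <p>The policy items are scanned for one that carries the access type and lists the
 * principal's name among its users or groups; when several match, the last one wins.
 * When none matches, the row reports a grant time of {@code 0} and no grant option.
 * NOTE(review): the principal's name is compared against both the users and the groups
 * of an item, so a row produced for a user from a group-scoped policy may match no item
 * and fall back to those defaults — confirm this is intended.
 *
 * <p>The grantor column is always the fixed {@code DEFAULT_RANGER_POLICY_GRANTOR} user.
 *
 * @param hivePrincipal the principal the row is reported for
 * @param objectType the resource type
 * @param dbName the database name
 * @param objectName the object name
 * @param columnName the column name, or {@code ""} when none
 * @param partValues the partition values, possibly empty
 * @param aclName the privilege name; compared lower-cased against the item access types
 * @param policy the Ranger policy the privilege comes from
 * @return the privilege row; never {@code null}
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal, HivePrivilegeObject.HivePrivilegeObjectType objectType, String dbName, String objectName, String columnName, List<String> partValues, String aclName, RangerPolicy policy) {
    // Use a fixed locale for the case fold: the default locale can change how letters
    // such as 'I' are lower-cased, which would silently break the access-type match.
    String wantedAccess = aclName.toLowerCase(java.util.Locale.ROOT);
    int creationDate = 0;
    boolean delegateAdmin = false;
    for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
        if (!grantsAccess(policyItem, wantedAccess)) {
            continue;
        }
        List<String> users = policyItem.getUsers();
        List<String> groups = policyItem.getGroups();
        if (users.contains(hivePrincipal.getName()) || groups.contains(hivePrincipal.getName())) {
            if (policy.getCreateTime() != null) {
                // Policy create time is in millis; HivePrivilegeInfo takes whole seconds as int.
                creationDate = (int) (policy.getCreateTime().getTime() / 1000);
            }
            if (policyItem.getDelegateAdmin() != null) {
                delegateAdmin = policyItem.getDelegateAdmin().booleanValue();
            }
        }
    }
    HivePrincipal grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
    HivePrivilegeObject privilegeObject = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
    HivePrivilege privilege = new HivePrivilege(aclName, null);
    return new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
}

/**
 * Returns whether {@code policyItem} carries an access whose type equals {@code access}
 * (already lower-cased by the caller).
 */
private static boolean grantsAccess(RangerPolicy.RangerPolicyItem policyItem, String access) {
    for (RangerPolicy.RangerPolicyItemAccess itemAccess : policyItem.getAccesses()) {
        if (access.equals(itemAccess.getType())) {
            return true;
        }
    }
    return false;
}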