Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType in project ranger by apache.
The getAccessType method of class RangerHivePlugin.
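/**
 * Derives the Ranger access type that must be authorized for one Hive privilege object
 * taking part in an operation.
 *
 * <p>URI objects are mapped purely by direction (READ for inputs, WRITE for outputs).
 * For every other object the object's {@code HivePrivObjectActionType} decides first:
 * INSERT / INSERT_OVERWRITE / UPDATE / DELETE always require UPDATE, while OTHER is
 * resolved from the Hive operation type by {@link #getAccessTypeForOtherAction}.
 *
 * <p>NOTE(review): the result {@code HiveAccessType.NONE} is believed to make the caller
 * skip the Ranger check for this object entirely — confirm against the caller. If so, any
 * {@code HiveOperationType} that is not listed in {@link #getAccessTypeForOtherAction}
 * is silently not authorized by Ranger, so new Hive operation types must be added there.
 *
 * @param hiveObj        the privilege object being accessed (must not be null)
 * @param hiveOpType     the Hive operation being executed
 * @param hiveObjectType the Ranger classification of {@code hiveObj}
 * @param isInput        true when {@code hiveObj} is read by the operation, false when it is written
 * @return the access type to authorize; NONE when no Ranger check is derived
 */
private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, HiveObjectType hiveObjectType, boolean isInput) {
    // URIs (e.g. S3 locations) are authorized by direction only: read => READ, write => WRITE
    if (hiveObjectType == HiveObjectType.URI) {
        return isInput ? HiveAccessType.READ : HiveAccessType.WRITE;
    }

    HiveAccessType accessType = HiveAccessType.NONE;

    switch (hiveObj.getActionType()) {
        case INSERT:
        case INSERT_OVERWRITE:
        case UPDATE:
        case DELETE:
            // any DML-style action on the object requires UPDATE, whatever the operation type
            accessType = HiveAccessType.UPDATE;
            break;
        case OTHER:
            accessType = getAccessTypeForOtherAction(hiveObj, hiveOpType, hiveObjectType, isInput);
            break;
        default:
            // no other action types are mapped; the object keeps NONE
            break;
    }

    return accessType;
}

/**
 * Resolves the access type for an object whose action type is OTHER, based on the Hive
 * operation being executed.
 *
 * <p>Operation types that are not listed (including the explicitly enumerated ones at the
 * end, such as role/grant management and session settings) yield NONE, i.e. no Ranger
 * check is derived from this object.
 *
 * @param hiveObj        the privilege object being accessed
 * @param hiveOpType     the Hive operation being executed
 * @param hiveObjectType the Ranger classification of {@code hiveObj}
 * @param isInput        true when the object is read by the operation, false when written
 * @return the access type to authorize, NONE when none applies
 */
private HiveAccessType getAccessTypeForOtherAction(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, HiveObjectType hiveObjectType, boolean isInput) {
    switch (hiveOpType) {
        case CREATEDATABASE:
            return hiveObj.getType() == HivePrivilegeObjectType.DATABASE ? HiveAccessType.CREATE : HiveAccessType.NONE;

        case CREATEFUNCTION:
            // a GLOBAL object (temporary function) needs TEMPUDFADMIN and takes precedence over CREATE
            if (hiveObjectType == HiveObjectType.GLOBAL) {
                return HiveAccessType.TEMPUDFADMIN;
            }
            return hiveObj.getType() == HivePrivilegeObjectType.FUNCTION ? HiveAccessType.CREATE : HiveAccessType.NONE;

        case CREATETABLE:
        case CREATEVIEW:
        case CREATETABLE_AS_SELECT:
        case CREATE_MATERIALIZED_VIEW:
            // a table/view read by the statement (e.g. the source of CTAS) needs SELECT; the one being created needs CREATE
            if (hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
                return isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
            }
            return HiveAccessType.NONE;

        case ALTERDATABASE:
        case ALTERDATABASE_LOCATION:
        case ALTERDATABASE_OWNER:
        case ALTERINDEX_PROPS:
        case ALTERINDEX_REBUILD:
        case ALTERPARTITION_BUCKETNUM:
        case ALTERPARTITION_FILEFORMAT:
        case ALTERPARTITION_LOCATION:
        case ALTERPARTITION_MERGEFILES:
        case ALTERPARTITION_PROTECTMODE:
        case ALTERPARTITION_SERDEPROPERTIES:
        case ALTERPARTITION_SERIALIZER:
        case ALTERTABLE_ADDCOLS:
        case ALTERTABLE_ADDPARTS:
        case ALTERTABLE_ARCHIVE:
        case ALTERTABLE_BUCKETNUM:
        case ALTERTABLE_CLUSTER_SORT:
        case ALTERTABLE_COMPACT:
        case ALTERTABLE_DROPPARTS:
        case ALTERTABLE_DROPCONSTRAINT:
        case ALTERTABLE_ADDCONSTRAINT:
        case ALTERTABLE_FILEFORMAT:
        case ALTERTABLE_LOCATION:
        case ALTERTABLE_MERGEFILES:
        case ALTERTABLE_PARTCOLTYPE:
        case ALTERTABLE_PROPERTIES:
        case ALTERTABLE_PROTECTMODE:
        case ALTERTABLE_RENAME:
        case ALTERTABLE_RENAMECOL:
        case ALTERTABLE_RENAMEPART:
        case ALTERTABLE_REPLACECOLS:
        case ALTERTABLE_SERDEPROPERTIES:
        case ALTERTABLE_SERIALIZER:
        case ALTERTABLE_SKEWED:
        case ALTERTABLE_TOUCH:
        case ALTERTABLE_UNARCHIVE:
        case ALTERTABLE_UPDATEPARTSTATS:
        case ALTERTABLE_UPDATETABLESTATS:
        case ALTERTABLE_UPDATECOLUMNS:
        case ALTERTBLPART_SKEWED_LOCATION:
        case ALTERVIEW_AS:
        case ALTERVIEW_PROPERTIES:
        case ALTERVIEW_RENAME:
        case ALTER_MATERIALIZED_VIEW_REWRITE:
        case DROPVIEW_PROPERTIES:
        case MSCK:
            return HiveAccessType.ALTER;

        case DROPFUNCTION:
        case DROPINDEX:
        case DROPTABLE:
        case DROPVIEW:
        case DROP_MATERIALIZED_VIEW:
        case DROPDATABASE:
            return HiveAccessType.DROP;

        case CREATEINDEX:
            return HiveAccessType.INDEX;

        case IMPORT:
            /*
             * Reached during a Hive IMPORT command only if a table is also being created as part
             * of the IMPORT. In that case the object appears in the output objects (isInput == false)
             * and the user must have CREATE permission on the database. During IMPORT a database is
             * never expected in the input object list, so the SELECT branch (isInput == true) is not
             * expected to be hit in practice.
             */
            return isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;

        case EXPORT:
        case LOAD:
            return isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;

        case LOCKDB:
        case LOCKTABLE:
        case UNLOCKDB:
        case UNLOCKTABLE:
            return HiveAccessType.LOCK;

        /*
         * SELECT access is required for many of these metadata operations because Hive does not
         * call back for filtering. Over time these should move to _any/USE access as Hive adds
         * support for filtering.
         */
        case QUERY:
        case SHOW_TABLESTATUS:
        case SHOW_CREATETABLE:
        case SHOWINDEXES:
        case SHOWPARTITIONS:
        case SHOW_TBLPROPERTIES:
        case ANALYZE_TABLE:
            return HiveAccessType.SELECT;

        case SHOWCOLUMNS:
        case DESCTABLE:
            return getDescribeShowTableAccessType();

        // USE (any access) for metadata operations that Hive does support filtering for
        case SHOWDATABASES:
        case SWITCHDATABASE:
        case DESCDATABASE:
        case SHOWTABLES:
        case SHOWVIEWS:
            return HiveAccessType.USE;

        case TRUNCATETABLE:
            return HiveAccessType.UPDATE;

        case GRANT_PRIVILEGE:
        case REVOKE_PRIVILEGE:
            // the access check for grant/revoke is performed on the ranger-admin side
            return HiveAccessType.NONE;

        case REPLDUMP:
        case REPLLOAD:
        case REPLSTATUS:
            return HiveAccessType.REPLADMIN;

        case KILL_QUERY:
        case CREATE_RESOURCEPLAN:
        case SHOW_RESOURCEPLAN:
        case ALTER_RESOURCEPLAN:
        case DROP_RESOURCEPLAN:
        case CREATE_TRIGGER:
        case ALTER_TRIGGER:
        case DROP_TRIGGER:
        case CREATE_POOL:
        case ALTER_POOL:
        case DROP_POOL:
        case CREATE_MAPPING:
        case ALTER_MAPPING:
        case DROP_MAPPING:
        case LLAP_CACHE_PURGE:
        case LLAP_CLUSTER_INFO:
            return HiveAccessType.SERVICEADMIN;

        case ADD:
        case COMPILE:
            return HiveAccessType.TEMPUDFADMIN;

        // deliberately not mapped to any Ranger access type
        case DELETE:
        case CREATEMACRO:
        case CREATEROLE:
        case DESCFUNCTION:
        case DFS:
        case DROPMACRO:
        case DROPROLE:
        case EXPLAIN:
        case GRANT_ROLE:
        case REVOKE_ROLE:
        case RESET:
        case SET:
        case SHOWCONF:
        case SHOWFUNCTIONS:
        case SHOWLOCKS:
        case SHOW_COMPACTIONS:
        case SHOW_GRANT:
        case SHOW_ROLES:
        case SHOW_ROLE_GRANT:
        case SHOW_ROLE_PRINCIPALS:
        case SHOW_TRANSACTIONS:
            return HiveAccessType.NONE;

        default:
            // NOTE(review): an operation type added to Hive but not listed here ends up with NONE,
            // i.e. no Ranger check is derived for it — revisit this list when upgrading Hive.
            return HiveAccessType.NONE;
    }
}

/**
 * Resolves the access type for SHOWCOLUMNS / DESCTABLE from the plugin's
 * {@code DescribeShowTableAuth} option (compared case-insensitively).
 *
 * <p>"show-allowed", "none" and "" (as well as an unset option) require SELECT, so the
 * column-level filter can hide columns the user may not access; "show-all" requires only
 * USE. Any other value yields NONE.
 *
 * @return the access type to authorize for a describe/show-columns operation
 */
private HiveAccessType getDescribeShowTableAccessType() {
    String option = StringUtil.toLower(hivePlugin.DescribeShowTableAuth);

    // an unset option is treated like "none" (the conservative SELECT mapping) instead of
    // throwing from the switch; NOTE(review): confirm whether the plugin always initializes it
    if (option == null) {
        return HiveAccessType.SELECT;
    }

    switch (option) {
        case "show-allowed":
            // SELECT on SHOWCOLUMNS/DESCTABLE lets Ranger filter the columns the user is allowed to see
        case "none":
        case "":
            return HiveAccessType.SELECT;
        case "show-all":
            return HiveAccessType.USE;
        default:
            // unrecognized option value: no access type is derived
            return HiveAccessType.NONE;
    }
}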