
Example 6 with HivePrivilegeObjectType

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType in project hive by apache.

Class TableFilterContext, method getInputHObjs:

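/**
 * Builds the {@link HivePrivilegeObject}s describing the tables this filter context covers,
 * one {@code TABLE_OR_VIEW} object per table, with action type {@code OTHER}.
 *
 * <p>Two sources are supported. When {@code tables} is non-null each metastore {@code Table}
 * is used and its owner / owner type is carried into the privilege object. Otherwise
 * {@code tableNames} is iterated and every name is qualified with {@code dbName}; that path
 * carries no owner information, so owner-aware authorization rules cannot match those
 * objects. NOTE(review): confirm this asymmetry between the two paths is intended.
 *
 * <p>{@code tableNames} is assumed to be non-null whenever {@code tables} is null; a null
 * {@code tableNames} fails with a {@link NullPointerException} rather than silently yielding
 * nothing to authorize.
 *
 * @return a new, possibly empty list of privilege objects (never null)
 */
private List<HivePrivilegeObject> getInputHObjs() {
    LOG.debug("==> TableFilterContext.getInputHObjs()");

    // Both values are the same for every object produced here, so hoist them out of the loops.
    final HivePrivilegeObjectType type = HivePrivilegeObjectType.TABLE_OR_VIEW;
    final HivePrivObjectActionType objectActionType = HivePrivilegeObject.HivePrivObjectActionType.OTHER;

    List<HivePrivilegeObject> ret = new ArrayList<>();
    if (tables != null) {
        for (Table table : tables) {
            // Owner and owner type come from the metastore table object.
            ret.add(new HivePrivilegeObject(type, table.getDbName(), table.getTableName(), null, null,
                    objectActionType, null, null, table.getOwner(), table.getOwnerType()));
        }
    } else {
        for (String tableName : tableNames) {
            // Name-only path: no owner information is available for these objects.
            ret.add(new HivePrivilegeObject(type, dbName, tableName, null, null, objectActionType, null, null));
        }
    }

    // Guarded so the list is not rendered to a string unless debug logging is on.
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== TableFilterContext.getInputHObjs(): ret=" + ret);
    }
    return ret;
}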

Example 7 with HivePrivilegeObjectType

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType in project hive by apache.

Class CommandAuthorizerV2, method addHivePrivObject:

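/**
 * Translates one query {@link Entity} into the {@link HivePrivilegeObject}(s) the authorization
 * plugin will be asked about and appends them to {@code hivePrivObjs}.
 *
 * <p>Most entity types map to exactly one privilege object. A {@code TABLE} backed by a storage
 * handler additionally contributes a {@code STORAGEHANDLER_URI} object for CREATE TABLE, CTAS and
 * ALTER TABLE PROPERTIES, so the authorizer can decide on the external location as well as on the
 * table; that URI object is added before the table object itself. {@code PARTITION} and
 * {@code DUMMYPARTITION} entities are currently skipped and contribute nothing.
 *
 * @param privObject     the read/write entity to translate
 * @param tableName2Cols optional map from complete table name ({@code db.table}) to the columns
 *                       touched; {@code null} means no column-level information is available
 * @param hivePrivObjs   output list that receives the created objects
 * @param hiveOpType     the operation being authorized; only consulted for storage handlers
 * @throws HiveException  if the storage handler cannot produce a URI for authorization
 * @throws AssertionError if the entity type is not one this method knows how to translate
 */
private static void addHivePrivObject(Entity privObject, Map<String, List<String>> tableName2Cols, List<HivePrivilegeObject> hivePrivObjs, HiveOperationType hiveOpType) throws HiveException {
    HivePrivilegeObjectType privObjType = AuthorizationUtils.getHivePrivilegeObjectType(privObject.getType());
    HivePrivObjectActionType actionType = AuthorizationUtils.getActionType(privObject);
    HivePrivilegeObject hivePrivObject = null;
    switch(privObject.getType()) {
        case DATABASE:
            Database database = privObject.getDatabase();
            hivePrivObject = new HivePrivilegeObject(privObjType, database.getName(), null, null, null, actionType, null, null, database.getOwnerName(), database.getOwnerType());
            break;
        case TABLE:
            Table table = privObject.getTable();
            // Column-level information is keyed by the complete "db.table" name.
            List<String> columns = tableName2Cols == null ? null : tableName2Cols.get(Table.getCompleteName(table.getDbName(), table.getTableName()));
            hivePrivObject = new HivePrivilegeObject(privObjType, table.getDbName(), table.getTableName(), null, columns, actionType, null, null, table.getOwner(), table.getOwnerType());
            if (table.getStorageHandler() != null) {
                // TODO: add hive privilege object for storage based handlers for create and alter table commands.
                if (hiveOpType == HiveOperationType.CREATETABLE || hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES || hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
                    try {
                        String storageUri = table.getStorageHandler().getURIForAuth(table.getTTable()).toString();
                        // The handler class name travels in the className slot so policies can key on it.
                        hivePrivObjs.add(new HivePrivilegeObject(HivePrivilegeObjectType.STORAGEHANDLER_URI, null, storageUri, null, null, actionType, null, table.getStorageHandler().getClass().getName(), table.getOwner(), table.getOwnerType()));
                    } catch (Exception ex) {
                        LOG.error("Exception occurred while getting the URI from storage handler: " + ex.getMessage(), ex);
                        // Keep the original exception as the cause so the root failure is not lost on the way up.
                        throw new HiveException("Exception occurred while getting the URI from storage handler: " + ex.getMessage(), ex);
                    }
                }
            }
            break;
        case DFS_DIR:
        case LOCAL_DIR:
            // The path is passed through as given; any normalization is left to the authorizer.
            hivePrivObject = new HivePrivilegeObject(privObjType, null, privObject.getD().toString(), null, null, actionType, null, null, null, null);
            break;
        case FUNCTION:
            // Temporary functions have no database.
            String dbName = privObject.getDatabase() != null ? privObject.getDatabase().getName() : null;
            hivePrivObject = new HivePrivilegeObject(privObjType, dbName, privObject.getFunctionName(), null, null, actionType, null, privObject.getClassName(), null, null);
            break;
        case DUMMYPARTITION:
        case PARTITION:
            // TODO: not currently handled
            return;
        case SERVICE_NAME:
            hivePrivObject = new HivePrivilegeObject(privObjType, null, privObject.getServiceName(), null, null, actionType, null, null, null, null);
            break;
        case DATACONNECTOR:
            DataConnector connector = privObject.getDataConnector();
            hivePrivObject = new HivePrivilegeObject(privObjType, null, connector.getName(), null, null, actionType, null, null, connector.getOwnerName(), connector.getOwnerType());
            break;
        default:
            throw new AssertionError("Unexpected object type");
    }
    hivePrivObjs.add(hivePrivObject);
}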

Example 8 with HivePrivilegeObjectType

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType in project ranger by apache.

Class RangerHivePlugin, method createHiveResource:

/**
 * Maps a Hive privilege object onto the {@link RangerHiveResource} that Ranger policies are
 * evaluated against.
 *
 * <p>Only {@code DATABASE}, {@code TABLE_OR_VIEW} and single-column {@code COLUMN} objects are
 * translated. Anything else, including a {@code COLUMN} object listing zero or several columns,
 * is logged at WARN and yields {@code null}, which callers must treat as "nothing to authorize"
 * rather than as an allow. For tables and columns the owner is resolved via {@code setOwnerUser}.
 * A {@code null} object type is not tolerated: the switch throws {@link NullPointerException}.
 *
 * @param privilegeObject the Hive object to translate
 * @param metaStoreClient client used to resolve the table owner
 * @return the resource with the plugin's service definition attached, or {@code null}
 */
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject, IMetaStoreClient metaStoreClient) {
    final HivePrivilegeObjectType objType = privilegeObject.getType();
    final String objName = privilegeObject.getObjectName();
    final String db = privilegeObject.getDbname();

    RangerHiveResource result;
    switch (objType) {
        case DATABASE:
            result = new RangerHiveResource(HiveObjectType.DATABASE, db);
            break;
        case TABLE_OR_VIEW:
            result = new RangerHiveResource(HiveObjectType.TABLE, db, objName);
            setOwnerUser(result, privilegeObject, metaStoreClient);
            break;
        case COLUMN:
            List<String> cols = privilegeObject.getColumns();
            int colCount = (cols == null) ? 0 : cols.size();
            if (colCount != 1) {
                // Exactly one column is expected per object; anything else cannot be mapped.
                LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + colCount + ", objectType:" + objType);
                result = null;
            } else {
                result = new RangerHiveResource(HiveObjectType.COLUMN, db, objName, cols.get(0));
                setOwnerUser(result, privilegeObject, metaStoreClient);
            }
            break;
        default:
            LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objType);
            result = null;
            break;
    }

    if (result == null) {
        return null;
    }
    // The service definition may be absent when the plugin has not been initialised.
    result.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
    return result;
}

Example 9 with HivePrivilegeObjectType

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType in project ranger by apache.

Class RangerHivePlugin, method filterListCmdObjects:

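/**
 * Filters a list of Hive metadata objects (as produced by SHOW TABLES / SHOW DATABASES and
 * similar commands) down to those the current user is allowed to see.
 *
 * <p>Each object is mapped to a {@link RangerHiveResource} and checked against the Ranger
 * policies, with an audit record per check; only objects for which access is allowed are kept.
 * Objects that cannot be mapped to a resource, or for which the policy engine returns no
 * result, are dropped (fail-closed). Two inputs bypass filtering entirely: a {@code null} list
 * yields {@code null}, and when no user/group information is available (the metastore case)
 * the input list is returned unfiltered — a fail-open path callers should be aware of.
 *
 * <p>Audit events are flushed and the perf tracer is logged even if a policy lookup throws,
 * so a failed request still leaves an audit trail.
 *
 * @param objs    the objects to filter; may be {@code null} or empty
 * @param context the authorization context (command string, client IP); may be {@code null}
 * @return the allowed subset of {@code objs}, {@code objs} itself in the bypass cases, or
 *         {@code null} when {@code objs} is {@code null}
 * @throws HiveAuthzPluginException   declared by the Hive interface; the visible body does not throw it itself
 * @throws HiveAccessControlException declared by the Hive interface; the visible body does not throw it itself
 */
// Commented out to avoid build errors until this interface is stable in Hive Branch
// @Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> objs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> filterListCmdObjects(%s, %s)", objs, context));
    }

    RangerPerfTracer perf = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
    }

    List<HivePrivilegeObject> ret = null;
    try {
        // bail out early if nothing is there to validate!
        if (objs == null) {
            LOG.debug("filterListCmdObjects: meta objects list was null!");
        } else if (objs.isEmpty()) {
            LOG.debug("filterListCmdObjects: meta objects list was empty!");
            ret = objs;
        } else {
            UserGroupInformation ugi = getCurrentUserGroupInfo();
            if (ugi == null) {
                // This is null for metastore and there doesn't seem to be a way to tell if one is
                // running as metastore or hiveserver2! Everything is returned unfiltered here.
                LOG.warn("filterListCmdObjects: user information not available");
                ret = objs;
            } else {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("filterListCmdObjects: number of input objects[" + objs.size() + "]");
                }

                HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
                String user = ugi.getShortUserName();
                Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
                Set<String> roles = getCurrentRolesForUser(user, groups);
                if (LOG.isDebugEnabled()) {
                    LOG.debug(String.format("filterListCmdObjects: user[%s], groups[%s], roles[%s] ", user, groups, roles));
                }

                // if we got any items to filter then we can't return back a null.  We must return back a list even if its empty.
                ret = new ArrayList<HivePrivilegeObject>(objs.size());
                for (HivePrivilegeObject privilegeObject : objs) {
                    if (LOG.isDebugEnabled()) {
                        debugLogFilterCandidate(privilegeObject, context);
                    }
                    if (isListCmdObjectAllowed(privilegeObject, user, groups, roles, context, sessionContext, auditHandler)) {
                        ret.add(privilegeObject);
                    }
                }
            }
        }
    } finally {
        // Flush audits and log perf even when a lookup throws, so the attempt is still recorded.
        auditHandler.flushAudit();
        RangerPerfTracer.log(perf);
    }

    if (LOG.isDebugEnabled()) {
        int count = ret == null ? 0 : ret.size();
        LOG.debug(String.format("<== filterListCmdObjects: count[%d], ret[%s]", count, ret));
    }
    return ret;
}

/**
 * Debug-dumps one candidate object together with the request context.
 * Only call when debug logging is enabled; the string building is not cheap.
 *
 * @param privilegeObject the object about to be checked
 * @param context         the authorization context; may be {@code null}
 */
private void debugLogFilterCandidate(HivePrivilegeObject privilegeObject, HiveAuthzContext context) {
    HivePrivObjectActionType actionType = privilegeObject.getActionType();
    HivePrivilegeObjectType objectType = privilegeObject.getType();
    String objectName = privilegeObject.getObjectName();
    String dbName = privilegeObject.getDbname();
    List<String> columns = privilegeObject.getColumns();
    List<String> partitionKeys = privilegeObject.getPartKeys();
    String commandString = context == null ? null : context.getCommandString();
    String ipAddress = context == null ? null : context.getIpAddress();
    final String format = "filterListCmdObjects: actionType[%s], objectType[%s], objectName[%s], dbName[%s], columns[%s], partitionKeys[%s]; context: commandString[%s], ipAddress[%s]";
    LOG.debug(String.format(format, actionType, objectType, objectName, dbName, columns, partitionKeys, commandString, ipAddress));
}

/**
 * Asks the policy engine whether {@code user} may see {@code privilegeObject}.
 *
 * <p>Fail-closed: returns {@code false} when the object has no resource mapping or when the
 * engine returns no result at all, logging an error in both cases.
 *
 * @return {@code true} only if the engine explicitly allowed access
 */
private boolean isListCmdObjectAllowed(HivePrivilegeObject privilegeObject, String user, Set<String> groups, Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext, RangerHiveAuditHandler auditHandler) {
    RangerHiveResource resource = createHiveResourceForFiltering(privilegeObject);
    if (resource == null) {
        LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
        return false;
    }

    RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, context, sessionContext);
    RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
    if (result == null) {
        LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
        return false;
    }

    if (!result.getIsAllowed()) {
        if (LOG.isDebugEnabled()) {
            String path = resource.getAsString();
            LOG.debug(String.format("filterListCmdObjects: Permission denied: user [%s] does not have [%s] privilege on [%s]. resource[%s], request[%s], result[%s]", user, request.getHiveAccessType().name(), path, resource, request, result));
        }
        return false;
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("filterListCmdObjects: access allowed. resource[%s], request[%s], result[%s]", resource, request, result));
    }
    return true;
}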

Example 10 with HivePrivilegeObjectType

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType in project ranger by apache.

Class RangerHivePlugin, method applyRowFilterAndColumnMasking:

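/**
 * Attaches Ranger row-filter expressions and column-masking transformers to the given
 * table/view objects.
 *
 * <p>For every {@code TABLE_OR_VIEW} object (a {@code null} type is treated as a table/view)
 * the row-filter expression and the per-column cell transformers are looked up; the object is
 * mutated in place and included in the result only if at least one filter or mask applies.
 * Objects of any other type are left untouched and are not returned.
 *
 * @param queryContext the authorization context of the query being compiled
 * @param hiveObjs     the table/view objects referenced by the query; may be {@code null} or empty
 * @return the subset of {@code hiveObjs} that received a row filter or a column mask (never null)
 * @throws SemanticException declared by the Hive interface; propagated from the filter/mask lookups
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
    List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();
    // The loop below tolerates a null list (CollectionUtils.isNotEmpty), so the debug
    // logging must not dereference it either.
    final int objCount = hiveObjs == null ? 0 : hiveObjs.size();
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
    }

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
    }

    try {
        if (CollectionUtils.isNotEmpty(hiveObjs)) {
            for (HivePrivilegeObject hiveObj : hiveObjs) {
                if (attachRowFilterAndColumnMasks(queryContext, hiveObj)) {
                    ret.add(hiveObj);
                }
            }
        }
    } finally {
        // Log perf even when a lookup throws.
        RangerPerfTracer.log(perf);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
    }
    return ret;
}

/**
 * Looks up and attaches the row filter and the column masks for a single object, mutating it
 * in place.
 *
 * @param queryContext the authorization context of the query being compiled
 * @param hiveObj      the object to transform; a {@code null} type is treated as {@code TABLE_OR_VIEW}
 * @return {@code true} if the object is a table/view and at least one filter or mask was attached
 * @throws SemanticException propagated from the filter/mask lookups
 */
private boolean attachRowFilterAndColumnMasks(HiveAuthzContext queryContext, HivePrivilegeObject hiveObj) throws SemanticException {
    HivePrivilegeObjectType hiveObjType = hiveObj.getType();
    if (hiveObjType == null) {
        hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
    }
    if (hiveObjType != HivePrivilegeObjectType.TABLE_OR_VIEW) {
        // Only tables and views can carry row filters or column masks.
        return false;
    }

    String database = hiveObj.getDbname();
    String table = hiveObj.getObjectName();
    boolean needToTransform = false;

    String rowFilterExpr = getRowFilterExpression(queryContext, database, table);
    if (StringUtils.isNotBlank(rowFilterExpr)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
        }
        hiveObj.setRowFilterExpression(rowFilterExpr);
        needToTransform = true;
    }

    if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
        // One transformer entry per column, in column order; the helper appends pass-through
        // entries for unmasked columns.
        List<String> columnTransformers = new ArrayList<String>();
        for (String column : hiveObj.getColumns()) {
            boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);
            if (LOG.isDebugEnabled()) {
                LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
            }
            needToTransform = needToTransform || isColumnTransformed;
        }
        hiveObj.setCellValueTransformers(columnTransformers);
    }
    return needToTransform;
}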
