
Example 11 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class CommandUtil method authorizeCommandThrowEx.

/**
 * Runs the session's V2 authorizer against a command; the check is expected to throw on failure.
 *
 * <p>The command tokens are wrapped in a single {@link HivePrivilegeObject}, which is passed as
 * the only input object. No output objects are supplied ({@code null}). The authorization context
 * carries the space-joined command text together with the user IP address and the forwarded
 * addresses read from the session.
 *
 * <p>NOTE(review): the forwarded addresses are passed through exactly as the session reports
 * them. If they originate from a client-supplied header, an authorizer plugin should not rely on
 * them alone for access decisions -- confirm how {@code SessionState} populates them.
 *
 * <p>NOTE(review): the complete command text reaches the authorizer context; if commands can
 * carry credentials or other secrets, verify how plugins log or audit that string.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param type operation type to authorize
 * @param command command tokens; joined with single spaces to form the context's command string
 * @throws HiveAuthzPluginException propagated from the authorizer's {@code checkPrivileges} call
 * @throws HiveAccessControlException propagated from the authorizer's {@code checkPrivileges}
 *     call when the check fails
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type, List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
    HivePrivilegeObject target = HivePrivilegeObject.createHivePrivilegeObject(command);

    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    String commandText = Joiner.on(' ').join(command);
    contextBuilder.setCommandString(commandText);
    contextBuilder.setUserIpAddress(ss.getUserIpAddress());
    contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
    HiveAuthzContext authzContext = contextBuilder.build();

    // One input object (the command itself) and no output objects.
    List<HivePrivilegeObject> inputObjects = Arrays.asList(target);
    ss.getAuthorizerV2().checkPrivileges(type, inputObjects, null, authzContext);
}
Also used : HiveAuthzContext(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Example 12 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project drill by axbaretto.

the class HiveAuthorizationHelper method authorizeShowTables.

/**
 * Checks authorization for the "SHOW TABLES" command in the given Hive database.
 *
 * <p>When {@code authzEnabled} is false the method returns without performing any check, so
 * enforcement depends entirely on that flag. Otherwise a database-level
 * {@link HivePrivilegeObject} for {@code dbName} (third constructor argument left {@code null})
 * is submitted as the single input, with an empty output list, under the
 * {@code SHOWTABLES} operation type.
 *
 * @param dbName name of the Hive database whose tables are to be listed
 * @throws HiveAccessControlException for illegal access
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
    if (authzEnabled) {
        final HivePrivilegeObject databaseObject =
            new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);
        authorize(
            HiveOperationType.SHOWTABLES,
            ImmutableList.of(databaseObject),
            Collections.<HivePrivilegeObject>emptyList(),
            "SHOW TABLES");
    }
}
Also used : HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Example 13 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class Driver method doAuthorizationV2.

/**
 * Submits an operation to the session's V2 authorizer.
 *
 * <p>The authorization context is built from the session's user IP address, its forwarded
 * addresses and the command string. The operation is mapped through
 * {@code getHiveOperationType}, and the read and write entities are converted to
 * {@link HivePrivilegeObject} lists through {@code getHivePrivObjects} before
 * {@code checkPrivileges} is called.
 *
 * <p>NOTE(review): forwarded addresses are passed along exactly as the session reports them;
 * confirm their origin before an authorizer plugin treats them as trustworthy.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param op operation being authorized
 * @param inputs entities read by the operation
 * @param outputs entities written by the operation
 * @param command command string recorded in the authorization context
 * @param tab2cols columns per table, used when converting {@code inputs}
 * @param updateTab2Cols columns per table, used when converting {@code outputs}
 * @throws HiveException declared by this method; raised by the helpers or the authorizer
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op, Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command, Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols) throws HiveException {
    /* Note for reviewers: updateTab2Cols has to stay separate from tab2cols. Passing tab2cols to
    getHivePrivObjects for the output case would trip up insert/selects, because the insert
    would be handed the columns that belong to the select.
     */
    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setUserIpAddress(ss.getUserIpAddress());
    contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
    contextBuilder.setCommandString(command);

    HiveOperationType operationType = getHiveOperationType(op);
    List<HivePrivilegeObject> readObjects = getHivePrivObjects(inputs, tab2cols);
    List<HivePrivilegeObject> writeObjects = getHivePrivObjects(outputs, updateTab2Cols);

    HiveAuthzContext authzContext = contextBuilder.build();
    ss.getAuthorizerV2().checkPrivileges(operationType, readObjects, writeObjects, authzContext);
}
Also used : HiveAuthzContext(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext) HiveOperationType(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Example 14 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project drill by apache.

the class HiveAuthorizationHelper method authorizeShowTables.

/**
 * Checks authorization for the "SHOW TABLES" command in the given Hive database.
 *
 * <p>No check is performed when {@code authzEnabled} is false; the method simply returns.
 * Otherwise the database is submitted as the only input object (a
 * {@link HivePrivilegeObject} of type {@code DATABASE} whose third constructor argument is
 * {@code null}), with an empty list of output objects.
 *
 * @param dbName name of the Hive database whose tables are to be listed
 * @throws HiveAccessControlException for illegal access
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
    if (authzEnabled) {
        // SHOW TABLES only reads the database, so it is the sole input and nothing is an output.
        final HivePrivilegeObject dbToList =
            new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);
        authorize(
            HiveOperationType.SHOWTABLES,
            ImmutableList.of(dbToList),
            Collections.<HivePrivilegeObject>emptyList(),
            "SHOW TABLES");
    }
}
Also used : HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Example 15 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class SQLStdHiveAuthorizationValidatorForTest method applyRowFilterAndColumnMasking.

/**
 * Test implementation that attaches fixed row filters and column transformers to a few
 * well-known object names. Please take a look at the instructions in HiveAuthorizer.java before
 * implementing applyRowFilterAndColumnMasking.
 *
 * <p>Object names are matched exactly (case-sensitive):
 * <ul>
 *   <li>{@code masking_test}: row filter {@code key % 2 = 0 and key < 10}; column
 *       {@code value} becomes {@code reverse(value)}, other columns pass through.</li>
 *   <li>{@code masking_test_view}: row filter {@code key > 6}; column {@code key} becomes
 *       {@code key / 2}, other columns pass through.</li>
 *   <li>{@code masking_test_subq}: row filter with a correlated subquery, no transformers.</li>
 *   <li>{@code masking_acid_no_masking}: returned with no filter or transformer set here.</li>
 * </ul>
 * Objects with any other name are left untouched and are not returned. Every filter and
 * transformer expression in this method is a string literal; none is derived from
 * {@code context} or from caller-supplied text.
 *
 * @param context authorization context; not read by this implementation
 * @param privObjs objects to inspect; matching entries are modified in place
 * @return the matching objects, in input order
 * @throws SemanticException declared by the signature; not thrown directly in this body
 */
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException {
    List<HivePrivilegeObject> rewritten = new ArrayList<>();
    for (HivePrivilegeObject candidate : privObjs) {
        switch (candidate.getObjectName()) {
            case "masking_test":
                candidate.setRowFilterExpression("key % 2 = 0 and key < 10");
                candidate.setCellValueTransformers(
                    substituteColumn(candidate.getColumns(), "value", "reverse(value)"));
                break;
            case "masking_test_view":
                candidate.setRowFilterExpression("key > 6");
                candidate.setCellValueTransformers(
                    substituteColumn(candidate.getColumns(), "key", "key / 2"));
                break;
            case "masking_test_subq":
                candidate.setRowFilterExpression("key in (select key from src where src.key = masking_test_subq.key)");
                break;
            case "masking_acid_no_masking":
                // testing acid usage when no masking/filtering is present
                break;
            default:
                // Not one of the test objects: leave it alone and do not report it.
                continue;
        }
        rewritten.add(candidate);
    }
    return rewritten;
}

/** Builds one transformer per column: {@code expression} for {@code maskedColumn}, the bare column name otherwise. */
private static List<String> substituteColumn(List<String> columns, String maskedColumn, String expression) {
    List<String> transformers = new ArrayList<>();
    for (String column : columns) {
        transformers.add(column.equals(maskedColumn) ? expression : column);
    }
    return transformers;
}
Also used : ArrayList(java.util.ArrayList) ArrayList(java.util.ArrayList) List(java.util.List) HivePrivilegeObject(org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)

Aggregations

HivePrivilegeObject (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject)26 ArrayList (java.util.ArrayList)10 IMetaStoreClient (org.apache.hadoop.hive.metastore.IMetaStoreClient)5 HivePrincipal (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal)5 HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException)4 HivePrivilege (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege)4 HivePrivilegeInfo (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo)4 HiveObjectPrivilege (org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege)3 HiveObjectRef (org.apache.hadoop.hive.metastore.api.HiveObjectRef)3 PrivilegeGrantInfo (org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo)3 HiveException (org.apache.hadoop.hive.ql.metadata.HiveException)3 HivePrivilegeObjectType (org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType)3 HiveSQLException (org.apache.hive.service.cli.HiveSQLException)3 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)3 LinkedHashMap (java.util.LinkedHashMap)2 LinkedList (java.util.LinkedList)2 List (java.util.List)2 RelNode (org.apache.calcite.rel.RelNode)2 FieldSchema (org.apache.hadoop.hive.metastore.api.FieldSchema)2 PrincipalType (org.apache.hadoop.hive.metastore.api.PrincipalType)2