use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
the class GetTablesOperation method runInternal.
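/**
 * Collects table metadata for every database matching the requested schema pattern and
 * appends one row per table to {@code rowSet}.
 *
 * <p>When authorization V2 is enabled, the matched databases are passed to
 * {@code authorizeMetaGets} as a {@code GET_TABLES} operation before any table metadata is
 * read. The fetch loop then walks that same list, so the databases that were authorized and
 * the databases that are enumerated come from a single metastore answer.
 *
 * @throws HiveSQLException wrapping any exception raised while authorizing or fetching; the
 *     operation state is set to {@code ERROR} before it is thrown
 */
@Override
public void runInternal() throws HiveSQLException {
  setState(OperationState.RUNNING);
  LOG.info("Fetching table metadata");
  try {
    IMetaStoreClient metastoreClient = getParentSession().getMetaStoreClient();
    String schemaPattern = convertSchemaPattern(schemaName);
    List<String> matchingDbs = metastoreClient.getDatabases(schemaPattern);

    if (isAuthV2Enabled()) {
      // NOTE(review): only database-level privilege objects are submitted here; whether
      // individual tables are filtered elsewhere is not visible in this method.
      List<HivePrivilegeObject> privObjs = HivePrivilegeObjectUtils.getHivePrivDbObjects(matchingDbs);
      String cmdStr = "catalog : " + catalogName + ", schemaPattern : " + schemaName;
      authorizeMetaGets(HiveOperationType.GET_TABLES, privObjs, cmdStr);
    }

    String tablePattern = convertIdentifierPattern(tableName, true);
    // Reuse the list that went through the authorization check instead of asking the
    // metastore a second time: a second lookup could return a database created in between,
    // which would then be listed without ever having been authorized.
    for (String dbName : matchingDbs) {
      for (TableMeta tableMeta : metastoreClient.getTableMeta(dbName, tablePattern, tableTypeList)) {
        String tableType = tableTypeMapping.mapToClientType(tableMeta.getTableType());
        rowSet.addRow(new Object[] {
            DEFAULT_HIVE_CATALOG,
            tableMeta.getDbName(),
            tableMeta.getTableName(),
            tableType,
            tableMeta.getComments(),
            null, null, null, null, null });
        if (LOG.isDebugEnabled()) {
          String debugMessage = getDebugMessage("table", RESULT_SET_SCHEMA);
          LOG.debug(debugMessage, DEFAULT_HIVE_CATALOG, tableMeta.getDbName(), tableMeta.getTableName(),
              tableType, tableMeta.getComments());
        }
      }
    }

    // Checked once after all databases were visited; inside the loop it would be emitted
    // for every leading database that happens to have no matching table.
    if (LOG.isDebugEnabled() && rowSet.numRows() == 0) {
      LOG.debug("No table metadata has been returned.");
    }
    setState(OperationState.FINISHED);
    LOG.info("Fetching table metadata has been successfully finished");
  } catch (Exception e) {
    setState(OperationState.ERROR);
    throw new HiveSQLException(e);
  }
}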
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
the class GetColumnsOperation method runInternal.
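/**
 * Collects column metadata for every table matching the requested schema and table patterns
 * and appends one row per column to {@code rowSet}.
 *
 * <p>Database and table names are resolved first; when authorization V2 is enabled the
 * resulting objects are passed to {@code authorizeMetaGets} as a {@code GET_COLUMNS}
 * operation before any schema or primary-key information is read.
 *
 * @throws HiveSQLException wrapping any exception raised while authorizing or fetching; the
 *     operation state is set to {@code ERROR} before it is thrown
 */
@Override
public void runInternal() throws HiveSQLException {
  setState(OperationState.RUNNING);
  LOG.info("Fetching column metadata");
  try {
    IMetaStoreClient metastoreClient = getParentSession().getMetaStoreClient();
    String schemaPattern = convertSchemaPattern(schemaName);
    String tablePattern = convertIdentifierPattern(tableName, true);
    Pattern columnPattern = null;
    if (columnName != null) {
      columnPattern = Pattern.compile(convertIdentifierPattern(columnName, false));
    }

    List<String> dbNames = metastoreClient.getDatabases(schemaPattern);
    Collections.sort(dbNames);
    // Insertion-ordered map: databases are inserted in sorted order, and a plain HashMap
    // would discard that ordering again when the entries are iterated below.
    Map<String, List<String>> db2Tabs = new java.util.LinkedHashMap<>();
    for (String dbName : dbNames) {
      List<String> tableNames = metastoreClient.getTables(dbName, tablePattern);
      Collections.sort(tableNames);
      db2Tabs.put(dbName, tableNames);
    }

    if (isAuthV2Enabled()) {
      // Authorization happens on exactly the database/table map that is iterated below.
      List<HivePrivilegeObject> privObjs = getPrivObjs(db2Tabs);
      String cmdStr = "catalog : " + catalogName + ", schemaPattern : " + schemaName + ", tablePattern : " + tableName;
      authorizeMetaGets(HiveOperationType.GET_COLUMNS, privObjs, cmdStr);
    }

    int maxBatchSize = SessionState.get().getConf().getIntVar(ConfVars.METASTORE_BATCH_RETRIEVE_MAX);
    for (Entry<String, List<String>> dbTabs : db2Tabs.entrySet()) {
      String dbName = dbTabs.getKey();
      List<String> tableNames = dbTabs.getValue();
      for (Table table : new TableIterable(metastoreClient, dbName, tableNames, maxBatchSize)) {
        TableSchema schema = new TableSchema(metastoreClient.getSchema(dbName, table.getTableName()));
        List<SQLPrimaryKey> primaryKeys =
            metastoreClient.getPrimaryKeys(new PrimaryKeysRequest(dbName, table.getTableName()));
        // Lower-cased primary-key column names, used to report those columns as NOT NULL.
        Set<String> pkColNames = new HashSet<>();
        for (SQLPrimaryKey key : primaryKeys) {
          pkColNames.add(key.getColumn_name().toLowerCase());
        }

        for (ColumnDescriptor column : schema.getColumnDescriptors()) {
          if (columnPattern != null && !columnPattern.matcher(column.getName()).matches()) {
            continue;
          }
          boolean isPrimaryKey = pkColNames.contains(column.getName().toLowerCase());
          Object[] rowData = new Object[] {
              null,                                            // TABLE_CAT
              table.getDbName(),                               // TABLE_SCHEM
              table.getTableName(),                            // TABLE_NAME
              column.getName(),                                // COLUMN_NAME
              column.getType().toJavaSQLType(),                // DATA_TYPE
              column.getTypeName(),                            // TYPE_NAME
              column.getTypeDescriptor().getColumnSize(),      // COLUMN_SIZE
              null,                                            // BUFFER_LENGTH, unused
              column.getTypeDescriptor().getDecimalDigits(),   // DECIMAL_DIGITS
              column.getType().getNumPrecRadix(),              // NUM_PREC_RADIX
              isPrimaryKey
                  ? DatabaseMetaData.columnNoNulls
                  : DatabaseMetaData.columnNullable,           // NULLABLE
              column.getComment(),                             // REMARKS
              null,                                            // COLUMN_DEF
              null,                                            // SQL_DATA_TYPE
              null,                                            // SQL_DATETIME_SUB
              null,                                            // CHAR_OCTET_LENGTH
              column.getOrdinalPosition(),                     // ORDINAL_POSITION
              isPrimaryKey ? "NO" : "YES",                     // IS_NULLABLE
              null,                                            // SCOPE_CATALOG
              null,                                            // SCOPE_SCHEMA
              null,                                            // SCOPE_TABLE
              null,                                            // SOURCE_DATA_TYPE
              "NO" };                                          // IS_AUTO_INCREMENT
          rowSet.addRow(rowData);
          if (LOG.isDebugEnabled()) {
            // Debug logging writes the full metadata row (names, types, comments) to the log.
            String debugMessage = getDebugMessage("column", RESULT_SET_SCHEMA);
            LOG.debug(debugMessage, rowData);
          }
        }
      }
    }

    if (LOG.isDebugEnabled() && rowSet.numRows() == 0) {
      LOG.debug("No column metadata has been returned.");
    }
    setState(OperationState.FINISHED);
    LOG.info("Fetching column metadata has been successfully finished");
  } catch (Exception e) {
    setState(OperationState.ERROR);
    throw new HiveSQLException(e);
  }
}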
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
the class GetFunctionsOperation method runInternal.
/**
 * Collects function metadata for the requested function-name pattern and appends one row per
 * function to {@code rowSet}.
 *
 * <p>When authorization V2 is enabled, the databases matching the schema pattern are passed to
 * {@code authorizeMetaGets} as a {@code GET_FUNCTIONS} operation before anything is returned.
 * Rows are produced only when both the catalog name and the schema name are null or empty; they
 * are read from {@code FunctionRegistry}, not from the matched databases.
 *
 * @throws HiveSQLException if the metastore lookup fails, if authorization throws, or wrapping
 *     any exception raised while building the result
 */
@Override
public void runInternal() throws HiveSQLException {
  setState(OperationState.RUNNING);
  LOG.info("Fetching function metadata");

  if (isAuthV2Enabled()) {
    // Resolve the databases the schema pattern refers to.
    IMetaStoreClient client = getParentSession().getMetaStoreClient();
    String dbPattern = convertSchemaPattern(schemaName);
    List<String> dbsToAuthorize;
    try {
      dbsToAuthorize = client.getDatabases(dbPattern);
    } catch (TException e) {
      setState(OperationState.ERROR);
      throw new HiveSQLException(e);
    }
    // Authorize the call against those schema objects.
    // NOTE(review): an exception thrown by authorizeMetaGets leaves this method without the
    // state being moved to ERROR here, unlike the metastore failure above; confirm intended.
    String cmdStr = "catalog : " + catalogName + ", schemaPattern : " + schemaName;
    List<HivePrivilegeObject> dbPrivObjects = HivePrivilegeObjectUtils.getHivePrivDbObjects(dbsToAuthorize);
    authorizeMetaGets(HiveOperationType.GET_FUNCTIONS, dbPrivObjects, cmdStr);
  }

  try {
    boolean catalogUnset = null == catalogName || "".equals(catalogName);
    boolean schemaUnset = null == schemaName || "".equals(schemaName);
    if (catalogUnset && schemaUnset) {
      Set<String> matchedNames = FunctionRegistry.getFunctionNames(CLIServiceUtils.patternToRegex(functionName));
      for (String matchedName : matchedNames) {
        FunctionInfo info = FunctionRegistry.getFunctionInfo(matchedName);
        String displayName = info.getDisplayName();
        int functionType;
        if (info.isGenericUDTF()) {
          functionType = DatabaseMetaData.functionReturnsTable;
        } else {
          functionType = DatabaseMetaData.functionNoTable;
        }
        String infoClassName = info.getClass().getCanonicalName();
        Object[] rowData = new Object[] {
            null,            // FUNCTION_CAT
            null,            // FUNCTION_SCHEM
            displayName,     // FUNCTION_NAME
            "",              // REMARKS
            functionType,    // FUNCTION_TYPE
            infoClassName }; // canonical class name of the FunctionInfo object
        rowSet.addRow(rowData);
        if (LOG.isDebugEnabled()) {
          String debugMessage = getDebugMessage("function", RESULT_SET_SCHEMA);
          LOG.debug(debugMessage, rowData);
        }
      }
    }
    if (LOG.isDebugEnabled() && rowSet.numRows() == 0) {
      LOG.debug("No function metadata has been returned");
    }
    setState(OperationState.FINISHED);
    LOG.info("Fetching function metadata has been successfully finished");
  } catch (Exception e) {
    setState(OperationState.ERROR);
    throw new HiveSQLException(e);
  }
}
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project ranger by apache.
the class RangerHivePlugin method revokePrivileges.
/**
* Revoke privileges for principals on the object
* @param hivePrincipals
* @param hivePrivileges
* @param hivePrivObject
* @param grantorPrincipal
* @param grantOption
* @throws HiveAuthzPluginException
* @throws HiveAccessControlException
*/
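@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
                             List<HivePrivilege> hivePrivileges,
                             HivePrivilegeObject hivePrivObject,
                             HivePrincipal grantorPrincipal,
                             boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
  // REVOKE issued through Hive is refused unless the plugin is configured to update
  // policies on grant/revoke.
  if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
    throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
  }

  RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
  try {
    List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
    RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputs);
    GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

    // The request is recorded once at INFO; an identical DEBUG line would only duplicate it
    // whenever debug logging is enabled.
    LOG.info("revokePrivileges(): " + request);

    hivePlugin.revokeAccess(request, auditHandler);
  } catch (Exception excp) {
    // Every failure in building or submitting the request surfaces as an access-control error.
    throw new HiveAccessControlException(excp);
  } finally {
    // Audit events are flushed whether the revoke succeeded or failed.
    auditHandler.flushAudit();
  }
}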
use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project ranger by apache.
the class RangerHivePlugin method grantPrivileges.
/**
* Grant privileges for principals on the object
* @param hivePrincipals
* @param hivePrivileges
* @param hivePrivObject
* @param grantorPrincipal
* @param grantOption
* @throws HiveAuthzPluginException
* @throws HiveAccessControlException
*/
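@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
                            List<HivePrivilege> hivePrivileges,
                            HivePrivilegeObject hivePrivObject,
                            HivePrincipal grantorPrincipal,
                            boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
  // Entry trace is written before the feature check, so refused attempts also show up at DEBUG.
  if (LOG.isDebugEnabled()) {
    LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
  }

  // GRANT issued through Hive is refused unless the plugin is configured to update
  // policies on grant/revoke.
  if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
    throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
  }

  RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
  try {
    List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
    RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputs);
    GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

    // The request is recorded once at INFO; an identical DEBUG line would only duplicate it
    // whenever debug logging is enabled.
    LOG.info("grantPrivileges(): " + request);

    hivePlugin.grantAccess(request, auditHandler);
  } catch (Exception excp) {
    // Every failure in building or submitting the request surfaces as an access-control error.
    throw new HiveAccessControlException(excp);
  } finally {
    // Audit events are flushed whether the grant succeeded or failed.
    auditHandler.flushAudit();
  }
}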