
Example 36 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class Driver method doAuthorizationV2.

/**
 * Runs the V2 (plugin-based) authorization check for one command: the entities the command reads
 * are checked as inputs, the entities it writes as outputs, with the column lists taken from the
 * respective table-to-columns maps.
 *
 * @param ss             current session; supplies the authorizer and the caller's addresses
 * @param op             the Hive operation being authorized
 * @param inputs         entities the command reads (may be {@code null})
 * @param outputs        entities the command writes (may be {@code null})
 * @param command        the command text, attached to the authz context handed to the plugin
 * @param tab2cols       complete table name to the columns read from that table
 * @param updateTab2Cols complete table name to the columns written to that table
 * @throws HiveException propagated from the authorizer when the request is rejected or cannot be
 *                       evaluated
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op, Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command, Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols) throws HiveException {
    // Caller context for the plugin: where the request came from and what was run.
    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setUserIpAddress(ss.getUserIpAddress());
    contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
    contextBuilder.setCommandString(command);
    HiveOperationType opType = getHiveOperationType(op);
    // Outputs deliberately get their own column map: reusing tab2cols would attach the
    // SELECT's columns to the INSERT target in an insert/select statement.
    List<HivePrivilegeObject> readObjects = getHivePrivObjects(inputs, tab2cols);
    List<HivePrivilegeObject> writeObjects = getHivePrivObjects(outputs, updateTab2Cols);
    ss.getAuthorizerV2().checkPrivileges(opType, readObjects, writeObjects, contextBuilder.build());
}

Example 37 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project drill by apache.

the class HiveAuthorizationHelper method authorizeShowTables.

/**
 * Checks that the current user may run "SHOW TABLES" in the given Hive database. The check is a
 * read of the database object only; no output objects are involved. A
 * {@link HiveAccessControlException} is thrown for illegal access. When authorization is disabled
 * the call returns without contacting the authorizer.
 * @param dbName name of the database whose tables would be listed
 * @throws HiveAccessControlException if the authorizer denies access
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
    if (authzEnabled) {
        // SHOW TABLES needs read access on the database itself; there is nothing to write.
        final HivePrivilegeObject database = new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);
        authorize(HiveOperationType.SHOWTABLES, ImmutableList.of(database), Collections.<HivePrivilegeObject>emptyList(), "SHOW TABLES");
    }
}

Example 38 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class DDLTask method grantOrRevokePrivileges.

/**
 * Applies a GRANT or a REVOKE of {@code privileges} on {@code privSubjectDesc} for
 * {@code principals} through the session's authorization plugin.
 *
 * @param db             the Hive metadata handle used to obtain the session authorizer
 * @param principals     principals receiving (or losing) the privileges
 * @param privileges     privileges being granted or revoked
 * @param privSubjectDesc the object the privileges apply to
 * @param grantor        name of the principal performing the operation
 * @param grantorType    type of the grantor principal
 * @param grantOption    whether the grantees may pass the privilege on (or whether that right is revoked)
 * @param isGrant        {@code true} for GRANT, {@code false} for REVOKE
 * @return 0; failure is reported through the exception the authorizer throws
 * @throws HiveException propagated from the authorizer
 */
private int grantOrRevokePrivileges(Hive db, List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException {
    HiveAuthorizer authorizer = getSessionAuthorizer(db);
    // Translate the DDL descriptors into the plugin's own representation.
    List<HivePrincipal> grantees = AuthorizationUtils.getHivePrincipals(principals, getAuthorizationTranslator(authorizer));
    List<HivePrivilege> pluginPrivileges = AuthorizationUtils.getHivePrivileges(privileges, getAuthorizationTranslator(authorizer));
    HivePrivilegeObject subject = getAuthorizationTranslator(authorizer).getHivePrivilegeObject(privSubjectDesc);
    HivePrincipal grantingPrincipal = new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType));
    if (!isGrant) {
        authorizer.revokePrivileges(grantees, pluginPrivileges, subject, grantingPrincipal, grantOption);
    } else {
        authorizer.grantPrivileges(grantees, pluginPrivileges, subject, grantingPrincipal, grantOption);
    }
    // Reaching this point means the authorizer did not throw, which is the only failure signal.
    return 0;
}

Example 39 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class DDLTask method writeGrantInfo.

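/**
 * Renders a list of privilege grants for display, one record per privilege, with the fields
 * appended through {@code appendNonNull} in a fixed order: database, object name, partition keys,
 * columns, principal name, principal type, privilege name, grant option, grant time and grantor.
 *
 * The records are emitted in a deterministic order (by object, then principal, then privilege)
 * so that the output is stable across runs and easy to compare in tests. The caller's list is
 * left untouched; the sort is applied to a private copy.
 *
 * @param privileges the grants to render; {@code null} or empty yields an empty string
 * @param testMode   when {@code true} the grant time is written as {@code -1} so test output does
 *                   not depend on the clock
 * @return the rendered records, or {@code ""} when there is nothing to render
 */
static String writeGrantInfo(List<HivePrivilegeInfo> privileges, boolean testMode) {
    if (privileges == null || privileges.isEmpty()) {
        return "";
    }
    // Sort a copy: reordering the argument in place was an unintended side effect on the caller.
    List<HivePrivilegeInfo> sorted = new ArrayList<HivePrivilegeInfo>(privileges);
    Collections.sort(sorted, new Comparator<HivePrivilegeInfo>() {

        @Override
        public int compare(HivePrivilegeInfo o1, HivePrivilegeInfo o2) {
            int result = o1.getObject().compareTo(o2.getObject());
            if (result != 0) {
                return result;
            }
            result = o1.getPrincipal().compareTo(o2.getPrincipal());
            if (result != 0) {
                return result;
            }
            return o1.getPrivilege().compareTo(o2.getPrivilege());
        }
    });
    StringBuilder builder = new StringBuilder();
    for (HivePrivilegeInfo privilege : sorted) {
        HivePrincipal principal = privilege.getPrincipal();
        HivePrivilegeObject resource = privilege.getObject();
        HivePrincipal grantor = privilege.getGrantorPrincipal();
        appendNonNull(builder, resource.getDbname(), true);
        appendNonNull(builder, resource.getObjectName());
        appendNonNull(builder, resource.getPartKeys());
        appendNonNull(builder, resource.getColumns());
        appendNonNull(builder, principal.getName());
        appendNonNull(builder, principal.getType());
        appendNonNull(builder, privilege.getPrivilege().getName());
        appendNonNull(builder, privilege.isGrantOption());
        // Grant time is stored in seconds; the output uses milliseconds (long to avoid overflow).
        appendNonNull(builder, testMode ? -1 : privilege.getGrantTime() * 1000L);
        // NOTE(review): a record without a grantor would otherwise NPE here; render it as absent
        // instead — confirm against the plugins whether a null grantor can actually occur.
        appendNonNull(builder, grantor == null ? null : grantor.getName());
    }
    return builder.toString();
}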

Example 40 with HivePrivilegeObject

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.

the class Driver method getHivePrivObjects.

/**
 * Converts the query plan's read/write entities into the objects the authorization plugin checks.
 *
 * Entities that are never handed to the authorizer: dummy entities, read entities that are not
 * direct (see {@code ReadEntity#isDirect}), write entities that are temporary URIs, and
 * partition entities (partition-level authorization is not implemented here; presumably the
 * owning table appears as its own entity — confirm against the planner before relying on that).
 *
 * @param privObjects    entities to convert; {@code null} yields an empty list
 * @param tableName2Cols complete table name to the columns touched in that table; may be
 *                       {@code null}, in which case no column list is attached
 * @return the privilege objects to authorize, in iteration order of {@code privObjects}
 * @throws AssertionError if an entity has a type this method does not know
 */
private static List<HivePrivilegeObject> getHivePrivObjects(Set<? extends Entity> privObjects, Map<String, List<String>> tableName2Cols) {
    List<HivePrivilegeObject> result = new ArrayList<HivePrivilegeObject>();
    if (privObjects == null) {
        return result;
    }
    for (Entity entity : privObjects) {
        HivePrivilegeObjectType objectType = AuthorizationUtils.getHivePrivilegeObjectType(entity.getType());
        if (isExemptFromAuthorization(entity)) {
            continue;
        }
        String dbname = null;
        String objName = null;
        List<String> columns = null;
        String className = null;
        switch (entity.getType()) {
            case DATABASE:
                dbname = entity.getDatabase().getName();
                break;
            case TABLE:
                dbname = entity.getTable().getDbName();
                objName = entity.getTable().getTableName();
                if (tableName2Cols != null) {
                    columns = tableName2Cols.get(Table.getCompleteName(dbname, objName));
                }
                break;
            case DFS_DIR:
            case LOCAL_DIR:
                objName = entity.getD().toString();
                break;
            case FUNCTION:
                // A function may be global (no database).
                if (entity.getDatabase() != null) {
                    dbname = entity.getDatabase().getName();
                }
                objName = entity.getFunctionName();
                className = entity.getClassName();
                break;
            case DUMMYPARTITION:
            case PARTITION:
                // Partition entities are not authorized here (not currently handled).
                continue;
            case SERVICE_NAME:
                objName = entity.getServiceName();
                break;
            default:
                throw new AssertionError("Unexpected object type");
        }
        HivePrivObjectActionType actionType = AuthorizationUtils.getActionType(entity);
        // Partition keys are never populated by this method (passed as null).
        result.add(new HivePrivilegeObject(objectType, dbname, objName, null, columns, actionType, null, className));
    }
    return result;
}

/**
 * Returns {@code true} for entities this class deliberately does not authorize: dummy entities,
 * indirect read entities and temporary-URI write entities.
 *
 * @param entity the plan entity to inspect
 * @return whether the entity is skipped by {@code getHivePrivObjects}
 */
private static boolean isExemptFromAuthorization(Entity entity) {
    if (entity.isDummy()) {
        // dummy readEntity / writeEntity carry no real object
        return true;
    }
    return (entity instanceof ReadEntity && !((ReadEntity) entity).isDirect())
            || (entity instanceof WriteEntity && ((WriteEntity) entity).isTempURI());
}
