Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
The class Driver, method doAuthorizationV2.
/**
 * Runs the V2 (plugin-based) authorization check for one command.
 *
 * The read entities are converted into "input" privilege objects and the write
 * entities into "output" privilege objects; both lists, the operation type and a
 * context describing the caller are handed to the session's authorizer. A denial
 * surfaces as an exception from {@code checkPrivileges}; a normal return means the
 * command may proceed.
 *
 * @param ss             session supplying the authorizer and the client addresses
 * @param op             the Hive operation being authorized
 * @param inputs         entities the command reads (may be null)
 * @param outputs        entities the command writes (may be null)
 * @param command        the command text, passed to the authorizer as context
 * @param tab2cols       columns referenced per table, applied to the input side
 * @param updateTab2Cols columns referenced per table, applied to the output side; kept
 *                       separate from {@code tab2cols} because for INSERT ... SELECT the
 *                       SELECT's columns would otherwise be attributed to the insert target
 * @throws HiveException when the authorizer rejects the operation or fails
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op, Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command, Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols) throws HiveException {
  // Caller context for the plugin: client address, any forwarded addresses, and the raw
  // command string, all taken from the session rather than from the command itself.
  // NOTE(review): forwarded addresses are typically derived from client-supplied proxy
  // headers; an authorizer that decides on them should treat them as untrusted — confirm
  // how the session populates them.
  HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  ctx.setUserIpAddress(ss.getUserIpAddress());
  ctx.setForwardedAddresses(ss.getForwardedAddresses());
  ctx.setCommandString(command);

  HiveOperationType opType = getHiveOperationType(op);
  List<HivePrivilegeObject> readObjects = getHivePrivObjects(inputs, tab2cols);
  List<HivePrivilegeObject> writeObjects = getHivePrivObjects(outputs, updateTab2Cols);

  // Nothing is returned: the only outcome of this call is "allowed" (normal return) or an
  // exception propagated to the caller.
  ss.getAuthorizerV2().checkPrivileges(opType, readObjects, writeObjects, ctx.build());
}
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project drill by apache.
The class HiveAuthorizationHelper, method authorizeShowTables.
/**
 * Authorizes a "SHOW TABLES" command against the given Hive database.
 *
 * When authorization is disabled this is a no-op. Otherwise the database is submitted
 * to the authorizer as the single input object, with an empty output list, and a
 * {@link HiveAccessControlException} is thrown if the caller may not list its tables.
 *
 * @param dbName name of the database whose tables are being listed
 * @throws HiveAccessControlException for illegal access
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
  if (authzEnabled) {
    // NOTE(review): dbName is not validated here; a null name is passed through to the
    // authorizer unchanged — confirm callers never supply one.
    final HivePrivilegeObject database = new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);
    final List<HivePrivilegeObject> inputs = ImmutableList.of(database);
    final List<HivePrivilegeObject> outputs = Collections.emptyList();
    authorize(HiveOperationType.SHOWTABLES, inputs, outputs, "SHOW TABLES");
  }
}
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
The class DDLTask, method grantOrRevokePrivileges.
/**
 * Executes a GRANT or REVOKE statement through the session's authorization plugin.
 *
 * The task-level descriptors are translated into the plugin's own types (principals,
 * privileges and the target object) and then passed to either {@code grantPrivileges}
 * or {@code revokePrivileges}, selected by {@code isGrant}.
 *
 * @param db             the Hive metastore client used to obtain the session authorizer
 * @param principals     grantees (or revokees) named in the statement
 * @param privileges     privileges being granted or revoked
 * @param privSubjectDesc the object the privileges apply to
 * @param grantor        name of the principal performing the grant/revoke
 * @param grantorType    type (user/role/group) of the grantor
 * @param grantOption    whether the WITH GRANT OPTION clause was given
 * @param isGrant        true for GRANT, false for REVOKE
 * @return 0; failures are reported only by exception, never by return code
 * @throws HiveException propagated from the authorizer
 */
private int grantOrRevokePrivileges(Hive db, List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException {
  HiveAuthorizer authorizer = getSessionAuthorizer(db);

  // Translate from DDL descriptors to the plugin interface's types.
  List<HivePrincipal> grantees = AuthorizationUtils.getHivePrincipals(principals, getAuthorizationTranslator(authorizer));
  List<HivePrivilege> hivePrivs = AuthorizationUtils.getHivePrivileges(privileges, getAuthorizationTranslator(authorizer));
  HivePrivilegeObject target = getAuthorizationTranslator(authorizer).getHivePrivilegeObject(privSubjectDesc);
  HivePrincipal grantorPrincipal = new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType));

  // Whether the grantor is actually entitled to hand out (or take away) these privileges is
  // not checked here; that decision is left entirely to the plugin.
  if (isGrant) {
    authorizer.grantPrivileges(grantees, hivePrivs, target, grantorPrincipal, grantOption);
  } else {
    authorizer.revokePrivileges(grantees, hivePrivs, target, grantorPrincipal, grantOption);
  }

  // Reaching this point means the plugin did not throw.
  return 0;
}
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
The class DDLTask, method writeGrantInfo.
/**
 * Renders a list of privilege grants as text, one row per grant, for SHOW GRANT output.
 *
 * The rows are ordered by object, then principal, then privilege so the output is
 * deterministic. Note that the ordering is applied to {@code privileges} in place, so the
 * caller's list is reordered as a side effect.
 *
 * @param privileges grants to render; null or empty yields an empty string
 * @param testMode   when true the grant time is replaced by -1 so test output is stable
 * @return the rendered rows, or "" when there is nothing to show
 */
static String writeGrantInfo(List<HivePrivilegeInfo> privileges, boolean testMode) {
  if (privileges == null || privileges.isEmpty()) {
    return "";
  }

  // In-place sort: object, then principal, then privilege.
  Collections.sort(privileges, new Comparator<HivePrivilegeInfo>() {
    @Override
    public int compare(HivePrivilegeInfo a, HivePrivilegeInfo b) {
      int byObject = a.getObject().compareTo(b.getObject());
      if (byObject != 0) {
        return byObject;
      }
      int byPrincipal = a.getPrincipal().compareTo(b.getPrincipal());
      if (byPrincipal != 0) {
        return byPrincipal;
      }
      return a.getPrivilege().compareTo(b.getPrivilege());
    }
  });

  StringBuilder out = new StringBuilder();
  for (HivePrivilegeInfo info : privileges) {
    HivePrivilegeObject target = info.getObject();
    HivePrincipal grantee = info.getPrincipal();
    HivePrincipal grantor = info.getGrantorPrincipal();

    // The boolean on the first field presumably marks the start of a new row — see appendNonNull.
    appendNonNull(out, target.getDbname(), true);
    appendNonNull(out, target.getObjectName());
    appendNonNull(out, target.getPartKeys());
    appendNonNull(out, target.getColumns());
    appendNonNull(out, grantee.getName());
    appendNonNull(out, grantee.getType());
    appendNonNull(out, info.getPrivilege().getName());
    appendNonNull(out, info.isGrantOption());
    // Grant time is scaled by 1000 (presumably seconds to milliseconds); fixed to -1 in test mode.
    long grantTime = testMode ? -1 : info.getGrantTime() * 1000L;
    appendNonNull(out, grantTime);
    appendNonNull(out, grantor.getName());
  }
  return out.toString();
}
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject in project hive by apache.
The class Driver, method getHivePrivObjects.
/**
 * Converts a set of read/write entities into the privilege objects the authorizer checks.
 *
 * Entities that are exempt from authorization (dummy entities, indirect reads, temporary
 * URIs) are dropped. Partition entities are dropped as well: this method never emits a
 * partition-level object and always passes null partition keys, so partition-level
 * access is not checked on this path — it relies on the corresponding table entity
 * being present in the same set (TODO confirm against the planner).
 *
 * @param privObjects    entities to convert; null yields an empty list
 * @param tableName2Cols columns referenced per fully-qualified table name, attached to
 *                       TABLE objects only; may be null
 * @return privilege objects for every non-exempt entity, in iteration order of the set
 * @throws AssertionError for an entity type this method does not know how to map
 */
private static List<HivePrivilegeObject> getHivePrivObjects(Set<? extends Entity> privObjects, Map<String, List<String>> tableName2Cols) {
  List<HivePrivilegeObject> result = new ArrayList<HivePrivilegeObject>();
  if (privObjects == null) {
    return result;
  }
  for (Entity entity : privObjects) {
    HivePrivilegeObjectType objType = AuthorizationUtils.getHivePrivilegeObjectType(entity.getType());
    if (isExemptFromAuthorization(entity)) {
      continue;
    }

    String dbName = null;
    String objName = null;
    List<String> partKeys = null;   // never populated: partitions are not authorized here
    List<String> columns = null;
    String className = null;
    switch (entity.getType()) {
      case DATABASE:
        dbName = entity.getDatabase().getName();
        break;
      case TABLE:
        dbName = entity.getTable().getDbName();
        objName = entity.getTable().getTableName();
        // Column-level restriction applies to tables only, keyed by the complete db.table name.
        if (tableName2Cols != null) {
          columns = tableName2Cols.get(Table.getCompleteName(dbName, objName));
        }
        break;
      case DFS_DIR:
      case LOCAL_DIR:
        // Directory entities carry no database; the path string is the object name.
        objName = entity.getD().toString();
        break;
      case FUNCTION:
        if (entity.getDatabase() != null) {
          dbName = entity.getDatabase().getName();
        }
        objName = entity.getFunctionName();
        className = entity.getClassName();
        break;
      case DUMMYPARTITION:
      case PARTITION:
        // Not currently handled: no object is emitted for partition entities.
        continue;
      case SERVICE_NAME:
        objName = entity.getServiceName();
        break;
      default:
        // Fail closed: an unmapped type must not silently produce an unchecked object.
        throw new AssertionError("Unexpected object type");
    }

    HivePrivObjectActionType actionType = AuthorizationUtils.getActionType(entity);
    result.add(new HivePrivilegeObject(objType, dbName, objName, partKeys, columns, actionType, null, className));
  }
  return result;
}

/**
 * Returns true for entities that are deliberately not submitted to the authorizer:
 * dummy entities, read entities that are not direct (see ReadEntity.isDirect), and
 * write entities pointing at temporary URIs.
 */
private static boolean isExemptFromAuthorization(Entity entity) {
  if (entity.isDummy()) {
    return true;
  }
  if (entity instanceof ReadEntity && !((ReadEntity) entity).isDirect()) {
    return true;
  }
  return entity instanceof WriteEntity && ((WriteEntity) entity).isTempURI();
}