
Example 16 with HiveRoleGrant

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant in project ranger by apache.

The class RangerHivePlugin, method getRoleGrantInfoForPrincipal.

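/**
 * Returns the Ranger roles granted to {@code principal}, mapped to Hive {@link HiveRoleGrant} entries.
 *
 * <p>Authorization: a Ranger service admin may query any principal; every other caller may only
 * query a principal whose name equals the caller's own short user name. A SHOW_ROLE_GRANT audit
 * event is built and flushed from the {@code finally} block, so denied and failed lookups are
 * audited as well (with {@code result == false}).
 *
 * @param principal the user, group or role whose role grants are requested
 * @return the grants found; empty when the principal holds no role or its type is not
 *         USER, GROUP or ROLE
 * @throws HiveAuthzPluginException if the plugin is not initialized or the lookup fails
 * @throws HiveAccessControlException if the caller's identity is unavailable or the caller is not
 *         allowed to query this principal
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() for Principal: " + principal);
    }
    // Check the plugin before dereferencing it: the audit handler below needs hivePlugin.getConfig(),
    // so constructing it first would turn a missing plugin into a NullPointerException and make this
    // check unreachable.
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    List<HiveRoleGrant> ret = new ArrayList<>();
    List<String> principalInfo = null;
    List<String> userNames = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean result = false;
    try {
        String principalName = principal.getName();
        String type = principal.getType().name();
        userNames = Collections.singletonList(currentUserName);
        principalInfo = Collections.singletonList(principal.getType() + " " + principalName);
        // Non-admins may only look up their own grants.
        if (!hivePlugin.isServiceAdmin(currentUserName) && !principalName.equals(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: User not authorized to perform this operation!");
        }
        Set<RangerRole> roles = hivePlugin.getRangerRoleForPrincipal(principalName, type);
        if (CollectionUtils.isNotEmpty(roles)) {
            // Only the three known principal types produce grants; the member record is the same for
            // all of them (the second constructor argument is presumably an isAdmin flag — confirm
            // against RangerRole.RoleMember), and the type is passed through to the grant.
            if ("USER".equals(type) || "GROUP".equals(type) || "ROLE".equals(type)) {
                RangerRole.RoleMember member = new RangerRole.RoleMember(principalName, false);
                for (RangerRole rangerRole : roles) {
                    ret.add(getHiveRoleGrant(rangerRole, member, type));
                }
            }
            result = true;
        }
    } catch (HiveAccessControlException excp) {
        // Surface denials as declared, rather than wrapping them as plugin errors, so callers
        // catching HiveAccessControlException see an authorization failure.
        throw excp;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // Always audit, whether the lookup succeeded, was denied, or failed.
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, principalInfo, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRoleGrantInfoForPrincipal(): Principal: " + principal + " Roles: " + ret);
    }
    return ret;
}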

Example 17 with HiveRoleGrant

use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant in project ranger by apache.

The class RangerHivePlugin, method getPrincipalGrantInfoForRole.

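/**
 * Returns every member (role, group and user) of the Ranger role {@code roleName} as Hive
 * {@link HiveRoleGrant} entries.
 *
 * <p>Authorization: restricted to Ranger service admins. A SHOW_ROLE_PRINCIPALS audit event is
 * built and flushed from the {@code finally} block, so denied and failed lookups are audited as
 * well (with {@code result == false}).
 *
 * @param roleName the role whose members are requested; an empty or unknown role yields an
 *        empty list
 * @return grants for the role's role members, then group members, then user members
 * @throws HiveAuthzPluginException if the plugin is not initialized or the lookup fails
 * @throws HiveAccessControlException if the caller's identity is unavailable or the caller is not
 *         a service admin
 */
@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for RoleName: " + roleName);
    }
    // Check the plugin before dereferencing it: the audit handler below needs hivePlugin.getConfig(),
    // so constructing it first would turn a missing plugin into a NullPointerException and make this
    // check unreachable.
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    List<HiveRoleGrant> ret = new ArrayList<>();
    List<String> roleNames = Collections.singletonList(roleName);
    List<String> userNames = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean result = false;
    try {
        // Listing a role's members is an admin-only operation.
        if (!hivePlugin.isServiceAdmin(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: User not authorized to perform this operation!");
        }
        userNames = Collections.singletonList(currentUserName);
        if (StringUtils.isNotEmpty(roleName)) {
            RangerRole rangerRole = getRangerRoleForRoleName(roleName);
            if (rangerRole != null) {
                // Each member kind is tagged with its Hive principal type so the caller can tell
                // them apart; order is roles, groups, users.
                for (RangerRole.RoleMember roleMember : rangerRole.getRoles()) {
                    ret.add(getHiveRoleGrant(rangerRole, roleMember, HivePrincipal.HivePrincipalType.ROLE.name()));
                }
                for (RangerRole.RoleMember groupMember : rangerRole.getGroups()) {
                    ret.add(getHiveRoleGrant(rangerRole, groupMember, HivePrincipal.HivePrincipalType.GROUP.name()));
                }
                for (RangerRole.RoleMember userMember : rangerRole.getUsers()) {
                    ret.add(getHiveRoleGrant(rangerRole, userMember, HivePrincipal.HivePrincipalType.USER.name()));
                }
                result = true;
            }
        }
    } catch (HiveAccessControlException excp) {
        // Surface denials as declared, rather than wrapping them as plugin errors, so callers
        // catching HiveAccessControlException see an authorization failure.
        throw excp;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // Always audit, whether the lookup succeeded, was denied, or failed.
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for Rolename: " + roleName + " Roles: " + ret);
    }
    return ret;
}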
