Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant in project ranger by apache: the method getRoleGrantInfoForPrincipal (implements Hive's SHOW ROLE GRANT for a principal).
The listing labels the class RangerHivePlugin; the code's own log prefixes name RangerHiveAuthorizer, which holds a RangerHivePlugin in its hivePlugin field.
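@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException {
    /*
     * Lists the Ranger roles granted to the given principal (SHOW ROLE GRANT).
     *
     * Authorization: a Ranger service admin may inspect any principal; any other caller may
     * only inspect a principal whose name equals the caller's own short user name.
     *
     * Every attempt that gets past the plugin/UGI sanity checks is audited as a
     * SHOW_ROLE_GRANT event, whether it succeeds, is denied, or fails.
     *
     * @param principal the USER, GROUP or ROLE principal to look up
     * @return the grants found; empty when the principal holds no roles
     * @throws HiveAuthzPluginException   when the plugin is not initialized or a lookup fails
     * @throws HiveAccessControlException when the caller's UGI is unavailable or the caller is
     *                                    not permitted to inspect this principal
     */
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() for Principal: " + principal);
    }

    // Fail fast before dereferencing hivePlugin. The original built the audit handler from
    // hivePlugin.getConfig() ahead of this check, so an uninitialized plugin surfaced as a
    // NullPointerException instead of the intended HiveAuthzPluginException.
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): HivePlugin initialization failed...");
    }

    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): User information not available...");
    }

    List<HiveRoleGrant>    ret             = new ArrayList<>();
    List<String>           principalInfo   = null;
    List<String>           userNames       = null;
    RangerHiveAuditHandler auditHandler    = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean                result          = false;
    String                 currentUserName = ugi.getShortUserName();

    try {
        String principalName = principal.getName();
        String type          = principal.getType().name();

        // Filled in before the permission check so a denial is audited with the caller's
        // identity and the principal that was requested.
        userNames     = Arrays.asList(currentUserName);
        principalInfo = Collections.singletonList(principal.getType() + " " + principalName);

        // Non-admins may only look at "themselves". NOTE(review): the comparison ignores the
        // principal type, so a non-admin user can also list the grants of a GROUP or ROLE
        // that happens to share their user name — confirm this is intended.
        if (!hivePlugin.isServiceAdmin(currentUserName) && !principalName.equals(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: user information not available");
        }

        Set<RangerRole> roles = hivePlugin.getRangerRoleForPrincipal(principalName, type);

        if (CollectionUtils.isNotEmpty(roles)) {
            switch (type) {
                case "USER":
                case "GROUP":
                case "ROLE":
                    // All three principal types are reported the same way: the principal is
                    // a non-admin member of each role returned for it.
                    for (RangerRole rangerRole : roles) {
                        RangerRole.RoleMember member = new RangerRole.RoleMember(principalName, false);
                        ret.add(getHiveRoleGrant(rangerRole, member, type));
                    }
                    break;
                default:
                    // Unchanged from the original: any other principal type contributes no entries.
                    break;
            }
            // NOTE(review): `result` stays false when no roles were found, so an empty grant
            // list is audited like a denied request — confirm that is the intended semantics.
            result = true;
        }
    } catch (HiveAccessControlException | HiveAuthzPluginException excp) {
        // Preserve the declared exception types. The original caught Exception and rewrapped
        // everything — including the permission denial above — as HiveAuthzPluginException,
        // which turned an access-control failure into a generic plugin error for the caller.
        throw excp;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // Audit regardless of outcome (success, denial or failure).
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, principalInfo, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRoleGrantInfoForPrincipal(): Principal: " + principal + " Roles: " + ret);
    }

    return ret;
}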
Use of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant in project ranger by apache: the method getPrincipalGrantInfoForRole (implements Hive's SHOW PRINCIPALS for a role).
The listing labels the class RangerHivePlugin; the code's own log prefixes name RangerHiveAuthorizer, which holds a RangerHivePlugin in its hivePlugin field.
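@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    /*
     * Lists every principal (nested roles, groups and users) that holds the given Ranger
     * role (SHOW PRINCIPALS).
     *
     * Authorization: only a Ranger service admin may call this; every other caller is denied.
     *
     * Every attempt that gets past the plugin/UGI sanity checks is audited as a
     * SHOW_ROLE_PRINCIPALS event, whether it succeeds, is denied, or fails.
     *
     * @param roleName the role to inspect; an empty name yields an empty result
     * @return the grants found; empty when the role is unknown, has no members, or no name was given
     * @throws HiveAuthzPluginException   when the plugin is not initialized or a lookup fails
     * @throws HiveAccessControlException when the caller's UGI is unavailable or the caller is
     *                                    not a service admin
     */
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for RoleName: " + roleName);
    }

    // Fail fast before dereferencing hivePlugin. The original built the audit handler from
    // hivePlugin.getConfig() ahead of this check, so an uninitialized plugin surfaced as a
    // NullPointerException instead of the intended HiveAuthzPluginException.
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): HivePlugin initialization failed...");
    }

    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): User information not available...");
    }

    List<HiveRoleGrant>    ret             = new ArrayList<>();
    List<String>           roleNames       = Arrays.asList(roleName);
    List<String>           userNames       = null;
    RangerHiveAuditHandler auditHandler    = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean                result          = false;
    String                 currentUserName = ugi.getShortUserName();

    try {
        // Set before the permission check (as getRoleGrantInfoForPrincipal does) so that a
        // denied request is audited with the caller's identity rather than a null user list.
        userNames = Arrays.asList(currentUserName);

        // Only service admins may enumerate a role's members.
        if (!hivePlugin.isServiceAdmin(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: User not authorized to perform this operation!");
        }

        if (StringUtils.isNotEmpty(roleName)) {
            RangerRole rangerRole = getRangerRoleForRoleName(roleName);

            if (rangerRole != null) {
                // Report nested roles, then groups, then users — each member tagged with the
                // matching Hive principal type.
                for (RangerRole.RoleMember roleMember : rangerRole.getRoles()) {
                    ret.add(getHiveRoleGrant(rangerRole, roleMember, HivePrincipal.HivePrincipalType.ROLE.name()));
                }
                for (RangerRole.RoleMember group : rangerRole.getGroups()) {
                    ret.add(getHiveRoleGrant(rangerRole, group, HivePrincipal.HivePrincipalType.GROUP.name()));
                }
                for (RangerRole.RoleMember user : rangerRole.getUsers()) {
                    ret.add(getHiveRoleGrant(rangerRole, user, HivePrincipal.HivePrincipalType.USER.name()));
                }
                // NOTE(review): `result` stays false for an unknown role or empty name, so those
                // are audited like a denied request — confirm that is the intended semantics.
                result = true;
            }
        }
    } catch (HiveAccessControlException | HiveAuthzPluginException excp) {
        // Preserve the declared exception types. The original caught Exception and rewrapped
        // everything — including the permission denial above — as HiveAuthzPluginException,
        // which turned an access-control failure into a generic plugin error for the caller.
        throw excp;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // Audit regardless of outcome (success, denial or failure).
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for Rolename: " + roleName + " Roles: " + ret);
    }

    return ret;
}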