
Example 1 with RangerResourceACLs

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs in project ranger by apache.

From class RangerBasePlugin, method getResourceACLs.

/**
 * Resolves the ACLs of the resource named in {@code request}.
 * <p>
 * The base policy engine (when one is loaded) is asked first. Every chained plugin is then
 * consulted in order: a chained plugin that is configured to authorize on its own
 * ({@code isAuthorizeOnlyWithChainedPlugin()}) replaces the base result and ends the walk;
 * any other chained plugin's ACLs are merged into the base result, but only when the base
 * engine produced one. A chained plugin that returns {@code null} is skipped.
 *
 * @param request    the access request describing the resource
 * @param policyType the policy type to evaluate, passed through to the engine and the chained plugins
 * @return the resolved ACLs, or {@code null} when no policy engine is loaded and no chained
 *         plugin took over the decision
 */
public RangerResourceACLs getResourceACLs(RangerAccessRequest request, Integer policyType) {
    // Read the engine reference once so the whole call works against a single engine
    // instance. NOTE(review): relies on the field being safely published (e.g. volatile) — confirm.
    RangerPolicyEngine engine = this.policyEngine;
    RangerResourceACLs ret = (engine == null) ? null : engine.getResourceACLs(request, policyType);

    for (RangerChainedPlugin chainedPlugin : chainedPlugins) {
        RangerResourceACLs chainedACLs = chainedPlugin.getResourceACLs(request, policyType);

        if (chainedACLs == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Chained-plugin returned null ACLs!!");
            }
            continue;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Chained-plugin returned non-null ACLs!!");
        }

        if (chainedPlugin.isAuthorizeOnlyWithChainedPlugin()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Chained-plugin is configured to ignore Base-plugin's ACLs");
            }
            // The chained plugin owns the decision: its ACLs win and later plugins are not consulted.
            ret = chainedACLs;
            break;
        }

        // Chained ACLs are folded into the base result only when the base engine produced one;
        // with no base result the chained ACLs are dropped. NOTE(review): confirm this is intended.
        if (ret != null) {
            ret = getMergedResourceACLs(ret, chainedACLs);
        }
    }

    return ret;
}

Example 2 with RangerResourceACLs

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs in project ranger by apache.

From class RangerHivePlugin, method getRangerResourceACLs.

/**
 * Looks up the Ranger ACLs of a Hive object.
 * <p>
 * The object is translated into a {@code RangerHiveResource} (using the metastore client),
 * wrapped in an {@code ANY_ACCESS} request with no user, groups or access-time context, and
 * handed to the Hive plugin.
 *
 * @param hiveObject the Hive object whose ACLs are requested
 * @return whatever the plugin reports for the resource; may be {@code null} when the plugin has
 *         no ACLs for it
 */
private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
    }

    RangerHiveResource resource = createHiveResource(hiveObject, getMetaStoreClient());
    // ANY_ACCESS with no user/group context: the plugin is asked for the full ACL set, not a decision.
    RangerAccessRequestImpl aclRequest = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
    RangerResourceACLs acls = hivePlugin.getResourceACLs(aclRequest);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "], Computed ACLS:[" + acls + "]");
    }

    return acls;
}

Example 3 with RangerResourceACLs

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs in project ranger by apache.

From class RangerHivePlugin, method getHivePrivilegeInfos.

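/**
 * Builds the {@link HivePrivilegeInfo} entries backing SHOW GRANT for {@code privObj}.
 * <p>
 * When {@code principal} is given, only the grants of that user (including grants held through
 * the groups returned by {@link #getPrincipalGroup}) or of that role are reported; when it is
 * {@code null}, the grants of every user, group and role that Ranger reports for the resource
 * are returned. Every reported grant is attributed to the Ranger policy that produced it;
 * privileges with no backing policy are omitted.
 * <p>
 * NOTE(review): nothing in this method restricts which caller may enumerate the ACLs of all
 * principals (the {@code principal == null} case); that check is presumably done by the caller — confirm.
 *
 * @param principal the user or role being queried, or {@code null} for all principals
 * @param privObj   the Hive object whose grants are requested
 * @return the grants found; an empty list when the object reference has no database name or
 *         Ranger reports no ACLs for it (never {@code null})
 * @throws HiveAuthzPluginException if any step fails; the original exception is kept as the cause
 */
private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    List<HivePrivilegeInfo> ret = new ArrayList<>();

    try {
        HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

        // Without a database name there is no resource to look up; report nothing.
        if (msObjRef == null || msObjRef.getDbName() == null) {
            return ret;
        }

        // when resource is specified in the show grants, acl will be for that resource / user / groups
        HivePrivilegeObject.HivePrivilegeObjectType objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
        String dbName = msObjRef.getDbName();
        String objectName = msObjRef.getObjectName();
        String columnName = (msObjRef.getColumnName() == null) ? "" : msObjRef.getColumnName();
        List<String> partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();

        RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(new HivePrivilegeObject(objectType, dbName, objectName));

        if (rangerResourceACLs == null) {
            return ret;
        }

        Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
        Map<String, Map<String, RangerResourceACLs.AccessResult>> roleRangerACLs = rangerResourceACLs.getRoleACLs();

        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = convertRangerACLsToHiveACLs(userRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
        Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = convertRangerACLsToHiveACLs(roleRangerACLs);

        if (principal != null) {
            if (principal.getType() == HivePrincipal.HivePrincipalType.USER) {
                String user = principal.getName();

                addPrivilegeInfos(ret, principal, user, userPermissions, userRangerACLs,
                                  objectType, dbName, objectName, columnName, partValues);

                // Grants the user holds through group membership are reported under the user principal itself.
                for (String group : getPrincipalGroup(user)) {
                    addPrivilegeInfos(ret, principal, group, groupPermissions, groupRangerACLs,
                                      objectType, dbName, objectName, columnName, partValues);
                }
            } else if (principal.getType() == HivePrincipal.HivePrincipalType.ROLE) {
                String role = principal.getName();

                addPrivilegeInfos(ret, principal, role, rolePermissions, roleRangerACLs,
                                  objectType, dbName, objectName, columnName, partValues);
            }
        } else {
            // Request is for all the ACLs on a resource
            for (String user : userRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER), user, userPermissions, userRangerACLs,
                                  objectType, dbName, objectName, columnName, partValues);
            }

            for (String group : groupRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP), group, groupPermissions, groupRangerACLs,
                                  objectType, dbName, objectName, columnName, partValues);
            }

            for (String role : roleRangerACLs.keySet()) {
                addPrivilegeInfos(ret, new HivePrincipal(role, HivePrincipal.HivePrincipalType.ROLE), role, rolePermissions, roleRangerACLs,
                                  objectType, dbName, objectName, columnName, partValues);
            }
        }
    } catch (Exception e) {
        // Boundary of the Hive authz plugin API: everything is surfaced as HiveAuthzPluginException, cause preserved.
        throw new HiveAuthzPluginException("hive showPrivileges" + ": " + e.getMessage(), e);
    }

    return ret;
}

/**
 * Appends to {@code ret} one {@link HivePrivilegeInfo} per privilege that {@code hivePermissions}
 * records for {@code name} and that can be traced back to a Ranger policy. Privileges for which
 * {@link #getRangerPolicy} yields {@code null} are skipped.
 *
 * @param ret             list the grants are added to
 * @param hivePrincipal   principal the grants are reported under (not necessarily the one named by {@code name})
 * @param name            user, group or role name used to look up both maps
 * @param hivePermissions Hive-side permissions keyed by principal name; a missing entry adds nothing
 * @param rangerACLs      Ranger access results keyed by principal name, used to resolve the backing policy
 * @param objectType      type of the resource the grants apply to
 * @param dbName          database of the resource
 * @param objectName      object name within the database
 * @param columnName      column of the resource, or {@code ""} when not column-scoped
 * @param partValues      partition values of the resource, possibly empty
 */
private void addPrivilegeInfos(List<HivePrivilegeInfo> ret, HivePrincipal hivePrincipal, String name,
                               Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> hivePermissions,
                               Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs,
                               HivePrivilegeObject.HivePrivilegeObjectType objectType, String dbName, String objectName,
                               String columnName, List<String> partValues) {
    Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> hiveACLs = hivePermissions.get(name);

    if (hiveACLs == null) {
        return;
    }

    Map<String, RangerResourceACLs.AccessResult> accessResult = rangerACLs.get(name);

    for (HiveResourceACLs.Privilege privilege : hiveACLs.keySet()) {
        RangerPolicy policy = getRangerPolicy(accessResult, privilege.name());

        // Only grants that a concrete Ranger policy accounts for are reported.
        if (policy != null) {
            String aclname = getPermission(privilege, accessResult, policy);

            ret.add(createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy));
        }
    }
}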

Example 4 with RangerResourceACLs

use of org.apache.ranger.plugin.policyengine.RangerResourceACLs in project ranger by apache.

From class RangerHivePolicyProvider, method getResourceACLs.

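/**
 * Computes the Hive-facing ACLs of {@code hiveResource} from the Ranger plugin.
 * <p>
 * The resource is wrapped in an {@code ANY_ACCESS} request with no user, groups or access-time
 * context, the plugin's ACLs are fetched, and the user and group entries are converted into
 * Hive privileges. Role ACLs reported by Ranger are not forwarded by this method.
 *
 * @param hiveResource the resource whose ACLs are requested
 * @return the user and group permissions of the resource; both maps are empty when the plugin
 *         reports no ACLs at all
 */
public HiveResourceACLs getResourceACLs(RangerHiveResource hiveResource) {
    RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
    RangerResourceACLs acls = rangerPlugin.getResourceACLs(request);

    if (LOG.isDebugEnabled()) {
        LOG.debug("HiveResource:[" + hiveResource.getAsString() + "], Computed ACLS:[" + acls + "]");
    }

    Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions;
    Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions;

    if (acls == null) {
        // The base plugin returns null ACLs when no policy engine is loaded and no chained plugin
        // took over; report no permissions rather than fail with a NullPointerException.
        // NOTE(review): assumes the one-argument getResourceACLs overload delegates to that lookup — confirm.
        userPermissions = new HashMap<>();
        groupPermissions = new HashMap<>();
    } else {
        userPermissions = convertRangerACLsToHiveACLs(acls.getUserACLs());
        groupPermissions = convertRangerACLsToHiveACLs(acls.getGroupACLs());
    }

    return new RangerHiveResourceACLs(userPermissions, groupPermissions);
}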
