Java Code Examples for org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext

The following examples show how org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext is used in open-source projects (Apache Ranger and Apache Sentry). The context carries the text of the statement being authorized plus the client IP address and any forwarded addresses; the examples below copy these into authorization requests and audit records. The command text is authored by the client and the forwarded addresses presumably originate from a proxy, so neither should be relied on for a policy decision without validation.
Example 1
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Builds a Ranger access request for a role-management operation. The resource is the
 * global "*" Hive object rather than a specific database or table.
 *
 * The role and user lists are folded into a synthetic command string that is set on a
 * fresh HiveAuthzContext; that is the only field of the context populated here, and it is
 * what RangerHiveAccessRequest copies into its request data. Groups, roles and the session
 * context are left null on the request, and the client/remote IP are both taken from
 * getRemoteIp().
 *
 * @param userOrGrantor     user (or grantor) the request is evaluated for
 * @param roleUsers         users named by the role operation, rendered via createUserString
 * @param hiveOperationType Hive operation being performed; also used as the request action
 * @param accessType        Ranger access type to evaluate
 * @param roleNames         roles named by the operation, rendered via createRoleString
 * @return a populated request with cluster name, action and IP addresses set
 */
private RangerHiveAccessRequest createRangerHiveAccessRequest(String userOrGrantor, List<String> roleUsers, HiveOperationType hiveOperationType, HiveAccessType accessType, List<String> roleNames) {
	// Describe the operation as text so it shows up as request data / in audit.
	String roleList = createRoleString(roleNames);
	String userList = createUserString(roleUsers);
	String command  = getCommandString(hiveOperationType, userList, roleList);

	HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
	if (command == null) {
		contextBuilder.setCommandString(StringUtils.EMPTY);
	} else {
		contextBuilder.setCommandString(command);
	}
	HiveAuthzContext authzContext = contextBuilder.build();

	RangerHiveResource      globalResource = new RangerHiveResource(HiveObjectType.GLOBAL, "*");
	RangerHiveAccessRequest request        = new RangerHiveAccessRequest(globalResource, userOrGrantor, null, null, hiveOperationType, accessType, authzContext, null);

	request.setClusterName(hivePlugin.getClusterName());
	request.setAction(hiveOperationType.name());
	request.setClientIPAddress(getRemoteIp());
	request.setRemoteIPAddress(getRemoteIp());

	return request;
}
 
Example 2
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Derives databaseName (and optionally tableName) for this HiveObj from the raw command
 * text carried by the context.
 *
 * The command string is trimmed, split on whitespace, and the third token is taken as the
 * object name. A dotted token is broken into database and table by splitDBName; any other
 * token becomes the database name and tableName is cleared. Nothing is changed when the
 * context or its command string is null, or when the command has fewer than three tokens.
 *
 * NOTE(review): this is a positional parse of the SQL text, not of Hive's parsed objects.
 * Quoted/backticked identifiers, comments, or extra keywords before the object name would
 * shift or pollute the extracted name, so treat the result as a best-effort hint and
 * confirm callers do not rely on it alone for an authorization decision.
 *
 * @param context authorization context supplying the command string; may be null
 */
private void fetchHiveObj(HiveAuthzContext context) {
	if (context == null) {
		return;
	}

	String command = context.getCommandString();
	if (command == null) {
		return;
	}

	String[] tokens = command.trim().split("\\s+");
	if (ArrayUtils.isEmpty(tokens) || tokens.length <= 2) {
		return;
	}

	String objectName = tokens[2];
	if (!objectName.contains(".")) {
		databaseName = objectName;
		tableName    = null;
		return;
	}

	// "db.table" form: let splitDBName break it apart.
	String[] parts = splitDBName(objectName);
	databaseName = parts[0];
	tableName    = parts[1];
}
 
Example 3
Source Project: ranger   Source File: RangerHiveAccessRequest.java    License: Apache License 2.0
/**
 * Creates a request for the given resource and principal, copying from the Hive
 * authorization and session contexts the pieces Ranger policy evaluation and audit use.
 *
 * From the HiveAuthzContext (when present): the command string becomes the request data,
 * and the IP address and forwarded addresses become the remote-address information.
 * From the session context (when present): the client type (as a string) and the session
 * string. The access time is stamped with "now".
 *
 * NOTE(review): the forwarded addresses presumably originate from a proxy header and are
 * client-influenced; they are fine for audit, but confirm before using them in policy
 * conditions.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the user; may be null
 * @param userRoles      roles of the user; may be null
 * @param hiveOpTypeName operation name, stored as the request action
 * @param accessType     Ranger Hive access type being evaluated
 * @param context        Hive authorization context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
							   String                  user,
							   Set<String>             userGroups,
							   Set<String>             userRoles,
							   String                  hiveOpTypeName,
							   HiveAccessType          accessType,
							   HiveAuthzContext        context,
							   HiveAuthzSessionContext sessionContext) {
	setResource(resource);
	setUser(user);
	setUserGroups(userGroups);
	setUserRoles(userRoles);
	setAccessTime(new Date());
	setAction(hiveOpTypeName);
	setHiveAccessType(accessType);

	if (context != null) {
		// Request data is the raw statement text; addresses come straight from the context.
		setRequestData(context.getCommandString());
		setForwardedAddresses(context.getForwardedAddresses());
		setRemoteIPAddress(context.getIpAddress());
	}

	if (sessionContext != null) {
		Object clientType = sessionContext.getClientType();
		if (clientType != null) {
			setClientType(clientType.toString());
		} else {
			setClientType(null);
		}
		setSessionId(sessionContext.getSessionString());
	}
}
 
Example 4
Source Project: ranger   Source File: RangerHiveAccessRequest.java    License: Apache License 2.0
/**
 * Convenience constructor taking the Hive operation type directly; delegates to the
 * String-based constructor with {@code hiveOpType.name()} as the request action.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the user; may be null
 * @param userRoles      roles of the user; may be null
 * @param hiveOpType     Hive operation being performed; must not be null
 * @param accessType     Ranger Hive access type being evaluated
 * @param context        Hive authorization context; may be null
 * @param sessionContext Hive session context; may be null
 * @throws NullPointerException if {@code hiveOpType} is null ({@code name()} is called unguarded)
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
		   String                  user,
		   Set<String>             userGroups,
		   Set<String>             userRoles,
		   HiveOperationType       hiveOpType,
		   HiveAccessType          accessType,
		   HiveAuthzContext        context,
		   HiveAuthzSessionContext sessionContext) {
	this(resource, user, userGroups, userRoles, hiveOpType.name(), accessType, context, sessionContext);
}
 
Example 5
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Asks the Ranger plugin for the row-filter expression, if any, that applies to the
 * current user on the given table or view.
 *
 * A SELECT request on the TABLE resource is evaluated against the row-filter policies
 * (hivePlugin.evalRowFilterPolicies); the filter expression is returned only when
 * isRowFilterEnabled(result) is true. The audit handler that collected the evaluation is
 * always flushed, even if evaluation throws.
 *
 * @param context         authorization context of the query being compiled; passed through
 *                        to the request (may be null)
 * @param databaseName    database of the table/view
 * @param tableOrViewName table or view name
 * @return the filter expression, or null when no row filter applies
 * @throws SemanticException if the current user's UGI is not available
 */
private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
	UserGroupInformation currentUser = getCurrentUserGroupInfo();
	if (currentUser == null) {
		throw new SemanticException("user information not available");
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
	}

	String                 filterExpr = null;
	RangerHiveAuditHandler audit      = new RangerHiveAuditHandler();

	try {
		// Same lookup order as the mask-policy path: session, user, groups, roles.
		HiveAuthzSessionContext session  = getHiveAuthzSessionContext();
		String                  userName = currentUser.getShortUserName();
		Set<String>             groups   = Sets.newHashSet(currentUser.getGroupNames());
		Set<String>             roles    = getCurrentRoles();

		RangerHiveResource      resource = new RangerHiveResource(HiveObjectType.TABLE, databaseName, tableOrViewName);
		RangerHiveAccessRequest request  = new RangerHiveAccessRequest(resource, userName, groups, roles, HiveObjectType.TABLE.name(), HiveAccessType.SELECT, context, session);

		RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, audit);
		if (isRowFilterEnabled(result)) {
			filterExpr = result.getFilterExpr();
		}
	} finally {
		audit.flushAudit();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + filterExpr);
	}

	return filterExpr;
}
 
Example 6
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
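/**
 * Renders a checkPrivileges call as a single-line, JSON-like string for debug logging.
 *
 * Includes the operation type, the input/output objects (via the list toString helper),
 * the client type, command string, IP address, forwarded addresses and session string
 * taken from the two contexts, and the current user's name and groups. A null context,
 * session context or UGI renders as "null" fields instead of failing.
 *
 * Fix: getCurrentUserGroupInfo() was dereferenced unguarded here, although the same class
 * treats a null result as possible (getRowFilterExpression throws on it). A null UGI now
 * renders as user "null" with an empty group list rather than throwing a
 * NullPointerException from inside a log statement.
 *
 * NOTE(review): 'commandString' is the full statement text, so this output carries any
 * literals the statement contained; keep it confined to debug-level logging.
 *
 * @param hiveOpType     Hive operation being checked
 * @param inputHObjs     input objects of the operation
 * @param outputHObjs    output objects of the operation
 * @param context        Hive authorization context; may be null
 * @param sessionContext Hive session context; may be null
 * @return the formatted description
 */
private String toString(HiveOperationType         hiveOpType,
						List<HivePrivilegeObject> inputHObjs,
						List<HivePrivilegeObject> outputHObjs,
						HiveAuthzContext          context,
						HiveAuthzSessionContext   sessionContext) {
	StringBuilder sb = new StringBuilder();

	sb.append("'checkPrivileges':{");
	sb.append("'hiveOpType':").append(hiveOpType);

	sb.append(", 'inputHObjs':[");
	toString(inputHObjs, sb);
	sb.append("]");

	sb.append(", 'outputHObjs':[");
	toString(outputHObjs, sb);
	sb.append("]");

	sb.append(", 'context':{");
	sb.append("'clientType':").append(sessionContext == null ? "null" : sessionContext.getClientType());
	sb.append(", 'commandString':").append(context == null ? "null" : context.getCommandString());
	sb.append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress());
	sb.append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "));
	sb.append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString());
	sb.append("}");

	// This is a logging helper: a missing UGI must not turn into an NPE here.
	UserGroupInformation ugi = this.getCurrentUserGroupInfo();
	sb.append(", 'user':").append(ugi == null ? "null" : ugi.getUserName());
	sb.append(", 'groups':[").append(ugi == null ? "" : StringUtil.toString(ugi.getGroupNames())).append("]");
	sb.append("}");

	return sb.toString();
}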
 
Example 7
Source Project: incubator-sentry   Source File: DefaultSentryValidator.java    License: Apache License 2.0
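/**
 * Filters the objects returned by a SHOW-style command down to those the current user
 * holds some privilege on.
 *
 * The type of the first element decides which filter runs (DATABASE or TABLE_OR_VIEW);
 * lists of any other type are returned untouched. The authz binding opened for filtering
 * is always closed.
 *
 * Fix: failures now fail closed. Previously any exception was logged at debug level and
 * the unfiltered input list was returned, so a broken or unreachable authorization
 * backend exposed every database/table name to the caller. An exception now yields an
 * empty list and is logged at error level with its stack trace.
 *
 * @param listObjs objects produced by the list command; may be null or empty
 * @param context  authorization context of the command (not consulted here)
 * @return the filtered list; the input itself when no filtering applies; an empty list
 *         when filtering failed
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  if (listObjs == null || listObjs.isEmpty()) {
    return listObjs;
  }

  HivePrivilegeObjectType pType = listObjs.get(0).getType();
  HiveAuthzBinding hiveAuthzBinding = null;
  try {
    switch (pType) {
      case DATABASE:
        hiveAuthzBinding = getAuthzBinding();
        return filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
      case TABLE_OR_VIEW:
        hiveAuthzBinding = getAuthzBinding();
        return filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
      default:
        return listObjs;
    }
  } catch (Exception e) {
    // Fail closed: never hand back the unfiltered list when authorization could not be evaluated.
    LOG.error("filterListCmdObjects: failed to filter " + pType + " objects; returning an empty list", e);
    return new java.util.ArrayList<HivePrivilegeObject>();
  } finally {
    if (hiveAuthzBinding != null) {
      hiveAuthzBinding.close();
    }
  }
}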
 
Example 8
Source Project: ranger   Source File: RangerHiveAccessRequest.java    License: Apache License 2.0
/**
 * Constructor for metadata operations: delegates to the String-based constructor with the
 * fixed action "METADATA OPERATION" and access type {@code HiveAccessType.USE}.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param groups         groups of the user; may be null
 * @param roles          roles of the user; may be null
 * @param context        Hive authorization context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
	this(resource, user, groups, roles, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
 
Example 9
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
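/**
 * Applies Ranger row-filter and column-mask policies to the table/view objects of a query.
 *
 * For every TABLE_OR_VIEW object (a null type is treated as TABLE_OR_VIEW) the row-filter
 * expression is looked up via getRowFilterExpression and, when the object lists columns, a
 * cell-value transformer is resolved per column via
 * addCellValueTransformerAndCheckIfTransformed. Only objects that received a row filter or
 * at least one masked column are returned; objects of other types are skipped.
 *
 * Fix: the debug log lines dereferenced {@code hiveObjs} before the null check that the body
 * itself performs (CollectionUtils.isNotEmpty), so a null list threw at debug level; the
 * count is now computed null-safely. The perf trace is also logged in a finally block so it
 * is not lost when policy evaluation throws.
 *
 * @param queryContext authorization context of the query being compiled
 * @param hiveObjs     objects referenced by the query; may be null or empty
 * @return the subset of {@code hiveObjs} that need row filtering or column masking
 * @throws SemanticException propagated from policy evaluation (e.g. user info unavailable)
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
	List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

	// Null-safe: the list is only guarded against null further down.
	int objCount = (hiveObjs == null) ? 0 : hiveObjs.size();

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
	}

	RangerPerfTracer perf = null;

	if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
	}

	try {
		if(CollectionUtils.isNotEmpty(hiveObjs)) {
			for (HivePrivilegeObject hiveObj : hiveObjs) {
				HivePrivilegeObjectType hiveObjType = hiveObj.getType();

				if(hiveObjType == null) {
					hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
				}

				if(LOG.isDebugEnabled()) {
					LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
				}

				boolean needToTransform = false;

				if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
					String database = hiveObj.getDbname();
					String table    = hiveObj.getObjectName();

					String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

					if (StringUtils.isNotBlank(rowFilterExpr)) {
						if(LOG.isDebugEnabled()) {
							LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
						}

						hiveObj.setRowFilterExpression(rowFilterExpr);
						needToTransform = true;
					}

					if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
						// One transformer per column, positionally aligned with hiveObj.getColumns().
						List<String> columnTransformers = new ArrayList<String>();

						for (String column : hiveObj.getColumns()) {
							boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

							if(LOG.isDebugEnabled()) {
								LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
							}

							needToTransform = needToTransform || isColumnTransformed;
						}

						hiveObj.setCellValueTransformers(columnTransformers);
					}
				}

				if (needToTransform) {
					ret.add(hiveObj);
				}
			}
		}
	} finally {
		// Always record the perf trace, even when evaluation throws (log() tolerates a null tracer).
		RangerPerfTracer.log(perf);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
	}

	return ret;
}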
 
Example 10
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Resolves the cell-value transformer for one column and appends it to
 * {@code columnTransformers}.
 *
 * A SELECT request on the COLUMN resource is evaluated against the data-mask policies
 * (hivePlugin.evalDataMaskPolicies). When isDataMaskEnabled(result) is true the transformer
 * is derived from the result (see resolveMaskTransformer); otherwise the bare column name is
 * appended, so the list stays positionally aligned with the caller's column list. The audit
 * handler is always flushed, even if evaluation throws.
 *
 * NOTE(review): mask expressions come from the Ranger policy and are spliced into the query
 * with {@code {col}} replaced by the raw column name, with no quoting or escaping applied.
 * Column names arrive from Hive's parsed objects (see the caller), but confirm that is the
 * only path by which they reach this method.
 *
 * @param context            authorization context of the query being compiled
 * @param databaseName       database of the table/view
 * @param tableOrViewName    table or view name
 * @param columnName         column being resolved
 * @param columnTransformers output list; exactly one entry is appended per call
 * @return true if a mask applies to the column, false otherwise
 * @throws SemanticException if the current user's UGI is not available
 */
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
	UserGroupInformation currentUser = getCurrentUserGroupInfo();
	if (currentUser == null) {
		throw new SemanticException("user information not available");
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
	}

	boolean masked      = false;
	String  transformer = columnName;

	RangerHiveAuditHandler audit = new RangerHiveAuditHandler();

	try {
		HiveAuthzSessionContext session  = getHiveAuthzSessionContext();
		String                  userName = currentUser.getShortUserName();
		Set<String>             groups   = Sets.newHashSet(currentUser.getGroupNames());
		Set<String>             roles    = getCurrentRoles();

		RangerHiveResource      resource = new RangerHiveResource(HiveObjectType.COLUMN, databaseName, tableOrViewName, columnName);
		RangerHiveAccessRequest request  = new RangerHiveAccessRequest(resource, userName, groups, roles, HiveObjectType.COLUMN.name(), HiveAccessType.SELECT, context, session);

		RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, audit);

		masked = isDataMaskEnabled(result);
		if (masked) {
			transformer = resolveMaskTransformer(result, columnName);
		}
	} finally {
		audit.flushAudit();
	}

	columnTransformers.add(transformer);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + masked);
	}

	return masked;
}

/**
 * Turns a positive data-mask result into the expression Hive should substitute for the
 * column.
 *
 * MASK_TYPE_NULL yields the literal "NULL"; MASK_TYPE_CUSTOM uses the policy's masked value
 * (or "NULL" when it is missing); any other type uses the mask-type definition's
 * transformer when one is present. In the custom and transformer cases {@code {col}} is
 * replaced by the column name. When none of these apply the column name itself is returned.
 *
 * @param result     a result for which isDataMaskEnabled returned true
 * @param columnName column the mask applies to
 * @return the transformer expression, or the column name if no expression could be built
 */
private String resolveMaskTransformer(RangerAccessResult result, String columnName) {
	String                maskType    = result.getMaskType();
	RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
	String                transformer = (maskTypeDef == null) ? null : maskTypeDef.getTransformer();

	if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
		return "NULL";
	}

	if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
		String maskedValue = result.getMaskedValue();
		return (maskedValue == null) ? "NULL" : maskedValue.replace("{col}", columnName);
	}

	if (StringUtils.isNotEmpty(transformer)) {
		return transformer.replace("{col}", columnName);
	}

	return columnName;
}
 
Example 11
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Builds a HiveObj by parsing the context's command string (see fetchHiveObj) to populate
 * databaseName and tableName. Both stay unset when the context or its command string is
 * null or the command has fewer than three whitespace-separated tokens.
 *
 * @param context authorization context supplying the command string; may be null
 */
HiveObj(HiveAuthzContext context) {
 fetchHiveObj(context);
}
 
Example 12
Source Project: incubator-sentry   Source File: SentryHiveAuthorizer.java    License: Apache License 2.0
/**
 * Delegates the privilege check to the configured validator; no filtering or caching is
 * done here. A denial surfaces as the HiveAccessControlException thrown by the validator.
 *
 * @param hiveOpType  Hive operation being attempted
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes or creates
 * @param context     authorization context (command string, client address) of the operation
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
}
 
Example 13
Source Project: incubator-sentry   Source File: SentryHiveAuthorizer.java    License: Apache License 2.0
/**
 * Delegates list-command filtering to the configured validator and returns its result
 * unchanged.
 *
 * @param listObjs objects produced by the list command
 * @param context  authorization context of the command
 * @return whatever the validator returns; the validator decides what happens when
 *         authorization cannot be evaluated
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
  return authValidator.filterListCmdObjects(listObjs, context);
}
 
Example 14
/**
 * Checks whether the current user may perform the operation {@code hiveOpType} on the
 * given input and output objects. Implementations deny the operation by throwing rather
 * than by returning a value.
 *
 * @param hiveOpType  Hive operation being attempted
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes or creates
 * @param context     authorization context (command string, client address) of the operation
 * @throws HiveAuthzPluginException   if the authorization plugin itself fails
 * @throws HiveAccessControlException to deny the operation
 */
@Override
public abstract void checkPrivileges(HiveOperationType hiveOpType,
    List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs,
    HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException;
 
Example 15
/**
 * Filters the result objects of a list/show command according to the current user's
 * permissions: objects the user holds no privilege on are removed.
 *
 * This method declares no checked exceptions, so an implementation must decide what to
 * return when authorization cannot be evaluated; returning the unfiltered input would
 * disclose object names the user is not entitled to see.
 *
 * @param listObjs objects produced by the list command
 * @param context  authorization context of the command
 * @return the objects the current user is allowed to see
 */
@Override
public abstract List<HivePrivilegeObject> filterListCmdObjects(
    List<HivePrivilegeObject> listObjs, HiveAuthzContext context);