Java Code Examples for org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException

The following examples show how to use org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException. These examples are extracted from open source projects.
Example 1
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
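/**
 * Refreshes the cached user name and role set when the authenticated user has changed.
 *
 * <p>Adapted from SQLStdHiveAccessController.initUserRoles(). To aid testing through .q files
 * the authenticator is passed through the interface, so the user can switch within a session
 * and the cached identity has to be re-checked on every call.
 *
 * <p>If the role lookup fails, the cached roles are replaced with an empty set so that the
 * new user never keeps the roles that were cached for the previous user.
 */
private void initUserRoles() {
	if (LOG.isDebugEnabled()) {
		LOG.debug(" ==> RangerHiveAuthorizer.initUserRoles()");
	}
	String newUserName = getHiveAuthenticator().getUserName();
	if (Objects.equals(currentUserName, newUserName)) {
		// Same user as on the previous call: currentUserName and currentRoles stay as they are.
		return;
	}
	this.currentUserName = newUserName;
	try {
		currentRoles = getCurrentRoleNamesFromRanger();
	} catch (HiveAuthzPluginException e) {
		LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
		// Fail closed: without this reset currentRoles would still hold the previous user's
		// roles while currentUserName already names the new user.
		// NOTE(review): the user name stays cached, so the lookup is not retried until the
		// user changes again -- confirm that is acceptable for long-lived sessions.
		currentRoles = new java.util.HashSet<String>();
	}
	LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}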
 
Example 2
Source Project: ranger   Source File: RangerHiveAuthorizerBase.java    License: Apache License 2.0
/**
 * Applies the authorization-related configuration policy to a HiveServer2 session.
 *
 * <p>Mirrors SQLStdHiveAccessController.applyAuthorizationConfigPolicy(). For any other
 * client type, or when no session context is set, the configuration is left untouched.
 *
 * @param hiveConf session configuration that is updated in place
 * @throws HiveAuthzPluginException declared by the interface; not thrown by this body
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
	LOG.debug("RangerHiveAuthorizerBase.applyAuthorizationConfigPolicy()");

	boolean isHiveServer2 = mSessionContext != null
			&& mSessionContext.getClientType() == CLIENT_TYPE.HIVESERVER2;
	if (!isHiveServer2) {
		return;
	}

	// Append DisallowTransformHook to the pre-execution hooks so transform queries are rejected.
	// NOTE(review): the hook is appended even if the list already contains it.
	String configuredHooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
	String transformGuard = DisallowTransformHook.class.getName();
	String mergedHooks = configuredHooks.isEmpty()
			? transformGuard
			: configuredHooks + "," + transformGuard;
	hiveConf.setVar(ConfVars.PREEXECHOOKS, mergedHooks);

	// Presumably restricts which settings a session may change at runtime -- confirm
	// against SettableConfigUpdater.
	SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
}
 
Example 3
Source Project: ranger   Source File: RangerHiveAuthorizerFactory.java    License: Apache License 2.0
/**
 * Creates the authorizer by delegating to the wrapped factory implementation while the
 * plugin class loader is active.
 *
 * @param metastoreClientFactory passed through to the wrapped factory
 * @param conf                   passed through to the wrapped factory
 * @param hiveAuthenticator      passed through to the wrapped factory
 * @param sessionContext         passed through to the wrapped factory
 * @return the authorizer produced by the wrapped factory
 * @throws HiveAuthzPluginException if the wrapped factory fails
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
		HiveConf conf,
		HiveAuthenticationProvider hiveAuthenticator,
		HiveAuthzSessionContext sessionContext) throws HiveAuthzPluginException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}

	final HiveAuthorizer authorizer;
	try {
		activatePluginClassLoader();
		authorizer = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(
				metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
	} finally {
		// Always undo the class-loader switch, including when the delegate throws.
		deactivatePluginClassLoader();
	}

	// The exit trace is only reached when the delegate returned normally.
	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}
	return authorizer;
}
 
Example 4
Source Project: incubator-sentry   Source File: SentryAuthorizerFactory.java    License: Apache License 2.0
/**
 * Builds a Sentry-backed authorizer for the session.
 *
 * <p>Loads the Sentry authorization configuration, applies test settings to the session
 * context and rejects Hive CLI sessions that have authorization enabled. Only then are the
 * access controller and the validator created.
 *
 * @throws HiveAuthzPluginException wrapping any failure of the setup steps, or thrown by the
 *         controller/validator factories
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
  HiveAuthzSessionContext effectiveContext;
  try {
    this.authzConf = HiveAuthzBindingHook.loadAuthzConf(conf);
    effectiveContext = applyTestSettings(ctx, conf);
    // Must run before any authorizer object exists, so a rejected session gets none.
    assertHiveCliAuthDisabled(conf, effectiveContext);
  } catch (Exception e) {
    throw new HiveAuthzPluginException(e);
  }

  // Arguments are evaluated left to right: controller first, then validator.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, effectiveContext),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example 5
Source Project: incubator-sentry   Source File: SentryAuthorizerFactory.java    License: Apache License 2.0
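/**
 * Creates the access controller named by the {@code HIVE_SENTRY_ACCESS_CONTROLLER} setting.
 *
 * <p>When the setting is absent the default, {@link DefaultSentryAccessController}, is
 * constructed directly. A configured subclass is instantiated through its public
 * {@code (HiveConf, HiveAuthzConf, HiveAuthenticationProvider, HiveAuthzSessionContext)}
 * constructor, so an operator-supplied controller is actually used instead of being
 * silently replaced by the default.
 *
 * @param conf          Hive configuration the controller class is read from
 * @param authzConf     Sentry authorization configuration handed to the controller
 * @param authenticator authentication provider handed to the controller
 * @param ctx           session context handed to the controller
 * @return a new access controller instance
 * @throws HiveAuthzPluginException if no class is resolved or construction fails
 */
public static SentryHiveAccessController getAccessController(HiveConf conf,
    HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  Class<? extends SentryHiveAccessController> clazz =
      conf.getClass(HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class,
          SentryHiveAccessController.class);

  if (clazz == null) {
    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER
        + " is not set to valid SentryAccessController subclass");
  }

  try {
    if (DefaultSentryAccessController.class.equals(clazz)) {
      return new DefaultSentryAccessController(conf, authzConf, authenticator, ctx);
    }
    // NOTE(review): assumes custom controllers expose the same four-argument public
    // constructor as the default; a missing constructor surfaces as a wrapped
    // NoSuchMethodException rather than a silent fallback.
    return clazz
        .getConstructor(HiveConf.class, HiveAuthzConf.class,
            HiveAuthenticationProvider.class, HiveAuthzSessionContext.class)
        .newInstance(conf, authzConf, authenticator, ctx);
  } catch (Exception e) {
    throw new HiveAuthzPluginException(e);
  }

}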
 
Example 6
Source Project: incubator-sentry   Source File: SentryAuthorizerFactory.java    License: Apache License 2.0
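/**
 * Creates the authorization validator named by the
 * {@code HIVE_SENTRY_AUTHORIZATION_CONTROLLER} setting.
 *
 * <p>When the setting is absent the default, {@link DefaultSentryValidator}, is constructed
 * directly. A configured subclass is instantiated through its public
 * {@code (HiveConf, HiveAuthzConf, HiveAuthenticationProvider)} constructor, so an
 * operator-supplied validator is actually used instead of being silently replaced by the
 * default.
 *
 * @param conf          Hive configuration the validator class is read from
 * @param authzConf     Sentry authorization configuration handed to the validator
 * @param authenticator authentication provider handed to the validator
 * @return a new validator instance
 * @throws HiveAuthzPluginException if no class is resolved or construction fails
 */
public static SentryHiveAuthorizationValidator getAuthzValidator(HiveConf conf,
    HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator)
    throws HiveAuthzPluginException {
  Class<? extends SentryHiveAuthorizationValidator> clazz =
      conf.getClass(HIVE_SENTRY_AUTHORIZATION_CONTROLLER, DefaultSentryValidator.class,
          SentryHiveAuthorizationValidator.class);

  if (clazz == null) {
    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value "
        + HIVE_SENTRY_AUTHORIZATION_CONTROLLER
        + " is not set to valid SentryAuthorizationValidator subclass");
  }

  try {
    if (DefaultSentryValidator.class.equals(clazz)) {
      return new DefaultSentryValidator(conf, authzConf, authenticator);
    }
    // NOTE(review): assumes custom validators expose the same three-argument public
    // constructor as the default; a missing constructor surfaces as a wrapped
    // NoSuchMethodException rather than a silent fallback.
    return clazz
        .getConstructor(HiveConf.class, HiveAuthzConf.class, HiveAuthenticationProvider.class)
        .newInstance(conf, authzConf, authenticator);
  } catch (Exception e) {
    throw new HiveAuthzPluginException(e);
  }

}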
 
Example 7
/**
 * Returns the role names currently active for the authenticated user.
 *
 * <p>If the active role set is "all", the user's roles are listed through the Sentry client;
 * otherwise the explicitly active roles are returned. The Sentry client and the binding
 * opened here are closed before returning.
 *
 * @return the active role names
 * @throws HiveAuthzPluginException declared by the interface
 */
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
  List<String> activeRoles = new ArrayList<String>();
  try {
    sentryClient = getSentryClient();
    hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
    ActiveRoleSet activeRoleSet = hiveAuthzBinding.getActiveRoleSet();
    if (!activeRoleSet.isAll()) {
      activeRoles.addAll(activeRoleSet.getRoles());
    } else {
      activeRoles = convert2RoleList(sentryClient.listUserRoles(authenticator.getUserName()));
    }
  } catch (Exception e) {
    // NOTE(review): if executeOnErrorHooks returns normally, the caller receives whatever
    // was collected so far (possibly an empty list) -- confirm it always throws.
    executeOnErrorHooks("Error when sentryClient listUserRoles: " + e.getMessage(), e);
  } finally {
    if (sentryClient != null) {
      sentryClient.close();
    }
    if (hiveAuthzBinding != null) {
      hiveAuthzBinding.close();
    }
  }
  return activeRoles;
}
 
Example 8
Source Project: incubator-sentry   Source File: SimpleSemanticAnalyzer.java    License: Apache License 2.0
/**
 * Extracts the database and table targeted by a SHOW INDEX command.
 *
 * <p>The last capture group of {@code regex} is read as the database name and group 3 as the
 * table name. When no database was captured, the table text is handed to
 * {@code extractDbAndTb}.
 *
 * @param cmd   the command text to analyse
 * @param regex the pattern to apply, matched case-insensitively
 * @throws HiveAuthzPluginException if {@code cmd} does not match {@code regex}
 */
private void parseShowIndex(String cmd, String regex) throws HiveAuthzPluginException {
  Matcher showIndex = Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(cmd);
  if (!showIndex.find()) {
    throw new HiveAuthzPluginException("this command " + cmd + " is not match show index grammar");
  }

  String databaseName = showIndex.group(showIndex.groupCount());
  String tableName = showIndex.group(3);
  if (databaseName == null) {
    extractDbAndTb(tableName);
    return;
  }
  currentDb = databaseName;
  currentTb = tableName;
}
 
Example 9
Source Project: beeju   Source File: RelaxedSQLStdHiveAccessController.java    License: Apache License 2.0
/**
 * Creates the controller by passing every argument straight to the superclass constructor.
 *
 * <p>NOTE(review): the class name suggests relaxed access checks; confirm where this
 * controller is wired in before using it outside a test setup.
 *
 * @throws HiveAuthzPluginException if the superclass constructor fails
 */
public RelaxedSQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  // No state of its own: construction is entirely the superclass's.
  super(metastoreClientFactory, conf, authenticator, ctx);
}
 
Example 10
Source Project: beeju   Source File: RelaxedSQLStdHiveAuthorizerFactory.java    License: Apache License 2.0
/**
 * Creates an authorizer whose privilege manager is the relaxed access-controller wrapper.
 *
 * <p>The same wrapper instance serves as the authorizer's access controller and as the
 * privilege source of the {@code SQLStdHiveAuthorizationValidator}.
 *
 * @throws HiveAuthzPluginException if the wrapper or the validator cannot be constructed
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  RelaxedSQLStdHiveAccessControllerWrapper privilegeManager =
      new RelaxedSQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);
  SQLStdHiveAuthorizationValidator validator = new SQLStdHiveAuthorizationValidator(
      metastoreClientFactory, conf, authenticator, privilegeManager, ctx);
  return new HiveAuthorizerImpl(privilegeManager, validator);
}
 
Example 11
/**
 * Builds the wrapper through the superclass constructor, then swaps the wrapped controller
 * for a {@code RelaxedSQLStdHiveAccessController} created from the same arguments.
 *
 * @throws HiveAuthzPluginException if either construction step fails
 */
public RelaxedSQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);
  RelaxedSQLStdHiveAccessController relaxedController =
      new RelaxedSQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
  overrideHiveAccessController(relaxedController);
}
 
Example 12
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Returns a policy provider backed by the Ranger Hive plugin.
 *
 * @return a new {@code RangerHivePolicyProvider} wrapping {@code hivePlugin}
 * @throws HiveAuthzPluginException if {@code hivePlugin} is null
 */
@Override
public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
	if (hivePlugin != null) {
		return new RangerHivePolicyProvider(hivePlugin);
	}
	// NOTE(review): thrown without a message, so logs will not say the plugin was missing.
	throw new HiveAuthzPluginException();
}
 
Example 13
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
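/**
 * Drops a role on behalf of the current user and audits the attempt.
 *
 * <p>The reserved-name check upper-cases the trimmed role name with {@code Locale.ROOT}, so
 * the comparison against {@code RESERVED_ROLE_NAMES} does not depend on the JVM's default
 * locale (under some locales the default upper-casing of {@code i} is not {@code I}).
 *
 * <p>The audit event is written from the {@code finally} block and records success only when
 * the plugin call returned normally. The missing-user and reserved-name rejections happen
 * before the {@code try} and therefore do not go through that audit path.
 *
 * @param roleName name of the role to drop
 * @throws HiveAuthzPluginException if {@code roleName} is a reserved role name
 * @throws HiveAccessControlException if user information is unavailable or the drop fails
 */
@Override
public void dropRole(String roleName)
		throws HiveAuthzPluginException, HiveAccessControlException {
	if(LOG.isDebugEnabled()) {
		LOG.debug("RangerHiveAuthorizer.dropRole()");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	UserGroupInformation ugi       = getCurrentUserGroupInfo();
	boolean	             result    = false;
	List<String>	     roleNames = Arrays.asList(roleName);

	if(ugi == null) {
		throw new HiveAccessControlException("Permission denied: user information not available");
	}

	// Locale-independent casing keeps this security check stable across JVM locales.
	if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase(java.util.Locale.ROOT))) {
		throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " +
				RESERVED_ROLE_NAMES);
	}

	String currentUserName = ugi.getShortUserName();
	List<String> userNames = Arrays.asList(currentUserName);

	try {
		if(LOG.isDebugEnabled()) {
			LOG.debug("<== dropRole(): " + roleName);
		}
		hivePlugin.dropRole(currentUserName, roleName, auditHandler);
		result = true;
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Runs for success and failure alike; 'result' tells the audit record which it was.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.DROPROLE, HiveAccessType.DROP, roleNames, result);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}

}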
 
Example 14
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Returns the current session roles of the calling user and audits the lookup.
 *
 * <p>The audit event is produced in the {@code finally} block with the roles collected so
 * far and a flag that is true only when the whole lookup completed.
 *
 * @return the current role names
 * @throws HiveAuthzPluginException if user information is unavailable or the lookup fails
 */
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("RangerHiveAuthorizer.getCurrentRoleNames()");
	}

	UserGroupInformation callerUgi = getCurrentUserGroupInfo();
	if (callerUgi == null) {
		throw new HiveAuthzPluginException("User information not available");
	}

	String callerName = callerUgi.getShortUserName();
	List<String> auditedUsers = Arrays.asList(callerName);
	List<String> roleNames = new ArrayList<String>();
	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	boolean succeeded = false;
	try {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== getCurrentRoleNames() for user " + callerName);
		}
		for (String sessionRole : getCurrentRoles()) {
			roleNames.add(sessionRole);
		}
		succeeded = true;
	} catch (Exception excp) {
		throw new HiveAuthzPluginException(excp);
	} finally {
		// The same list instance that is returned is also what the audit event receives.
		RangerAccessResult auditResult = createAuditEvent(hivePlugin, callerName, auditedUsers,
				HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, roleNames, succeeded);
		auditHandler.processResult(auditResult);
		auditHandler.flushAudit();
	}
	return roleNames;
}
 
Example 15
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
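/**
 * Fetches the calling user's roles from Ranger.
 *
 * <p>Every role except the admin role is returned. The admin role, when the user holds it,
 * is kept in {@code adminRole} instead. {@code adminRole} is cleared before each lookup, so
 * an admin membership remembered from an earlier call (for a previous user, or from before
 * a revocation) does not outlive the lookup that found it.
 *
 * @return the user's non-admin role names
 * @throws HiveAuthzPluginException if user information is unavailable or the lookup fails
 */
private Set<String> getCurrentRoleNamesFromRanger() throws HiveAuthzPluginException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
	}
	UserGroupInformation ugi = getCurrentUserGroupInfo();

	if (ugi == null) {
		throw new HiveAuthzPluginException("User information not available");
	}
	Set<String> ret = new HashSet<String>();
	String user = ugi.getShortUserName();

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	try {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== getCurrentRoleNamesFromRanger() for user " + user);
		}
		// Fail closed: drop any admin membership cached by an earlier lookup, so it is only
		// set again if this lookup reports it. A failed lookup leaves it cleared.
		this.adminRole = null;
		Set<String> userRoles = new HashSet<String>(hivePlugin.getUserRoles(user, auditHandler));
		for (String role : userRoles) {
			if (!ROLE_ADMIN.equalsIgnoreCase(role)) {
				ret.add(role);
			} else {
				this.adminRole = role;
			}
		}
	} catch (Exception excp) {
		throw new HiveAuthzPluginException(excp);
	} finally {
		auditHandler.flushAudit();
	}
	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user);
	}
	return ret;
}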
 
Example 16
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Switches the session's active role set (mirrors SQLStdHiveAccessController.setCurrentRole()).
 *
 * <p>{@code NONE} clears the session roles, {@code ALL} resets them to the roles Ranger
 * reports for the user, and any other name must match one of those roles or the admin role
 * recorded for the user. Names are compared case-insensitively.
 *
 * @param roleName the requested role, or {@code NONE} / {@code ALL}
 * @throws HiveAccessControlException if the user does not belong to the requested role
 * @throws HiveAuthzPluginException if the roles cannot be fetched from Ranger
 */
@Override
public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
	initUserRoles();

	if (ROLE_NONE.equalsIgnoreCase(roleName)) {
		// SET ROLE NONE: the session keeps no roles.
		currentRoles.clear();
		return;
	}

	if (ROLE_ALL.equalsIgnoreCase(roleName)) {
		// SET ROLE ALL: back to the default roles. The clear happens before the fetch, so a
		// failed fetch leaves the session without roles.
		currentRoles.clear();
		currentRoles.addAll(getCurrentRoleNamesFromRanger());
		return;
	}

	for (String grantedRole : getCurrentRoleNamesFromRanger()) {
		if (!grantedRole.equalsIgnoreCase(roleName)) {
			continue;
		}
		// The requested role is one the user belongs to: make it the only active role.
		currentRoles.clear();
		currentRoles.add(grantedRole);
		return;
	}

	// The admin role is kept apart from the ordinary roles, so it is checked separately.
	boolean adminRequested = ROLE_ADMIN.equalsIgnoreCase(roleName);
	if (adminRequested && this.adminRole != null) {
		currentRoles.clear();
		currentRoles.add(adminRole);
		return;
	}

	LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
	// Reaching this point means the user asked for a role they do not belong to.
	throw new HiveAccessControlException(currentUserName + " doesn't belong to role " + roleName);
}
 
Example 17
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Lists all roles through the Ranger plugin on behalf of the calling user and audits the
 * request.
 *
 * @return the role names returned by the plugin
 * @throws HiveAccessControlException if user information is unavailable
 * @throws HiveAuthzPluginException if the plugin call fails
 */
@Override
public List<String> getAllRoles()
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizer.getAllRoles()");
	boolean succeeded = false;
	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	UserGroupInformation callerUgi = getCurrentUserGroupInfo();

	if (callerUgi == null) {
		throw new HiveAccessControlException("Permission denied: user information not available");
	}

	List<String> allRoles = null;
	String callerName = callerUgi.getShortUserName();
	List<String> auditedUsers = Arrays.asList(callerName);

	try {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== getAllRoles()");
		}
		allRoles = hivePlugin.getAllRoles(callerUgi.getShortUserName(), auditHandler);
		succeeded = true;
	} catch (Exception excp) {
		throw new HiveAuthzPluginException(excp);
	} finally {
		// Audited for success and failure; the event carries no role list (null).
		RangerAccessResult auditResult = createAuditEvent(hivePlugin, callerName, auditedUsers,
				HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, succeeded);
		auditHandler.processResult(auditResult);
		auditHandler.flushAudit();
	}

	return allRoles;
}
 
Example 18
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Grants privileges on a Hive object to the given principals through the Ranger plugin.
 *
 * <p>Refused outright unless {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges to grant
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the grant
 * @param grantOption      whether the grant option is requested
 * @throws HiveAuthzPluginException if GRANT/REVOKE handling is disabled
 * @throws HiveAccessControlException wrapping any failure while building or sending the request
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
		List<HivePrivilege> hivePrivileges,
		HivePrivilegeObject hivePrivObject,
		HivePrincipal grantorPrincipal,
		boolean grantOption)
		throws HiveAuthzPluginException, HiveAccessControlException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
	}

	boolean grantRevokeEnabled = RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke;
	if (!grantRevokeEnabled) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	try {
		List<HivePrivilegeObject> outputObjects = new ArrayList<>();
		outputObjects.add(hivePrivObject);
		RangerHiveResource targetResource =
				getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputObjects);
		GrantRevokeRequest grantRequest = createGrantRevokeData(
				targetResource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		// The request is logged at INFO on every call and again at DEBUG when enabled.
		LOG.info("grantPrivileges(): " + grantRequest);
		if (LOG.isDebugEnabled()) {
			LOG.debug("grantPrivileges(): " + grantRequest);
		}

		hivePlugin.grantAccess(grantRequest, auditHandler);
	} catch (Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		auditHandler.flushAudit();
	}
}
 
Example 19
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Revokes privileges on a Hive object from the given principals through the Ranger plugin.
 *
 * <p>Refused outright unless {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges to revoke
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the revoke
 * @param grantOption      whether the grant option is affected
 * @throws HiveAuthzPluginException if GRANT/REVOKE handling is disabled
 * @throws HiveAccessControlException wrapping any failure while building or sending the request
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
		List<HivePrivilege> hivePrivileges,
		HivePrivilegeObject hivePrivObject,
		HivePrincipal grantorPrincipal,
		boolean grantOption)
		throws HiveAuthzPluginException, HiveAccessControlException {
	boolean grantRevokeEnabled = RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke;
	if (!grantRevokeEnabled) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	try {
		List<HivePrivilegeObject> outputObjects = new ArrayList<>();
		outputObjects.add(hivePrivObject);
		RangerHiveResource targetResource =
				getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputObjects);
		GrantRevokeRequest revokeRequest = createGrantRevokeData(
				targetResource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		// The request is logged at INFO on every call and again at DEBUG when enabled.
		LOG.info("revokePrivileges(): " + revokeRequest);
		if (LOG.isDebugEnabled()) {
			LOG.debug("revokePrivileges(): " + revokeRequest);
		}

		hivePlugin.revokeAccess(revokeRequest, auditHandler);
	} catch (Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		auditHandler.flushAudit();
	}
}
 
Example 20
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Denies a DFS command: writes a denied audit event for it and then always throws.
 *
 * @param hiveOpType   operation being attempted; its name appears in the denial message
 * @param inputHObjs   input objects searched for the command parameters; may be null
 * @param user         user the denial is reported for
 * @param auditHandler handler that receives the audit event
 * @throws HiveAuthzPluginException declared; not thrown by this body
 * @throws HiveAccessControlException always
 */
private void handleDfsCommand(HiveOperationType hiveOpType,
		List<HivePrivilegeObject> inputHObjs,
		String user,
		RangerHiveAuditHandler auditHandler)
		throws HiveAuthzPluginException, HiveAccessControlException {

	// Take the first non-empty COMMAND_PARAMS entry; if all are empty the last one read stays.
	String dfsCommandParams = null;
	if (inputHObjs != null) {
		for (HivePrivilegeObject candidate : inputHObjs) {
			if (candidate.getType() != HivePrivilegeObjectType.COMMAND_PARAMS) {
				continue;
			}
			dfsCommandParams = StringUtil.toString(candidate.getCommandParams());
			if (!StringUtil.isEmpty(dfsCommandParams)) {
				break;
			}
		}
	}

	// Placeholder service details are used when no plugin is available.
	int    serviceType = -1;
	String serviceName = null;
	if (hivePlugin != null) {
		serviceType = hivePlugin.getServiceDefId();
		serviceName = hivePlugin.getServiceName();
	}

	// 'false' is passed as the access outcome: the event is recorded as not allowed.
	auditHandler.logAuditEventForDfs(user, dfsCommandParams, false, serviceType, serviceName);

	String denial = String.format("Permission denied: user [%s] does not have privilege for [%s] command",
			user, hiveOpType.name());
	throw new HiveAccessControlException(denial);
}
 
Example 21
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
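/**
 * Returns the privileges a principal holds on a Hive resource.
 *
 * <p>Only resource-level SHOW PRIVILEGES is supported; a request whose object reference has
 * no object name is rejected.
 *
 * @param principal principal whose privileges are listed
 * @param privObj   object the privileges are listed for
 * @return the privilege entries for the principal on the object
 * @throws HiveAuthzPluginException if the plugin is not initialised, the request is not for
 *         a Hive resource, or the lookup fails
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
											  HivePrivilegeObject privObj) throws HiveAuthzPluginException {
	List<HivePrivilegeInfo> ret;

	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==>  principal: " +  principal+ "HivePrivilegeObject : " + privObj.getObjectName());
	}

	if ( hivePlugin == null) {
		// The exception used to be constructed but never thrown, so the guard had no effect.
		throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");
	}

	try {
		HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

		if (msObjRef.getObjectName() == null) {
			throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
		}

		ret = getHivePrivilegeInfos(principal, privObj);

	} catch (Exception e) {
		// Also catches the HiveAuthzPluginException thrown just above and re-wraps it.
		LOG.error("RangerHiveAuthorizer.showPrivileges() error", e);
		throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " + e.getMessage(), e);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizer.showPrivileges() Result: " + ret);
	}

	return ret;
}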
 
Example 22
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Converts a privilege object to its Thrift object reference, translating the checked
 * {@code HiveException} into the plugin's exception type.
 *
 * @param privObj the privilege object to convert
 * @return the reference produced by {@code AuthorizationUtils}
 * @throws HiveAuthzPluginException wrapping a {@code HiveException} from the conversion
 */
static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
		throws HiveAuthzPluginException {
	final HiveObjectRef objectRef;
	try {
		objectRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
	} catch (HiveException e) {
		throw new HiveAuthzPluginException(e);
	}
	return objectRef;
}
 
Example 23
Source Project: ranger   Source File: RangerHiveAuthorizerFactory.java    License: Apache License 2.0
/**
 * Creates a {@code RangerHiveAuthorizer} for the session from the supplied arguments.
 *
 * @return a new authorizer instance
 * @throws HiveAuthzPluginException declared by the interface
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
		HiveConf conf,
		HiveAuthenticationProvider hiveAuthenticator,
		HiveAuthzSessionContext sessionContext) throws HiveAuthzPluginException {
	HiveAuthorizer authorizer =
			new RangerHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
	return authorizer;
}
 
Example 24
Source Project: ranger   Source File: RangerHiveAuthorizerBase.java    License: Apache License 2.0
/**
 * Base implementation of SHOW PRIVILEGES: reports the operation as not implemented.
 *
 * @param principal principal whose privileges were requested
 * @param privObj   object the privileges were requested for
 * @return {@code null} if {@code throwNotImplementedException} returns normally
 * @throws HiveAuthzPluginException declared by the interface
 * @throws HiveAccessControlException declared by the interface
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.showPrivileges()");

	// Presumably always throws, which would make the return below unreachable in practice.
	throwNotImplementedException("showPrivileges");

	final List<HivePrivilegeInfo> noResult = null;
	return noResult;
}
 
Example 25
Source Project: ranger   Source File: RangerHiveAuthorizerBase.java    License: Apache License 2.0
/**
 * Base implementation of the role-grant lookup: reports the operation as not implemented.
 *
 * @param principal principal whose role grants were requested
 * @return {@code null} if {@code throwNotImplementedException} returns normally
 * @throws HiveAuthzPluginException declared by the interface
 * @throws HiveAccessControlException declared by the interface
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");

	// Presumably always throws, which would make the return below unreachable in practice.
	throwNotImplementedException("getRoleGrantInfoForPrincipal");

	final List<HiveRoleGrant> noResult = null;
	return noResult;
}
 
Example 26
Source Project: incubator-sentry   Source File: SentryAuthorizerFactory.java    License: Apache License 2.0
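/**
 * Rejects Hive CLI sessions that have authorization enabled.
 *
 * @param conf configuration the authorization flag is read from
 * @param ctx  session context providing the client type
 * @throws HiveAuthzPluginException if the client is the Hive CLI and
 *         {@code HIVE_AUTHORIZATION_ENABLED} is true
 */
private void assertHiveCliAuthDisabled(HiveConf conf, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  if (ctx.getClientType() == CLIENT_TYPE.HIVECLI
      && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    // The message previously ran two sentences together ("...hive cliInstead...") and
    // misspelled "recommended".
    throw new HiveAuthzPluginException(
        "SQL standards based authorization should not be enabled from hive cli. "
            + "Instead the use of storage based authorization in hive metastore is recommended. Set "
            + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
  }
}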
 
Example 27
Source Project: incubator-sentry   Source File: SentryAuthorizerFactory.java    License: Apache License 2.0
/**
 * Test-only overload that builds the authorizer from an explicitly supplied
 * {@code HiveAuthzConf}.
 *
 * <p>Unlike the public overload, this method does not load the authorization configuration
 * itself and does not call {@code assertHiveCliAuthDisabled}.
 *
 * @throws HiveAuthzPluginException if the controller or the validator cannot be created
 */
@VisibleForTesting
protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  // Arguments are evaluated left to right: controller first, then validator.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, ctx),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example 28
/**
 * Grants privileges by delegating to {@code grantOrRevokePrivlegeOnRole} in grant mode.
 *
 * <p>{@code grantorPrincipal} is accepted for interface compatibility but is not forwarded.
 *
 * @throws HiveAuthzPluginException if the delegate reports a plugin failure
 * @throws HiveAccessControlException if the delegate denies the operation
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  final boolean isGrant = true;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption,
      isGrant);
}
 
Example 29
/**
 * Revokes privileges by delegating to {@code grantOrRevokePrivlegeOnRole} in revoke mode.
 *
 * <p>{@code grantorPrincipal} is accepted for interface compatibility but is not forwarded.
 *
 * @throws HiveAuthzPluginException if the delegate reports a plugin failure
 * @throws HiveAccessControlException if the delegate denies the operation
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  final boolean isGrant = false;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption,
      isGrant);
}
 
Example 30
/**
 * Accepts only HiveServer2 sessions that have authorization enabled; every other
 * combination is rejected.
 *
 * @param hiveConf configuration the authorization flag is read from
 * @throws HiveAuthzPluginException if the client is not HiveServer2 or authorization is
 *         disabled
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
  // The flag is only read when the client type already matches (short-circuit).
  boolean supportedSession = ctx.getClientType() == CLIENT_TYPE.HIVESERVER2
      && hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
  if (!supportedSession) {
    throw new HiveAuthzPluginException("Sentry just support for hiveserver2");
  }
}