Java Code Examples for org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject

The following examples show how to use org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject. These examples are extracted from open source projects; the originating project and source file are named above each example.
Example 1
Source Project: ranger   Source File: RangerHivePolicyProvider.java    License: Apache License 2.0
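/**
 * Resolves the Ranger ACLs for a single Hive privilege object.
 *
 * The object is mapped to a {@link RangerHiveResource} through
 * {@code RangerHiveAuthorizer.createHiveResource()} and the resource overload of
 * {@code getResourceACLs()} is consulted. The perf tracer is logged in a
 * {@code finally} block so that an exception from the lookup no longer leaves it
 * unlogged; {@code RangerPerfTracer.log()} already receives a {@code null} tracer
 * whenever perf tracing is disabled, so the call is safe in every path.
 *
 * @param hiveObject the Hive object (database / table / column) whose ACLs are wanted
 * @return whatever {@code getResourceACLs(RangerHiveResource)} computes for the mapped resource
 */
@Override
  public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) {
   RangerPerfTracer perf = null;

   if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEACLPROVIDER_REQUEST_LOG)) {
    perf = RangerPerfTracer.getPerfTracer(PERF_HIVEACLPROVIDER_REQUEST_LOG, "RangerHivePolicyProvider.getResourceACLS()");
   }

   try {
    // Extract and build RangerHiveResource from the input object
    RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);
    return getResourceACLs(hiveResource);
   } finally {
    // logged even when the lookup throws
    RangerPerfTracer.log(perf);
   }
  }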
 
Example 2
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Builds the Ranger resource used when filtering metadata listings.
 *
 * Only {@code DATABASE} and {@code TABLE_OR_VIEW} objects are mapped, via
 * {@link #createHiveResource}; any other object type is logged at WARN and yields
 * {@code null}.
 *
 * @param privilegeObject the Hive object being listed
 * @return the mapped resource, or {@code null} for unsupported object types
 */
static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
	HivePrivilegeObjectType type = privilegeObject.getType();

	switch (type) {
		case DATABASE:
		case TABLE_OR_VIEW:
			return createHiveResource(privilegeObject);

		default:
			LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + type);
			return null;
	}
}
 
Example 3
Source Project: dremio-oss   Source File: HiveAuthorizationHelper.java    License: Apache License 2.0
/**
 * Authorizes a {@code SHOW DATABASES} command for the current session.
 *
 * The command touches no input or output objects, so two empty lists are handed to
 * {@link #authorize}. Nothing is checked when {@code authzEnabled} is false.
 *
 * @throws HiveAccessControlException if the underlying authorizer denies the operation
 */
public void authorizeShowDatabases() throws HiveAccessControlException {
  if (authzEnabled) {
    authorize(HiveOperationType.SHOWDATABASES,
        Collections.<HivePrivilegeObject> emptyList(),
        Collections.<HivePrivilegeObject> emptyList(),
        "SHOW DATABASES");
  }
}
 
Example 4
Source Project: dremio-oss   Source File: HiveAuthorizationHelper.java    License: Apache License 2.0
/**
 * Authorizes a {@code SHOW TABLES} command against the given database.
 *
 * The database is presented to {@link #authorize} as the single input object (a
 * {@code DATABASE}-typed {@link HivePrivilegeObject} with no object name); there are no
 * output objects. Nothing is checked when {@code authzEnabled} is false.
 *
 * @param dbName name of the database whose tables are listed
 * @throws HiveAccessControlException if the underlying authorizer denies the operation
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject database =
        new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);

    authorize(HiveOperationType.SHOWTABLES, ImmutableList.of(database),
        Collections.<HivePrivilegeObject> emptyList(), "SHOW TABLES");
  }
}
 
Example 5
Source Project: dremio-oss   Source File: HiveAuthorizationHelper.java    License: Apache License 2.0
/**
 * Authorizes reading {@code dbName.tableName}.
 *
 * The table is presented to {@link #authorize} as the single input object of a
 * {@code QUERY} operation; there are no output objects. Nothing is checked when
 * {@code authzEnabled} is false.
 *
 * @param dbName    database containing the table
 * @param tableName table (or view) being read
 * @throws HiveAccessControlException if the underlying authorizer denies the read
 */
public void authorizeReadTable(final String dbName, final String tableName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject table =
        new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, dbName, tableName);

    authorize(HiveOperationType.QUERY, ImmutableList.of(table),
        Collections.<HivePrivilegeObject> emptyList(), "READ TABLE");
  }
}
 
Example 6
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Grants {@code hivePrivileges} to {@code hivePrincipals} on {@code hivePrivObject} through a
 * Ranger policy update.
 *
 * The request is honoured only when {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke}
 * is enabled; otherwise a {@link HiveAuthzPluginException} points the caller at Ranger Admin.
 * The object is mapped with {@link #getHiveResource} (operation {@code GRANT_PRIVILEGE}, the
 * object itself as the sole output), turned into a {@link GrantRevokeRequest} by
 * {@link #createGrantRevokeData} and handed to {@code hivePlugin.grantAccess}. Any exception
 * from that sequence is wrapped in a {@link HiveAccessControlException}; the audit handler is
 * flushed in every case.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges being granted
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the GRANT
 * @param grantOption      whether the grantees may delegate the privileges further
 * @throws HiveAuthzPluginException   when GRANT/REVOKE is disabled for this authorizer
 * @throws HiveAccessControlException when building or applying the grant fails
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
							List<HivePrivilege> hivePrivileges,
							HivePrivilegeObject hivePrivObject,
							HivePrincipal       grantorPrincipal,
							boolean             grantOption)
									throws HiveAuthzPluginException, HiveAccessControlException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
	}

	if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler audit = new RangerHiveAuditHandler();

	try {
		List<HivePrivilegeObject> grantedObjects = new ArrayList<>(Arrays.asList(hivePrivObject));
		RangerHiveResource        resource       = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, grantedObjects);
		GrantRevokeRequest        grantRequest   = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		LOG.info("grantPrivileges(): " + grantRequest);
		if (LOG.isDebugEnabled()) {
			LOG.debug("grantPrivileges(): " + grantRequest);
		}

		hivePlugin.grantAccess(grantRequest, audit);
	} catch (Exception cause) {
		throw new HiveAccessControlException(cause);
	} finally {
		// flushed whether the grant succeeded or not
		audit.flushAudit();
	}
}
 
Example 7
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
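/**
 * Revokes {@code hivePrivileges} from {@code hivePrincipals} on {@code hivePrivObject}
 * through a Ranger policy update.
 *
 * Mirrors {@code grantPrivileges}: the request is honoured only when
 * {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is enabled, the object is mapped with
 * {@link #getHiveResource} (operation {@code REVOKE_PRIVILEGE}, the object itself as the sole
 * output), converted by {@link #createGrantRevokeData} and handed to
 * {@code hivePlugin.revokeAccess}. Any exception from that sequence is wrapped in a
 * {@link HiveAccessControlException}; the audit handler is flushed in every case.
 *
 * The entry DEBUG line (object, grantor, principals, privileges) was added so that revokes are
 * traceable the same way grants already are.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges being revoked
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the REVOKE
 * @param grantOption      whether only the grant option is revoked
 * @throws HiveAuthzPluginException   when GRANT/REVOKE is disabled for this authorizer
 * @throws HiveAccessControlException when building or applying the revoke fails
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
							 List<HivePrivilege> hivePrivileges,
							 HivePrivilegeObject hivePrivObject,
							 HivePrincipal       grantorPrincipal,
							 boolean             grantOption)
									 throws HiveAuthzPluginException, HiveAccessControlException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("revokePrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
	}

	if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		List<HivePrivilegeObject> outputs  = new ArrayList<>(Arrays.asList(hivePrivObject));
		RangerHiveResource        resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputs);
		GrantRevokeRequest        request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		LOG.info("revokePrivileges(): " + request);
		if (LOG.isDebugEnabled()) {
			LOG.debug("revokePrivileges(): " + request);
		}

		hivePlugin.revokeAccess(request, auditHandler);
	} catch (Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// flushed whether the revoke succeeded or not
		auditHandler.flushAudit();
	}
}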
 
Example 8
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Maps a Hive privilege object to the Ranger resource it is authorized against.
 *
 * {@code DATABASE} maps to a database resource, {@code TABLE_OR_VIEW} to a table resource and
 * {@code COLUMN} to a column resource when exactly one column is named. Other object types,
 * and column objects naming zero or several columns, are logged at WARN and yield
 * {@code null}. A non-null resource has its service definition set from {@code hivePlugin}
 * (or {@code null} when the plugin is not initialised).
 *
 * @param privilegeObject the Hive object to map
 * @return the Ranger resource, or {@code null} when no mapping exists
 */
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
	HivePrivilegeObjectType objectType = privilegeObject.getType();
	String                  objectName = privilegeObject.getObjectName();
	String                  dbName     = privilegeObject.getDbname();
	RangerHiveResource      resource;

	switch (objectType) {
		case DATABASE:
			resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName);
			break;

		case TABLE_OR_VIEW:
			resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
			break;

		case COLUMN:
			List<String> columns      = privilegeObject.getColumns();
			int          numOfColumns = (columns == null) ? 0 : columns.size();

			// a column resource carries exactly one column name
			if (numOfColumns != 1) {
				LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + numOfColumns + ", objectType:" + objectType);
				resource = null;
			} else {
				resource = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
			}
			break;

		default:
			LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objectType);
			resource = null;
	}

	if (resource == null) {
		return null;
	}

	resource.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());

	return resource;
}
 
Example 9
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Audits and rejects a {@code dfs} command.
 *
 * The command parameters are taken from the first {@code COMMAND_PARAMS} input object that
 * carries a non-empty parameter string (an object with empty parameters still sets the value
 * but the scan continues). A DFS audit event is written through {@code auditHandler} with the
 * plugin's service id/name when {@code hivePlugin} is available ({@code -1}/{@code null}
 * otherwise), after which a {@link HiveAccessControlException} is always thrown — this method
 * never returns normally.
 *
 * @param hiveOpType   operation being denied; its name is echoed in the exception message
 * @param inputHObjs   input objects of the command; may be {@code null}
 * @param user         user the denial is attributed to
 * @param auditHandler sink for the DFS audit event
 * @throws HiveAccessControlException always
 * @throws HiveAuthzPluginException   declared for the interface; not thrown here
 */
private void handleDfsCommand(HiveOperationType         hiveOpType,
							  List<HivePrivilegeObject> inputHObjs,
							  String                    user,
							  RangerHiveAuditHandler    auditHandler)
      throws HiveAuthzPluginException, HiveAccessControlException {
	String commandParams = null;

	if (inputHObjs != null) {
		for (HivePrivilegeObject hiveObj : inputHObjs) {
			if (hiveObj.getType() != HivePrivilegeObjectType.COMMAND_PARAMS) {
				continue;
			}

			commandParams = StringUtil.toString(hiveObj.getCommandParams());

			if (!StringUtil.isEmpty(commandParams)) {
				break;
			}
		}
	}

	int    serviceType = (hivePlugin == null) ? -1   : hivePlugin.getServiceDefId();
	String serviceName = (hivePlugin == null) ? null : hivePlugin.getServiceName();

	auditHandler.logAuditEventForDfs(user, commandParams, false, serviceType, serviceName);

	throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
										 user, hiveOpType.name()));
}
 
Example 10
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
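/**
 * Implements SHOW GRANT for a principal on a Hive resource.
 *
 * The object is converted to a metastore {@code HiveObjectRef}; requests without an object
 * name (user-level SHOW GRANT) are rejected because only resource-level privileges are
 * supported. The result comes from {@link #getHivePrivilegeInfos}. Any failure inside the
 * conversion/lookup is logged and re-thrown as a {@link HiveAuthzPluginException} carrying the
 * cause.
 *
 * Fix: the previous version built the "hivePlugin is null" exception without throwing it, so
 * a missing plugin was not rejected here; it is now thrown before any lookup is attempted.
 *
 * @param principal principal whose grants are listed
 * @param privObj   resource the grants apply to
 * @return the privileges found for the principal on the resource
 * @throws HiveAuthzPluginException when the plugin is not initialised, the request is not
 *                                  resource-level, or the lookup fails
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
											  HivePrivilegeObject privObj) throws HiveAuthzPluginException {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==>  principal: " +  principal+ "HivePrivilegeObject : " + privObj.getObjectName());
	}

	// was: `new HiveAuthzPluginException(...)` with no `throw` — the check had no effect
	if (hivePlugin == null) {
		throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");
	}

	List<HivePrivilegeInfo> ret;

	try {
		HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

		// user-level SHOW GRANT has no object name; only resource-level requests are served
		if (msObjRef.getObjectName() == null) {
			throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
		}

		ret = getHivePrivilegeInfos(principal, privObj);
	} catch (Exception e) {
		LOG.error("RangerHiveAuthorizer.showPrivileges() error", e);
		throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " + e.getMessage(), e);
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizer.showPrivileges() Result: " + ret);
	}

	return ret;
}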
 
Example 11
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Converts a privilege object to its metastore {@code HiveObjectRef}.
 *
 * Thin wrapper over {@code AuthorizationUtils.getThriftHiveObjectRef} that translates the
 * {@link HiveException} it may throw into the plugin's exception type, keeping the cause.
 *
 * @param privObj the object to convert
 * @return the Thrift object reference
 * @throws HiveAuthzPluginException wrapping any {@link HiveException} from the conversion
 */
static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
		throws HiveAuthzPluginException {
	final HiveObjectRef objectRef;

	try {
		objectRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
	} catch (HiveException cause) {
		throw new HiveAuthzPluginException(cause);
	}

	return objectRef;
}
 
Example 12
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Tells whether an operation is a CREATE/DROP of a temporary UDF.
 *
 * A function operation whose object carries no database name is a temporary function;
 * those are authorized against Ranger's global resource policy instead of a database policy.
 *
 * @param hiveOpTypeName lower-cased Hive operation name
 * @param hiveObj        the function object of the operation
 * @return {@code true} for a create/drop function operation with an empty database name
 */
private boolean isTempUDFOperation(String hiveOpTypeName, HivePrivilegeObject hiveObj) {
	boolean isFunctionOp = hiveOpTypeName.contains("createfunction")
			|| hiveOpTypeName.contains("dropfunction");

	// no database => temporary UDF => global resource policy
	return isFunctionOp && StringUtils.isEmpty(hiveObj.getDbname());
}
 
Example 13
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
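/**
 * Builds the {@link HivePrivilegeInfo} reported by SHOW GRANT for one ACL on one Ranger policy.
 *
 * Every policy item is scanned; an item "matches" when one of its accesses equals the
 * lower-cased {@code aclName} and the principal's name appears in the item's user list or
 * group list. For each match the policy creation time (seconds, truncated to {@code int}) and
 * the item's delegate-admin flag are recorded — a later matching item overwrites an earlier
 * one. The grantor is always the fixed {@code DEFAULT_RANGER_POLICY_GRANTOR} user.
 *
 * Fix: {@code aclName} is lower-cased with {@code Locale.ROOT}; with the default locale the
 * comparison of ASCII access-type names could fail under locales with special casing rules
 * (e.g. dotted/dotless i), silently hiding a matching policy item.
 *
 * NOTE(review): the principal's name is looked up in both the user list and the group list
 * regardless of {@code hivePrincipal.getType()}; confirm that a user and a group sharing a name
 * are both meant to be reported as grantees.
 *
 * @param hivePrincipal principal the info is produced for
 * @param objectType    type of the Hive object
 * @param dbName        database of the object
 * @param objectName    table/view/function name
 * @param columnName    column, when the grant is column-level
 * @param partValues    partition values, when the grant is partition-level
 * @param aclName       access type (e.g. select) the info describes
 * @param policy        Ranger policy the info is derived from
 * @return the privilege info; creation date is 0 and delegate-admin false when no item matches
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
												  HivePrivilegeObject.HivePrivilegeObjectType objectType,
												  String dbName,
												  String objectName,
												  String columnName,
												  List<String> partValues,
												  String aclName,
												  RangerPolicy policy) {
	int     creationDate  = 0;
	boolean delegateAdmin = false;

	// fixed locale: access-type names are ASCII identifiers and must not depend on the JVM locale
	String wantedAccess  = aclName.toLowerCase(java.util.Locale.ROOT);
	String principalName = hivePrincipal.getName();

	for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
		boolean grantsAccess = false;

		for (RangerPolicy.RangerPolicyItemAccess policyItemAccess : policyItem.getAccesses()) {
			if (wantedAccess.equals(policyItemAccess.getType())) {
				grantsAccess = true;
				break;
			}
		}

		boolean appliesToPrincipal = policyItem.getUsers().contains(principalName)
				|| policyItem.getGroups().contains(principalName);

		if (grantsAccess && appliesToPrincipal) {
			// a later matching item overwrites the values of an earlier one
			if (policy.getCreateTime() != null) {
				creationDate = (int) (policy.getCreateTime().getTime() / 1000);
			}
			if (policyItem.getDelegateAdmin() != null) {
				delegateAdmin = policyItem.getDelegateAdmin().booleanValue();
			}
		}
	}

	HivePrincipal       grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
	HivePrivilegeObject privilegeObject  = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
	HivePrivilege       privilege        = new HivePrivilege(aclName, null);

	return new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
}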
 
Example 14
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Renders a checkPrivileges() call as a one-line, JSON-like string for logging.
 *
 * The output lists the operation, the input and output objects (each rendered by the
 * list overload of {@code toString}), the query/session context (client type, command
 * string, client IP, forwarded addresses, session string — "null" when the respective
 * context is absent) and the current user with its groups.
 *
 * @param hiveOpType     operation being checked
 * @param inputHObjs     objects read by the operation; may be {@code null}
 * @param outputHObjs    objects written by the operation; may be {@code null}
 * @param context        query context; may be {@code null}
 * @param sessionContext session context; may be {@code null}
 * @return the rendered string
 */
private String toString(HiveOperationType         hiveOpType,
						List<HivePrivilegeObject> inputHObjs,
						List<HivePrivilegeObject> outputHObjs,
						HiveAuthzContext          context,
						HiveAuthzSessionContext   sessionContext) {
	StringBuilder out = new StringBuilder();

	out.append("'checkPrivileges':{")
	   .append("'hiveOpType':").append(hiveOpType)
	   .append(", 'inputHObjs':[");
	toString(inputHObjs, out);
	out.append("]")
	   .append(", 'outputHObjs':[");
	toString(outputHObjs, out);
	out.append("]");

	Object clientType    = (sessionContext == null) ? null   : sessionContext.getClientType();
	String commandString = (context == null)        ? "null" : context.getCommandString();
	String ipAddress     = (context == null)        ? "null" : context.getIpAddress();
	String forwardedFor  = (context == null)        ? "null" : StringUtils.join(context.getForwardedAddresses(), ", ");
	String sessionString = (sessionContext == null) ? "null" : sessionContext.getSessionString();

	out.append(", 'context':{")
	   .append("'clientType':").append(clientType)
	   .append(", 'commandString':").append(commandString)
	   .append(", 'ipAddress':").append(ipAddress)
	   .append(", 'forwardedAddresses':").append(forwardedFor)
	   .append(", 'sessionString':").append(sessionString)
	   .append("}");

	out.append(", 'user':").append(this.getCurrentUserGroupInfo().getUserName())
	   .append(", 'groups':[").append(StringUtil.toString(this.getCurrentUserGroupInfo().getGroupNames())).append("]")
	   .append("}");

	return out.toString();
}
 
Example 15
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Appends a comma-separated rendering of the given objects to {@code sb}.
 *
 * Each element is rendered by the single-object overload of {@code toString}; a
 * {@code null} or empty list appends nothing.
 *
 * @param privObjs objects to render; may be {@code null}
 * @param sb       builder to append to
 * @return {@code sb}, for chaining
 */
private StringBuilder toString(List<HivePrivilegeObject> privObjs, StringBuilder sb) {
	if (privObjs == null) {
		return sb;
	}

	String separator = "";

	for (HivePrivilegeObject privObj : privObjs) {
		sb.append(separator);
		toString(privObj, sb);
		separator = ",";
	}

	return sb;
}
 
Example 16
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
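/**
 * Appends a JSON-like rendering of one privilege object to {@code sb}.
 *
 * Fix: the type and action type are appended as objects rather than via
 * {@code .toString()}, so a {@code null} value renders as "null" instead of throwing.
 * {@code getType()} is known to be {@code null} at times (other methods in this class guard
 * against it), and a debug-only renderer must not abort the authorization call. Output for
 * non-null values is unchanged. Both 'type' and 'objectType' print {@code getType()}, as before.
 *
 * @param privObj object to render
 * @param sb      builder to append to
 * @return {@code sb}, for chaining
 */
private StringBuilder toString(HivePrivilegeObject privObj, StringBuilder sb) {
	sb.append("'HivePrivilegeObject':{");
	// append(Object) is null-safe; append(x.toString()) is not
	sb.append("'type':").append(privObj.getType());
	sb.append(", 'dbName':").append(privObj.getDbname());
	sb.append(", 'objectType':").append(privObj.getType());
	sb.append(", 'objectName':").append(privObj.getObjectName());
	sb.append(", 'columns':[").append(StringUtil.toString(privObj.getColumns())).append("]");
	sb.append(", 'partKeys':[").append(StringUtil.toString(privObj.getPartKeys())).append("]");
	sb.append(", 'commandParams':[").append(StringUtil.toString(privObj.getCommandParams())).append("]");
	sb.append(", 'actionType':").append(privObj.getActionType());
	sb.append("}");

	return sb;
}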
 
Example 17
Source Project: ranger   Source File: RangerHiveAuthorizerBase.java    License: Apache License 2.0
/**
 * Base implementation of SHOW GRANT: this class does not support it.
 *
 * Logs the entry at DEBUG and then calls {@link #throwNotImplementedException}; the trailing
 * {@code return null} only satisfies the compiler and is not reached when that helper throws
 * (as its name suggests — it is defined elsewhere in this class).
 *
 * @param principal principal whose grants would be listed
 * @param privObj   object the grants would apply to
 * @return never returns a value under normal operation
 * @throws HiveAuthzPluginException   raised by the not-implemented helper
 * @throws HiveAccessControlException declared for the interface
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
		throws HiveAuthzPluginException, HiveAccessControlException {
	final String operation = "showPrivileges";

	LOG.debug("RangerHiveAuthorizerBase." + operation + "()");

	throwNotImplementedException(operation);

	return null;
}
 
Example 18
/**
 * Grants privileges by delegating to {@link #grantOrRevokePrivlegeOnRole}.
 *
 * The final boolean argument ({@code true} here, {@code false} in {@code revokePrivileges})
 * appears to select grant versus revoke. {@code grantorPrincipal} is accepted for the Hive
 * interface but not forwarded.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges being granted
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the GRANT (unused here)
 * @param grantOption      whether the grantees may delegate further
 * @throws HiveAuthzPluginException   propagated from the delegate
 * @throws HiveAccessControlException propagated from the delegate
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  final boolean isGrant = true;

  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
 
Example 19
/**
 * Revokes privileges by delegating to {@link #grantOrRevokePrivlegeOnRole}.
 *
 * The final boolean argument ({@code false} here, {@code true} in {@code grantPrivileges})
 * appears to select grant versus revoke. {@code grantorPrincipal} is accepted for the Hive
 * interface but not forwarded.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges being revoked
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the REVOKE (unused here)
 * @param grantOption      grant-option flag forwarded to the delegate
 * @throws HiveAuthzPluginException   propagated from the delegate
 * @throws HiveAccessControlException propagated from the delegate
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  final boolean isGrant = false;

  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
 
Example 20
Source Project: incubator-sentry   Source File: DefaultSentryValidator.java    License: Apache License 2.0
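/**
 * Filters the result of a metadata listing (SHOW DATABASES / SHOW TABLES) down to the objects
 * the current user may see.
 *
 * The object type of the first element decides the filter: {@code DATABASE} lists go through
 * {@link #filterShowDatabases}, {@code TABLE_OR_VIEW} lists through {@link #filterShowTables};
 * any other type, and a {@code null} or empty list, is returned unchanged. The authz binding
 * obtained for the check is always closed.
 *
 * Fix: a failure while filtering previously was logged at DEBUG and the unfiltered list was
 * returned, so an authorization-backend error disclosed every object name to the user. The
 * method now fails closed — the failure is logged at WARN with its stack trace and an empty
 * list is returned.
 *
 * @param listObjs objects produced by the listing; may be {@code null}
 * @param context  query context (unused)
 * @return the visible subset, the input unchanged for unfiltered types, or an empty list on error
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  if (listObjs == null || listObjs.isEmpty()) {
    return listObjs;
  }

  HivePrivilegeObjectType pType = listObjs.get(0).getType();
  HiveAuthzBinding hiveAuthzBinding = null;
  try {
    switch (pType) {
      case DATABASE:
        hiveAuthzBinding = getAuthzBinding();
        return filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
      case TABLE_OR_VIEW:
        hiveAuthzBinding = getAuthzBinding();
        return filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
      default:
        // other object types are not filtered by this validator
        return listObjs;
    }
  } catch (Exception e) {
    // fail closed: never hand back the unfiltered listing when the check itself failed
    LOG.warn("filterListCmdObjects: unable to filter " + pType
        + " listing for the current user; returning an empty list", e);
    return new ArrayList<HivePrivilegeObject>();
  } finally {
    if (hiveAuthzBinding != null) {
      hiveAuthzBinding.close();
    }
  }
}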
 
Example 21
Source Project: incubator-sentry   Source File: SentryHiveAuthorizer.java    License: Apache License 2.0
/**
 * Forwards a GRANT to the configured {@code accessController} unchanged.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges being granted
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the GRANT
 * @param grantOption      whether the grantees may delegate further
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  accessController.grantPrivileges(
      hivePrincipals,
      hivePrivileges,
      hivePrivObject,
      grantorPrincipal,
      grantOption);
}
 
Example 22
Source Project: incubator-sentry   Source File: SentryHiveAuthorizer.java    License: Apache License 2.0
/**
 * Forwards a REVOKE to the configured {@code accessController} unchanged.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges being revoked
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal issuing the REVOKE
 * @param grantOption      grant-option flag forwarded as given
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  accessController.revokePrivileges(
      hivePrincipals,
      hivePrivileges,
      hivePrivObject,
      grantorPrincipal,
      grantOption);
}
 
Example 23
Source Project: incubator-sentry   Source File: SentryHiveAuthorizer.java    License: Apache License 2.0
/**
 * Builds the privilege object for a GRANT/REVOKE/SHOW subject.
 *
 * A {@link SentryHivePrivilegeObjectDesc} flagged as a Sentry object is turned into a
 * {@link SentryHivePrivilegeObject} with the type resolved by {@link #getPrivObjectType};
 * everything else (including {@code null}, which {@code instanceof} rejects) is handled by
 * the superclass.
 *
 * @param privSubjectDesc parsed subject of the statement; may be {@code null}
 * @return the privilege object for the subject
 * @throws HiveException propagated from the superclass implementation
 */
@Override
public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
    throws HiveException {
  // instanceof is false for null, so no separate null check is needed
  if (privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
    SentryHivePrivilegeObjectDesc sentryDesc = (SentryHivePrivilegeObjectDesc) privSubjectDesc;

    if (sentryDesc.isSentryPrivObjectDesc()) {
      return new SentryHivePrivilegeObject(getPrivObjectType(sentryDesc), privSubjectDesc.getObject());
    }
  }

  return super.getHivePrivilegeObject(privSubjectDesc);
}
 
Example 24
Source Project: incubator-sentry   Source File: SentryAuthorizerUtil.java    License: Apache License 2.0
/**
 * Converts Hive privilege objects into Sentry authorizable hierarchies.
 *
 * Each object contributes the hierarchies returned by {@link #getAuthzHierarchy} for the
 * given server; a {@code null} or empty input yields an empty (mutable) list.
 *
 * @param server    Sentry server the hierarchies are rooted at
 * @param privilges objects to convert; may be {@code null}
 * @return the concatenated hierarchies, in input order
 */
public static List<List<DBModelAuthorizable>> convert2SentryPrivilegeList(Server server,
    List<HivePrivilegeObject> privilges) {
  List<List<DBModelAuthorizable>> hierarchies = new ArrayList<List<DBModelAuthorizable>>();

  if (privilges == null) {
    return hierarchies;
  }

  for (HivePrivilegeObject privilegeObject : privilges) {
    hierarchies.addAll(getAuthzHierarchy(server, privilegeObject));
  }

  return hierarchies;
}
 
Example 25
Source Project: incubator-sentry   Source File: SentryAuthorizerUtil.java    License: Apache License 2.0
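/**
 * Converts a Sentry privilege into the {@link HivePrivilegeInfo} shown by SHOW GRANT.
 *
 * Action and object are converted by {@link #convert2HivePrivilege} and
 * {@link #convert2HivePrivilegeObject}; the grantor is the placeholder
 * {@code UNKONWN_GRANTOR} role because Sentry does not record one.
 *
 * Fix: the grant-option flag is derived with {@code TSentryGrantOption.TRUE.equals(...)}
 * instead of calling {@code equals} on the privilege's own value, so a privilege whose grant
 * option is unset no longer throws a {@code NullPointerException} and is reported as not
 * grantable, the safe default. The redundant {@code ? true : false} is gone.
 *
 * @param tPrivilege Sentry privilege to convert
 * @param principal  principal the privilege is reported for
 * @return the Hive-side description of the privilege
 */
public static HivePrivilegeInfo convert2HivePrivilegeInfo(TSentryPrivilege tPrivilege,
    HivePrincipal principal) {
  HivePrivilege hivePrivilege = convert2HivePrivilege(tPrivilege.getAction());
  HivePrivilegeObject hivePrivilegeObject = convert2HivePrivilegeObject(tPrivilege);
  // now sentry don't show grantor of a privilege
  HivePrincipal grantor = new HivePrincipal(UNKONWN_GRANTOR, HivePrincipalType.ROLE);
  // constant-first equals is null-safe; an unset grant option reads as "not grantable"
  boolean grantOption = TSentryGrantOption.TRUE.equals(tPrivilege.getGrantOption());
  // NOTE(review): the create time is narrowed to int as the HivePrivilegeInfo API requires;
  // assumes it is expressed in seconds — confirm against TSentryPrivilege
  return new HivePrivilegeInfo(principal, hivePrivilege, hivePrivilegeObject, grantor,
      grantOption, (int) tPrivilege.getCreateTime());
}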
 
Example 26
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
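/**
 * Applies Ranger row-filter and column-masking policies to the objects of a query.
 *
 * Each {@code TABLE_OR_VIEW} object (an object with a {@code null} type is treated as
 * {@code TABLE_OR_VIEW}) is looked up with {@link #getRowFilterExpression}; a non-blank
 * expression is stored on the object via {@code setRowFilterExpression}. For every column of
 * the object {@link #addCellValueTransformerAndCheckIfTransformed} contributes an entry to the
 * transformer list, which is stored via {@code setCellValueTransformers}. Objects are modified
 * in place; the returned list contains only those that received a row filter or at least one
 * transformed column.
 *
 * Fixes: the object count in the entry/exit DEBUG messages is computed null-safely (the body
 * already tolerated a {@code null} list through {@code CollectionUtils.isNotEmpty}, but the
 * message dereferenced it), and the perf tracer is logged in a {@code finally} block so an
 * exception from a policy lookup no longer leaves it unlogged.
 *
 * @param queryContext context of the query being compiled
 * @param hiveObjs     objects referenced by the query; may be {@code null} or empty
 * @return the subset of {@code hiveObjs} that needs a row filter or column transformation
 * @throws SemanticException declared by the Hive interface; propagated if a lookup throws it
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
	List<HivePrivilegeObject> ret      = new ArrayList<HivePrivilegeObject>();
	int                       objCount = (hiveObjs == null) ? 0 : hiveObjs.size();

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
	}

	RangerPerfTracer perf = null;

	if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
	}

	try {
		if(CollectionUtils.isNotEmpty(hiveObjs)) {
			for (HivePrivilegeObject hiveObj : hiveObjs) {
				HivePrivilegeObjectType hiveObjType = hiveObj.getType();

				// an untyped object is treated as a table/view
				if(hiveObjType == null) {
					hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
				}

				if(LOG.isDebugEnabled()) {
					LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
				}

				boolean needToTransform = false;

				if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
					String database = hiveObj.getDbname();
					String table    = hiveObj.getObjectName();

					String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

					if (StringUtils.isNotBlank(rowFilterExpr)) {
						if(LOG.isDebugEnabled()) {
							LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
						}

						hiveObj.setRowFilterExpression(rowFilterExpr);
						needToTransform = true;
					}

					if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
						List<String> columnTransformers = new ArrayList<String>();

						for (String column : hiveObj.getColumns()) {
							boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

							if(LOG.isDebugEnabled()) {
								LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
							}

							needToTransform = needToTransform || isColumnTransformed;
						}

						// the full list is stored even when no column was transformed, as before
						hiveObj.setCellValueTransformers(columnTransformers);
					}
				}

				if (needToTransform) {
					ret.add(hiveObj);
				}
			}
		}
	} finally {
		// logged even when a policy lookup throws
		RangerPerfTracer.log(perf);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
	}

	return ret;
}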
 
Example 27
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Maps a Hive object of an operation to the Ranger resource it is authorized against.
 *
 * The Ranger object type comes from {@link #getObjectType}. Database resources carry the
 * database name; table, view, function, partition and index resources the database and
 * object name; column resources additionally the object's columns joined with
 * {@code COLUMN_SEP}; URI, service-name and global resources only the object name. Type
 * {@code NONE} yields {@code null}. A non-null resource gets the plugin's service definition
 * ({@code null} when {@code hivePlugin} is not initialised).
 *
 * {@code inputs} and {@code outputs} are only echoed in a DEBUG message for table-like types.
 *
 * @param hiveOpType operation the object belongs to
 * @param hiveObj    object to map
 * @param inputs     input objects of the operation; may be {@code null}
 * @param outputs    output objects of the operation; may be {@code null}
 * @return the Ranger resource, or {@code null} when the object has no Ranger mapping
 */
private RangerHiveResource getHiveResource(HiveOperationType   hiveOpType,
										   HivePrivilegeObject hiveObj,
										   List<HivePrivilegeObject> inputs,
										   List<HivePrivilegeObject> outputs) {
	HiveObjectType     objectType = getObjectType(hiveObj, hiveOpType);
	RangerHiveResource ret;

	switch (objectType) {
		case DATABASE:
			ret = new RangerHiveResource(objectType, hiveObj.getDbname());
			break;

		case TABLE:
		case VIEW:
		case FUNCTION:
			ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());

			// the only use of inputs/outputs in this method
			if (LOG.isDebugEnabled()) {
				LOG.debug("Size of inputs = [" + (CollectionUtils.isNotEmpty(inputs) ? inputs.size() : 0) +
						", Size of outputs = [" + (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]");
			}
			break;

		case PARTITION:
		case INDEX:
			ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());
			break;

		case COLUMN:
			ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName(), StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
			break;

		case URI:
		case SERVICE_NAME:
		case GLOBAL:
			ret = new RangerHiveResource(objectType, hiveObj.getObjectName());
			break;

		case NONE:
		default:
			ret = null;
			break;
	}

	if (ret != null) {
		ret.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
	}

	return ret;
}
 
Example 28
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Derives the Ranger object type of a Hive object for a given operation.
 *
 * An object without a type is treated as a database. {@code TABLE_OR_VIEW} is refined by the
 * operation name (index operations) and the object's columns (column-level) and otherwise
 * becomes VIEW or TABLE. Functions become GLOBAL when {@link #isTempUDFOperation} recognises
 * a temporary UDF. {@code COMMAND_PARAMS}/{@code GLOBAL} objects map to GLOBAL only for the
 * {@code add} and {@code compile} operations; other combinations, and the unused
 * {@code COLUMN} type, map to NONE.
 *
 * @param hiveObj    object to classify
 * @param hiveOpType operation the object belongs to; its name is lower-cased for matching
 * @return the Ranger object type
 */
private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) {
	String hiveOpTypeName = hiveOpType.name().toLowerCase();

	if (hiveObj.getType() == null) {
		return HiveObjectType.DATABASE;
	}

	switch (hiveObj.getType()) {
		case DATABASE:
			return HiveObjectType.DATABASE;

		case PARTITION:
			return HiveObjectType.PARTITION;

		case TABLE_OR_VIEW:
			if (hiveOpTypeName.contains("index")) {
				return HiveObjectType.INDEX;
			}
			if (!StringUtil.isEmpty(hiveObj.getColumns())) {
				return HiveObjectType.COLUMN;
			}
			return hiveOpTypeName.contains("view") ? HiveObjectType.VIEW : HiveObjectType.TABLE;

		case FUNCTION:
			// temporary UDFs are authorized against the global resource
			return isTempUDFOperation(hiveOpTypeName, hiveObj) ? HiveObjectType.GLOBAL : HiveObjectType.FUNCTION;

		case DFS_URI:
		case LOCAL_URI:
			return HiveObjectType.URI;

		case COMMAND_PARAMS:
		case GLOBAL:
			// only ADD and COMPILE are global operations; anything else has no mapping
			return ("add".equals(hiveOpTypeName) || "compile".equals(hiveOpTypeName))
					? HiveObjectType.GLOBAL
					: HiveObjectType.NONE;

		case SERVICE_NAME:
			return HiveObjectType.SERVICE_NAME;

		case COLUMN:
			// Thejas: this value is unused in Hive; the case should not be hit.
		default:
			return HiveObjectType.NONE;
	}
}
 
Example 29
Source Project: ranger   Source File: RangerHiveAuthorizer.java    License: Apache License 2.0
/**
 * Asks the Ranger plugin for the ACLs of a Hive object.
 *
 * The object is mapped with {@code RangerHiveAuthorizer.createHiveResource} and wrapped in a
 * {@link RangerAccessRequestImpl} for {@code RangerPolicyEngine.ANY_ACCESS} (no user, groups
 * or access time), which is then resolved by {@code hivePlugin.getResourceACLs}.
 *
 * @param hiveObject the Hive object whose ACLs are wanted
 * @return the ACLs computed by the plugin
 */
private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
	}

	RangerHiveResource      resource = RangerHiveAuthorizer.createHiveResource(hiveObject);
	RangerAccessRequestImpl request  = new RangerAccessRequestImpl(resource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
	RangerResourceACLs      acls     = hivePlugin.getResourceACLs(request);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "], Computed ACLS:[" + acls + "]");
	}

	return acls;
}
 
Example 30
Source Project: incubator-sentry   Source File: DefaultSentryValidator.java    License: Apache License 2.0
/**
 * Keeps only the tables the user may see in a SHOW TABLES result.
 *
 * One table-metadata privilege (SELECT or INSERT on any column, scope TABLE, type INFO) is
 * built once; every object is then checked with {@code hiveAuthzBinding.authorize} against
 * the hierarchy server / database / table / all-columns. An {@link AuthorizationException}
 * means "not visible" and is deliberately swallowed — the table is simply left out.
 *
 * @param listObjs         tables returned by the listing
 * @param userName         user the check is made for
 * @param hiveAuthzBinding binding used for the authorization checks
 * @return the visible tables, in input order
 */
private List<HivePrivilegeObject> filterShowTables(List<HivePrivilegeObject> listObjs,
    String userName, HiveAuthzBinding hiveAuthzBinding) {
  List<HivePrivilegeObject> visibleTables = new ArrayList<HivePrivilegeObject>();
  Subject subject = new Subject(userName);
  HiveAuthzPrivileges tableMetaDataPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
      .addInputObjectPriviledge(AuthorizableType.Column,
          EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
      .setOperationScope(HiveOperationScope.TABLE)
      .setOperationType(
          org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
      .build();

  for (HivePrivilegeObject obj : listObjs) {
    Table table = new Table(obj.getObjectName());
    Database database = new Database(obj.getDbname());

    // server -> database -> table -> all columns
    List<DBModelAuthorizable> tableHierarchy = new ArrayList<DBModelAuthorizable>();
    tableHierarchy.add(hiveAuthzBinding.getAuthServer());
    tableHierarchy.add(database);
    tableHierarchy.add(table);
    tableHierarchy.add(Column.ALL);

    List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
    List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
    inputHierarchy.add(tableHierarchy);

    try {
      hiveAuthzBinding.authorize(HiveOperation.SHOWTABLES, tableMetaDataPrivilege, subject,
          inputHierarchy, outputHierarchy);
      visibleTables.add(obj);
    } catch (AuthorizationException ignored) {
      // denied => the table is not visible to this user; intentionally not logged
    }
  }
  return visibleTables;
}