Java Code Examples for org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject#getObjectName()
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject#getObjectName() .
Example 1
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Translates a Hive privilege object into the Ranger resource used for policy evaluation.
 *
 * <p>Only DATABASE, TABLE_OR_VIEW and COLUMN objects are mapped, and a COLUMN object is mapped
 * only when it carries exactly one column. Every other case is logged at WARN and produces
 * {@code null}. The WARN messages carry the prefix "RangerHiveAuthorizer.getHiveResource" even
 * though this method is {@code createHiveResource}.
 *
 * <p>Owner propagation ({@code setOwnerUser}) is commented out in the source this was taken from,
 * so resources built here carry no owner.
 *
 * <p>NOTE(review): a {@code null} result means "no resource could be built", not "access is
 * allowed". The callers are not part of this excerpt; confirm they do not treat it as a grant.
 *
 * @param privilegeObject Hive object to translate; dereferenced without a null check
 * @return the resource with its service definition attached, or {@code null} when unmapped
 */
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
    final HivePrivilegeObjectType type = privilegeObject.getType();
    final String name = privilegeObject.getObjectName();
    final String database = privilegeObject.getDbname();

    RangerHiveResource mapped = null;

    // A null type makes the switch throw NullPointerException, exactly as in the original.
    switch (type) {
        case DATABASE: {
            mapped = new RangerHiveResource(HiveObjectType.DATABASE, database);
            break;
        }
        case TABLE_OR_VIEW: {
            mapped = new RangerHiveResource(HiveObjectType.TABLE, database, name);
            break;
        }
        case COLUMN: {
            List<String> requested = privilegeObject.getColumns();
            int requestedCount = 0;
            if (requested != null) {
                requestedCount = requested.size();
            }

            // A column resource names exactly one column; anything else is left unmapped.
            if (requestedCount != 1) {
                LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + requestedCount + ", objectType:" + type);
                break;
            }
            mapped = new RangerHiveResource(HiveObjectType.COLUMN, database, name, requested.get(0));
            break;
        }
        default: {
            LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + type);
        }
    }

    if (mapped == null) {
        return null;
    }

    // The plugin may not be initialised yet; in that case the service definition stays null.
    if (hivePlugin == null) {
        mapped.setServiceDef(null);
    } else {
        mapped.setServiceDef(hivePlugin.getServiceDef());
    }
    return mapped;
}
Example 2
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
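/**
 * Attaches row-filter expressions and column-masking transformers to the objects of a query.
 *
 * <p>Only TABLE_OR_VIEW objects are processed; an object whose type is {@code null} is treated as
 * TABLE_OR_VIEW, so it still goes through filter and mask lookup. For each such object the row
 * filter is looked up and, when non-blank, stored on the object. When the object lists columns,
 * every column is passed to {@code addCellValueTransformerAndCheckIfTransformed} and the collected
 * transformer list is stored on the object, whether or not any column was actually transformed.
 *
 * <p>Changes from the original: the object count used in the debug messages is computed
 * null-safely (the original called {@code hiveObjs.size()} inside the debug branch, so a null list
 * threw only when debug logging was on), and the perf tracer is logged in a {@code finally} block
 * so it is also recorded when a lookup throws.
 *
 * @param queryContext context of the query being authorized, passed through to the lookups
 * @param hiveObjs objects referenced by the query; may be null or empty
 * @return the objects that received a row filter or at least one transformed column, in input
 *         order; never {@code null}
 * @throws SemanticException declared by the overridden method
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
    List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

    // hiveObjs is allowed to be null (the loop is guarded by isNotEmpty), so never call size() on it directly.
    final int objCount = hiveObjs == null ? 0 : hiveObjs.size();

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
    }

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
    }

    try {
        if (CollectionUtils.isNotEmpty(hiveObjs)) {
            for (HivePrivilegeObject hiveObj : hiveObjs) {
                HivePrivilegeObjectType hiveObjType = hiveObj.getType();

                // An untyped object is handled as a table/view so it is not skipped by the check below.
                if (hiveObjType == null) {
                    hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
                }

                if (LOG.isDebugEnabled()) {
                    LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
                }

                boolean needToTransform = false;

                if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
                    String database = hiveObj.getDbname();
                    String table = hiveObj.getObjectName();

                    String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

                    if (StringUtils.isNotBlank(rowFilterExpr)) {
                        // Debug output contains the policy's filter expression verbatim.
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
                        }

                        hiveObj.setRowFilterExpression(rowFilterExpr);
                        needToTransform = true;
                    }

                    if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
                        List<String> columnTransformers = new ArrayList<String>();

                        for (String column : hiveObj.getColumns()) {
                            // Evaluated for every column before the flag is updated, so no column is skipped.
                            boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

                            if (LOG.isDebugEnabled()) {
                                LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
                            }

                            needToTransform = needToTransform || isColumnTransformed;
                        }

                        hiveObj.setCellValueTransformers(columnTransformers);
                    }
                }

                if (needToTransform) {
                    ret.add(hiveObj);
                }
            }
        }
    } finally {
        // Record the trace even when a policy lookup throws.
        RangerPerfTracer.log(perf);
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
    }

    return ret;
}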
Example 3
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the Ranger resource for one Hive privilege object, based on the object type that
 * {@code getObjectType} resolves for the given operation.
 *
 * <p>DATABASE uses the database name. TABLE, VIEW, FUNCTION, PARTITION and INDEX use database plus
 * object name. COLUMN additionally joins all columns with {@code COLUMN_SEP} into one value. URI,
 * SERVICE_NAME and GLOBAL use the object name only. NONE, and any type not listed, yields
 * {@code null}.
 *
 * <p>The owner-propagation code ({@code setOwnerUser}) is commented out in the source this was
 * taken from, so no owner is attached to the resource here.
 *
 * <p>NOTE(review): callers are not part of this excerpt; confirm that a {@code null} result is
 * handled explicitly rather than treated as "nothing to authorize".
 *
 * @param hiveOpType operation being authorized; only passed to {@code getObjectType}
 * @param hiveObj object to translate
 * @param inputs query inputs; only their count is used, in a debug message
 * @param outputs query outputs; only their count is used, in a debug message
 * @return the resource with its service definition attached, or {@code null}
 */
private RangerHiveResource getHiveResource(HiveOperationType hiveOpType, HivePrivilegeObject hiveObj, List<HivePrivilegeObject> inputs, List<HivePrivilegeObject> outputs) {
    final HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);

    RangerHiveResource resource = null;

    switch (objectType) {
        case DATABASE:
            resource = new RangerHiveResource(objectType, hiveObj.getDbname());
            break;

        case TABLE:
        case VIEW:
        case FUNCTION:
            resource = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());

            // inputs/outputs are referenced only here; the original marks this as a PMD workaround.
            if (LOG.isDebugEnabled()) {
                int inputCount = CollectionUtils.isNotEmpty(inputs) ? inputs.size() : 0;
                int outputCount = CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0;
                LOG.debug("Size of inputs = [" + inputCount + ", Size of outputs = [" + outputCount + "]");
            }
            break;

        case PARTITION:
        case INDEX:
            resource = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());
            break;

        case COLUMN:
            // All requested columns are collapsed into a single separator-joined value.
            resource = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName(), StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
            break;

        case URI:
        case SERVICE_NAME:
        case GLOBAL:
            resource = new RangerHiveResource(objectType, hiveObj.getObjectName());
            break;

        case NONE:
            break;
    }

    if (resource == null) {
        return null;
    }

    // The plugin may not be initialised yet; in that case the service definition stays null.
    if (hivePlugin == null) {
        resource.setServiceDef(null);
    } else {
        resource.setServiceDef(hivePlugin.getServiceDef());
    }
    return resource;
}
Example 4
Source File: DefaultSentryValidator.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Reduces a SHOW TABLES result to the tables the given user is authorized to see.
 *
 * <p>For every object a hierarchy of auth server, database, table and {@code Column.ALL} is
 * submitted to {@code hiveAuthzBinding.authorize} for {@code HiveOperation.SHOWTABLES}, requiring
 * SELECT or INSERT. An object is kept only when that call returns normally.
 *
 * <p>Only {@link AuthorizationException} is interpreted as "not permitted". Any other exception
 * thrown by the binding propagates and aborts the listing instead of revealing the entry.
 *
 * @param listObjs candidate tables; iterated without a null check
 * @param userName name of the user the listing is produced for
 * @param hiveAuthzBinding binding that performs the privilege check
 * @return the permitted objects, in input order
 */
private List<HivePrivilegeObject> filterShowTables(List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
    final List<HivePrivilegeObject> visible = new ArrayList<HivePrivilegeObject>();
    final Subject requester = new Subject(userName);

    // Built once: the required privilege is the same for every table in the listing.
    final HiveAuthzPrivileges tableMetaDataPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
        .addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
        .setOperationScope(HiveOperationScope.TABLE)
        .setOperationType(org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
        .build();

    for (HivePrivilegeObject candidate : listObjs) {
        Table table = new Table(candidate.getObjectName());
        Database database = new Database(candidate.getDbname());

        List<List<DBModelAuthorizable>> inputs = new ArrayList<List<DBModelAuthorizable>>();
        List<List<DBModelAuthorizable>> outputs = new ArrayList<List<DBModelAuthorizable>>();

        List<DBModelAuthorizable> path = new ArrayList<DBModelAuthorizable>();
        path.add(hiveAuthzBinding.getAuthServer());
        path.add(database);
        path.add(table);
        path.add(Column.ALL);
        inputs.add(path);

        try {
            hiveAuthzBinding.authorize(HiveOperation.SHOWTABLES, tableMetaDataPrivilege, requester, inputs, outputs);
            // Reached only when authorize() did not throw, i.e. the user holds the privilege.
            visible.add(candidate);
        } catch (AuthorizationException ignored) {
            // Deliberately swallowed: the user lacks the privilege, so the table stays hidden.
        }
    }

    return visible;
}
Example 5
Source File: DefaultSentryValidator.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Reduces a SHOW DATABASES result to the databases the given user is authorized to see.
 *
 * <p>A database is kept when {@code hiveAuthzBinding.authorize} accepts a hierarchy of auth
 * server, database, {@code Table.ALL} and {@code Column.ALL} for
 * {@code HiveOperation.SHOWDATABASES}, requiring any one of SELECT, INSERT, ALTER, CREATE, DROP,
 * INDEX or LOCK.
 *
 * <p>Exception: the database whose name equals {@code DEFAULT_DATABASE_NAME} (case-insensitive)
 * is kept without any privilege check whenever {@code AUTHZ_RESTRICT_DEFAULT_DB} reads "false",
 * which is also the fallback value used here when the setting is absent. With that setting the
 * default database is listed for every user.
 *
 * <p>Only {@link AuthorizationException} is interpreted as "not permitted". Any other exception
 * thrown by the binding propagates and aborts the listing.
 *
 * @param listObjs candidate databases; iterated without a null check
 * @param userName name of the user the listing is produced for
 * @param hiveAuthzBinding binding that supplies the configuration and performs the check
 * @return the permitted objects, in input order
 */
private List<HivePrivilegeObject> filterShowDatabases(List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
    final List<HivePrivilegeObject> visible = new ArrayList<HivePrivilegeObject>();
    final Subject requester = new Subject(userName);

    // Built once: holding any of these actions is enough to see the database.
    final HiveAuthzPrivileges anyPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
        .addInputObjectPriviledge(
            AuthorizableType.Column,
            EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT, DBModelAction.ALTER,
                DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.INDEX,
                DBModelAction.LOCK))
        .setOperationScope(HiveOperationScope.CONNECT)
        .setOperationType(org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.QUERY)
        .build();

    for (HivePrivilegeObject candidate : listObjs) {
        final String dbName = candidate.getObjectName();

        // The configuration is consulted only for the default database, as in the original.
        if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(dbName)) {
            String restrictDefault = hiveAuthzBinding.getAuthzConf().get(
                HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false");
            if ("false".equalsIgnoreCase(restrictDefault)) {
                // Unrestricted default database: listed without a privilege check.
                visible.add(candidate);
                continue;
            }
        }

        Database database = new Database(dbName);

        List<List<DBModelAuthorizable>> inputs = new ArrayList<List<DBModelAuthorizable>>();
        List<List<DBModelAuthorizable>> outputs = new ArrayList<List<DBModelAuthorizable>>();

        List<DBModelAuthorizable> path = new ArrayList<DBModelAuthorizable>();
        path.add(hiveAuthzBinding.getAuthServer());
        path.add(database);
        path.add(Table.ALL);
        path.add(Column.ALL);
        inputs.add(path);

        try {
            hiveAuthzBinding.authorize(HiveOperation.SHOWDATABASES, anyPrivilege, requester, inputs, outputs);
            // Reached only when authorize() did not throw, i.e. the user holds a privilege.
            visible.add(candidate);
        } catch (AuthorizationException ignored) {
            // Deliberately swallowed: the user lacks the privilege, so the database stays hidden.
        }
    }

    return visible;
}
Example 6
Source File: SentryAuthorizerUtil.java From incubator-sentry with Apache License 2.0 | 4 votes |
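/**
 * Converts a {@code HivePrivilegeObject} into the list of authorizable hierarchies that are
 * checked for it.
 *
 * <p>The original comment states that Hive 0.13 does not support column level; the code
 * nevertheless emits one hierarchy per column whenever the object lists columns.
 *
 * <ul>
 *   <li>GLOBAL: a single hierarchy holding a {@code Server} built from the object name (the
 *       {@code server} argument is not used for this type).
 *   <li>DATABASE: server, database.
 *   <li>TABLE_OR_VIEW: server, database, table, plus one hierarchy per column. When the column
 *       list is {@code null} or empty, the table-level hierarchy is emitted instead.
 *   <li>LOCAL_URI / DFS_URI: server plus the parsed URI; nothing is emitted when the object name
 *       is {@code null}.
 *   <li>FUNCTION, PARTITION, COLUMN, COMMAND_PARAMS, any other type, and a {@code null} type:
 *       nothing is emitted.
 * </ul>
 *
 * <p>Change from the original: an empty, non-null column list used to produce no hierarchy at all
 * for the table, because the loop ran zero times and the table-level fallback was reached only
 * for {@code null}. It now falls back to the table-level hierarchy, so the table is still
 * submitted for authorization.
 *
 * <p>NOTE(review): an empty result means "nothing to check" for the unsupported types above. The
 * callers are not part of this excerpt; confirm they do not treat an empty list as a grant.
 *
 * @param server server placed at the root of database, table and URI hierarchies
 * @param privilege object to convert; dereferenced without a null check
 * @return the hierarchies to authorize; possibly empty, never {@code null}
 * @throws AuthorizationException if the URI of a LOCAL_URI or DFS_URI object cannot be parsed
 */
public static List<List<DBModelAuthorizable>> getAuthzHierarchy(Server server, HivePrivilegeObject privilege) {
    List<DBModelAuthorizable> baseHierarchy = new ArrayList<DBModelAuthorizable>();
    List<List<DBModelAuthorizable>> objectHierarchy = new ArrayList<List<DBModelAuthorizable>>();
    boolean isLocal = false;

    if (privilege.getType() != null) {
        switch (privilege.getType()) {
            case GLOBAL:
                baseHierarchy.add(new Server(privilege.getObjectName()));
                objectHierarchy.add(baseHierarchy);
                break;
            case DATABASE:
                baseHierarchy.add(server);
                baseHierarchy.add(new Database(privilege.getDbname()));
                objectHierarchy.add(baseHierarchy);
                break;
            case TABLE_OR_VIEW: {
                baseHierarchy.add(server);
                baseHierarchy.add(new Database(privilege.getDbname()));
                baseHierarchy.add(new Table(privilege.getObjectName()));

                List<String> columns = privilege.getColumns();
                if (columns != null && !columns.isEmpty()) {
                    for (String columnName : columns) {
                        // Each column gets its own copy of the server/database/table prefix.
                        List<DBModelAuthorizable> columnHierarchy =
                            new ArrayList<DBModelAuthorizable>(baseHierarchy);
                        columnHierarchy.add(new Column(columnName));
                        objectHierarchy.add(columnHierarchy);
                    }
                } else {
                    // No columns named: authorize at table level rather than emitting nothing.
                    objectHierarchy.add(baseHierarchy);
                }
                break;
            }
            case LOCAL_URI:
                isLocal = true;
                // Intentional fall-through: local and DFS URIs differ only in the isLocal flag.
            case DFS_URI:
                if (privilege.getObjectName() == null) {
                    break;
                }
                try {
                    baseHierarchy.add(server);
                    baseHierarchy.add(parseURI(privilege.getObjectName(), isLocal));
                    objectHierarchy.add(baseHierarchy);
                } catch (Exception e) {
                    // Any parsing failure is reported as an authorization failure, with the cause kept.
                    throw new AuthorizationException("Failed to get File URI", e);
                }
                break;
            case FUNCTION:
            case PARTITION:
            case COLUMN:
            case COMMAND_PARAMS:
                // These types are not supported; no hierarchy is produced for them.
                break;
            default:
                break;
        }
    }
    return objectHierarchy;
}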