org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext Java Examples

Example #1
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a GLOBAL-scoped access request for a role-management operation.
 *
 * The authz context handed to the request carries only a synthesized command string
 * (built from the operation type, the user list and the role list); the resource is
 * the wildcard global resource. Groups, roles and session context are left null.
 *
 * @param userOrGrantor     user the request is evaluated for
 * @param roleUsers         users named in the role operation; passed to {@code createUserString}
 * @param hiveOperationType Hive operation being authorized; also recorded as the request action
 * @param accessType        Ranger access type requested
 * @param roleNames         roles named in the role operation; passed to {@code createRoleString}
 * @return a request carrying the plugin's cluster name and the caller's remote IP as both client and remote address
 */
private RangerHiveAccessRequest createRangerHiveAccessRequest(String userOrGrantor, List<String> roleUsers, HiveOperationType hiveOperationType, HiveAccessType accessType, List<String> roleNames) {
	String roleNameStr   = createRoleString(roleNames);
	String userNameStr   = createUserString(roleUsers);
	String commandString = getCommandString(hiveOperationType, userNameStr, roleNameStr);

	// An absent command string is normalized to "" before it reaches the context.
	HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
	contextBuilder.setCommandString(commandString == null ? StringUtils.EMPTY : commandString);
	HiveAuthzContext authzContext = contextBuilder.build();

	RangerHiveResource globalResource = new RangerHiveResource(HiveObjectType.GLOBAL, "*");

	RangerHiveAccessRequest request = new RangerHiveAccessRequest(globalResource, userOrGrantor, null, null, hiveOperationType, accessType, authzContext, null);
	request.setClusterName(hivePlugin.getClusterName());
	request.setAction(hiveOperationType.name());
	request.setClientIPAddress(getRemoteIp());
	request.setRemoteIPAddress(getRemoteIp());

	return request;
}
 
Example #2
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Derives {@code databaseName} and {@code tableName} from the command string carried by the
 * authz context: the command is whitespace-tokenized and the third token is read as either
 * {@code db} or {@code db.table}. Both fields are left untouched when the context or its
 * command string is null, or when the command has fewer than three tokens.
 *
 * NOTE(review): this is plain whitespace tokenization of raw command text; quoted or
 * back-ticked identifiers and comments are not handled — confirm callers only pass command
 * shapes where the object name is always the third token.
 *
 * @param context authz context whose command string is parsed; may be null
 */
private void fetchHiveObj(HiveAuthzContext context) {
	if (context == null) {
		return;
	}

	String commandText = context.getCommandString();
	if (commandText == null) {
		return;
	}

	String[] tokens = commandText.trim().split("\\s+");
	if (ArrayUtils.isEmpty(tokens) || tokens.length <= 2) {
		return;
	}

	// Third token is expected to be the object name, either "db" or "db.table".
	String objectName = tokens[2];
	if (objectName.contains(".")) {
		String[] parts = splitDBName(objectName);
		databaseName = parts[0];
		tableName = parts[1];
	} else {
		databaseName = objectName;
		tableName = null;
	}
}
 
Example #3
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a Hive access request for the given resource and principal.
 *
 * Command string, forwarded addresses and client IP are copied from {@code context} when it is
 * present; client type and session id are copied from {@code sessionContext} when it is present.
 * The access time is the construction time.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the requesting user
 * @param userRoles      roles of the requesting user
 * @param hiveOpTypeName operation name recorded as the request action
 * @param accessType     Hive access type requested
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
							   String                  user,
							   Set<String>             userGroups,
							   Set<String>             userRoles,
							   String                  hiveOpTypeName,
							   HiveAccessType          accessType,
							   HiveAuthzContext        context,
							   HiveAuthzSessionContext sessionContext) {
	setResource(resource);
	setUser(user);
	setUserGroups(userGroups);
	setUserRoles(userRoles);
	setAccessTime(new Date());
	setAction(hiveOpTypeName);
	setHiveAccessType(accessType);

	// NOTE(review): command text, forwarded addresses and IP originate from the client session;
	// presumably they are recorded for auditing — verify they are treated as untrusted downstream.
	if (context != null) {
		setRequestData(context.getCommandString());
		setForwardedAddresses(context.getForwardedAddresses());
		setRemoteIPAddress(context.getIpAddress());
	}

	if (sessionContext != null) {
		Object clientType = sessionContext.getClientType();
		setClientType(clientType != null ? clientType.toString() : null);
		setSessionId(sessionContext.getSessionString());
	}
}
 
Example #4
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Convenience constructor taking the Hive operation as an enum; delegates to the
 * {@code String}-typed constructor with {@code hiveOpType.name()} as the action name.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the requesting user
 * @param userRoles      roles of the requesting user
 * @param hiveOpType     Hive operation; must be non-null (its name becomes the action)
 * @param accessType     Hive access type requested
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
		   String                  user,
		   Set<String>             userGroups,
		   Set<String>             userRoles,
		   HiveOperationType       hiveOpType,
		   HiveAccessType          accessType,
		   HiveAuthzContext        context,
		   HiveAuthzSessionContext sessionContext) {
	this(resource, user, userGroups, userRoles, hiveOpType.name(), accessType, context, sessionContext);
}
 
Example #5
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Evaluates Ranger row-filter policies for a table or view on behalf of the current user.
 *
 * @param context         Hive authz context of the query
 * @param databaseName    database of the table or view
 * @param tableOrViewName table or view name
 * @return the row-filter expression to apply, or null when no row filter is enabled for the
 *         current user on this object
 * @throws SemanticException when the current user's group information is unavailable
 */
private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
	UserGroupInformation userInfo = getCurrentUserGroupInfo();

	if (userInfo == null) {
		throw new SemanticException("user information not available");
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
	}

	String filterExpr = null;
	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		String                  user           = userInfo.getShortUserName();
		Set<String>             groups         = Sets.newHashSet(userInfo.getGroupNames());
		Set<String>             roles          = getCurrentRoles();
		RangerHiveResource      resource       = new RangerHiveResource(HiveObjectType.TABLE, databaseName, tableOrViewName);

		// The request is evaluated as a SELECT on the table; the action recorded is the object type name.
		RangerHiveAccessRequest request = new RangerHiveAccessRequest(
				resource, user, groups, roles, HiveObjectType.TABLE.name(), HiveAccessType.SELECT, context, sessionContext);

		RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
		if (isRowFilterEnabled(result)) {
			filterExpr = result.getFilterExpr();
		}
	} finally {
		// Audit events are flushed even when policy evaluation throws.
		auditHandler.flushAudit();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + filterExpr);
	}

	return filterExpr;
}
 
Example #6
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
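/**
 * Renders a checkPrivileges() invocation as a single-line pseudo-JSON string for debug logging.
 *
 * A null {@code context} or {@code sessionContext} is rendered as {@code null}; a null result
 * from {@code getCurrentUserGroupInfo()} renders the user as {@code null} and the group list as
 * empty instead of throwing.
 *
 * @param hiveOpType     Hive operation being checked
 * @param inputHObjs     input objects of the operation
 * @param outputHObjs    output objects of the operation
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 * @return the formatted description
 */
private String toString(HiveOperationType         hiveOpType,
						List<HivePrivilegeObject> inputHObjs,
						List<HivePrivilegeObject> outputHObjs,
						HiveAuthzContext          context,
						HiveAuthzSessionContext   sessionContext) {
	StringBuilder sb = new StringBuilder();

	sb.append("'checkPrivileges':{");
	sb.append("'hiveOpType':").append(hiveOpType);

	sb.append(", 'inputHObjs':[");
	toString(inputHObjs, sb);
	sb.append("]");

	sb.append(", 'outputHObjs':[");
	toString(outputHObjs, sb);
	sb.append("]");

	sb.append(", 'context':{");
	sb.append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType());
	sb.append(", 'commandString':").append(context == null ? "null" : context.getCommandString());
	sb.append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress());
	sb.append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "));
	sb.append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString());
	sb.append("}");

	// getCurrentUserGroupInfo() can return null (getRowFilterExpression guards for it);
	// a debug-string helper must not be the thing that throws.
	UserGroupInformation ugi = this.getCurrentUserGroupInfo();
	sb.append(", 'user':").append(ugi == null ? null : ugi.getUserName());
	sb.append(", 'groups':[").append(ugi == null ? "" : StringUtil.toString(ugi.getGroupNames())).append("]");
	sb.append("}");

	return sb.toString();
}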
 
Example #7
Source File: DefaultSentryValidator.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
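/**
 * Filters the objects returned by a SHOW-style command (databases or tables/views) down to
 * those the authenticated user holds privileges on. Null and empty lists, and lists of any
 * other object type, are returned unchanged.
 *
 * Fail-closed: if the filter cannot be evaluated (any exception from the authz binding or the
 * filter helpers), the failure is logged at ERROR and an empty list is returned rather than the
 * unfiltered input, so a backend error cannot disclose object names the user may not see.
 *
 * @param listObjs objects produced by the command; may be null
 * @param context  Hive authz context (not used by this implementation)
 * @return the filtered list, the input unchanged for unsupported types, or an empty list on error
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  if (listObjs == null || listObjs.isEmpty()) {
    return listObjs;
  }

  // The first element's type selects the filter; the list is assumed to be homogeneous.
  HivePrivilegeObjectType pType = listObjs.get(0).getType();
  HiveAuthzBinding hiveAuthzBinding = null;
  try {
    switch (pType) {
      case DATABASE:
        hiveAuthzBinding = getAuthzBinding();
        listObjs = filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
        break;
      case TABLE_OR_VIEW:
        hiveAuthzBinding = getAuthzBinding();
        listObjs = filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
        break;
      default:
        // Other object types are not filtered here.
        break;
    }
  } catch (Exception e) {
    // Fail closed: a failed authorization lookup must not hand back the unfiltered list.
    LOG.error("filterListCmdObjects: failed to filter " + pType + " objects; returning empty list", e);
    listObjs = java.util.Collections.emptyList();
  } finally {
    if (hiveAuthzBinding != null) {
      hiveAuthzBinding.close();
    }
  }
  return listObjs;
}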
 
Example #8
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Convenience constructor for metadata operations: delegates with the fixed action
 * {@code "METADATA OPERATION"} and access type {@link HiveAccessType#USE}.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param groups         groups of the requesting user
 * @param roles          roles of the requesting user
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
	this(resource, user, groups, roles, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
 
Example #9
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
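/**
 * Applies Ranger row-filter and column-masking policies to the given Hive objects.
 *
 * For each TABLE_OR_VIEW object (a null type is treated as TABLE_OR_VIEW) the row-filter
 * expression and the per-column transformers are evaluated for the current user and set on the
 * object in place; objects for which at least one filter or mask applies are returned. Objects of
 * other types are never returned.
 *
 * @param queryContext Hive authz context of the query being compiled
 * @param hiveObjs     objects referenced by the query; null or empty yields an empty result
 * @return the subset of {@code hiveObjs} that needs a transformation, in input order
 * @throws SemanticException propagated from policy evaluation (e.g. user information unavailable)
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
	List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

	// hiveObjs may be null (CollectionUtils.isNotEmpty below tolerates it); keep the debug lines from throwing.
	int objCount = hiveObjs == null ? 0 : hiveObjs.size();

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
	}

	RangerPerfTracer perf = null;

	if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
	}

	try {
		if(CollectionUtils.isNotEmpty(hiveObjs)) {
			for (HivePrivilegeObject hiveObj : hiveObjs) {
				if (applyPoliciesToObject(queryContext, hiveObj)) {
					ret.add(hiveObj);
				}
			}
		}
	} finally {
		// Record the perf sample even when policy evaluation throws.
		RangerPerfTracer.log(perf);
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
	}

	return ret;
}

/**
 * Evaluates row-filter and column-mask policies for a single object, setting the row-filter
 * expression and cell-value transformers on it in place.
 *
 * @param queryContext Hive authz context of the query being compiled
 * @param hiveObj      object to evaluate; a null type is treated as TABLE_OR_VIEW
 * @return true when a row filter or at least one column mask applies to {@code hiveObj}
 * @throws SemanticException propagated from policy evaluation
 */
private boolean applyPoliciesToObject(HiveAuthzContext queryContext, HivePrivilegeObject hiveObj) throws SemanticException {
	HivePrivilegeObjectType hiveObjType = hiveObj.getType();

	if(hiveObjType == null) {
		hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
	}

	if (hiveObjType != HivePrivilegeObjectType.TABLE_OR_VIEW) {
		return false;
	}

	String database = hiveObj.getDbname();
	String table    = hiveObj.getObjectName();

	boolean needToTransform = false;

	String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

	if (StringUtils.isNotBlank(rowFilterExpr)) {
		if(LOG.isDebugEnabled()) {
			LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
		}

		hiveObj.setRowFilterExpression(rowFilterExpr);
		needToTransform = true;
	}

	if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
		List<String> columnTransformers = new ArrayList<String>();

		// One transformer entry is appended per column, masked or not, so positions line up with the column list.
		for (String column : hiveObj.getColumns()) {
			boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

			if(LOG.isDebugEnabled()) {
				LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
			}

			needToTransform = needToTransform || isColumnTransformed;
		}

		hiveObj.setCellValueTransformers(columnTransformers);
	}

	return needToTransform;
}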
 
Example #10
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Evaluates Ranger data-masking policies for one column and appends the resulting column
 * expression to {@code columnTransformers}.
 *
 * The appended value is the plain column name when no mask applies; otherwise it is
 * {@code "NULL"} for the null mask type, the policy's masked value (with {@code {col}}
 * replaced by the column name, or {@code "NULL"} when absent) for the custom mask type, and
 * the mask type's transformer (with {@code {col}} replaced) for any other mask type that has one.
 *
 * @param context            Hive authz context of the query
 * @param databaseName       database of the table or view
 * @param tableOrViewName    table or view name
 * @param columnName         column being evaluated
 * @param columnTransformers output list; exactly one entry is appended per call
 * @return true when a data mask is enabled for the current user on this column
 * @throws SemanticException when the current user's group information is unavailable
 */
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
	UserGroupInformation userInfo = getCurrentUserGroupInfo();

	if (userInfo == null) {
		throw new SemanticException("user information not available");
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
	}

	boolean isMasked   = false;
	String  columnExpr = columnName;

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		String                  user           = userInfo.getShortUserName();
		Set<String>             groups         = Sets.newHashSet(userInfo.getGroupNames());
		Set<String>             roles          = getCurrentRoles();
		RangerHiveResource      resource       = new RangerHiveResource(HiveObjectType.COLUMN, databaseName, tableOrViewName, columnName);
		RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, roles, HiveObjectType.COLUMN.name(), HiveAccessType.SELECT, context, sessionContext);

		RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);

		isMasked = isDataMaskEnabled(result);

		if (isMasked) {
			columnExpr = maskedColumnExpression(result, columnName);
		}
	} finally {
		// Audit events are flushed even when policy evaluation throws.
		auditHandler.flushAudit();
	}

	columnTransformers.add(columnExpr);

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + isMasked);
	}

	return isMasked;
}

/**
 * Translates an enabled data-mask result into the column expression to substitute for the column.
 *
 * NOTE(review): the masked value / transformer are policy-defined expressions spliced verbatim
 * into the compiled query; confirm only policy administrators can set them.
 *
 * @param result     mask-policy evaluation result for which a mask is enabled
 * @param columnName column the mask applies to; substituted for {@code {col}} placeholders
 * @return {@code "NULL"}, a substituted custom or transformer expression, or the bare column
 *         name when the mask type carries no transformer
 */
private static String maskedColumnExpression(RangerAccessResult result, String columnName) {
	String                maskType    = result.getMaskType();
	RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
	String                transformer = maskTypeDef == null ? null : maskTypeDef.getTransformer();

	if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
		return "NULL";
	}

	if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
		String maskedValue = result.getMaskedValue();
		return maskedValue == null ? "NULL" : maskedValue.replace("{col}", columnName);
	}

	if (StringUtils.isNotEmpty(transformer)) {
		return transformer.replace("{col}", columnName);
	}

	return columnName;
}
 
Example #11
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Builds a HiveObj by extracting the database/table names from the context's command string
 * via {@code fetchHiveObj}.
 *
 * @param context authz context carrying the command string; may be null
 */
HiveObj(HiveAuthzContext context) {
 fetchHiveObj(context);
}
 
Example #12
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
/**
 * Delegates the privilege check for {@code hiveOpType} on the given input and output objects
 * to the configured {@code authValidator}.
 *
 * @param hiveOpType  Hive operation being checked
 * @param inputHObjs  input objects of the operation
 * @param outputHObjs output objects of the operation
 * @param context     Hive authz context of the operation
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
}
 
Example #13
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
/**
 * Delegates filtering of the listed objects to the configured {@code authValidator}.
 *
 * @param listObjs objects produced by the list command
 * @param context  Hive authz context of the command
 * @return the list as filtered by the validator
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
  return authValidator.filterListCmdObjects(listObjs, context);
}
 
Example #14
Source File: SentryHiveAuthorizationValidator.java    From incubator-sentry with Apache License 2.0 2 votes vote down vote up
/**
 * Check if the current user has privileges to perform the given operation type hiveOpType on
 * the given input and output objects.
 *
 * @param hiveOpType  Hive operation being checked
 * @param inputHObjs  input objects of the operation
 * @param outputHObjs output objects of the operation
 * @param context     Hive authz context of the operation
 * @throws HiveAuthzPluginException   if the check cannot be carried out
 * @throws HiveAccessControlException if the current user lacks the required privileges
 */
@Override
public abstract void checkPrivileges(HiveOperationType hiveOpType,
    List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs,
    HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException;
 
Example #15
Source File: SentryHiveAuthorizationValidator.java    From incubator-sentry with Apache License 2.0 2 votes vote down vote up
/**
 * Filter the list-command results according to the current user's permissions: remove every
 * object the current user has no privilege on.
 *
 * @param listObjs objects produced by the list command
 * @param context  Hive authz context of the command
 * @return the objects the current user is allowed to see
 */
@Override
public abstract List<HivePrivilegeObject> filterListCmdObjects(
    List<HivePrivilegeObject> listObjs, HiveAuthzContext context);