org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext Java Examples

Example #1
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Stores the configuration, authenticator and session context on this controller and resolves
 * the configured authorization server name.
 *
 * <p>All four arguments are validated before any field is written, so a failed call leaves the
 * controller untouched.
 *
 * @param conf          Hive configuration; must not be null
 * @param authzConf     Sentry authorization configuration; must not be null
 * @param authenticator provider of the authenticated Hive user; must not be null
 * @param ctx           session context of the client being authorized; must not be null
 * @throws NullPointerException if an argument is null, or if
 *         {@code AuthzConfVars.AUTHZ_SERVER_NAME} is not set in {@code authzConf}
 *         (message {@code REQUIRED_AUTHZ_SERVER_NAME})
 * @throws Exception declared by the signature; the body itself only throws
 *         {@link NullPointerException}
 */
protected void initilize(HiveConf conf, HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
  // Validate everything first, in argument order, so no field is assigned on failure.
  Preconditions.checkNotNull(conf, "HiveConf cannot be null");
  Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
  Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");
  Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null");

  // The server name is mandatory; a missing value is a configuration error, not a runtime one.
  String configuredServerName = authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
  String resolvedServerName =
      Preconditions.checkNotNull(configuredServerName, REQUIRED_AUTHZ_SERVER_NAME);

  this.conf = conf;
  this.authzConf = authzConf;
  this.authenticator = authenticator;
  this.ctx = ctx;
  this.serverName = resolvedServerName;
}
 
Example #2
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
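/**
 * Creates the {@link SentryHiveAccessController} configured under
 * {@code HIVE_SENTRY_ACCESS_CONTROLLER}, defaulting to {@link DefaultSentryAccessController}.
 *
 * <p>The configured class must be a subclass of {@link SentryHiveAccessController} (enforced by
 * {@code HiveConf#getClass}) and expose a public constructor taking
 * {@code (HiveConf, HiveAuthzConf, HiveAuthenticationProvider, HiveAuthzSessionContext)}.
 *
 * @param conf          Hive configuration naming the controller class
 * @param authzConf     Sentry authorization configuration handed to the controller
 * @param authenticator provider of the authenticated Hive user
 * @param ctx           session context of the client being authorized
 * @return a new controller instance of the configured class
 * @throws HiveAuthzPluginException if no valid class is configured or the controller cannot be
 *         instantiated; the underlying exception is kept as the cause
 */
public static SentryHiveAccessController getAccessController(HiveConf conf,
    HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  Class<? extends SentryHiveAccessController> clazz =
      conf.getClass(HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class,
          SentryHiveAccessController.class);

  if (clazz == null) {
    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER
        + " is not set to valid SentryAccessController subclass");
  }

  try {
    // Instantiate the configured class instead of unconditionally constructing
    // DefaultSentryAccessController; previously the HIVE_SENTRY_ACCESS_CONTROLLER setting was
    // read but ignored. The default value still yields DefaultSentryAccessController.
    return clazz
        .getConstructor(HiveConf.class, HiveAuthzConf.class, HiveAuthenticationProvider.class,
            HiveAuthzSessionContext.class)
        .newInstance(conf, authzConf, authenticator, ctx);
  } catch (Exception e) {
    // Covers reflective failures (no such constructor, not accessible) as well as
    // exceptions thrown by the controller's own constructor.
    throw new HiveAuthzPluginException(e);
  }

}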
 
Example #3
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a {@link SentryHiveAuthorizer} for the given session.
 *
 * <p>Loads the Sentry authorization configuration into {@code this.authzConf}, lets
 * {@code applyTestSettings} rewrite the session context, and rejects a Hive CLI session that
 * has Hive authorization enabled, before wiring the access controller and the validator.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf                   Hive configuration
 * @param authenticator          provider of the authenticated Hive user
 * @param ctx                    session context of the connecting client
 * @return a configured authorizer
 * @throws HiveAuthzPluginException if the configuration cannot be loaded, the CLI check fails
 *         (both wrapped), or a component cannot be created
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
  HiveAuthzSessionContext effectiveCtx;
  try {
    this.authzConf = HiveAuthzBindingHook.loadAuthzConf(conf);
    effectiveCtx = applyTestSettings(ctx, conf);
    assertHiveCliAuthDisabled(conf, effectiveCtx);
  } catch (Exception e) {
    throw new HiveAuthzPluginException(e);
  }
  // Controller is created before the validator, as in the production and test paths.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, effectiveCtx),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example #4
Source File: RangerHiveAuthorizerFactory.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a Hive authorizer by delegating to the implementation loaded inside the Ranger
 * plugin class loader.
 *
 * <p>The plugin class loader is activated only for the duration of the delegate call and is
 * deactivated in a {@code finally} block, so it is released even when the delegate throws.
 *
 * @return the authorizer produced by {@code rangerHiveAuthorizerFactoryImpl}
 * @throws HiveAuthzPluginException propagated from the delegate
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
										   HiveConf                   conf,
										   HiveAuthenticationProvider hiveAuthenticator,
										   HiveAuthzSessionContext    sessionContext)
												   throws HiveAuthzPluginException {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}

	HiveAuthorizer authorizer;

	try {
		activatePluginClassLoader();
		authorizer = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
	} finally {
		// Always restore the caller's class loader, even if activation or delegation failed.
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}

	return authorizer;
}
 
Example #5
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0 6 votes vote down vote up
/**
 * Captures the Hive objects handed to the authorizer and derives the calling user.
 *
 * <p>The user name is taken from {@code hiveAuthenticator.getUserName()} and wrapped in a
 * {@link UserGroupInformation} via {@code createRemoteUser}. Whichever step yields nothing
 * first is logged as a warning; the dependent fields then stay null.
 *
 * @param metastoreClientFactory factory stored for later metastore access
 * @param hiveConf               Hive configuration for this session
 * @param hiveAuthenticator      source of the authenticated user name; may be null
 * @param context                session context; may be null
 */
public RangerHiveAuthorizerBase(HiveMetastoreClientFactory metastoreClientFactory,
								  HiveConf                   hiveConf,
								  HiveAuthenticationProvider hiveAuthenticator,
								  HiveAuthzSessionContext    context) {
	mMetastoreClientFactory = metastoreClientFactory;
	mHiveConf               = hiveConf;
	mHiveAuthenticator      = hiveAuthenticator;
	mSessionContext         = context;

	String userName = null;
	if(mHiveAuthenticator != null) {
		userName = mHiveAuthenticator.getUserName();
	}

	if(userName != null) {
		mUgi = UserGroupInformation.createRemoteUser(userName);
	} else {
		mUgi = null;
	}

	// Report only the first missing link in the authenticator -> user name -> UGI chain.
	if(mHiveAuthenticator == null) {
		LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator is null");
		return;
	}
	if(StringUtil.isEmpty(userName)) {
		LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator.getUserName() returned null/empty");
		return;
	}
	if(mUgi == null) {
		LOG.warn(String.format("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): UserGroupInformation.createRemoteUser(%s) returned null", userName));
	}
}
 
Example #6
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
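/**
 * Renders a checkPrivileges() call as a single-line, JSON-like string for debug logging.
 *
 * <p>All arguments may be null; absent values are rendered as the text {@code null}. The
 * current {@link UserGroupInformation} is looked up once and, when unavailable, the user and
 * group fields are rendered as absent instead of throwing (the previous version dereferenced
 * it unconditionally, which let a missing UGI fail the caller from inside a logging helper).
 *
 * @param hiveOpType     operation being authorized
 * @param inputHObjs     objects read by the operation
 * @param outputHObjs    objects written by the operation
 * @param context        per-query context (command string, client and forwarded addresses)
 * @param sessionContext per-session context (client type, session string)
 * @return the rendered string
 */
private String toString(HiveOperationType         hiveOpType,
						List<HivePrivilegeObject> inputHObjs,
						List<HivePrivilegeObject> outputHObjs,
						HiveAuthzContext          context,
						HiveAuthzSessionContext   sessionContext) {
	StringBuilder sb = new StringBuilder();

	sb.append("'checkPrivileges':{");
	sb.append("'hiveOpType':").append(hiveOpType);

	sb.append(", 'inputHObjs':[");
	toString(inputHObjs, sb);
	sb.append("]");

	sb.append(", 'outputHObjs':[");
	toString(outputHObjs, sb);
	sb.append("]");

	sb.append(", 'context':{");
	sb.append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType());
	sb.append(", 'commandString':").append(context == null ? "null" : context.getCommandString());
	sb.append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress());
	sb.append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "));
	sb.append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString());
	sb.append("}");

	// Look the UGI up once and tolerate its absence: a debug-string builder must not NPE
	// the authorization path.
	UserGroupInformation ugi = this.getCurrentUserGroupInfo();
	String userName   = ugi == null ? null : ugi.getUserName();
	String groupNames = ugi == null ? "" : StringUtil.toString(ugi.getGroupNames());

	sb.append(", 'user':").append(userName);
	sb.append(", 'groups':[").append(groupNames).append("]");
	sb.append("}");

	return sb.toString();
}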
 
Example #7
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Test-only variant of {@code createHiveAuthorizer} that takes an explicit
 * {@link HiveAuthzConf} instead of loading it from {@code conf}, and skips the test-setting
 * and CLI checks of the production path.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf                   Hive configuration
 * @param authzConf              Sentry authorization configuration to use as-is
 * @param authenticator          provider of the authenticated Hive user
 * @param ctx                    session context of the connecting client
 * @return a {@link SentryHiveAuthorizer} over a fresh controller and validator
 * @throws HiveAuthzPluginException if either component cannot be created
 */
@VisibleForTesting
protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  // Same construction order as the production path: controller, then validator.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, ctx),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example #8
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
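/**
 * Rejects a Hive CLI session that has Hive authorization
 * ({@code ConfVars.HIVE_AUTHORIZATION_ENABLED}) switched on.
 *
 * <p>The resulting message tells the operator to rely on storage-based authorization in the
 * metastore for CLI use and names the setting to turn off.
 *
 * @param conf Hive configuration carrying the authorization flag
 * @param ctx  session context; its client type decides whether the check applies (must not be
 *             null)
 * @throws HiveAuthzPluginException when the client is {@code HIVECLI} and authorization is on
 */
private void assertHiveCliAuthDisabled(HiveConf conf, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  if (ctx.getClientType() == CLIENT_TYPE.HIVECLI
      && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    // The message previously ran the two sentences together ("...hive cliInstead...")
    // and misspelled "recommended"; operators copy this text into tickets, so fix it.
    throw new HiveAuthzPluginException(
        "SQL standards based authorization should not be enabled from hive cli. "
            + "Instead the use of storage based authorization in hive metastore is recommended. Set "
            + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
  }
}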
 
Example #9
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the session context to use, substituting an HS2 client type for a CLI session when
 * the {@code ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} test flag is set.
 *
 * @param ctx  context reported by Hive; returned unchanged unless the test mode applies
 * @param conf Hive configuration carrying the test flag
 * @return {@code ctx} itself, or a copy whose client type is {@code HIVESERVER2}
 */
private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
  boolean emulateHs2 = conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE);
  if (!emulateHs2 || ctx.getClientType() != CLIENT_TYPE.HIVECLI) {
    return ctx;
  }
  // Copy the remaining session attributes from ctx; only the client type is replaced.
  HiveAuthzSessionContext.Builder hs2Ctx = new HiveAuthzSessionContext.Builder(ctx);
  hs2Ctx.setClientType(CLIENT_TYPE.HIVESERVER2);
  return hs2Ctx.build();
}
 
Example #10
Source File: RangerHiveAuthorizerFactory.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a {@link RangerHiveAuthorizer} bound to the given session.
 *
 * @param metastoreClientFactory factory for metastore clients, passed through
 * @param conf                   Hive configuration, passed through
 * @param hiveAuthenticator      source of the authenticated user, passed through
 * @param sessionContext         session context, passed through
 * @return the new authorizer
 * @throws HiveAuthzPluginException declared by the interface; not thrown by this body
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
										   HiveConf                   conf,
										   HiveAuthenticationProvider hiveAuthenticator,
										   HiveAuthzSessionContext    sessionContext)
												   throws HiveAuthzPluginException {
	RangerHiveAuthorizer authorizer =
			new RangerHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);

	return authorizer;
}
 
Example #11
Source File: RelaxedSQLStdHiveAccessController.java    From beeju with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the relaxed controller; all work is done by the superclass constructor.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf                   Hive configuration
 * @param authenticator          source of the authenticated user
 * @param ctx                    session context
 * @throws HiveAuthzPluginException propagated from the superclass constructor
 */
public RelaxedSQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory,
                                         HiveConf conf,
                                         HiveAuthenticationProvider authenticator,
                                         HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);
}
 
Example #12
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Evaluates the Ranger row-filter policies for a table or view and returns the filter
 * expression to apply, or null when no enabled row filter matches.
 *
 * <p>The request is built from the current user, groups and roles, the table resource and the
 * session context, with {@code HiveAccessType.SELECT}. The audit handler is flushed in a
 * {@code finally} block so the policy evaluation is audited even if it throws.
 *
 * @param context         per-query context forwarded to the access request
 * @param databaseName    database of the table or view
 * @param tableOrViewName table or view being read
 * @return the filter expression from the matching policy, or null
 * @throws SemanticException if no {@link UserGroupInformation} is available for the caller
 */
private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
	UserGroupInformation ugi = getCurrentUserGroupInfo();

	if(ugi == null) {
		throw new SemanticException("user information not available");
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
	}

	String filterExpr = null;

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		HiveObjectType          objectType     = HiveObjectType.TABLE;
		RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName);

		RangerHiveAccessRequest request = new RangerHiveAccessRequest(
				resource,
				ugi.getShortUserName(),
				Sets.newHashSet(ugi.getGroupNames()),
				getCurrentRoles(),
				objectType.name(),
				HiveAccessType.SELECT,
				context,
				sessionContext);

		RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);

		if(isRowFilterEnabled(result)) {
			filterExpr = result.getFilterExpr();
		}
	} finally {
		auditHandler.flushAudit();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + filterExpr);
	}

	return filterExpr;
}
 
Example #13
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Convenience constructor taking a {@link HiveOperationType}; delegates with the operation's
 * enum name as the action string.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the requesting user
 * @param userRoles      roles of the requesting user
 * @param hiveOpType     Hive operation; must not be null since its {@code name()} is taken
 * @param accessType     Ranger access type requested
 * @param context        per-query context; may be null
 * @param sessionContext per-session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
							   String                  user,
							   Set<String>             userGroups,
							   Set<String>             userRoles,
							   HiveOperationType       hiveOpType,
							   HiveAccessType          accessType,
							   HiveAuthzContext        context,
							   HiveAuthzSessionContext sessionContext) {
	this(resource,
	     user,
	     userGroups,
	     userRoles,
	     hiveOpType.name(),
	     accessType,
	     context,
	     sessionContext);
}
 
Example #14
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a Ranger access request from the Hive caller, resource and contexts.
 *
 * <p>The access time is stamped with {@code new Date()} at construction. Request data,
 * forwarded addresses and remote IP are copied from {@code context} when present; client type
 * and session id from {@code sessionContext} when present. NOTE(review): the forwarded
 * addresses are taken verbatim from the Hive context — treat them as informational, not as an
 * authenticated origin, unless the proxy chain is trusted; confirm with the deployment.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param userGroups     groups of the requesting user
 * @param userRoles      roles of the requesting user
 * @param hiveOpTypeName action name recorded on the request
 * @param accessType     Ranger access type requested
 * @param context        per-query context; may be null
 * @param sessionContext per-session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource      resource,
							   String                  user,
							   Set<String>             userGroups,
							   Set<String>             userRoles,
							   String                  hiveOpTypeName,
							   HiveAccessType          accessType,
							   HiveAuthzContext        context,
							   HiveAuthzSessionContext sessionContext) {
	setResource(resource);
	setUser(user);
	setUserGroups(userGroups);
	setUserRoles(userRoles);
	setAccessTime(new Date());
	setAction(hiveOpTypeName);
	setHiveAccessType(accessType);

	if(context != null) {
		setRequestData(context.getCommandString());
		setForwardedAddresses(context.getForwardedAddresses());
		setRemoteIPAddress(context.getIpAddress());
	}

	if(sessionContext != null) {
		Object clientType = sessionContext.getClientType();

		setClientType(clientType == null ? null : clientType.toString());
		setSessionId(sessionContext.getSessionString());
	}
}
 
Example #15
Source File: RelaxedSQLStdHiveAccessControllerWrapper.java    From beeju with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the wrapper and replaces its access controller with a
 * {@link RelaxedSQLStdHiveAccessController} built from the same arguments.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf                   Hive configuration
 * @param authenticator          source of the authenticated user
 * @param ctx                    session context
 * @throws HiveAuthzPluginException from the superclass or the relaxed controller constructor
 */
public RelaxedSQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
                                                HiveConf conf,
                                                HiveAuthenticationProvider authenticator,
                                                HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);

  RelaxedSQLStdHiveAccessController relaxedController =
      new RelaxedSQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
  overrideHiveAccessController(relaxedController);
}
 
Example #16
Source File: RelaxedSQLStdHiveAuthorizerFactory.java    From beeju with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a {@link HiveAuthorizerImpl} whose privilege manager is a
 * {@link RelaxedSQLStdHiveAccessControllerWrapper} and whose validator is the standard
 * {@link SQLStdHiveAuthorizationValidator} over that same wrapper.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf                   Hive configuration
 * @param authenticator          source of the authenticated user
 * @param ctx                    session context
 * @return the assembled authorizer
 * @throws HiveAuthzPluginException if the wrapper cannot be created
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
                                           HiveConf conf,
                                           HiveAuthenticationProvider authenticator,
                                           HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  RelaxedSQLStdHiveAccessControllerWrapper privilegeManager =
      new RelaxedSQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);
  SQLStdHiveAuthorizationValidator validator =
      new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator, privilegeManager, ctx);

  return new HiveAuthorizerImpl(privilegeManager, validator);
}
 
Example #17
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Evaluates Ranger data-masking policies for one column, appends the expression to use for
 * that column to {@code columnTransformers}, and reports whether a mask applies.
 *
 * <p>When no mask is enabled the column name itself is appended, so the output list always
 * grows by exactly one entry. The audit handler is flushed in a {@code finally} block so the
 * evaluation is audited even if it throws.
 *
 * @param context            per-query context forwarded to the access request
 * @param databaseName       database of the table or view
 * @param tableOrViewName    table or view being read
 * @param columnName         column being read
 * @param columnTransformers output list receiving the column expression
 * @return true if a data-mask policy is enabled for the column
 * @throws SemanticException if no {@link UserGroupInformation} is available for the caller
 */
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
	UserGroupInformation ugi = getCurrentUserGroupInfo();

	if(ugi == null) {
		throw new SemanticException("user information not available");
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
	}

	boolean masked            = false;
	String  columnTransformer = columnName;

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		HiveObjectType          objectType     = HiveObjectType.COLUMN;
		RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);

		RangerHiveAccessRequest request = new RangerHiveAccessRequest(
				resource,
				ugi.getShortUserName(),
				Sets.newHashSet(ugi.getGroupNames()),
				getCurrentRoles(),
				objectType.name(),
				HiveAccessType.SELECT,
				context,
				sessionContext);

		RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);

		masked = isDataMaskEnabled(result);

		if(masked) {
			columnTransformer = maskTransformerFor(result, columnName);
			// NOTE: wrapping the result in a mask-condition expression was sketched here
			// at some point but never implemented.
		}
	} finally {
		auditHandler.flushAudit();
	}

	columnTransformers.add(columnTransformer);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + masked);
	}

	return masked;
}

/**
 * Resolves the column expression for an enabled mask result.
 *
 * <p>{@code MASK_TYPE_NULL} yields the literal {@code NULL}; {@code MASK_TYPE_CUSTOM} uses the
 * policy's masked value with {@code {col}} replaced by the column name (or {@code NULL} when
 * no masked value is set); any other type uses the mask-type definition's transformer in the
 * same way. With no usable transformer the column name is returned unchanged.
 *
 * @param result     mask policy result; must be non-null
 * @param columnName column the mask applies to
 * @return the expression to select in place of the column
 */
private static String maskTransformerFor(RangerAccessResult result, String columnName) {
	String                maskType    = result.getMaskType();
	RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
	String                transformer = maskTypeDef == null ? null : maskTypeDef.getTransformer();

	if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
		return "NULL";
	}

	if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
		String maskedValue = result.getMaskedValue();

		return maskedValue == null ? "NULL" : maskedValue.replace("{col}", columnName);
	}

	if(StringUtils.isNotEmpty(transformer)) {
		return transformer.replace("{col}", columnName);
	}

	return columnName;
}
 
Example #18
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
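/**
 * Builds the Ranger {@link GrantRevokeRequest} for a Hive GRANT/REVOKE statement.
 *
 * <p>Only database, table, view and column resources are accepted. Empty resource components
 * are sent as {@code "*"}. Client IP, session id and query text are taken from the thread's
 * {@link SessionState} when one is bound; the client type from the session context when
 * present. Principals are sorted into user/group/role buckets ({@code UNKNOWN} is dropped).
 * Privilege names are matched case-insensitively against the supported
 * {@link HiveAccessType}s, with {@code Insert}/{@code Delete} folded into {@code update};
 * anything else is logged and ignored.
 *
 * @param resource         resource the privileges apply to
 * @param hivePrincipals   grantees or revokees
 * @param hivePrivileges   privileges being granted or revoked
 * @param grantorPrincipal principal issuing the statement
 * @param grantOption      whether the grantees may delegate the privileges
 * @return the populated request
 * @throws HiveAccessControlException if {@code resource} is null or not a database, table,
 *         view or column
 */
private GrantRevokeRequest createGrantRevokeData(RangerHiveResource  resource,
												 List<HivePrincipal> hivePrincipals,
												 List<HivePrivilege> hivePrivileges,
												 HivePrincipal       grantorPrincipal,
												 boolean             grantOption)
													  throws HiveAccessControlException {
	HiveObjectType objectType = resource == null ? null : resource.getObjectType();

	if(objectType != HiveObjectType.DATABASE
	   && objectType != HiveObjectType.TABLE
	   && objectType != HiveObjectType.VIEW
	   && objectType != HiveObjectType.COLUMN) {
		// Closing quote was missing from this message; a null object type is now printed
		// instead of dereferenced.
		throw new HiveAccessControlException("grant/revoke: unexpected object type '" + (objectType == null ? null : objectType.name()) + "'");
	}

	GrantRevokeRequest ret = new GrantRevokeRequest();

	ret.setGrantor(getGrantorUsername(grantorPrincipal));
	ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
	ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
	ret.setEnableAudit(Boolean.TRUE);
	ret.setReplaceExistingPermissions(Boolean.FALSE);

	Map<String, String> mapResource = new HashMap<String, String>();
	mapResource.put(RangerHiveResource.KEY_DATABASE, wildcardIfEmpty(resource.getDatabase()));
	mapResource.put(RangerHiveResource.KEY_TABLE,    wildcardIfEmpty(resource.getTable()));
	mapResource.put(RangerHiveResource.KEY_COLUMN,   wildcardIfEmpty(resource.getColumn()));
	ret.setOwnerUser(resource.getOwnerUser());
	ret.setResource(mapResource);

	SessionState ss = SessionState.get();
	if(ss != null) {
		ret.setClientIPAddress(ss.getUserIpAddress());
		ret.setSessionId(ss.getSessionId());

		HiveConf hiveConf = ss.getConf();

		if(hiveConf != null) {
			ret.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
		}
	}

	HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
	if(sessionContext != null) {
		ret.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
	}

	for(HivePrincipal principal : hivePrincipals) {
		switch(principal.getType()) {
			case USER:
				ret.getUsers().add(principal.getName());
				break;

			case GROUP:
				ret.getGroups().add(principal.getName());
				break;

			case ROLE:
				ret.getRoles().add(principal.getName());
				break;

			case UNKNOWN:
				// no Ranger equivalent; skipped as before
				break;
		}
	}

	for(HivePrivilege privilege : hivePrivileges) {
		String         privName   = privilege.getName();
		HiveAccessType accessType = toGrantableAccessType(privName);

		if(accessType != null) {
			// Locale.ROOT: under a Turkish default locale "INDEX".toLowerCase() yields a
			// dotless i and would not match Ranger's ASCII access-type names.
			ret.getAccessTypes().add(accessType.name().toLowerCase(java.util.Locale.ROOT));
		} else {
			LOG.warn("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
		}
	}

	return ret;
}

/** Returns {@code "*"} for a null or empty resource component, else the component itself. */
private static String wildcardIfEmpty(String component) {
	return StringUtils.isEmpty(component) ? "*" : component;
}

/**
 * Maps a Hive privilege name (case-insensitive) to the Ranger access type it grants.
 *
 * @param privName privilege name from the GRANT/REVOKE statement
 * @return the matching access type, {@code UPDATE} for {@code Insert}/{@code Delete}, or null
 *         when the privilege is not supported
 */
private static HiveAccessType toGrantableAccessType(String privName) {
	HiveAccessType[] grantable = {
		HiveAccessType.ALL, HiveAccessType.ALTER, HiveAccessType.CREATE, HiveAccessType.DROP,
		HiveAccessType.INDEX, HiveAccessType.LOCK, HiveAccessType.SELECT, HiveAccessType.UPDATE
	};

	for(HiveAccessType candidate : grantable) {
		if(StringUtils.equalsIgnoreCase(privName, candidate.name())) {
			return candidate;
		}
	}

	// Mapping Insert/Delete to Update
	if(StringUtils.equalsIgnoreCase(privName, "Insert") || StringUtils.equalsIgnoreCase(privName, "Delete")) {
		return HiveAccessType.UPDATE;
	}

	return null;
}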
 
Example #19
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
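/**
 * Revokes Hive roles from the given principals through the Ranger plugin.
 *
 * <p>Builds a {@link GrantRevokeRoleRequest} from the principals, the grantor and the current
 * Hive session, hands it to {@code hivePlugin.revokeRole}, and always emits an audit event for
 * {@code REVOKE_ROLE} in a {@code finally} block, recording whether the call succeeded.
 *
 * @param hivePrincipals users, groups and roles losing the roles; {@code UNKNOWN} is skipped
 * @param roles          names of the roles being revoked
 * @param grantOption    whether only the grant option is being revoked
 * @param grantorPrinc   principal performing the revoke
 * @throws HiveAccessControlException wrapping any exception from request building or the
 *         plugin call
 */
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
					   boolean grantOption, HivePrincipal grantorPrinc)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.revokeRole()");

	boolean                result          = false;
	RangerHiveAuditHandler auditHandler    = new RangerHiveAuditHandler();
	String                 grantorUserName = getGrantorUsername(grantorPrinc);
	List<String>           principals      = new ArrayList<>();

	try {
		GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
		request.setGrantor(grantorUserName);
		request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));

		Set<String> userList  = new HashSet<>();
		Set<String> groupList = new HashSet<>();
		Set<String> roleList  = new HashSet<>();

		for(HivePrincipal principal : hivePrincipals) {
			switch(principal.getType()) {
				case USER: {
					String principalName = principal.getName();
					userList.add(principalName);
					principals.add("USER " + principalName);
					break;
				}

				case GROUP: {
					String principalName = principal.getName();
					groupList.add(principalName);
					principals.add("GROUP " + principalName);
					break;
				}

				case ROLE: {
					String principalName = principal.getName();
					roleList.add(principalName);
					principals.add("ROLE " + principalName);
					break;
				}

				case UNKNOWN:
					break;
			}
		}

		request.setUsers(userList);
		request.setGroups(groupList);
		request.setRoles(roleList);
		request.setGrantOption(grantOption);
		request.setTargetRoles(new HashSet<>(roles));

		SessionState ss = SessionState.get();
		if(ss != null) {
			request.setClientIPAddress(ss.getUserIpAddress());
			request.setSessionId(ss.getSessionId());

			HiveConf hiveConf = ss.getConf();

			if(hiveConf != null) {
				request.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
			}
		}

		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		if(sessionContext != null) {
			request.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
		}

		// Previously the request was also logged at INFO immediately before this DEBUG line.
		// The request is populated with the client IP, session id and query text, and the
		// audit handler already records the operation, so the duplicate INFO line is dropped.
		if(LOG.isDebugEnabled()) {
			LOG.debug("revokeRole(): " + request);
		}

		hivePlugin.revokeRole(request, auditHandler);
		result = true;
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Audit the attempt regardless of outcome; result is false unless the plugin call returned.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, grantorUserName, principals, HiveOperationType.REVOKE_ROLE, HiveAccessType.ALTER, roles, result);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}
}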
 
Example #20
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Grants Hive roles to the given principals through the Ranger plugin.
 *
 * <p>Builds a {@link GrantRevokeRoleRequest} from the principals, the grantor and the current
 * Hive session, hands it to {@code hivePlugin.grantRole}, and always emits an audit event for
 * {@code GRANT_ROLE} in a {@code finally} block, recording whether the call succeeded.
 *
 * @param hivePrincipals users, groups and roles receiving the roles; {@code UNKNOWN} is skipped
 * @param roles          names of the roles being granted
 * @param grantOption    whether the grantees may delegate the roles
 * @param grantorPrinc   principal performing the grant
 * @throws HiveAccessControlException wrapping any exception from request building or the
 *         plugin call
 */
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
					  boolean grantOption, HivePrincipal grantorPrinc)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.grantRole()");

	boolean                succeeded       = false;
	RangerHiveAuditHandler auditHandler    = new RangerHiveAuditHandler();
	String                 grantorUserName = getGrantorUsername(grantorPrinc);
	List<String>           principals      = new ArrayList<>();

	try {
		GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
		request.setGrantor(grantorUserName);
		request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));

		Set<String> userList  = new HashSet<>();
		Set<String> groupList = new HashSet<>();
		Set<String> roleList  = new HashSet<>();

		for(HivePrincipal principal : hivePrincipals) {
			switch(principal.getType()) {
				case USER: {
					String principalName = principal.getName();
					userList.add(principalName);
					principals.add("USER " + principalName);
					break;
				}

				case GROUP: {
					String principalName = principal.getName();
					groupList.add(principalName);
					principals.add("GROUP " + principalName);
					break;
				}

				case ROLE: {
					String principalName = principal.getName();
					roleList.add(principalName);
					principals.add("ROLE "+ principalName);
					break;
				}

				case UNKNOWN:
					break;
			}
		}

		request.setUsers(userList);
		request.setGroups(groupList);
		request.setRoles(roleList);
		request.setGrantOption(grantOption);
		request.setTargetRoles(new HashSet<>(roles));

		SessionState ss = SessionState.get();
		if(ss != null) {
			request.setClientIPAddress(ss.getUserIpAddress());
			request.setSessionId(ss.getSessionId());

			HiveConf hiveConf = ss.getConf();

			if(hiveConf != null) {
				request.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
			}
		}

		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		if(sessionContext != null) {
			request.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
		}

		hivePlugin.grantRole(request, auditHandler);
		succeeded = true;
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Audit the attempt regardless of outcome; succeeded stays false unless the plugin call returned.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, grantorUserName, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER, roles, succeeded);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}
}
 
Example #21
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the session context this authorizer was constructed with.
 *
 * @return the {@link HiveAuthzSessionContext} stored in {@code mSessionContext}; may be null
 */
public HiveAuthzSessionContext getHiveAuthzSessionContext() {
	final HiveAuthzSessionContext sessionContext = mSessionContext;

	return sessionContext;
}
 
Example #22
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0 4 votes vote down vote up
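/**
 * Creates the authorizer for one Hive session and lazily initializes the shared
 * {@code hivePlugin} on first use.
 *
 * <p>The plugin's application type is derived from the session's client type: {@code hiveCLI},
 * {@code hiveServer2}, or {@code unknown} for anything else, including a null session context
 * or a null client type (the latter previously caused a {@link NullPointerException} in the
 * switch). Initialization uses double-checked locking on {@code hivePlugin} under
 * {@code RangerHiveAuthorizer.class}; NOTE(review): that pattern is only safe if the field is
 * declared {@code volatile} — confirm at the field declaration, which is outside this block.
 *
 * @param metastoreClientFactory factory for metastore clients, passed to the superclass
 * @param hiveConf               Hive configuration, passed to the superclass
 * @param hiveAuthenticator      source of the authenticated user, passed to the superclass
 * @param sessionContext         session context; may be null
 */
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
							  HiveConf                   hiveConf,
							  HiveAuthenticationProvider hiveAuthenticator,
							  HiveAuthzSessionContext    sessionContext) {
	super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);

	LOG.debug("RangerHiveAuthorizer.RangerHiveAuthorizer()");

	RangerHivePlugin plugin = hivePlugin;

	if(plugin == null) {
		synchronized(RangerHiveAuthorizer.class) {
			plugin = hivePlugin;

			if(plugin == null) {
				plugin = new RangerHivePlugin(appTypeFor(sessionContext));
				plugin.init();

				hivePlugin = plugin;
			}
		}
	}
}

/**
 * Maps the session's client type to the application type reported to the Ranger plugin.
 *
 * @param sessionContext session context; may be null
 * @return {@code hiveCLI}, {@code hiveServer2}, or {@code unknown} when the context or its
 *         client type is null or of any other type
 */
private static String appTypeFor(HiveAuthzSessionContext sessionContext) {
	if(sessionContext == null || sessionContext.getClientType() == null) {
		return "unknown";
	}

	switch(sessionContext.getClientType()) {
		case HIVECLI:
			return "hiveCLI";

		case HIVESERVER2:
			return "hiveServer2";

		default:
			// Other client types (a metastore/other mapping was once sketched here but never
			// enabled) are reported as unknown, as before.
			return "unknown";
	}
}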
 
Example #23
Source File: HiveAuthzBindingSessionHook.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
/**
 * Returns a {@link SentryHiveAuthorizerImpl} constructed with both arguments null.
 *
 * <p>None of the parameters are used. NOTE(review): the null arguments look like a placeholder
 * for this session-hook path — confirm that {@code SentryHiveAuthorizerImpl} tolerates them
 * before relying on the returned authorizer for enforcement.
 *
 * @return a new, argument-less authorizer
 * @throws HiveAuthzPluginException declared by the interface; not thrown by this body
 */
@Override
public HiveAuthorizer createHiveAuthorizer(
    HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
    HiveAuthenticationProvider hiveAuthenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  SentryHiveAuthorizerImpl authorizer = new SentryHiveAuthorizerImpl(null, null);
  return authorizer;
}
 
Example #24
Source File: RangerHiveAccessRequest.java    From ranger with Apache License 2.0 4 votes vote down vote up
/**
 * Convenience constructor for metadata operations: delegates with the action
 * {@code "METADATA OPERATION"} and access type {@link HiveAccessType#USE}.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user
 * @param groups         groups of the requesting user
 * @param roles          roles of the requesting user
 * @param context        per-query context; may be null
 * @param sessionContext per-session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
	this(resource,
	     user,
	     groups,
	     roles,
	     "METADATA OPERATION",
	     HiveAccessType.USE,
	     context,
	     sessionContext);
}
 
Example #25
Source File: HiveAuthorizationHelper.java    From dremio-oss with Apache License 2.0 4 votes vote down vote up
/**
 * Wires up Hive's V2 authorizer for {@code user} when
 * {@code ConfVars.HIVE_AUTHORIZATION_ENABLED} is set; otherwise leaves {@code authorizerV2}
 * null.
 *
 * <p>Works on a copy of {@code hiveConf} with {@code user.name} and {@code proxy.user.name}
 * set to the caller, obtains the authenticator and authorizer factory from that copy, creates
 * a {@link SessionState} for the user and builds the authorizer with a session context whose
 * client type is {@code HIVESERVER2}. The factory is looked up before the session state is
 * created because constructing the session state swaps the configuration's class loader.
 * Everything runs inside a {@link ContextClassLoaderSwapper}.
 *
 * @param mClient  metastore client returned by the factory handed to the authorizer
 * @param hiveConf base Hive configuration
 * @param user     user whose privileges are evaluated
 * @throws RuntimeException if a Hive component fails to initialize; the
 *         {@link HiveException} is kept as the cause
 */
public HiveAuthorizationHelper(final IMetaStoreClient mClient, final HiveConf hiveConf, final String user) {
  authzEnabled = hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
  if (!authzEnabled) {
    authorizerV2 = null;
    return;
  }

  try (final ContextClassLoaderSwapper swapper = ContextClassLoaderSwapper.newInstance()) {
    final HiveConf userConf = new HiveConf(hiveConf);
    userConf.set("user.name", user);
    userConf.set("proxy.user.name", user);

    final HiveAuthenticationProvider authenticator = HiveUtils.getAuthenticator(userConf,
        HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);

    // Must precede new SessionState(...): that constructor replaces the conf's class loader
    // with a UDF class loader.
    final HiveAuthorizerFactory authorizerFactory =
      HiveUtils.getAuthorizerFactory(userConf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);

    final SessionState sessionState = new SessionState(userConf, user);
    authenticator.setSessionState(sessionState);

    final HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder();
    ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); // Dremio is emulating HS2 here

    final HiveMetastoreClientFactory clientFactory = new HiveMetastoreClientFactory() {
      @Override
      public IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException {
        return mClient;
      }
    };

    // NOTE(review): the base hiveConf (not userConf) is passed to the factory here, while the
    // policy is applied with userConf — preserved as-is; confirm this asymmetry is intended.
    authorizerV2 = authorizerFactory.createHiveAuthorizer(
        clientFactory, hiveConf, authenticator, ctxBuilder.build());

    authorizerV2.applyAuthorizationConfigPolicy(userConf);
  } catch (final HiveException e) {
    throw new RuntimeException("Failed to initialize Hive authorization components: " + e.getMessage(), e);
  }

  logger.trace("Hive authorization enabled");
}
 
Example #26
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
/**
 * Creates a controller for a HiveServer2 session; equivalent to the five-argument constructor
 * with {@code HiveHook.HiveServer2}.
 *
 * @param conf          Hive configuration; must not be null
 * @param authzConf     Sentry authorization configuration; must not be null
 * @param authenticator provider of the authenticated Hive user; must not be null
 * @param ctx           session context; must not be null
 * @throws Exception propagated from {@code initilize}, which rejects null arguments and a
 *         missing authorization server name
 */
public DefaultSentryAccessController(HiveConf conf, HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
  this(HiveHook.HiveServer2, conf, authzConf, authenticator, ctx);
}
 
Example #27
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
/**
 * Creates a controller for the given Hive hook point.
 *
 * <p>Calls {@code initilize}, which validates the arguments and stores them, then records the
 * hook. NOTE(review): {@code initilize} is a non-final protected method invoked from a
 * constructor — subclasses overriding it run before their own fields are initialized.
 *
 * @param hiveHook      hook point this controller serves
 * @param conf          Hive configuration; must not be null
 * @param authzConf     Sentry authorization configuration; must not be null
 * @param authenticator provider of the authenticated Hive user; must not be null
 * @param ctx           session context; must not be null
 * @throws Exception propagated from {@code initilize}
 */
public DefaultSentryAccessController(HiveHook hiveHook,
                                     HiveConf conf,
                                     HiveAuthzConf authzConf,
                                     HiveAuthenticationProvider authenticator,
                                     HiveAuthzSessionContext ctx) throws Exception {
  initilize(conf, authzConf, authenticator, ctx);

  this.hiveHook = hiveHook;
}