org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider Java Examples

The following examples show how to use org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
Example #1
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Validates the collaborators of this access controller and stores them on the instance.
 *
 * <p>All four arguments are null-checked before any field is written. The server name is
 * then read from {@code authzConf} under {@code AuthzConfVars.AUTHZ_SERVER_NAME}; a missing
 * value is rejected with the {@code REQUIRED_AUTHZ_SERVER_NAME} message instead of being
 * defaulted. Note that the four fields have already been assigned when that last check runs.
 *
 * @param conf Hive configuration; must not be null
 * @param authzConf Sentry authorization configuration; must not be null and must define the
 *     server name
 * @param authenticator Hive authentication provider for the session; must not be null
 * @param ctx Hive authorization session context; must not be null
 * @throws Exception declared by the signature; the visible body fails only through the
 *     {@code Preconditions.checkNotNull} calls
 */
protected void initilize(HiveConf conf, HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
  // Reject every missing collaborator before touching instance state.
  Preconditions.checkNotNull(conf, "HiveConf cannot be null");
  Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
  Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");
  Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null");

  this.conf = conf;
  this.authzConf = authzConf;
  this.authenticator = authenticator;
  this.ctx = ctx;

  // An authorization server name is mandatory: fail here rather than run without one.
  String configuredServerName = authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
  this.serverName = Preconditions.checkNotNull(configuredServerName, REQUIRED_AUTHZ_SERVER_NAME);
}
 
Example #2
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0
/**
 * Builds the Sentry authorization validator used by the Hive authorizer.
 *
 * <p>The class named by {@code HIVE_SENTRY_AUTHORIZATION_CONTROLLER} is resolved from
 * {@code conf} (default {@code DefaultSentryValidator}) only to confirm that the setting
 * resolves; the object returned is always a {@code DefaultSentryValidator}.
 *
 * <p>NOTE(review): the resolved class is never instantiated, so pointing the setting at a
 * custom validator has no effect. An operator could believe a different validator is
 * enforcing policy when the default one is. Confirm whether this is intended.
 *
 * @param conf Hive configuration the validator class setting is read from
 * @param authzConf Sentry authorization configuration handed to the validator
 * @param authenticator Hive authentication provider handed to the validator
 * @return a new {@code DefaultSentryValidator}
 * @throws HiveAuthzPluginException if the setting resolves to {@code null} or the validator
 *     constructor throws (the original exception is kept as the cause)
 */
public static SentryHiveAuthorizationValidator getAuthzValidator(HiveConf conf,
    HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator)
    throws HiveAuthzPluginException {
  Class<? extends SentryHiveAuthorizationValidator> configuredClass = conf.getClass(
      HIVE_SENTRY_AUTHORIZATION_CONTROLLER, DefaultSentryValidator.class,
      SentryHiveAuthorizationValidator.class);

  // Not expected in practice because a default class is supplied above.
  if (configuredClass == null) {
    String message = "Configuration value "
        + HIVE_SENTRY_AUTHORIZATION_CONTROLLER
        + " is not set to valid SentryAuthorizationValidator subclass";
    throw new HiveAuthzPluginException(message);
  }

  SentryHiveAuthorizationValidator validator;
  try {
    validator = new DefaultSentryValidator(conf, authzConf, authenticator);
  } catch (Exception e) {
    // Surface construction failures as a plugin error; no validator is returned.
    throw new HiveAuthzPluginException(e);
  }
  return validator;
}
 
Example #3
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0
/**
 * Builds the Sentry access controller used by the Hive authorizer.
 *
 * <p>The class named by {@code HIVE_SENTRY_ACCESS_CONTROLLER} is resolved from {@code conf}
 * (default {@code DefaultSentryAccessController}) only to confirm that the setting resolves;
 * the object returned is always a {@code DefaultSentryAccessController}.
 *
 * <p>NOTE(review): the resolved class is never instantiated, so a custom access controller
 * named in configuration is silently not used. Confirm whether this is intended.
 *
 * @param conf Hive configuration the access controller class setting is read from
 * @param authzConf Sentry authorization configuration handed to the controller
 * @param authenticator Hive authentication provider handed to the controller
 * @param ctx Hive authorization session context handed to the controller
 * @return a new {@code DefaultSentryAccessController}
 * @throws HiveAuthzPluginException if the setting resolves to {@code null} or the controller
 *     constructor throws (the original exception is kept as the cause)
 */
public static SentryHiveAccessController getAccessController(HiveConf conf,
    HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  Class<? extends SentryHiveAccessController> configuredClass = conf.getClass(
      HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class,
      SentryHiveAccessController.class);

  // Not expected in practice because a default class is supplied above.
  if (configuredClass == null) {
    String message = "Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER
        + " is not set to valid SentryAccessController subclass";
    throw new HiveAuthzPluginException(message);
  }

  SentryHiveAccessController controller;
  try {
    controller = new DefaultSentryAccessController(conf, authzConf, authenticator, ctx);
  } catch (Exception e) {
    // Surface construction failures as a plugin error; no controller is returned.
    throw new HiveAuthzPluginException(e);
  }
  return controller;
}
 
Example #4
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0
/**
 * Stores the collaborators and derives the session user's UserGroupInformation.
 *
 * The user name is taken from hiveAuthenticator.getUserName() and, when it is not null,
 * turned into a remote-user UGI. A missing authenticator, a null/empty user name or a null
 * UGI is only logged at WARN level; construction still succeeds.
 *
 * NOTE(review): with a null authenticator or user name, mUgi stays null. Code that makes
 * access decisions from mUgi must treat null as "no identity" and deny. Confirm the callers do.
 * NOTE(review): an empty (non-null) user name is still passed to createRemoteUser before the
 * "null/empty" warning is reached. Confirm how createRemoteUser handles it.
 *
 * @param metastoreClientFactory factory for metastore clients, stored as given
 * @param hiveConf               Hive configuration, stored as given
 * @param hiveAuthenticator      authentication provider the user name is read from; may be null
 * @param context                authorization session context, stored as given
 */
public RangerHiveAuthorizerBase(HiveMetastoreClientFactory metastoreClientFactory,
								  HiveConf                   hiveConf,
								  HiveAuthenticationProvider hiveAuthenticator,
								  HiveAuthzSessionContext    context) {
	mMetastoreClientFactory = metastoreClientFactory;
	mHiveConf               = hiveConf;
	mHiveAuthenticator      = hiveAuthenticator;
	mSessionContext         = context;

	// Resolve the caller's name only when an authenticator was supplied.
	String userName = null;
	if(mHiveAuthenticator != null) {
		userName = mHiveAuthenticator.getUserName();
	}

	// No name means no identity object; this is reported below, not rejected.
	if(userName != null) {
		mUgi = UserGroupInformation.createRemoteUser(userName);
	} else {
		mUgi = null;
	}

	// Report the first reason the identity could not be established.
	if(mHiveAuthenticator == null) {
		LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator is null");
	} else if(StringUtil.isEmpty(userName)) {
		LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator.getUserName() returned null/empty");
	} else if(mUgi == null) {
		LOG.warn(String.format("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): UserGroupInformation.createRemoteUser(%s) returned null", userName));
	}
}
 
Example #5
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0
/**
 * Creates the Sentry-backed Hive authorizer for a session.
 *
 * <p>Loads the Sentry authorization configuration from {@code conf} into this factory's
 * {@code authzConf} field, derives the effective session context through
 * {@code applyTestSettings}, and runs {@code assertHiveCliAuthDisabled} on it (the checks
 * made by those helpers are not visible here). Any exception from these steps is rethrown
 * as {@link HiveAuthzPluginException}, so no authorizer is handed out when setup fails.
 *
 * <p>NOTE(review): {@code this.authzConf} is overwritten on every call. If one factory
 * instance serves concurrent sessions, this is an unsynchronised shared write. Confirm.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf Hive configuration the Sentry configuration is loaded from
 * @param authenticator Hive authentication provider passed to controller and validator
 * @param ctx session context supplied by Hive, before test settings are applied
 * @return an authorizer combining the access controller and the authorization validator
 * @throws HiveAuthzPluginException if setup or component construction fails
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
  HiveAuthzSessionContext effectiveCtx;
  try {
    this.authzConf = HiveAuthzBindingHook.loadAuthzConf(conf);
    effectiveCtx = applyTestSettings(ctx, conf);
    assertHiveCliAuthDisabled(conf, effectiveCtx);
  } catch (Exception e) {
    throw new HiveAuthzPluginException(e);
  }

  // Controller first, validator second: the same order in which they are passed on.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, effectiveCtx),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example #6
Source File: RangerHiveAuthorizerFactory.java    From ranger with Apache License 2.0
/**
 * Delegates authorizer creation to rangerHiveAuthorizerFactoryImpl.
 *
 * activatePluginClassLoader() is called before the delegate and
 * deactivatePluginClassLoader() runs in a finally block, so the latter executes even when
 * the delegate throws.
 *
 * @param metastoreClientFactory passed through to the delegate
 * @param conf                   passed through to the delegate
 * @param hiveAuthenticator      passed through to the delegate
 * @param sessionContext         passed through to the delegate
 * @return the authorizer produced by the delegate
 * @throws HiveAuthzPluginException if the delegate fails
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
										   HiveConf                   conf,
										   HiveAuthenticationProvider hiveAuthenticator,
										   HiveAuthzSessionContext    sessionContext)
												   throws HiveAuthzPluginException {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}

	HiveAuthorizer authorizer;

	try {
		activatePluginClassLoader();
		authorizer = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
	} finally {
		// Must run on success and on failure alike.
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
	}

	return authorizer;
}
 
Example #7
Source File: DefaultSentryValidator.java    From incubator-sentry with Apache License 2.0
/**
 * Validates the collaborators of this validator and stores them on the instance.
 *
 * <p>All three arguments are null-checked before any field is written, so a rejected call
 * leaves the instance fields as they were. Only {@code conf}, {@code authzConf} and
 * {@code authenticator} are set here.
 *
 * @param conf Hive configuration; must not be null
 * @param authzConf Sentry authorization configuration; must not be null
 * @param authenticator Hive authentication provider for the session; must not be null
 * @throws Exception declared by the signature; the visible body fails only through the
 *     {@code Preconditions.checkNotNull} calls
 */
protected void initilize(
    HiveConf conf,
    HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator) throws Exception {
  // Reject every missing collaborator before touching instance state.
  Preconditions.checkNotNull(conf, "HiveConf cannot be null");
  Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
  Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");

  this.conf = conf;
  this.authzConf = authzConf;
  this.authenticator = authenticator;
}
 
Example #8
Source File: RelaxedSQLStdHiveAccessController.java    From beeju with Apache License 2.0
/**
 * Creates the controller by passing every argument unchanged to the superclass constructor.
 *
 * <p>NOTE(review): the "Relaxed" prefix suggests looser checks than the standard SQL access
 * controller; the overrides that would show this are not visible here. Confirm this class
 * is only reachable from test configurations.
 *
 * @param metastoreClientFactory forwarded to the superclass
 * @param conf forwarded to the superclass
 * @param authenticator forwarded to the superclass
 * @param ctx forwarded to the superclass
 * @throws HiveAuthzPluginException if the superclass constructor fails
 */
public RelaxedSQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);
}
 
Example #9
Source File: SentryAuthorizerFactory.java    From incubator-sentry with Apache License 2.0
/**
 * Test-only overload that builds the authorizer from an already prepared
 * {@code HiveAuthzConf}.
 *
 * <p>This overload does nothing beyond constructing the access controller and the
 * validator from the supplied arguments; the session context is used exactly as passed in.
 *
 * @param metastoreClientFactory not used by this overload
 * @param conf Hive configuration passed to controller and validator
 * @param authzConf Sentry authorization configuration passed to controller and validator
 * @param authenticator Hive authentication provider passed to controller and validator
 * @param ctx session context passed to the access controller
 * @return an authorizer combining the access controller and the authorization validator
 * @throws HiveAuthzPluginException if either component cannot be constructed
 */
@VisibleForTesting
protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
  // Controller first, validator second: the same order in which they are passed on.
  return new SentryHiveAuthorizer(
      getAccessController(conf, authzConf, authenticator, ctx),
      getAuthzValidator(conf, authzConf, authenticator));
}
 
Example #10
Source File: RangerHiveAuthorizerFactory.java    From ranger with Apache License 2.0
/**
 * Creates a RangerHiveAuthorizer from the four arguments, passed through unchanged.
 *
 * No validation happens here; null handling is left to the RangerHiveAuthorizer constructor.
 *
 * @param metastoreClientFactory passed to the authorizer
 * @param conf                   passed to the authorizer
 * @param hiveAuthenticator      passed to the authorizer
 * @param sessionContext         passed to the authorizer
 * @return a new RangerHiveAuthorizer
 * @throws HiveAuthzPluginException declared by the interface; not thrown by the visible body
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
										   HiveConf                   conf,
										   HiveAuthenticationProvider hiveAuthenticator,
										   HiveAuthzSessionContext    sessionContext)
												   throws HiveAuthzPluginException {
	HiveAuthorizer authorizer =
			new RangerHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);

	return authorizer;
}
 
Example #11
Source File: RelaxedSQLStdHiveAccessControllerWrapper.java    From beeju with Apache License 2.0
/**
 * Builds the wrapper through the superclass constructor, then replaces the wrapped access
 * controller with a {@code RelaxedSQLStdHiveAccessController} built from the same arguments.
 *
 * <p>NOTE(review): after construction every call that goes through this wrapper is answered
 * by the "relaxed" controller, not the one the superclass created. Confirm this class is
 * only wired into test configurations.
 *
 * @param metastoreClientFactory forwarded to the superclass and the relaxed controller
 * @param conf forwarded to the superclass and the relaxed controller
 * @param authenticator forwarded to the superclass and the relaxed controller
 * @param ctx forwarded to the superclass and the relaxed controller
 * @throws HiveAuthzPluginException if either constructor fails
 */
public RelaxedSQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);

  RelaxedSQLStdHiveAccessController relaxedController =
      new RelaxedSQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
  overrideHiveAccessController(relaxedController);
}
 
Example #12
Source File: RelaxedSQLStdHiveAuthorizerFactory.java    From beeju with Apache License 2.0
/**
 * Creates a {@code HiveAuthorizerImpl} whose access controller is a
 * {@code RelaxedSQLStdHiveAccessControllerWrapper}.
 *
 * <p>The same wrapper instance is given to the standard SQL authorization validator, so the
 * validator consults the wrapper for privilege information.
 *
 * <p>NOTE(review): selecting this factory as the Hive authorization manager swaps in the
 * "relaxed" controller for the whole session. Confirm it is only configured for tests.
 *
 * @param metastoreClientFactory passed to the wrapper and the validator
 * @param conf passed to the wrapper and the validator
 * @param authenticator passed to the wrapper and the validator
 * @param ctx passed to the wrapper and the validator
 * @return the assembled authorizer
 * @throws HiveAuthzPluginException if a component cannot be constructed
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  RelaxedSQLStdHiveAccessControllerWrapper accessController =
      new RelaxedSQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);

  SQLStdHiveAuthorizationValidator validator = new SQLStdHiveAuthorizationValidator(
      metastoreClientFactory, conf, authenticator, accessController, ctx);

  return new HiveAuthorizerImpl(accessController, validator);
}
 
Example #13
Source File: HiveAuthzBindingSessionHook.java    From incubator-sentry with Apache License 2.0
/**
 * Returns a {@code SentryHiveAuthorizerImpl} constructed with two {@code null} arguments.
 *
 * <p>None of the parameters is read: the authenticator and the session context are
 * discarded.
 *
 * <p>NOTE(review): whatever this authorizer enforces cannot depend on the caller's identity
 * or the session context, because neither reaches it. Confirm that
 * {@code SentryHiveAuthorizerImpl} tolerates null collaborators and that the actual access
 * checks for this session are performed elsewhere.
 *
 * @param metastoreClientFactory ignored
 * @param conf ignored
 * @param hiveAuthenticator ignored
 * @param ctx ignored
 * @return a new {@code SentryHiveAuthorizerImpl(null, null)}
 * @throws HiveAuthzPluginException declared by the interface; not thrown by the visible body
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  HiveAuthorizer authorizer = new SentryHiveAuthorizerImpl(null, null);
  return authorizer;
}
 
Example #14
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0
/**
 * Returns the value of the mHiveAuthenticator field.
 *
 * NOTE(review): callers should be prepared for null if the field was never set to a
 * non-null provider. Confirm against the constructor.
 *
 * @return the stored Hive authentication provider
 */
public HiveAuthenticationProvider getHiveAuthenticator() {
	return this.mHiveAuthenticator;
}
 
Example #15
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
/**
 * Creates the authorizer and makes sure the shared hivePlugin has been initialised.
 *
 * All arguments go to the superclass constructor. If hivePlugin is still null, the field is
 * re-checked under the RangerHiveAuthorizer class lock and, if still unset, a
 * RangerHivePlugin is created, initialised with init() and only then published to
 * hivePlugin. The plugin's application type is "hiveCLI" or "hiveServer2" according to the
 * session's client type; any other client type, or a null session context, leaves it as
 * "unknown".
 *
 * NOTE(review): the first, unlocked read is only safe if hivePlugin is declared volatile.
 * Confirm the field declaration.
 * NOTE(review): the application type is fixed by whichever session triggers initialisation;
 * later sessions of a different client type reuse the same plugin.
 * NOTE(review): switching on a null getClientType() would throw NullPointerException.
 * Confirm the session context never returns null.
 *
 * @param metastoreClientFactory forwarded to the superclass
 * @param hiveConf               forwarded to the superclass
 * @param hiveAuthenticator      forwarded to the superclass
 * @param sessionContext         forwarded to the superclass; also selects the plugin's
 *                               application type when the plugin is first created
 */
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
							  HiveConf                   hiveConf,
							  HiveAuthenticationProvider hiveAuthenticator,
							  HiveAuthzSessionContext    sessionContext) {
	super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);

	LOG.debug("RangerHiveAuthorizer.RangerHiveAuthorizer()");

	// Fast path: the plugin already exists, nothing more to do.
	RangerHivePlugin plugin = hivePlugin;

	if(plugin != null) {
		return;
	}

	synchronized(RangerHiveAuthorizer.class) {
		// Re-check under the lock: another thread may have created it meanwhile.
		plugin = hivePlugin;

		if(plugin != null) {
			return;
		}

		String appType = "unknown";

		if(sessionContext != null) {
			// Only these two client types are mapped; cases for HIVEMETASTORE and OTHER
			// were left disabled in the original, so anything else keeps "unknown".
			switch(sessionContext.getClientType()) {
				case HIVECLI:
					appType = "hiveCLI";
				break;

				case HIVESERVER2:
					appType = "hiveServer2";
				break;
			}
		}

		plugin = new RangerHivePlugin(appType);
		plugin.init();

		// Publish only after init() has completed.
		hivePlugin = plugin;
	}
}
 
Example #16
Source File: HiveAuthorizationHelper.java    From dremio-oss with Apache License 2.0
/**
 * Sets up Hive authorization for {@code user}, if the Hive configuration enables it.
 *
 * <p>When {@code HIVE_AUTHORIZATION_ENABLED} is false, {@code authorizerV2} is set to
 * {@code null} and nothing else happens. Otherwise a copy of {@code hiveConf} is made,
 * {@code user} is written into its {@code user.name} and {@code proxy.user.name} keys, and
 * the authenticator, authorizer factory and session state are built from that copy. The
 * authorizer is created with client type {@code HIVESERVER2} and then asked to apply its
 * authorization configuration policy to the copy.
 *
 * <p>NOTE(review): the identity the authorizer sees is whatever string the caller passes as
 * {@code user}; nothing here verifies it. Confirm callers only pass an authenticated name.
 * <p>NOTE(review): {@code createHiveAuthorizer} receives the original {@code hiveConf},
 * while every other step uses the per-user copy. Confirm this is intended.
 *
 * @param mClient metastore client returned by the client factory given to the authorizer
 * @param hiveConf Hive configuration; read for the enable flag and copied for per-user use
 * @param user user name the authorization checks are to be made for
 * @throws RuntimeException if a {@code HiveException} occurs while building the components
 *     (the original exception is kept as the cause)
 */
public HiveAuthorizationHelper(final IMetaStoreClient mClient, final HiveConf hiveConf, final String user) {
  authzEnabled = hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
  if (!authzEnabled) {
    // Authorization is switched off in configuration: no authorizer is built.
    authorizerV2 = null;
    return;
  }

  try (final ContextClassLoaderSwapper swapper = ContextClassLoaderSwapper.newInstance()) {
    // Work on a private copy so the per-user keys never leak into the shared configuration.
    final HiveConf userScopedConf = new HiveConf(hiveConf);
    userScopedConf.set("user.name", user);
    userScopedConf.set("proxy.user.name", user);

    final HiveAuthenticationProvider authenticator =
        HiveUtils.getAuthenticator(userScopedConf, HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);

    // This must be retrieved before creating the session state, because creation of the
    // session state changes the given HiveConf's classloader to a UDF ClassLoader.
    final HiveAuthorizerFactory authorizerFactory =
        HiveUtils.getAuthorizerFactory(userScopedConf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);

    final SessionState sessionState = new SessionState(userScopedConf, user);
    authenticator.setSessionState(sessionState);

    final HiveAuthzSessionContext.Builder contextBuilder = new HiveAuthzSessionContext.Builder();
    contextBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); // Dremio is emulating HS2 here

    // Always hands out the metastore client this helper was constructed with.
    final HiveMetastoreClientFactory clientFactory = new HiveMetastoreClientFactory() {
      @Override
      public IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException {
        return mClient;
      }
    };

    authorizerV2 = authorizerFactory.createHiveAuthorizer(
        clientFactory, hiveConf, authenticator, contextBuilder.build());

    authorizerV2.applyAuthorizationConfigPolicy(userScopedConf);
  } catch (final HiveException e) {
    throw new RuntimeException("Failed to initialize Hive authorization components: " + e.getMessage(), e);
  }

  logger.trace("Hive authorization enabled");
}
 
Example #17
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Creates an access controller for the {@code HiveHook.HiveServer2} hook type.
 *
 * <p>All arguments are handed to {@code initilize}; the hook type is set afterwards.
 *
 * <p>NOTE(review): {@code initilize} is called from the constructor. If it can be
 * overridden, a subclass override runs before the subclass's own fields are initialised.
 *
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator Hive authentication provider for the session
 * @param ctx Hive authorization session context
 * @throws Exception if {@code initilize} rejects the arguments or otherwise fails
 */
public DefaultSentryAccessController(
    HiveConf conf,
    HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws Exception {
  // Validation and field setup happen first; a failure here aborts construction.
  initilize(conf, authzConf, authenticator, ctx);
  this.hiveHook = HiveHook.HiveServer2;
}
 
Example #18
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Creates an access controller for a caller-chosen hook type.
 *
 * <p>All arguments except {@code hiveHook} are handed to {@code initilize}; the hook type
 * is stored afterwards exactly as given. {@code hiveHook} itself is not null-checked here.
 *
 * @param hiveHook hook type to record on the controller
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator Hive authentication provider for the session
 * @param ctx Hive authorization session context
 * @throws Exception if {@code initilize} rejects the arguments or otherwise fails
 */
public DefaultSentryAccessController(
    HiveHook hiveHook,
    HiveConf conf,
    HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx) throws Exception {
  // Validation and field setup happen first; a failure here aborts construction.
  initilize(conf, authzConf, authenticator, ctx);
  this.hiveHook = hiveHook;
}
 
Example #19
Source File: DefaultSentryValidator.java    From incubator-sentry with Apache License 2.0
/**
 * Creates a validator for the {@code HiveHook.HiveServer2} hook type.
 *
 * <p>All arguments are handed to {@code initilize}; the hook type is set afterwards.
 *
 * <p>NOTE(review): {@code initilize} is called from the constructor. If it can be
 * overridden, a subclass override runs before the subclass's own fields are initialised.
 *
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator Hive authentication provider for the session
 * @throws Exception if {@code initilize} rejects the arguments or otherwise fails
 */
public DefaultSentryValidator(
    HiveConf conf,
    HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator) throws Exception {
  // Validation and field setup happen first; a failure here aborts construction.
  initilize(conf, authzConf, authenticator);
  this.hiveHook = HiveHook.HiveServer2;
}
 
Example #20
Source File: DefaultSentryValidator.java    From incubator-sentry with Apache License 2.0
/**
 * Creates a validator for a caller-chosen hook type.
 *
 * <p>All arguments except {@code hiveHook} are handed to {@code initilize}; the hook type
 * is stored afterwards exactly as given. {@code hiveHook} itself is not null-checked here.
 *
 * @param hiveHook hook type to record on the validator
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator Hive authentication provider for the session
 * @throws Exception if {@code initilize} rejects the arguments or otherwise fails
 */
public DefaultSentryValidator(
    HiveHook hiveHook,
    HiveConf conf,
    HiveAuthzConf authzConf,
    HiveAuthenticationProvider authenticator) throws Exception {
  // Validation and field setup happen first; a failure here aborts construction.
  initilize(conf, authzConf, authenticator);
  this.hiveHook = hiveHook;
}