org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException Java Examples

Example #1
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0
/**
 * Lists the privileges that {@code principal} holds on {@code privObj}.
 * <p>
 * This base class does not support privilege listing: the call is traced and handed to
 * {@code throwNotImplementedException}, which is expected to throw. The trailing
 * {@code return} exists only to satisfy the compiler; callers must not rely on a
 * {@code null} result from this method.
 *
 * @param principal the principal whose privileges are requested
 * @param privObj   the object the privileges apply to
 * @return not reached in this base implementation
 * @throws HiveAuthzPluginException   expected to be raised by the not-implemented helper
 * @throws HiveAccessControlException declared by the authorizer interface
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.showPrivileges()");

	List<HivePrivilegeInfo> privileges = null;
	throwNotImplementedException("showPrivileges");

	return privileges;
}
 
Example #2
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Revokes {@code hivePrivileges} on {@code hivePrivObject} from each of {@code hivePrincipals}.
 * <p>
 * Delegates to {@code grantOrRevokePrivlegeOnRole} with the grant flag cleared. Note that
 * {@code grantorPrincipal} is not forwarded by this implementation.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges being revoked
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the revoke (not used here)
 * @param grantOption      whether the grant option itself is revoked
 * @throws HiveAuthzPluginException   on plugin failure
 * @throws HiveAccessControlException if the caller may not revoke these privileges
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // false selects the revoke direction of the shared grant/revoke helper.
  final boolean isGrant = false;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
 
Example #3
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Grants {@code hivePrivileges} on {@code hivePrivObject} to each of {@code hivePrincipals}.
 * <p>
 * Delegates to {@code grantOrRevokePrivlegeOnRole} with the grant flag set. Note that
 * {@code grantorPrincipal} is not forwarded by this implementation.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges being granted
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the grant (not used here)
 * @param grantOption      whether the grant option is included
 * @throws HiveAuthzPluginException   on plugin failure
 * @throws HiveAccessControlException if the caller may not grant these privileges
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // true selects the grant direction of the shared grant/revoke helper.
  final boolean isGrant = true;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
 
Example #4
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Runs the configured on-failure hooks for a denied operation, then rethrows the denial
 * as a {@link HiveAccessControlException}.
 * <p>
 * The hook context carries the current session's command text, the operation, the
 * authenticated user name, the denial wrapped in an {@code AuthorizationException} and
 * the authorization configuration; every other context field is passed as {@code null}.
 *
 * @param hiveOp the operation that was denied
 * @param e      the Sentry denial being reported
 * @throws HiveAccessControlException always, carrying {@code e} as message and cause
 */
private void executeOnFailureHooks(HiveOperation hiveOp, SentryAccessDeniedException e)
    throws HiveAccessControlException {
  final AuthorizationException denial = new AuthorizationException(e);
  final SentryOnFailureHookContext hookCtx = new SentryOnFailureHookContextImpl(
      SessionState.get().getCmd(), null, null, hiveOp, null, null, null, null,
      authenticator.getUserName(), null, denial, authzConf);

  SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);

  // Hooks are observers only; the denial is still propagated to the caller.
  throw new HiveAccessControlException(e.getMessage(), e);
}
 
Example #5
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Grants {@code hivePrivileges} on {@code hivePrivObject} to {@code hivePrincipals}.
 * <p>
 * The authorizer holds no policy of its own; the call is forwarded unchanged to the
 * configured {@code accessController}, which is expected to decide and apply the grant.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges to grant
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the grant
 * @param grantOption      whether the grant option is included
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not grant
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // Pure delegation: no local validation, the controller owns the decision.
  accessController.grantPrivileges(
      hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
 
Example #6
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Revokes {@code hivePrivileges} on {@code hivePrivObject} from {@code hivePrincipals}.
 * <p>
 * The authorizer holds no policy of its own; the call is forwarded unchanged to the
 * configured {@code accessController}, which is expected to decide and apply the revoke.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges to revoke
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the revoke
 * @param grantOption      whether the grant option is revoked as well
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not revoke
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // Pure delegation: no local validation, the controller owns the decision.
  accessController.revokePrivileges(
      hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
 
Example #7
Source File: RangerHiveAuthorizerBase.java    From ranger with Apache License 2.0
/**
 * Lists the role grants held by {@code principal}.
 * <p>
 * Not supported by this base class: the call is traced and handed to
 * {@code throwNotImplementedException}, which is expected to throw. The trailing
 * {@code return} exists only to satisfy the compiler; callers must not rely on a
 * {@code null} result from this method.
 *
 * @param principal the principal whose role grants are requested
 * @return not reached in this base implementation
 * @throws HiveAuthzPluginException   expected to be raised by the not-implemented helper
 * @throws HiveAccessControlException declared by the authorizer interface
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");

	List<HiveRoleGrant> grants = null;
	throwNotImplementedException("getRoleGrantInfoForPrincipal");

	return grants;
}
 
Example #8
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
/**
 * Denies a DFS command, recording an audit event for the denial first.
 * <p>
 * The command text placed in the audit record is taken from the input objects of type
 * {@code COMMAND_PARAMS}: scanning stops at the first one whose parameters are non-empty,
 * so the value logged is that of the last such object examined (possibly empty, or
 * {@code null} when there is none). Service id and name are read from {@code hivePlugin}
 * when it is set. This method never returns normally.
 *
 * @param hiveOpType   the operation being denied; its name appears in the error message
 * @param inputHObjs   input objects of the command; may be {@code null}
 * @param user         the requesting user
 * @param auditHandler sink for the denial audit event
 * @throws HiveAccessControlException always, after the audit event has been logged
 * @throws HiveAuthzPluginException   declared for the callers' signatures; not thrown directly here
 */
private void handleDfsCommand(HiveOperationType         hiveOpType,
							  List<HivePrivilegeObject> inputHObjs,
							  String                    user,
							  RangerHiveAuditHandler    auditHandler)
      throws HiveAuthzPluginException, HiveAccessControlException {

	String  dfsCommandParams = null;
	boolean paramsFound      = false;

	if (inputHObjs != null) {
		for (int i = 0; i < inputHObjs.size() && !paramsFound; i++) {
			HivePrivilegeObject hiveObj = inputHObjs.get(i);

			if (hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
				dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());
				paramsFound      = !StringUtil.isEmpty(dfsCommandParams);
			}
		}
	}

	// Service identity for the audit record; defaults apply when no plugin is configured.
	final boolean pluginAvailable = hivePlugin != null;
	int    serviceType = pluginAvailable ? hivePlugin.getServiceDefId() : -1;
	String serviceName = pluginAvailable ? hivePlugin.getServiceName()  : null;

	auditHandler.logAuditEventForDfs(user, dfsCommandParams, false, serviceType, serviceName);

	throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
										 user, hiveOpType.name()));
}
 
Example #9
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
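/**
 * Revokes the given privileges from the given principals on {@code hivePrivObject} by
 * sending a revoke request to the Ranger plugin.
 * <p>
 * Only available when {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set;
 * otherwise a {@link HiveAuthzPluginException} directs the user to Ranger Admin. Any
 * exception raised while building or sending the request — including plugin errors —
 * is reported to the caller as a {@link HiveAccessControlException}. The audit buffer
 * is flushed on every path. The request is logged once at INFO; the former DEBUG line
 * that repeated the same text has been dropped.
 *
 * @param hivePrincipals   principals losing the privileges
 * @param hivePrivileges   privileges to revoke
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the revoke
 * @param grantOption      whether the grant option is revoked as well
 * @throws HiveAuthzPluginException   if grant/revoke through the authorizer is disabled
 * @throws HiveAccessControlException if the revoke request cannot be completed
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
							 List<HivePrivilege> hivePrivileges,
							 HivePrivilegeObject hivePrivObject,
							 HivePrincipal       grantorPrincipal,
							 boolean             grantOption)
									 throws HiveAuthzPluginException, HiveAccessControlException {
	if(! RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
		RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputs);
		GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		// Single INFO record of the outgoing request; it was previously duplicated at DEBUG.
		LOG.info("revokePrivileges(): " + request);

		hivePlugin.revokeAccess(request, auditHandler);
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Always flush so the audit trail records the attempt even when the plugin call fails.
		auditHandler.flushAudit();
	}
}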
 
Example #10
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
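/**
 * Grants the given privileges to the given principals on {@code hivePrivObject} by
 * sending a grant request to the Ranger plugin.
 * <p>
 * Only available when {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set;
 * otherwise a {@link HiveAuthzPluginException} directs the user to Ranger Admin. Any
 * exception raised while building or sending the request — including plugin errors —
 * is reported to the caller as a {@link HiveAccessControlException}. The audit buffer
 * is flushed on every path. The request is logged once at INFO; the former DEBUG line
 * that repeated the same text has been dropped.
 *
 * @param hivePrincipals   principals receiving the privileges
 * @param hivePrivileges   privileges to grant
 * @param hivePrivObject   object the privileges apply to
 * @param grantorPrincipal principal performing the grant
 * @param grantOption      whether the grant option is included
 * @throws HiveAuthzPluginException   if grant/revoke through the authorizer is disabled
 * @throws HiveAccessControlException if the grant request cannot be completed
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
							List<HivePrivilege> hivePrivileges,
							HivePrivilegeObject hivePrivObject,
							HivePrincipal       grantorPrincipal,
							boolean             grantOption)
									throws HiveAuthzPluginException, HiveAccessControlException {
	if (LOG.isDebugEnabled()) {
			LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
	}

	if(! RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
		throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	try {
		List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
		RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputs);
		GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

		// Single INFO record of the outgoing request; it was previously duplicated at DEBUG.
		LOG.info("grantPrivileges(): " + request);

		hivePlugin.grantAccess(request, auditHandler);
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Always flush so the audit trail records the attempt even when the plugin call fails.
		auditHandler.flushAudit();
	}
}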
 
Example #11
Source File: HiveAuthorizationHelper.java    From dremio-oss with Apache License 2.0
/**
 * Authorizes a "SHOW TABLES" command against database {@code dbName}.
 * <p>
 * A no-op when authorization is disabled ({@code authzEnabled} is false). Otherwise the
 * database is modelled as a single read-side {@code DATABASE} privilege object with no
 * write-side objects, and checked as a {@code SHOWTABLES} operation.
 *
 * @param dbName the Hive database being listed
 * @throws HiveAccessControlException if the current user may not list tables in {@code dbName}
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject database =
        new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);

    authorize(HiveOperationType.SHOWTABLES, ImmutableList.of(database),
        Collections.<HivePrivilegeObject> emptyList(), "SHOW TABLES");
  }
}
 
Example #12
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
/**
 * Returns every role the Ranger plugin reports for the current user.
 * <p>
 * The user is resolved via {@code getCurrentUserGroupInfo()}; when it is unavailable the
 * call is denied. Failures of the plugin call surface as a {@link HiveAuthzPluginException}.
 * Whether the call succeeds or not, a {@code SHOW_ROLES} audit event carrying the outcome
 * is recorded and flushed.
 *
 * @return whatever the plugin returns for the user's role list (may be {@code null})
 * @throws HiveAccessControlException if the current user cannot be determined
 * @throws HiveAuthzPluginException   if the plugin call fails
 */
@Override
public List<String> getAllRoles()
		throws HiveAuthzPluginException, HiveAccessControlException {
	LOG.debug("RangerHiveAuthorizer.getAllRoles()");

	final RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
	final UserGroupInformation   ugi          = getCurrentUserGroupInfo();

	if (ugi == null) {
		throw new HiveAccessControlException("Permission denied: user information not available");
	}

	final String       currentUserName = ugi.getShortUserName();
	final List<String> userNames       = Arrays.asList(currentUserName);

	List<String> roles     = null;
	boolean      succeeded = false;

	try {
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== getAllRoles()");
		}

		roles     = hivePlugin.getAllRoles(ugi.getShortUserName(), auditHandler);
		succeeded = true;
	} catch (Exception excp) {
		throw new HiveAuthzPluginException(excp);
	} finally {
		// Audit the outcome (success or failure) before leaving, then flush.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames,
				HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, succeeded);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}

	return roles;
}
 
Example #13
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
/**
 * Switches the session's active role set to {@code roleName}.
 * <p>
 * Mirrors {@code SQLStdHiveAccessController.setCurrentRole()}. After {@code initUserRoles()}:
 * {@code NONE} empties the current roles; {@code ALL} resets them to the roles Ranger
 * reports for the user; a name matching (case-insensitively) one of those roles selects
 * that single role; {@code ADMIN} is accepted only when the {@code adminRole} field is set.
 * Any other name is logged and rejected, so a user cannot assume a role outside the set
 * Ranger assigns them.
 *
 * @param roleName the role to activate, or the special names NONE / ALL / ADMIN
 * @throws HiveAccessControlException if the user does not belong to {@code roleName}
 * @throws HiveAuthzPluginException   propagated from role initialisation or lookup
 */
@Override
public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
	// from SQLStdHiveAccessController.setCurrentRole()
	initUserRoles();

	if (ROLE_NONE.equalsIgnoreCase(roleName)) {
		// SET ROLE NONE: drop every active role for this session.
		currentRoles.clear();
		return;
	}

	if (ROLE_ALL.equalsIgnoreCase(roleName)) {
		// SET ROLE ALL: back to the full set Ranger assigns the user.
		currentRoles.clear();
		currentRoles.addAll(getCurrentRoleNamesFromRanger());
		return;
	}

	// Prefer an exact (case-insensitive) match among the user's own roles ...
	String selectedRole = null;
	for (String role : getCurrentRoleNamesFromRanger()) {
		if (role.equalsIgnoreCase(roleName)) {
			selectedRole = role;
			break;
		}
	}

	// ... falling back to the configured admin role when ADMIN was requested.
	if (selectedRole == null && ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
		selectedRole = adminRole;
	}

	if (selectedRole != null) {
		currentRoles.clear();
		currentRoles.add(selectedRole);
		return;
	}

	LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
	// Reaching here means the user asked for a role they do not hold.
	throw new HiveAccessControlException(currentUserName + " doesn't belong to role " + roleName);
}
 
Example #14
Source File: RangerHiveAuthorizer.java    From ranger with Apache License 2.0
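/**
 * Drops the role {@code roleName} through the Ranger plugin, auditing the outcome.
 * <p>
 * Preconditions: the current user must be resolvable (otherwise a
 * {@link HiveAccessControlException}), the name must be non-null, and it must not be one
 * of {@code RESERVED_ROLE_NAMES}. The reserved-name comparison upper-cases with
 * {@code Locale.ROOT} so that the JVM's default locale (for example Turkish, where
 * {@code i} does not upper-case to {@code I}) cannot cause a reserved name to slip past
 * the check. Whether or not the plugin call succeeds, a {@code DROPROLE} audit event is
 * recorded and flushed.
 *
 * @param roleName the role to drop
 * @throws HiveAuthzPluginException   if the name is null or reserved
 * @throws HiveAccessControlException if the user is unknown or the plugin rejects the drop
 */
@Override
public void dropRole(String roleName)
		throws HiveAuthzPluginException, HiveAccessControlException {
	if(LOG.isDebugEnabled()) {
		LOG.debug("RangerHiveAuthorizer.dropRole()");
	}

	RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

	UserGroupInformation ugi       = getCurrentUserGroupInfo();
	boolean	             result    = false;
	List<String>	     roleNames = Arrays.asList(roleName);

	if(ugi == null) {
		throw new HiveAccessControlException("Permission denied: user information not available");
	}

	if (roleName == null) {
		throw new HiveAuthzPluginException("Role name cannot be null");
	}

	// Locale-independent case folding: the default locale must not decide whether a
	// reserved name such as ADMIN is recognised.
	if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase(java.util.Locale.ROOT))) {
		throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " +
				RESERVED_ROLE_NAMES);
	}

	String currentUserName = ugi.getShortUserName();
	List<String> userNames = Arrays.asList(currentUserName);

	try {
		if(LOG.isDebugEnabled()) {
			LOG.debug("<== dropRole(): " + roleName);
		}
		hivePlugin.dropRole(currentUserName, roleName, auditHandler);
		result = true;
	} catch(Exception excp) {
		throw new HiveAccessControlException(excp);
	} finally {
		// Audit the attempt with its outcome, then flush so it is not lost on the error path.
		RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.DROPROLE, HiveAccessType.DROP, roleNames, result);
		auditHandler.processResult(accessResult);
		auditHandler.flushAudit();
	}

}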
 
Example #15
Source File: HiveAuthorizationHelper.java    From dremio-oss with Apache License 2.0
/**
 * Authorizes a read of {@code dbName.tableName}.
 * <p>
 * A no-op when authorization is disabled ({@code authzEnabled} is false). Otherwise the
 * table is modelled as a single read-side {@code TABLE_OR_VIEW} privilege object with no
 * write-side objects, and checked as a {@code QUERY} operation.
 *
 * @param dbName    the database containing the table
 * @param tableName the table or view to be read
 * @throws HiveAccessControlException if the current user may not read the table
 */
public void authorizeReadTable(final String dbName, final String tableName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject table =
        new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, dbName, tableName);

    authorize(HiveOperationType.QUERY, ImmutableList.of(table),
        Collections.<HivePrivilegeObject> emptyList(), "READ TABLE");
  }
}
 
Example #16
Source File: HiveAuthorizationHelper.java    From dremio-oss with Apache License 2.0
/**
 * Authorizes a "SHOW DATABASES" command.
 * <p>
 * A no-op when authorization is disabled ({@code authzEnabled} is false). Otherwise the
 * operation is checked as {@code SHOWDATABASES} with empty read-side and write-side
 * object lists, since it targets no particular object.
 *
 * @throws HiveAccessControlException if the current user may not list databases
 */
public void authorizeShowDatabases() throws HiveAccessControlException {
  if (authzEnabled) {
    authorize(HiveOperationType.SHOWDATABASES,
        Collections.<HivePrivilegeObject> emptyList(),
        Collections.<HivePrivilegeObject> emptyList(),
        "SHOW DATABASES");
  }
}
 
Example #17
Source File: HiveClientWithAuthz.java    From dremio-oss with Apache License 2.0
/**
 * Lists databases, running the "SHOW DATABASES" authorization check before consulting
 * the superclass.
 *
 * @param ignoreAuthzErrors when true an authorization denial yields an empty list instead
 *                          of an error; the flag is also forwarded to the superclass
 * @return the database names from the superclass, or an empty list on an ignored denial
 * @throws TException   from the underlying metastore call
 * @throws UserException wrapping the denial when authorization errors are not ignored
 */
@Override
public List<String> getDatabases(boolean ignoreAuthzErrors) throws TException {
  try {
    authorizer.authorizeShowDatabases();
  } catch (final HiveAccessControlException denied) {
    if (!ignoreAuthzErrors) {
      throw UserException.permissionError(denied).build(logger);
    }
    // Caller opted to treat a denial as "nothing visible".
    return Collections.emptyList();
  }

  return super.getDatabases(ignoreAuthzErrors);
}
 
Example #18
Source File: HiveClientWithAuthz.java    From dremio-oss with Apache License 2.0
/**
 * Lists the tables of {@code dbName}, running the "SHOW TABLES" authorization check
 * before consulting the superclass.
 *
 * @param dbName            the database whose tables are listed
 * @param ignoreAuthzErrors when true an authorization denial yields an empty list instead
 *                          of an error; the flag is also forwarded to the superclass
 * @return the table names from the superclass, or an empty list on an ignored denial
 * @throws TException   from the underlying metastore call
 * @throws UserException wrapping the denial when authorization errors are not ignored
 */
@Override
public List<String> getTableNames(final String dbName, boolean ignoreAuthzErrors) throws TException {
  try {
    authorizer.authorizeShowTables(dbName);
  } catch (final HiveAccessControlException denied) {
    if (!ignoreAuthzErrors) {
      throw UserException.permissionError(denied).build(logger);
    }
    // Caller opted to treat a denial as "nothing visible".
    return Collections.emptyList();
  }

  return super.getTableNames(dbName, ignoreAuthzErrors);
}
 
Example #19
Source File: HiveClientWithAuthz.java    From dremio-oss with Apache License 2.0
/**
 * Fetches {@code dbName.tableName}, running the read-table authorization check before
 * consulting the superclass.
 * <p>
 * Unlike the list methods, an ignored denial here yields {@code null} rather than an
 * empty value; callers must handle that.
 *
 * @param dbName            the database containing the table
 * @param tableName         the table to fetch
 * @param ignoreAuthzErrors when true an authorization denial yields {@code null} instead
 *                          of an error; the flag is also forwarded to the superclass
 * @return the table from the superclass, or {@code null} on an ignored denial
 * @throws TException   from the underlying metastore call
 * @throws UserException wrapping the denial when authorization errors are not ignored
 */
@Override
public Table getTable(final String dbName, final String tableName, boolean ignoreAuthzErrors) throws TException {
  try {
    authorizer.authorizeReadTable(dbName, tableName);
  } catch (final HiveAccessControlException denied) {
    if (ignoreAuthzErrors) {
      return null;
    }
    throw UserException.permissionError(denied).build(logger);
  }

  return super.getTable(dbName, tableName, ignoreAuthzErrors);
}
 
Example #20
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Revokes {@code roles} from {@code hivePrincipals}.
 * <p>
 * Pure delegation to the configured {@code accessController}; the authorizer performs no
 * checks of its own.
 *
 * @param hivePrincipals principals losing the roles
 * @param roles          role names to revoke
 * @param grantOption    whether the grant option is revoked as well
 * @param grantorPrinc   principal performing the revoke
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not revoke
 */
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
  accessController.revokeRole(
      hivePrincipals, roles, grantOption, grantorPrinc);
}
 
Example #21
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Grants {@code roles} to {@code hivePrincipals}.
 * <p>
 * Delegates to {@code grantOrRevokeRoleOnGroup} with the grant flag set. Note that
 * {@code grantOption} is not forwarded by this implementation.
 *
 * @param hivePrincipals principals receiving the roles
 * @param roles          role names to grant
 * @param grantOption    whether the grant option is included (not used here)
 * @param grantorPrinc   principal performing the grant
 * @throws HiveAuthzPluginException   on plugin failure
 * @throws HiveAccessControlException if the caller may not grant these roles
 */
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // true selects the grant direction of the shared grant/revoke helper.
  final boolean isGrant = true;
  grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, isGrant);
}
 
Example #22
Source File: DefaultSentryAccessController.java    From incubator-sentry with Apache License 2.0
/**
 * Revokes {@code roles} from {@code hivePrincipals}.
 * <p>
 * Delegates to {@code grantOrRevokeRoleOnGroup} with the grant flag cleared. Note that
 * {@code grantOption} is not forwarded by this implementation.
 *
 * @param hivePrincipals principals losing the roles
 * @param roles          role names to revoke
 * @param grantOption    whether the grant option is revoked as well (not used here)
 * @param grantorPrinc   principal performing the revoke
 * @throws HiveAuthzPluginException   on plugin failure
 * @throws HiveAccessControlException if the caller may not revoke these roles
 */
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
  // false selects the revoke direction of the shared grant/revoke helper.
  final boolean isGrant = false;
  grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, isGrant);
}
 
Example #23
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Creates the role {@code roleName}.
 * <p>
 * Pure delegation to the configured {@code accessController}; the authorizer performs no
 * checks of its own.
 *
 * @param roleName     name of the role to create
 * @param adminGrantor principal that becomes the role's admin grantor
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not create roles
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  accessController.createRole(
      roleName, adminGrantor);
}
 
Example #24
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Drops the role {@code roleName}.
 * <p>
 * Pure delegation to the configured {@code accessController}; the authorizer performs no
 * checks of its own.
 *
 * @param roleName name of the role to drop
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not drop the role
 */
@Override
public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
  final String target = roleName;
  accessController.dropRole(target);
}
 
Example #25
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Grants {@code roles} to {@code hivePrincipals}.
 * <p>
 * Pure delegation to the configured {@code accessController}; the authorizer performs no
 * checks of its own.
 *
 * @param hivePrincipals principals receiving the roles
 * @param roles          role names to grant
 * @param grantOption    whether the grant option is included
 * @param grantorPrinc   principal performing the grant
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not grant
 */
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
  accessController.grantRole(
      hivePrincipals, roles, grantOption, grantorPrinc);
}
 
Example #26
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Lists the role grants held by {@code principal}.
 * <p>
 * Pure delegation to the configured {@code accessController}.
 *
 * @param principal the principal whose role grants are requested
 * @return the grants reported by the access controller
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not view the grants
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  final List<HiveRoleGrant> grants = accessController.getRoleGrantInfoForPrincipal(principal);
  return grants;
}
 
Example #27
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Checks that the current user may perform {@code hiveOpType} on the given inputs and
 * outputs.
 * <p>
 * Pure delegation to the configured {@code authValidator}, which is expected to throw
 * {@link HiveAccessControlException} on denial.
 *
 * @param hiveOpType  the operation being authorized
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context     additional authorization context supplied by Hive
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated when the operation is denied
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  authValidator.checkPrivileges(
      hiveOpType, inputHObjs, outputHObjs, context);
}
 
Example #28
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Lists all roles known to the access controller.
 * <p>
 * Pure delegation to the configured {@code accessController}.
 *
 * @return the role names reported by the access controller
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not list roles
 */
@Override
public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
  final List<String> roles = accessController.getAllRoles();
  return roles;
}
 
Example #29
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Lists the privileges that {@code principal} holds on {@code privObj}.
 * <p>
 * Pure delegation to the configured {@code accessController}.
 *
 * @param principal the principal whose privileges are requested
 * @param privObj   the object the privileges apply to
 * @return the privilege records reported by the access controller
 * @throws HiveAuthzPluginException   propagated from the access controller
 * @throws HiveAccessControlException propagated when the caller may not view the privileges
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
    throws HiveAuthzPluginException, HiveAccessControlException {
  final List<HivePrivilegeInfo> privileges = accessController.showPrivileges(principal, privObj);
  return privileges;
}
 
Example #30
Source File: SentryHiveAuthorizer.java    From incubator-sentry with Apache License 2.0
/**
 * Filters the objects returned by a list command down to those the current user may see.
 * <p>
 * Pure delegation to the configured {@code authValidator}.
 *
 * @param listObjs the candidate objects produced by the list command
 * @param context  additional authorization context supplied by Hive
 * @return the subset of {@code listObjs} the validator allows
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
  final List<HivePrivilegeObject> visible = authValidator.filterListCmdObjects(listObjs, context);
  return visible;
}