org.apache.hadoop.hive.metastore.api.PrincipalType Java Examples

Example #1
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * GRANT ... ON TABLE ... TO ROLE ...
 */
@Test
public void testGrantRoleTable() throws Exception {
  // Analyze a table-level grant whose only grantee is a role.
  String statement = "GRANT " + ALL + " ON TABLE " + TABLE
      + " TO ROLE " + ROLE;
  GrantDesc grant = analyze(parse(statement)).getGrantDesc();
  Assert.assertNotNull("Grant should not be null", grant);

  // Exactly one grantee, and it must be typed as ROLE with the expected name.
  for (PrincipalDesc grantee : assertSize(1, grant.getPrincipals())) {
    Assert.assertEquals(PrincipalType.ROLE, grantee.getType());
    Assert.assertEquals(ROLE, grantee.getName());
  }

  // Exactly one privilege, and it must be ALL.
  for (PrivilegeDesc granted : assertSize(1, grant.getPrivileges())) {
    Assert.assertEquals(Privilege.ALL, granted.getPrivilege());
  }

  // The privilege subject is flagged as a table and names the expected object.
  Assert.assertTrue("Expected table", grant.getPrivilegeSubjectDesc().getTable());
  Assert.assertEquals(TABLE, grant.getPrivilegeSubjectDesc().getObject());
}
 
Example #2
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * GRANT ALL ON SERVER
 */
@Test
public void testGrantServer() throws Exception {
  // Analyze a server-level grant whose only grantee is a role.
  String statement = "GRANT " + ALL + " ON SERVER " + SERVER
      + " TO ROLE " + ROLE;
  GrantDesc grant = analyze(parse(statement)).getGrantDesc();
  Assert.assertNotNull("Grant should not be null", grant);

  // Exactly one grantee, and it must be typed as ROLE with the expected name.
  for (PrincipalDesc grantee : assertSize(1, grant.getPrincipals())) {
    Assert.assertEquals(PrincipalType.ROLE, grantee.getType());
    Assert.assertEquals(ROLE, grantee.getName());
  }

  // Exactly one privilege, and it must be ALL.
  for (PrivilegeDesc granted : assertSize(1, grant.getPrivileges())) {
    Assert.assertEquals(Privilege.ALL, granted.getPrivilege());
  }

  // The subject is expected to be the Sentry-specific descriptor, flagged as a server.
  SentryHivePrivilegeObjectDesc subject =
      (SentryHivePrivilegeObjectDesc) grant.getPrivilegeSubjectDesc();
  Assert.assertTrue("Expected server", subject.getServer());
  Assert.assertEquals(SERVER, subject.getObject());
}
 
Example #3
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the task for a statement whose role operation is SHOW_ROLE_GRANT.
 *
 * <p>Only GROUP principals are accepted. USER, ROLE and any token type this method
 * does not recognise are rejected with a {@link SemanticException}.
 *
 * @param ast parsed statement; its first child carries the principal token
 * @param resultFile file the result is written to
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the role DDL descriptor
 * @throws SemanticException if the principal is not a GROUP
 */
@Override
public Task<? extends Serializable> createShowRoleGrantTask(ASTNode ast, Path resultFile,
    HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
  ASTNode principalNode = (ASTNode) ast.getChild(0);
  int tokenType = principalNode.getType();

  // Anything that is not a GROUP or ROLE token is treated as USER, which is
  // rejected by the check below, so unknown tokens never reach the descriptor.
  PrincipalType principalType;
  if (tokenType == HiveParser.TOK_GROUP) {
    principalType = PrincipalType.GROUP;
  } else if (tokenType == HiveParser.TOK_ROLE) {
    principalType = PrincipalType.ROLE;
  } else {
    principalType = PrincipalType.USER;
  }

  if (principalType != PrincipalType.GROUP) {
    throw new SemanticException(
        SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType);
  }

  String principalName =
      BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText());
  RoleDDLDesc showRoleGrant = new RoleDDLDesc(principalName, principalType,
      RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT, null);
  showRoleGrant.setResFile(resultFile.toString());
  return createTask(new DDLWork(inputs, outputs, showRoleGrant));
}
 
Example #4
Source File: HiveCatalog.java    From flink with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the Hive metastore {@code Function} object for a catalog function.
 *
 * <p>The function is created with no owner name and owner type GROUP, a creation time of
 * "now" in whole seconds, function type JAVA and an empty resource-URI list.
 *
 * @param functionPath database and object name of the function
 * @param function catalog function supplying the class name and the generic flag
 * @return the Hive function object
 */
private static Function instantiateHiveFunction(ObjectPath functionPath, CatalogFunction function) {
	// A missing IS_GENERIC property parses as false.
	boolean generic = Boolean.parseBoolean(function.getProperties().get(CatalogConfig.IS_GENERIC));

	// Hive's Function has no properties map, so Flink functions are told apart from
	// Hive functions by a prefix on the class name.
	String className;
	if (generic) {
		className = FLINK_FUNCTION_PREFIX + function.getClassName();
	} else {
		className = function.getClassName();
	}

	// due to https://issues.apache.org/jira/browse/HIVE-22053, we have to normalize function name ourselves
	String normalizedName = HiveStringUtils.normalizeIdentifier(functionPath.getObjectName());
	String databaseName = functionPath.getDatabaseName();
	int createTimeSeconds = (int) (System.currentTimeMillis() / 1000);

	return new Function(
		normalizedName,
		databaseName,
		className,
		null,			// Owner name: none is recorded
		PrincipalType.GROUP,	// Temporarily set to GROUP type because it's required by Hive. May change later
		createTimeSeconds,
		FunctionType.JAVA,		// FunctionType only has JAVA now
		new ArrayList<>()		// Resource URIs
	);
}
 
Example #5
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the task for a REVOKE of privileges.
 *
 * <p>Partition-level privilege objects are rejected, and every principal must be a
 * ROLE; any other principal type (including a missing one) raises a
 * {@link SemanticException}.
 *
 * @param ast parsed statement: child 0 is the privilege list, child 1 the principal
 *     list, and an optional child 2 the privilege object
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the revoke descriptor
 * @throws SemanticException on a partition spec or a non-ROLE principal
 */
@Override
public Task<? extends Serializable> createRevokeTask(ASTNode ast, HashSet<ReadEntity> inputs,
    HashSet<WriteEntity> outputs) throws SemanticException {
  List<PrivilegeDesc> privileges = analyzePrivilegeListDef((ASTNode) ast.getChild(0));
  List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) ast.getChild(1));

  // The privilege object is optional here; it stays null when the statement has none.
  PrivilegeObjectDesc target = ast.getChildCount() > 2
      ? analyzePrivilegeObject((ASTNode) ast.getChild(2))
      : null;

  boolean hasPartitionSpec = target != null && target.getPartSpec() != null;
  if (hasPartitionSpec) {
    throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
  }

  // Privileges can only be revoked from roles; fail on the first other principal.
  for (PrincipalDesc principal : principals) {
    PrincipalType type = principal.getType();
    if (type != PrincipalType.ROLE) {
      throw new SemanticException(
          SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + type);
    }
  }

  return createTask(new DDLWork(inputs, outputs,
      new RevokeDesc(privileges, principals, target)));
}
 
Example #6
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the task that grants roles to, or revokes roles from, a list of principals.
 *
 * <p>Every principal must be a GROUP. The descriptor is created with the session's
 * authenticated user name as grantor (empty string when no session or authenticator
 * is available), grantor type USER, and {@code false} as its last argument.
 *
 * @param isGrant {@code true} for a grant, {@code false} for a revoke
 * @param ast parsed statement: child 0 is the principal list, the remaining children
 *     are role names
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the grant/revoke-role descriptor
 * @throws SemanticException if any principal is not a GROUP
 */
private Task<? extends Serializable> analyzeGrantRevokeRole(boolean isGrant, ASTNode ast,
    HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
  List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) ast.getChild(0));

  // Children after the principal list are the role identifiers.
  int childCount = ast.getChildCount();
  List<String> roleNames = new ArrayList<String>();
  for (int idx = 1; idx < childCount; idx++) {
    String rawName = ast.getChild(idx).getText();
    roleNames.add(BaseSemanticAnalyzer.unescapeIdentifier(rawName));
  }

  // NOTE(review): with no session or authenticator the grantor is recorded as "",
  // so the resulting descriptor carries no attributable grantor. Confirm this is intended.
  String grantor = "";
  SessionState session = SessionState.get();
  if (session != null && session.getAuthenticator() != null) {
    grantor = session.getAuthenticator().getUserName();
  }

  // NOTE(review): this check is on the principal type, yet the message constant is the
  // ..._ON_OBJECT one rather than a principal-specific one. Confirm which is meant.
  for (PrincipalDesc principal : principals) {
    PrincipalType type = principal.getType();
    if (type != PrincipalType.GROUP) {
      throw new SemanticException(
          SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + type);
    }
  }

  GrantRevokeRoleDDL roleDdl = new GrantRevokeRoleDDL(isGrant,
      roleNames, principals, grantor, PrincipalType.USER, false);
  return createTask(new DDLWork(inputs, outputs, roleDdl));
}
 
Example #7
Source File: ThriftHiveMetastoreClient.java    From presto with Apache License 2.0 6 votes vote down vote up
/**
 * Grants {@code role} to the grantee, taking an existing grant of the same role into account.
 *
 * <p>If a grant of the role with the same grant option already exists, nothing is done.
 * If a grant exists without the grant option and one with the option is requested, the
 * existing grant is revoked first and a new grant is then created.
 *
 * <p>NOTE(review): when the existing grant carries the grant option and the request does
 * not, no revoke is issued before {@code createGrant} is called. Confirm how the
 * metastore treats that request and whether the grant option is meant to survive it.
 *
 * @throws TException if a metastore call fails
 */
@Override
public void grantRole(String role, String granteeName, PrincipalType granteeType, String grantorName, PrincipalType grantorType, boolean grantOption)
        throws TException
{
    for (RolePrincipalGrant existing : listRoleGrants(granteeName, granteeType)) {
        if (!existing.getRoleName().equals(role)) {
            continue;
        }
        boolean existingOption = existing.isGrantOption();
        if (existingOption == grantOption) {
            // Already granted exactly as requested.
            return;
        }
        if (grantOption && !existingOption) {
            // Upgrade: drop the plain grant so it can be re-created with the grant option.
            revokeRole(role, granteeName, granteeType, false);
            break;
        }
    }
    createGrant(role, granteeName, granteeType, grantorName, grantorType, grantOption);
}
 
Example #8
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the task for a statement whose role operation is SHOW_ROLE_PRINCIPALS.
 *
 * <p>NOTE(review): the role name is taken from the token text as-is, whereas other
 * methods that read a principal name pass the text through
 * {@code BaseSemanticAnalyzer.unescapeIdentifier}. Confirm the difference is intended.
 *
 * @param ast parsed statement; must have exactly one child, the role name
 * @param resFile file the result is written to
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the role DDL descriptor
 * @throws SemanticException declared by the interface
 */
@Override
public Task<? extends Serializable> createShowRolePrincipalsTask(ASTNode ast, Path resFile,
    HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
  if (ast.getChildCount() != 1) {
    // the parser should not allow this
    throw new AssertionError("Unexpected Tokens in SHOW ROLE PRINCIPALS");
  }
  String roleName = ast.getChild(0).getText();

  RoleDDLDesc showPrincipals = new RoleDDLDesc(roleName, PrincipalType.ROLE,
      RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS, null);
  showPrincipals.setResFile(resFile.toString());
  return createTask(new DDLWork(inputs, outputs, showPrincipals));
}
 
Example #9
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * GRANT ... ON URI ... TO ROLE ...
 */
@Test
public void testGrantUri() throws Exception {
  String uriPath = "/tmp";
  String statement = "GRANT " + ALL + " ON URI '" + uriPath
      + "' TO ROLE " + ROLE;
  GrantDesc grant = analyze(parse(statement)).getGrantDesc();
  Assert.assertNotNull("Grant should not be null", grant);

  // Exactly one grantee, and it must be typed as ROLE with the expected name.
  for (PrincipalDesc grantee : assertSize(1, grant.getPrincipals())) {
    Assert.assertEquals(PrincipalType.ROLE, grantee.getType());
    Assert.assertEquals(ROLE, grantee.getName());
  }

  // Exactly one privilege, and it must be ALL.
  for (PrivilegeDesc granted : assertSize(1, grant.getPrivileges())) {
    Assert.assertEquals(Privilege.ALL, granted.getPrivilege());
  }

  // The subject is flagged as a URI and carries the path exactly as written.
  SentryHivePrivilegeObjectDesc subject =
      (SentryHivePrivilegeObjectDesc) grant.getPrivilegeSubjectDesc();
  Assert.assertTrue("Expected uri", subject.getUri());
  Assert.assertEquals(uriPath, subject.getObject());
}
 
Example #10
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * GRANT ... ON TABLE ... TO ROLE ... WITH GRANT OPTION
 */
@Test
public void testGrantRoleTableWithGrantOption() throws Exception {
  String statement = "GRANT " + ALL + " ON TABLE " + TABLE + " TO ROLE " + ROLE +
      " WITH GRANT OPTION";
  GrantDesc grant = analyze(parse(statement)).getGrantDesc();
  Assert.assertNotNull("Grant should not be null", grant);

  // Exactly one grantee, and it must be typed as ROLE with the expected name.
  for (PrincipalDesc grantee : assertSize(1, grant.getPrincipals())) {
    Assert.assertEquals(PrincipalType.ROLE, grantee.getType());
    Assert.assertEquals(ROLE, grantee.getName());
  }

  // Exactly one privilege, and it must be ALL.
  for (PrivilegeDesc granted : assertSize(1, grant.getPrivileges())) {
    Assert.assertEquals(Privilege.ALL, granted.getPrivilege());
  }

  Assert.assertTrue("Expected table", grant.getPrivilegeSubjectDesc().getTable());
  // The WITH GRANT OPTION clause must be carried into the descriptor.
  Assert.assertTrue("Expected grantOption is true", grant.isGrantOption());
  Assert.assertEquals(TABLE, grant.getPrivilegeSubjectDesc().getObject());
}
 
Example #11
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * REVOKE ... ON TABLE ... FROM ROLE ...
 */
@Test
public void testRevokeRoleTable() throws Exception {
  String statement = "REVOKE " + ALL + " ON TABLE " + TABLE
      + " FROM ROLE " + ROLE;
  RevokeDesc revoke = analyze(parse(statement)).getRevokeDesc();
  Assert.assertNotNull("Revoke should not be null", revoke);

  // Exactly one principal, and it must be typed as ROLE with the expected name.
  for (PrincipalDesc revokee : assertSize(1, revoke.getPrincipals())) {
    Assert.assertEquals(PrincipalType.ROLE, revokee.getType());
    Assert.assertEquals(ROLE, revokee.getName());
  }

  // Exactly one privilege, and it must be ALL.
  for (PrivilegeDesc revoked : assertSize(1, revoke.getPrivileges())) {
    Assert.assertEquals(Privilege.ALL, revoked.getPrivilege());
  }

  // The privilege subject is flagged as a table and names the expected object.
  Assert.assertTrue("Expected table", revoke.getPrivilegeSubjectDesc().getTable());
  Assert.assertEquals(TABLE, revoke.getPrivilegeSubjectDesc().getObject());
}
 
Example #12
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * GRANT ROLE ... TO GROUP ...
 */
@Test
public void testGrantRoleGroup() throws Exception {
  String statement = "GRANT ROLE " + ROLE + " TO GROUP " + GROUP;
  GrantRevokeRoleDDL roleDdl = analyze(parse(statement)).getGrantRevokeRoleDDL();
  Assert.assertNotNull("Grant should not be null", roleDdl);
  Assert.assertTrue("Expected grant ", roleDdl.getGrant());
  Assert.assertFalse("Grant option should be false", roleDdl.isGrantOption());

  // The grantor is the current user, recorded with type USER.
  Assert.assertEquals(currentUser, roleDdl.getGrantor());
  Assert.assertEquals(PrincipalType.USER, roleDdl.getGrantorType());

  // Exactly one role is granted.
  for (String grantedRole : assertSize(1, roleDdl.getRoles())) {
    Assert.assertEquals(ROLE, grantedRole);
  }

  // Exactly one grantee, and it must be typed as GROUP with the expected name.
  for (PrincipalDesc grantee : assertSize(1, roleDdl.getPrincipalDesc())) {
    Assert.assertEquals(PrincipalType.GROUP, grantee.getType());
    Assert.assertEquals(GROUP, grantee.getName());
  }
}
 
Example #13
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * REVOKE ROLE ... FROM GROUP ...
 */
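@Test
public void testRevokeRoleGroup() throws Exception {
  DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM GROUP " + GROUP));
  GrantRevokeRoleDDL revokeDesc = work.getGrantRevokeRoleDDL();
  // Failure messages describe the revoke under test; the previous wording
  // ("Grant option is always true") contradicted the assertFalse it was attached to.
  Assert.assertNotNull("Revoke should not be null", revokeDesc);
  Assert.assertFalse("Did not expect grant ", revokeDesc.getGrant());
  Assert.assertFalse("Grant option should be false", revokeDesc.isGrantOption());

  // The grantor is the current user, recorded with type USER.
  Assert.assertEquals(currentUser, revokeDesc.getGrantor());
  Assert.assertEquals(PrincipalType.USER, revokeDesc.getGrantorType());

  // Exactly one role is revoked.
  for (String role : assertSize(1, revokeDesc.getRoles())) {
    Assert.assertEquals(ROLE, role);
  }

  // Exactly one principal, and it must be typed as GROUP with the expected name.
  for (PrincipalDesc principal : assertSize(1, revokeDesc.getPrincipalDesc())) {
    Assert.assertEquals(PrincipalType.GROUP, principal.getType());
    Assert.assertEquals(GROUP, principal.getName());
  }
}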
 
Example #14
Source File: ThriftHiveMetastoreClient.java    From presto with Apache License 2.0 6 votes vote down vote up
/**
 * Sends a GRANT request for {@code role} to the metastore client.
 *
 * <p>NOTE(review): the response is only checked for the presence of the success field;
 * its value is not inspected here. Confirm the server reports a failed grant by
 * exception rather than by a {@code false} value.
 *
 * @throws MetaException if the response has no success field
 * @throws TException if the metastore call fails
 */
private void createGrant(String role, String granteeName, PrincipalType granteeType, String grantorName, PrincipalType grantorType, boolean grantOption)
        throws TException
{
    GrantRevokeRoleRequest grantRequest = new GrantRevokeRoleRequest();
    grantRequest.setRequestType(GrantRevokeType.GRANT);

    // What is granted, and whether the grantee may grant it onward.
    grantRequest.setRoleName(role);
    grantRequest.setGrantOption(grantOption);

    // Who receives the role.
    grantRequest.setPrincipalName(granteeName);
    grantRequest.setPrincipalType(granteeType);

    // Who is recorded as having granted it.
    grantRequest.setGrantor(grantorName);
    grantRequest.setGrantorType(grantorType);

    GrantRevokeRoleResponse grantResponse = client.grant_revoke_role(grantRequest);
    boolean hasSuccessField = grantResponse.isSetSuccess();
    if (!hasSuccessField) {
        throw new MetaException("GrantRevokeResponse missing success field");
    }
}
 
Example #15
Source File: CatalogToHiveConverter.java    From aws-glue-data-catalog-client-for-apache-hive-metastore with Apache License 2.0 6 votes vote down vote up
/**
 * Converts a Glue user-defined function into a Hive metastore {@code Function}.
 *
 * <p>The creation time is truncated to whole seconds and the function type is always JAVA.
 *
 * <p>NOTE(review): {@code getCreateTime()} is dereferenced and {@code getOwnerType()} is
 * passed to {@code PrincipalType.fromValue} without checks. Confirm the catalog always
 * supplies both, since the owner type set here comes straight from catalog data.
 *
 * @param dbName database name to set on the Hive function
 * @param catalogFunction the Glue function, may be {@code null}
 * @return the converted function, or {@code null} when {@code catalogFunction} is {@code null}
 */
public static Function convertFunction(final String dbName,
                                       final com.amazonaws.services.glue.model.UserDefinedFunction catalogFunction) {
  if (catalogFunction != null) {
    int createTimeSeconds = (int) (catalogFunction.getCreateTime().getTime() / 1000);
    com.amazonaws.services.glue.model.PrincipalType catalogOwnerType =
        com.amazonaws.services.glue.model.PrincipalType.fromValue(catalogFunction.getOwnerType());

    Function converted = new Function();
    converted.setDbName(dbName);
    converted.setFunctionName(catalogFunction.getFunctionName());
    converted.setClassName(catalogFunction.getClassName());
    converted.setFunctionType(FunctionType.JAVA);
    converted.setCreateTime(createTimeSeconds);
    converted.setOwnerName(catalogFunction.getOwnerName());
    converted.setOwnerType(convertPrincipalType(catalogOwnerType));
    converted.setResourceUris(convertResourceUriList(catalogFunction.getResourceUris()));
    return converted;
  }
  return null;
}
 
Example #16
Source File: ThriftHiveMetastoreClient.java    From presto with Apache License 2.0 6 votes vote down vote up
/**
 * Revokes {@code role} from the grantee if a matching grant exists.
 *
 * <p>Nothing is done when the grantee holds no grant of the role, or when
 * {@code grantOption} is set but the existing grant does not carry the grant option.
 *
 * @throws TException if a metastore call fails
 */
@Override
public void revokeRole(String role, String granteeName, PrincipalType granteeType, boolean grantOption)
        throws TException
{
    // Find the first grant of this role held by the grantee.
    RolePrincipalGrant existing = null;
    for (RolePrincipalGrant candidate : listRoleGrants(granteeName, granteeType)) {
        if (candidate.getRoleName().equals(role)) {
            existing = candidate;
            break;
        }
    }

    // No grant at all, or a grant-option revoke against a grant that has no grant option.
    if (existing == null || (grantOption && !existing.isGrantOption())) {
        return;
    }

    removeGrant(role, granteeName, granteeType, grantOption);
}
 
Example #17
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * SHOW CURRENT ROLES
 */
@Test
public void testShowCurrentRole() throws Exception {
  // The statement names no principal; the descriptor is expected to be typed USER.
  RoleDDLDesc showCurrent = analyze(parse("SHOW CURRENT ROLES")).getRoleDDLDesc();
  Assert.assertEquals(PrincipalType.USER, showCurrent.getPrincipalType());
  Assert.assertEquals(RoleOperation.SHOW_CURRENT_ROLE, showCurrent.getOperation());
}
 
Example #18
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * SHOW GRANT ROLE ... ON TABLE ...
 */
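@Test
public void testShowGrantRoleOnTable() throws Exception {
  DDLWork work = analyze(parse("SHOW GRANT ROLE " + ROLE + " ON TABLE " + TABLE));
  ShowGrantDesc grantDesc = work.getShowGrantDesc();
  Assert.assertNotNull("Show grant should not be null", grantDesc);

  // The principal must be typed as ROLE with the expected name.
  Assert.assertEquals(PrincipalType.ROLE, grantDesc.getPrincipalDesc().getType());
  Assert.assertEquals(ROLE, grantDesc.getPrincipalDesc().getName());

  // The object is flagged as a table and names the expected table. The table flag is
  // asserted once; the second, identical assertion added nothing and was dropped.
  Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable());
  Assert.assertEquals(TABLE, grantDesc.getHiveObj().getObject());
}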
 
Example #19
Source File: HiveCatalog.java    From flink with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the Hive metastore {@code Function} object for a catalog function.
 *
 * <p>The function is created with no owner name and owner type GROUP, a creation time of
 * "now" in whole seconds, function type JAVA and an empty resource-URI list.
 *
 * @param functionPath database and object name of the function
 * @param function catalog function supplying the class name, language and generic flag
 * @return the Hive function object
 * @throws UnsupportedOperationException if the function language is neither JAVA nor PYTHON
 */
private static Function instantiateHiveFunction(ObjectPath functionPath, CatalogFunction function) {
	boolean generic = function.isGeneric();
	FunctionLanguage language = function.getFunctionLanguage();

	// Hive's Function has no properties map, so the origin and language of the function
	// are encoded as a prefix on the class name.
	String className;
	if (language.equals(FunctionLanguage.JAVA)) {
		if (generic) {
			className = FLINK_FUNCTION_PREFIX + function.getClassName();
		} else {
			className = function.getClassName();
		}
	} else if (language.equals(FunctionLanguage.PYTHON)) {
		className = FLINK_PYTHON_FUNCTION_PREFIX + function.getClassName();
	} else {
		throw new UnsupportedOperationException("HiveCatalog supports only creating" +
			" JAVA or PYTHON based function for now");
	}

	// due to https://issues.apache.org/jira/browse/HIVE-22053, we have to normalize function name ourselves
	// NOTE(review): toLowerCase() without a Locale follows the JVM default locale; confirm
	// this matches how the metastore normalizes names before changing it.
	String normalizedName = functionPath.getObjectName().trim().toLowerCase();
	String databaseName = functionPath.getDatabaseName();
	int createTimeSeconds = (int) (System.currentTimeMillis() / 1000);

	return new Function(
		normalizedName,
		databaseName,
		className,
		null,			// Owner name: none is recorded
		PrincipalType.GROUP,	// Temporarily set to GROUP type because it's required by Hive. May change later
		createTimeSeconds,
		FunctionType.JAVA,		// FunctionType only has JAVA now
		new ArrayList<>()		// Resource URIs
	);
}
 
Example #20
Source File: TestSentryHiveAuthorizationTaskFactory.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * SHOW ROLE GRANT GROUP ...
 */
@Test
public void testShowRoleGrantGroup() throws Exception {
  String statement = "SHOW ROLE GRANT GROUP " + GROUP;
  RoleDDLDesc showRoleGrant = analyze(parse(statement)).getRoleDDLDesc();
  Assert.assertNotNull("Role should not be null", showRoleGrant);

  // The descriptor must describe a SHOW_ROLE_GRANT for the named GROUP principal.
  Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, showRoleGrant.getOperation());
  Assert.assertEquals(PrincipalType.GROUP, showRoleGrant.getPrincipalType());
  Assert.assertEquals(GROUP, showRoleGrant.getName());
}
 
Example #21
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Turns the children of a principal-list node into {@code PrincipalDesc} objects.
 *
 * <p>Each child's token type selects USER, GROUP or ROLE. A child with any other token
 * type still produces a descriptor, but with a {@code null} type, so callers must
 * treat a {@code null} type as not permitted.
 *
 * <p>NOTE(review): the literals 880, 685 and 782 are accepted next to the
 * {@code HiveParser} constants. Nothing here says what they denote; presumably they are
 * token ids from another parser version. Verify them, because a renumbered grammar would
 * make these literals classify some other token as a principal type.
 *
 * @param node the principal-list node
 * @return one descriptor per child, in child order
 */
private List<PrincipalDesc> analyzePrincipalListDef(ASTNode node) {
  List<PrincipalDesc> principals = new ArrayList<PrincipalDesc>();
  for (int idx = 0; idx < node.getChildCount(); idx++) {
    ASTNode principalNode = (ASTNode) node.getChild(idx);

    PrincipalType type = null;
    switch (principalNode.getType()) {
    case 880:
    case HiveParser.TOK_USER:
      type = PrincipalType.USER;
      break;
    case 685:
    case HiveParser.TOK_GROUP:
      type = PrincipalType.GROUP;
      break;
    case 782:
    case HiveParser.TOK_ROLE:
      type = PrincipalType.ROLE;
      break;
    }

    String principalName =
        BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText());
    LOG.debug("## Principal : [ " + principalName + ", " + type + "]");
    principals.add(new PrincipalDesc(principalName, type));
  }
  return principals;
}
 
Example #22
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the task for a SHOW GRANT statement.
 *
 * <p>Only ROLE principals are accepted. USER, GROUP and any token type this method does
 * not recognise are rejected with a {@link SemanticException}. An optional second child
 * names the privilege object and must be a {@code TOK_PRIV_OBJECT_COL} token.
 *
 * @param ast parsed statement: child 0 is the principal, optional child 1 the object
 * @param resultFile file the result is written to
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the show-grant descriptor
 * @throws SemanticException on a non-ROLE principal or an unexpected second child
 */
@Override
public Task<? extends Serializable> createShowGrantTask(ASTNode ast, Path resultFile, HashSet<ReadEntity> inputs,
    HashSet<WriteEntity> outputs) throws SemanticException {
  ASTNode principalNode = (ASTNode) ast.getChild(0);
  int tokenType = principalNode.getType();

  // Anything that is not a GROUP or ROLE token is treated as USER, which is
  // rejected by the check below.
  PrincipalType type;
  if (tokenType == HiveParser.TOK_GROUP) {
    type = PrincipalType.GROUP;
  } else if (tokenType == HiveParser.TOK_ROLE) {
    type = PrincipalType.ROLE;
  } else {
    type = PrincipalType.USER;
  }
  if (type != PrincipalType.ROLE) {
    throw new SemanticException(
        SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + type);
  }

  String principalName =
      BaseSemanticAnalyzer.unescapeIdentifier(principalNode.getChild(0).getText());
  PrincipalDesc principalDesc = new PrincipalDesc(principalName, type);

  // Partition privileges are not supported by Sentry
  SentryHivePrivilegeObjectDesc target = null;
  if (ast.getChildCount() > 1) {
    ASTNode objectNode = (ASTNode) ast.getChild(1);
    if (objectNode.getToken().getType() != HiveParser.TOK_PRIV_OBJECT_COL) {
      throw new SemanticException("Unrecognized Token: " + objectNode.getToken().getType());
    }
    target = analyzePrivilegeObject(objectNode);
  }

  ShowGrantDesc showGrant = new ShowGrantDesc(resultFile.toString(), principalDesc, target);
  return createTask(new DDLWork(inputs, outputs, showGrant));
}
 
Example #23
Source File: SentryAuthorizerUtil.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
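/**
 * Converts a TSentryRole into a HiveRoleGrant.
 *
 * @param role the Sentry role to convert
 * @return a HiveRoleGrant whose role name and principal name are both the role's name
 */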
public static HiveRoleGrant convert2HiveRoleGrant(TSentryRole role) {
  String roleName = role.getRoleName();

  HiveRoleGrant grant = new HiveRoleGrant();
  // The role is reported as a ROLE principal named after itself.
  grant.setRoleName(roleName);
  grant.setPrincipalName(roleName);
  grant.setPrincipalType(PrincipalType.ROLE.name());
  // The grantor is taken from the Sentry role and always reported with type USER.
  grant.setGrantor(role.getGrantorPrincipal());
  grant.setGrantorType(PrincipalType.USER.name());
  // The grant option is always reported as false.
  grant.setGrantOption(false);
  return grant;
}
 
Example #24
Source File: SentryHiveAuthorizationTaskFactoryImpl.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the task for a GRANT of privileges.
 *
 * <p>A privilege object is mandatory, partition-level objects are rejected, and every
 * principal must be a ROLE. The grantor is the session's authenticated user name,
 * recorded with type USER.
 *
 * <p>NOTE(review): with no session or authenticator the grantor stays {@code null}, so
 * the descriptor carries no attributable grantor. Confirm this is intended.
 *
 * @param ast parsed statement: child 0 is the privilege list, child 1 the principal
 *     list, later children the privilege object and the optional grant-option marker
 * @param inputs read entities passed through to the DDL work
 * @param outputs write entities passed through to the DDL work
 * @return the task wrapping the grant descriptor
 * @throws SemanticException on a partition spec or a non-ROLE principal
 */
@Override
public Task<? extends Serializable> createGrantTask(ASTNode ast, HashSet<ReadEntity> inputs,
    HashSet<WriteEntity> outputs) throws SemanticException {
  List<PrivilegeDesc> privileges = analyzePrivilegeListDef((ASTNode) ast.getChild(0));
  List<PrincipalDesc> principals = analyzePrincipalListDef((ASTNode) ast.getChild(1));

  // Children from index 2 onward carry the grant-option marker and the privilege object.
  SentryHivePrivilegeObjectDesc target = null;
  boolean withGrantOption = false;
  for (int idx = 2; idx < ast.getChildCount(); idx++) {
    ASTNode clause = (ASTNode) ast.getChild(idx);
    if (clause.getType() == HiveParser.TOK_GRANT_WITH_OPTION) {
      withGrantOption = true;
    } else if (clause.getType() == HiveParser.TOK_PRIV_OBJECT) {
      target = analyzePrivilegeObject(clause);
    }
  }

  String grantor = null;
  SessionState session = SessionState.get();
  if (session != null && session.getAuthenticator() != null) {
    grantor = session.getAuthenticator().getUserName();
  }

  // The failure message embeds the dumped AST, which is built on every call.
  Preconditions.checkNotNull(target, "privilegeObj is null for " + ast.dump());
  if (target.getPartSpec() != null) {
    throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
  }

  // Privileges can only be granted to roles; fail on the first other principal.
  for (PrincipalDesc principal : principals) {
    PrincipalType type = principal.getType();
    if (type != PrincipalType.ROLE) {
      throw new SemanticException(
          SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + type);
    }
  }

  GrantDesc grant = new GrantDesc(target, privileges,
      principals, grantor, PrincipalType.USER, withGrantOption);
  return createTask(new DDLWork(inputs, outputs, grant));
}
 
Example #25
Source File: HiveStubs.java    From waggle-dance with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a stub Hive function with fixed class name, owner and resource URI.
 *
 * <p>The owner is the USER principal "hadoop", the creation time is 0 and the single
 * resource is a JAR at a fixed hdfs:// path.
 *
 * @param databaseName database the function belongs to
 * @param functionName name of the function
 * @return the stub function
 */
public static Function newFunction(String databaseName, String functionName) {
  ResourceUri jar = new ResourceUri(ResourceType.JAR, "hdfs://path/to/my/jar/my.jar");
  List<ResourceUri> resources = Lists.newArrayList(jar);
  return new Function(functionName, databaseName, "com.hotels.hive.FN", "hadoop",
      PrincipalType.USER, 0, FunctionType.JAVA, resources);
}
 
Example #26
Source File: FederatedHMSHandler.java    From waggle-dance with Apache License 2.0 5 votes vote down vote up
/**
 * Lists a principal's privileges on a Hive object through the metastore mapped to the
 * object's database.
 *
 * <p>The mapping is chosen from {@code hiveObject.getDbName()}. The object reference is
 * transformed inbound before the call and the returned privileges are transformed
 * outbound before being handed back.
 *
 * @throws MetaException declared by the interface
 * @throws TException if the underlying client call fails
 */
@Override
@Loggable(value = Loggable.DEBUG, skipResult = true, name = INVOCATION_LOG_NAME)
public List<HiveObjectPrivilege> list_privileges(
    String principal_name,
    PrincipalType principal_type,
    HiveObjectRef hiveObject)
    throws MetaException, TException {
  String dbName = hiveObject.getDbName();
  DatabaseMapping target = databaseMappingService.databaseMapping(dbName);
  return target.transformOutboundHiveObjectPrivileges(
      target.getClient().list_privileges(
          principal_name, principal_type, target.transformInboundHiveObjectRef(hiveObject)));
}
 
Example #27
Source File: FederatedHMSHandler.java    From waggle-dance with Apache License 2.0 5 votes vote down vote up
/**
 * Forwards a role grant, unchanged, to the primary metastore client.
 *
 * @return the value returned by the primary client's {@code grant_role}
 * @throws MetaException declared by the interface
 * @throws TException if the underlying client call fails
 */
@Override
@Loggable(value = Loggable.DEBUG, skipResult = true, name = INVOCATION_LOG_NAME)
public boolean grant_role(
    String role_name,
    String principal_name,
    PrincipalType principal_type,
    String grantor,
    PrincipalType grantorType,
    boolean grant_option)
    throws MetaException, TException {
  // Role grants are never routed to a federated metastore; only the primary is called.
  boolean granted = getPrimaryClient()
      .grant_role(role_name, principal_name, principal_type, grantor, grantorType, grant_option);
  return granted;
}
 
Example #28
Source File: WaggleDanceIntegrationTest.java    From waggle-dance with Apache License 2.0 5 votes vote down vote up
/**
 * Creates one function in the primary and one in the federated metastore, then checks
 * the names and database names the proxy returns from getAllFunctions.
 */
@Test
public void typicalGetAllFunctions() throws Exception {
  runner = WaggleDanceRunner
      .builder(configLocation)
      .databaseResolution(DatabaseResolution.PREFIXED)
      .primary("primary", localServer.getThriftConnectionUri(), READ_ONLY)
      .withPrimaryPrefix("primary_")
      .federate(SECONDARY_METASTORE_NAME, remoteServer.getThriftConnectionUri(), REMOTE_DATABASE)
      .build();

  runWaggleDance(runner);
  HiveMetaStoreClient proxy = getWaggleDanceClient();

  // Both functions share one resource list and are owned by the USER principal "hadoop".
  ResourceUri jar = new ResourceUri(ResourceType.JAR, "hdfs://path/to/my/jar/my.jar");
  List<ResourceUri> resources = Lists.newArrayList(jar);

  Function inPrimary = new Function("fn1", LOCAL_DATABASE, "com.hotels.hive.FN1", "hadoop",
      PrincipalType.USER, 0, FunctionType.JAVA, resources);
  localServer.client().createFunction(inPrimary);

  Function inRemote = new Function("fn2", REMOTE_DATABASE, "com.hotels.hive.FN1", "hadoop",
      PrincipalType.USER, 0, FunctionType.JAVA, resources);
  remoteServer.client().createFunction(inRemote);

  List<Function> returned = proxy.getAllFunctions().getFunctions();
  assertThat(returned.size(), is(3));

  // fn1 is returned twice: under the prefixed and the plain primary database name.
  Function first = returned.get(0);
  assertThat(first.getFunctionName(), is("fn1"));
  assertThat(first.getDbName(), is("primary_" + LOCAL_DATABASE));

  Function second = returned.get(1);
  assertThat(second.getFunctionName(), is("fn1"));
  assertThat(second.getDbName(), is(LOCAL_DATABASE));

  // fn2 comes from the federated metastore under its prefixed database name.
  Function third = returned.get(2);
  assertThat(third.getFunctionName(), is("fn2"));
  assertThat(third.getDbName(), is(PREFIXED_REMOTE_DATABASE));
}
 
Example #29
Source File: MockThriftMetastoreClient.java    From presto with Apache License 2.0 5 votes vote down vote up
/**
 * Mock implementation: counts the call, then either fails or returns the fixed grants.
 *
 * <p>Both arguments are ignored, so every principal gets the same role grants.
 *
 * @return {@code TEST_ROLE_GRANTS}
 * @throws IllegalStateException if the mock is configured to throw
 */
@Override
public List<RolePrincipalGrant> listRoleGrants(String name, PrincipalType principalType)
{
    // The access is counted even when the call goes on to fail.
    accessCount.incrementAndGet();
    if (!throwException) {
        return TEST_ROLE_GRANTS;
    }
    throw new IllegalStateException();
}
 
Example #30
Source File: InMemoryThriftMetastore.java    From presto with Apache License 2.0 5 votes vote down vote up
/**
 * Creates a key made of a principal (name and type) and a table (table and database).
 *
 * <p>All four parts are required; a {@code null} argument is rejected with the
 * message "&lt;field&gt; is null", checked in parameter order.
 */
public PrincipalTableKey(String principalName, PrincipalType principalType, String table, String database)
{
    // The principal type is part of the key, so the same name with a different type
    // is stored as a distinct key component.
    this.principalName = requireNonNull(principalName, "principalName is null");
    this.principalType = requireNonNull(principalType, "principalType is null");
    this.table = requireNonNull(table, "table is null");
    this.database = requireNonNull(database, "database is null");
}