org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException Java Examples
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException.
Example #1
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Applies the authorizer's configuration policy to the given Hive configuration.
 *
 * <p>Nothing is changed unless a session context exists and reports a HiveServer2 client.
 * In that case {@code DisallowTransformHook} is appended to the pre-execution hook list and
 * {@code SettableConfigUpdater.setHiveConfWhiteList} is called on the configuration.
 *
 * @param hiveConf configuration that is updated in place
 * @throws HiveAuthzPluginException declared by the interface; nothing in this body throws it
 *         directly
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
    LOG.debug("RangerHiveAuthorizerBase.applyAuthorizationConfigPolicy()");

    // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy()
    boolean isHiveServer2Session = mSessionContext != null
            && mSessionContext.getClientType() == CLIENT_TYPE.HIVESERVER2;
    if (!isHiveServer2Session) {
        return;
    }

    // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries.
    // The hook name is appended unconditionally; there is no check for an existing entry,
    // so repeated calls on the same HiveConf add it again.
    String transformGuard = DisallowTransformHook.class.getName();
    String configuredHooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
    String updatedHooks = configuredHooks.isEmpty()
            ? transformGuard
            : configuredHooks + "," + transformGuard;

    hiveConf.setVar(ConfVars.PREEXECHOOKS, updatedHooks);
    SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
}
Example #2
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Returns the role names that are active for the authenticated user.
 *
 * <p>When the active role set is "all", the roles are listed through the Sentry client for
 * the authenticator's user name; otherwise the names held by the active role set are
 * returned.
 *
 * @return the collected role names; the list built so far (possibly empty) if a failure was
 *         handed to {@code executeOnErrorHooks} and that call returned normally
 * @throws HiveAuthzPluginException declared by the interface; presumably raised by
 *         {@code executeOnErrorHooks} (confirm against that helper)
 */
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
    List<String> roleNames = new ArrayList<String>();
    try {
        sentryClient = getSentryClient();
        hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
        ActiveRoleSet activeRoles = hiveAuthzBinding.getActiveRoleSet();
        if (!activeRoles.isAll()) {
            roleNames.addAll(activeRoles.getRoles());
        } else {
            roleNames = convert2RoleList(sentryClient.listUserRoles(authenticator.getUserName()));
        }
    } catch (Exception e) {
        // NOTE(review): every failure is routed to the error hooks. If that helper ever
        // returns instead of throwing, the caller receives a partial or empty role list
        // rather than an error; confirm.
        String msg = "Error when sentryClient listUserRoles: " + e.getMessage();
        executeOnErrorHooks(msg, e);
    } finally {
        // Release both per-call resources, client first, whether or not the lookup worked.
        if (sentryClient != null) {
            sentryClient.close();
        }
        if (hiveAuthzBinding != null) {
            hiveAuthzBinding.close();
        }
    }
    return roleNames;
}
Example #3
Source File: RangerHiveAuthorizerFactory.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Creates the Hive authorizer by delegating to the wrapped factory implementation.
 *
 * <p>The plugin class loader is activated before the delegate is called and is always
 * deactivated afterwards, including when the delegate throws.
 *
 * @param metastoreClientFactory passed through to the delegate
 * @param conf passed through to the delegate
 * @param hiveAuthenticator passed through to the delegate
 * @param sessionContext passed through to the delegate
 * @return the authorizer produced by the delegate
 * @throws HiveAuthzPluginException propagated from the delegate
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthenticationProvider hiveAuthenticator,
        HiveAuthzSessionContext sessionContext) throws HiveAuthzPluginException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
    }

    final HiveAuthorizer authorizer;
    try {
        activatePluginClassLoader();
        authorizer = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(
                metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
    } finally {
        // Always undo the class-loader switch so a failure does not leave it activated.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
    }
    return authorizer;
}
Example #4
Source File: SimpleSemanticAnalyzer.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Extracts the database and table targeted by a SHOW INDEX style command.
 *
 * <p>The last capture group of {@code regex} is read as the database name and group 3 as the
 * table name. When the database group did not match, the table name is handed to
 * {@code extractDbAndTb} instead.
 *
 * @param cmd the command text to analyse
 * @param regex the pattern to apply, matched case-insensitively; must define at least three
 *        capture groups because group 3 is read unconditionally
 * @throws HiveAuthzPluginException if the pattern is not found in {@code cmd}
 */
private void parseShowIndex(String cmd, String regex) throws HiveAuthzPluginException {
    Matcher m = Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(cmd);
    if (!m.find()) {
        // Reject anything the grammar does not recognise rather than guessing a target.
        throw new HiveAuthzPluginException("this command " + cmd + " is not match show index grammar");
    }

    String database = m.group(m.groupCount());
    String table = m.group(3);
    if (database == null) {
        extractDbAndTb(table);
        return;
    }
    currentDb = database;
    currentTb = table;
}
Example #5
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Builds a {@code SentryHiveAuthorizer} for the given session.
 *
 * <p>Loads the Sentry authorization configuration into {@code this.authzConf}, derives the
 * effective session context through {@code applyTestSettings}, and runs
 * {@code assertHiveCliAuthDisabled} before any controller or validator is created.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf Hive configuration
 * @param authenticator authentication provider handed to the controller and validator
 * @param ctx session context supplied by Hive
 * @return the authorizer combining the access controller and the authorization validator
 * @throws HiveAuthzPluginException wrapping any exception raised during the setup steps, or
 *         propagated from the controller/validator lookups
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
    final HiveAuthzSessionContext effectiveContext;
    try {
        this.authzConf = HiveAuthzBindingHook.loadAuthzConf(conf);
        effectiveContext = applyTestSettings(ctx, conf);
        assertHiveCliAuthDisabled(conf, effectiveContext);
    } catch (Exception e) {
        // Surface every setup failure as a plugin exception so no authorizer is returned
        // from a half-initialised factory.
        throw new HiveAuthzPluginException(e);
    }

    // Arguments are evaluated left to right: controller first, then validator.
    return new SentryHiveAuthorizer(
            getAccessController(conf, authzConf, authenticator, effectiveContext),
            getAuthzValidator(conf, authzConf, authenticator));
}
Example #6
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
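/**
 * Refreshes {@code currentUserName} and {@code currentRoles} when the authenticated user
 * differs from the one recorded on this authorizer.
 *
 * <p>If the role lookup fails, the roles are reset to an empty set. Without that reset the
 * field would keep whatever it held before the user name changed, and because the new user
 * name has already been recorded, later calls would return early and never replace it.
 */
private void initUserRoles() {
    if (LOG.isDebugEnabled()) {
        LOG.debug(" ==> RangerHiveAuthorizer.initUserRoles()");
    }

    // from SQLStdHiveAccessController.initUserRoles()
    // to aid in testing through .q files, authenticator is passed as argument to
    // the interface. this helps in being able to switch the user within a session.
    // so we need to check if the user has changed
    String newUserName = getHiveAuthenticator().getUserName();
    if (Objects.equals(currentUserName, newUserName)) {
        // no need to (re-)initialize the currentUserName, currentRoles fields
        return;
    }

    this.currentUserName = newUserName;
    try {
        currentRoles = getCurrentRoleNamesFromRanger();
    } catch (HiveAuthzPluginException e) {
        // Fail closed: never let the new user inherit the role set that was loaded for the
        // previous one. An empty set also keeps later clear()/add() calls from hitting null.
        currentRoles = new HashSet<String>();
        LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
    }

    LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}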
Example #7
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Returns the authorization validator used by the Sentry authorizer.
 *
 * <p>The class configured under {@code HIVE_SENTRY_AUTHORIZATION_CONTROLLER} is looked up
 * (default {@code DefaultSentryValidator}) and only checked for being non-null.
 *
 * <p>NOTE(review): the looked-up class is never instantiated; a
 * {@code DefaultSentryValidator} is always returned. An operator who configures a custom
 * validator would therefore still get the default one. Confirm whether that is intended.
 *
 * @param conf Hive configuration holding the validator class setting
 * @param authzConf Sentry authorization configuration
 * @param authenticator authentication provider for the session
 * @return a new {@code DefaultSentryValidator}
 * @throws HiveAuthzPluginException if the configured class resolves to {@code null} or the
 *         validator constructor throws
 */
public static SentryHiveAuthorizationValidator getAuthzValidator(HiveConf conf,
        HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator)
        throws HiveAuthzPluginException {
    Class<? extends SentryHiveAuthorizationValidator> validatorClass = conf.getClass(
            HIVE_SENTRY_AUTHORIZATION_CONTROLLER, DefaultSentryValidator.class,
            SentryHiveAuthorizationValidator.class);

    if (validatorClass != null) {
        try {
            return new DefaultSentryValidator(conf, authzConf, authenticator);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_AUTHORIZATION_CONTROLLER
            + " is not set to valid SentryAuthorizationValidator subclass");
}
Example #8
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Returns the access controller used by the Sentry authorizer.
 *
 * <p>The class configured under {@code HIVE_SENTRY_ACCESS_CONTROLLER} is looked up (default
 * {@code DefaultSentryAccessController}) and only checked for being non-null.
 *
 * <p>NOTE(review): the looked-up class is never instantiated; a
 * {@code DefaultSentryAccessController} is always returned, so a configured custom
 * controller has no effect here. Confirm whether that is intended.
 *
 * @param conf Hive configuration holding the controller class setting
 * @param authzConf Sentry authorization configuration
 * @param authenticator authentication provider for the session
 * @param ctx session context passed to the controller
 * @return a new {@code DefaultSentryAccessController}
 * @throws HiveAuthzPluginException if the configured class resolves to {@code null} or the
 *         controller constructor throws
 */
public static SentryHiveAccessController getAccessController(HiveConf conf,
        HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    Class<? extends SentryHiveAccessController> controllerClass = conf.getClass(
            HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class,
            SentryHiveAccessController.class);

    if (controllerClass != null) {
        try {
            return new DefaultSentryAccessController(conf, authzConf, authenticator, ctx);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER
            + " is not set to valid SentryAccessController subclass");
}
Example #9
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Placeholder for listing the privileges a principal holds on an object.
 *
 * <p>This base implementation only logs the call and invokes
 * {@code throwNotImplementedException}; it never builds a privilege list.
 *
 * @param principal the principal whose privileges were requested (unused)
 * @param privObj the object the request refers to (unused)
 * @return {@code null} if {@code throwNotImplementedException} returns normally; presumably
 *         that helper always throws (confirm)
 * @throws HiveAuthzPluginException declared by the interface; presumably raised by the helper
 * @throws HiveAccessControlException declared by the interface
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
        throws HiveAuthzPluginException, HiveAccessControlException {
    LOG.debug("RangerHiveAuthorizerBase.showPrivileges()");

    final String operation = "showPrivileges";
    throwNotImplementedException(operation);

    return null;
}
Example #10
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
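/**
 * Returns a policy provider backed by the Ranger Hive plugin.
 *
 * @return a new {@code RangerHivePolicyProvider} wrapping {@code hivePlugin}
 * @throws HiveAuthzPluginException if {@code hivePlugin} is {@code null}
 */
@Override
public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
    if (hivePlugin == null) {
        // A message makes this failure diagnosable; the bare exception carried none.
        throw new HiveAuthzPluginException(
                "Ranger Hive plugin is not initialized; cannot create a policy provider");
    }
    return new RangerHivePolicyProvider(hivePlugin);
}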
Example #11
Source File: SimpleSemanticAnalyzer.java From incubator-sentry with Apache License 2.0 | 5 votes |
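/**
 * Extracts the function class named by a CREATE FUNCTION style command into
 * {@code currentTb}.
 *
 * <p>The last capture group of {@code regex} is taken as the class reference. If it contains
 * a single quote, the text between the first and second quote is used; otherwise the whole
 * group is used.
 *
 * @param cmd the command text to analyse
 * @param regex the pattern to apply, matched case-insensitively
 * @throws HiveAuthzPluginException if the pattern is not found, the last group did not take
 *         part in the match, or the quoted class reference is empty or malformed
 */
private void parseFunction(String cmd, String regex) throws HiveAuthzPluginException {
    Matcher matcher = Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(cmd);
    if (!matcher.find()) {
        throw new HiveAuthzPluginException("this command " + cmd + " is not match create function grammar");
    }

    String udfClass = matcher.group(matcher.groupCount());
    if (udfClass == null) {
        // The group is optional in some patterns; report it as a grammar failure instead of
        // letting a NullPointerException escape from the command parser.
        throw new HiveAuthzPluginException("this command " + cmd + " is not match create function grammar");
    }

    if (!udfClass.contains("'")) {
        currentTb = udfClass;
        return;
    }

    // split() drops trailing empty strings, so input such as "''" or "name'" yields fewer
    // than two parts. Reject it explicitly rather than indexing past the end of the array.
    String[] quotedParts = udfClass.split("'");
    if (quotedParts.length < 2) {
        throw new HiveAuthzPluginException("this command " + cmd + " is not match create function grammar");
    }
    currentTb = quotedParts[1];
}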
Example #12
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Switches the session's active roles according to {@code roleName}.
 *
 * <ul>
 *   <li>{@code ROLE_NONE}: clears all active roles.</li>
 *   <li>{@code ROLE_ALL}: replaces the active roles with the roles fetched from Ranger.</li>
 *   <li>A role the user holds (case-insensitive match): that role becomes the only active
 *       role.</li>
 *   <li>{@code ROLE_ADMIN} while {@code adminRole} is set: the admin role becomes the only
 *       active role.</li>
 * </ul>
 *
 * @param roleName the requested role
 * @throws HiveAccessControlException if none of the cases above applies
 * @throws HiveAuthzPluginException if the role lookup fails
 */
@Override
public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
    // from SQLStdHiveAccessController.setCurrentRole()
    initUserRoles();

    if (ROLE_NONE.equalsIgnoreCase(roleName)) {
        // for set role NONE, clear all roles for current session.
        currentRoles.clear();
        return;
    }

    if (ROLE_ALL.equalsIgnoreCase(roleName)) {
        // for set role ALL, reset roles to default roles.
        // The set is cleared before the lookup, so a failed lookup leaves no roles active.
        currentRoles.clear();
        currentRoles.addAll(getCurrentRoleNamesFromRanger());
        return;
    }

    // set to one of the roles user belongs to.
    String grantedRole = null;
    for (String candidate : getCurrentRoleNamesFromRanger()) {
        if (candidate.equalsIgnoreCase(roleName)) {
            grantedRole = candidate;
            break;
        }
    }

    // set to ADMIN role, if user belongs there.
    if (grantedRole == null && ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
        grantedRole = adminRole;
    }

    if (grantedRole != null) {
        currentRoles.clear();
        currentRoles.add(grantedRole);
        return;
    }

    LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
    // If we are here it means, user is requesting a role he doesn't belong to.
    throw new HiveAccessControlException(currentUserName + " doesn't belong to role " + roleName);
}
Example #13
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Fetches the current user's roles from the Ranger plugin.
 *
 * <p>Every role except the one matching {@code ROLE_ADMIN} (case-insensitive) is returned;
 * the admin role is recorded in {@code this.adminRole} instead. Audit events are flushed
 * whether or not the lookup succeeds.
 *
 * <p>NOTE(review): {@code adminRole} is only ever assigned here, never cleared. If the
 * session user can change and the field is not reset elsewhere, a value recorded for an
 * earlier user would remain set. Confirm against the rest of the class.
 *
 * @return the user's non-admin role names
 * @throws HiveAuthzPluginException if no user information is available or the plugin lookup
 *         throws
 */
private Set<String> getCurrentRoleNamesFromRanger() throws HiveAuthzPluginException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
    }

    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAuthzPluginException("User information not available");
    }

    Set<String> nonAdminRoles = new HashSet<String>();
    String user = ugi.getShortUserName();
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getCurrentRoleNamesFromRanger() for user " + user);
        }
        // Copy the plugin's answer so the loop does not iterate a collection owned elsewhere.
        Set<String> rolesFromPlugin = new HashSet<String>(hivePlugin.getUserRoles(user, auditHandler));
        for (String role : rolesFromPlugin) {
            if (ROLE_ADMIN.equalsIgnoreCase(role)) {
                this.adminRole = role;
            } else {
                nonAdminRoles.add(role);
            }
        }
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        auditHandler.flushAudit();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user);
    }
    return nonAdminRoles;
}
Example #14
Source File: RelaxedSQLStdHiveAuthorizerFactory.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Creates an authorizer that pairs the relaxed access-controller wrapper with the standard
 * SQL authorization validator.
 *
 * <p>NOTE(review): the class names suggest loosened access checks; confirm this factory is
 * only wired into test configurations.
 *
 * @param metastoreClientFactory passed to both the controller wrapper and the validator
 * @param conf Hive configuration
 * @param authenticator authentication provider for the session
 * @param ctx session context
 * @return a {@code HiveAuthorizerImpl} built from the wrapper and the validator
 * @throws HiveAuthzPluginException propagated from the controller or validator constructors
 */
@Override
public HiveAuthorizer createHiveAuthorizer(
        HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf,
        HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    RelaxedSQLStdHiveAccessControllerWrapper accessController =
            new RelaxedSQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);

    // The validator receives the same controller instance the authorizer will use.
    SQLStdHiveAuthorizationValidator validator = new SQLStdHiveAuthorizationValidator(
            metastoreClientFactory, conf, authenticator, accessController, ctx);

    return new HiveAuthorizerImpl(accessController, validator);
}
Example #15
Source File: RelaxedSQLStdHiveAccessControllerWrapper.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Builds the wrapper through the superclass constructor and then replaces the wrapped access
 * controller with a {@code RelaxedSQLStdHiveAccessController} created from the same
 * arguments.
 *
 * @param metastoreClientFactory passed to the superclass and to the relaxed controller
 * @param conf Hive configuration
 * @param authenticator authentication provider for the session
 * @param ctx session context
 * @throws HiveAuthzPluginException propagated from either constructor
 */
public RelaxedSQLStdHiveAccessControllerWrapper(
        HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf,
        HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    super(metastoreClientFactory, conf, authenticator, ctx);

    // Swap in the relaxed controller only after the superclass has finished its own setup.
    RelaxedSQLStdHiveAccessController relaxedController =
            new RelaxedSQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
    overrideHiveAccessController(relaxedController);
}
Example #16
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
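/**
 * Drops a role through the Ranger plugin on behalf of the current user and records an audit
 * event for the attempt.
 *
 * <p>The reserved-name check upper-cases the trimmed name with {@code Locale.ROOT}. The
 * default-locale form of {@code toUpperCase()} depends on the JVM locale (for example the
 * Turkish dotted/dotless i), which could let a reserved name slip past the comparison.
 *
 * <p>NOTE(review): the check uses the trimmed name while the plugin call receives the
 * untrimmed one; confirm the plugin normalises the name the same way.
 *
 * @param roleName name of the role to drop; must not be {@code null}
 * @throws HiveAuthzPluginException if {@code roleName} is {@code null} or is a reserved role
 * @throws HiveAccessControlException if no user information is available or the plugin call
 *         fails
 */
@Override
public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("RangerHiveAuthorizer.dropRole()");
    }

    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    boolean result = false;
    List<String> roleNames = Arrays.asList(roleName);

    if (ugi == null) {
        throw new HiveAccessControlException("Permission denied: user information not available");
    }

    if (roleName == null) {
        // Report a declared exception instead of a NullPointerException from trim().
        throw new HiveAuthzPluginException("Role name cannot be null");
    }

    // Locale.ROOT keeps the comparison independent of the JVM's default locale.
    if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase(java.util.Locale.ROOT))) {
        throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: "
                + RESERVED_ROLE_NAMES);
    }

    String currentUserName = ugi.getShortUserName();
    List<String> userNames = Arrays.asList(currentUserName);

    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== dropRole(): " + roleName);
        }
        hivePlugin.dropRole(currentUserName, roleName, auditHandler);
        result = true;
    } catch (Exception excp) {
        throw new HiveAccessControlException(excp);
    } finally {
        // Audit both outcomes: result stays false when the plugin call threw.
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames,
                HiveOperationType.DROPROLE, HiveAccessType.DROP, roleNames, result);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
}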
Example #17
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Returns the names of the roles currently active for the session user and audits the
 * request as a SHOW_ROLES / SELECT operation.
 *
 * @return the role names reported by {@code getCurrentRoles()}
 * @throws HiveAuthzPluginException if no user information is available or reading the roles
 *         throws
 */
@Override
public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("RangerHiveAuthorizer.getCurrentRoleNames()");
    }

    UserGroupInformation ugi = getCurrentUserGroupInfo();
    boolean succeeded = false;
    if (ugi == null) {
        throw new HiveAuthzPluginException("User information not available");
    }

    List<String> roleNames = new ArrayList<String>();
    String user = ugi.getShortUserName();
    List<String> userNames = Arrays.asList(user);
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== getCurrentRoleNames() for user " + user);
        }
        for (String role : getCurrentRoles()) {
            roleNames.add(role);
        }
        succeeded = true;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // The audit event is written for both outcomes; on failure it carries whatever
        // names had been collected and a false result.
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, user, userNames,
                HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, roleNames, succeeded);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }

    return roleNames;
}
Example #18
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Converts a privilege object into its Thrift {@code HiveObjectRef} form by delegating to
 * {@code AuthorizationUtils}.
 *
 * @param privObj the privilege object to convert
 * @return the Thrift object reference produced by the delegate
 * @throws HiveAuthzPluginException wrapping a {@code HiveException} raised by the delegate
 */
static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj) throws HiveAuthzPluginException {
    final HiveObjectRef thriftRef;
    try {
        thriftRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
    } catch (HiveException e) {
        // Keep the cause so the original failure stays visible to the caller.
        throw new HiveAuthzPluginException(e);
    }
    return thriftRef;
}
Example #19
Source File: RelaxedSQLStdHiveAccessController.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Creates the controller by passing every argument unchanged to the superclass constructor.
 *
 * <p>NOTE(review): the class name suggests loosened access checks; nothing in this
 * constructor shows what is relaxed. Confirm the class is only used in test setups.
 *
 * @param metastoreClientFactory forwarded to the superclass
 * @param conf forwarded to the superclass
 * @param authenticator forwarded to the superclass
 * @param ctx forwarded to the superclass
 * @throws HiveAuthzPluginException propagated from the superclass constructor
 */
public RelaxedSQLStdHiveAccessController(
    HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx)
  throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);
}
Example #20
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Placeholder for listing the role grants of a principal.
 *
 * <p>This base implementation only logs the call and invokes
 * {@code throwNotImplementedException}; it never builds a grant list.
 *
 * @param principal the principal whose role grants were requested (unused)
 * @return {@code null} if {@code throwNotImplementedException} returns normally; presumably
 *         that helper always throws (confirm)
 * @throws HiveAuthzPluginException declared by the interface; presumably raised by the helper
 * @throws HiveAccessControlException declared by the interface
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
        throws HiveAuthzPluginException, HiveAccessControlException {
    LOG.debug("RangerHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");

    final String operation = "getRoleGrantInfoForPrincipal";
    throwNotImplementedException(operation);

    return null;
}
Example #21
Source File: SimpleSemanticAnalyzer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Extracts the database targeted by a table-status style command.
 *
 * <p>The last capture group of the pattern becomes {@code currentDb}; {@code currentTb} is
 * set to {@code Table.SOME.getName()}.
 *
 * @param cmd the command text to analyse
 * @param showTablestatus the pattern to apply, matched case-insensitively
 * @throws HiveAuthzPluginException if the pattern is not found in {@code cmd}
 */
private void parseTableExtend(String cmd, String showTablestatus) throws HiveAuthzPluginException {
    Matcher m = Pattern.compile(showTablestatus, Pattern.CASE_INSENSITIVE).matcher(cmd);
    if (!m.find()) {
        throw new HiveAuthzPluginException("this command " + cmd + " is not match table meta grammar");
    }

    // The database name may be null if the last group did not take part in the match.
    currentDb = m.group(m.groupCount());
    currentTb = Table.SOME.getName();
}
Example #22
Source File: SimpleSemanticAnalyzer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Extracts the table targeted by a LOAD style command.
 *
 * <p>The last capture group of the pattern is trimmed and passed to {@code extractDbAndTb}.
 *
 * @param cmd the command text to analyse
 * @param load the pattern to apply, matched case-insensitively
 * @throws HiveAuthzPluginException if the pattern is not found in {@code cmd}
 */
private void parseLoadTable(String cmd, String load) throws HiveAuthzPluginException {
    Matcher m = Pattern.compile(load, Pattern.CASE_INSENSITIVE).matcher(cmd);
    if (!m.find()) {
        throw new HiveAuthzPluginException("this command " + cmd + " is not match table meta grammar");
    }

    // NOTE(review): trim() assumes the last group took part in the match; with a pattern
    // whose last group is optional this would be a NullPointerException. Confirm the
    // patterns passed in.
    String tableName = m.group(m.groupCount());
    extractDbAndTb(tableName.trim());
}
Example #23
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 5 votes |
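/**
 * Rejects a Hive CLI session that has authorization enabled.
 *
 * @param conf Hive configuration whose {@code HIVE_AUTHORIZATION_ENABLED} flag is read
 * @param ctx session context whose client type is checked
 * @throws HiveAuthzPluginException if the client is the Hive CLI and authorization is enabled
 */
private void assertHiveCliAuthDisabled(HiveConf conf, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
    boolean cliWithAuthzEnabled = ctx.getClientType() == CLIENT_TYPE.HIVECLI
            && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
    if (!cliWithAuthzEnabled) {
        return;
    }

    // Message repaired: the two sentences were concatenated without a separator
    // ("hive cliInstead") and "recommended" was misspelled.
    throw new HiveAuthzPluginException(
            "SQL standards based authorization should not be enabled from hive cli. "
                    + "Instead the use of storage based authorization in hive metastore is recommended. Set "
                    + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
}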
Example #24
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Test-only factory method that builds the authorizer from an explicitly supplied Sentry
 * configuration.
 *
 * <p>Unlike the public overload on the authorizer-factory interface, this body does not load
 * the configuration itself and performs no session or CLI checks; it only creates the
 * controller and validator.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration to use as given
 * @param authenticator authentication provider for the session
 * @param ctx session context passed to the access controller
 * @return the authorizer combining the access controller and the authorization validator
 * @throws HiveAuthzPluginException propagated from the controller or validator lookups
 */
@VisibleForTesting
protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    // Arguments are evaluated left to right: controller first, then validator.
    return new SentryHiveAuthorizer(
            getAccessController(conf, authzConf, authenticator, ctx),
            getAuthzValidator(conf, authzConf, authenticator));
}
Example #25
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Grants privileges on an object by delegating to {@code grantOrRevokePrivlegeOnRole} in
 * grant mode.
 *
 * @param hivePrincipals principals receiving the privileges
 * @param hivePrivileges privileges to grant
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal not forwarded to the helper; this implementation ignores it
 * @param grantOption whether the grant option is requested
 * @throws HiveAuthzPluginException propagated from the helper
 * @throws HiveAccessControlException propagated from the helper
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
        HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
        throws HiveAuthzPluginException, HiveAccessControlException {
    final boolean isGrant = true;
    grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
Example #26
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Revokes privileges on an object by delegating to {@code grantOrRevokePrivlegeOnRole} in
 * revoke mode.
 *
 * @param hivePrincipals principals losing the privileges
 * @param hivePrivileges privileges to revoke
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal not forwarded to the helper; this implementation ignores it
 * @param grantOption whether the grant option is affected
 * @throws HiveAuthzPluginException propagated from the helper
 * @throws HiveAccessControlException propagated from the helper
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
        HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
        throws HiveAuthzPluginException, HiveAccessControlException {
    final boolean isGrant = false;
    grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
Example #27
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Revokes privileges by forwarding the call, with all arguments unchanged, to the configured
 * access controller.
 *
 * @param hivePrincipals principals losing the privileges
 * @param hivePrivileges privileges to revoke
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal performing the revoke
 * @param grantOption whether the grant option is affected
 * @throws HiveAuthzPluginException propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void revokePrivileges(
        List<HivePrincipal> hivePrincipals,
        List<HivePrivilege> hivePrivileges,
        HivePrivilegeObject hivePrivObject,
        HivePrincipal grantorPrincipal,
        boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
    // This class makes no authorization decision of its own here; the controller decides.
    accessController.revokePrivileges(
            hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
Example #28
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Grants privileges by forwarding the call, with all arguments unchanged, to the configured
 * access controller.
 *
 * @param hivePrincipals principals receiving the privileges
 * @param hivePrivileges privileges to grant
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal performing the grant
 * @param grantOption whether the grant option is requested
 * @throws HiveAuthzPluginException propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void grantPrivileges(
        List<HivePrincipal> hivePrincipals,
        List<HivePrivilege> hivePrivileges,
        HivePrivilegeObject hivePrivObject,
        HivePrincipal grantorPrincipal,
        boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
    // This class makes no authorization decision of its own here; the controller decides.
    accessController.grantPrivileges(
            hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
Example #29
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Verifies that this controller is being used from HiveServer2 with authorization enabled.
 *
 * <p>No configuration value is changed; the method only validates the session.
 *
 * @param hiveConf configuration whose {@code HIVE_AUTHORIZATION_ENABLED} flag is read
 * @throws HiveAuthzPluginException if the client is not HiveServer2 or authorization is
 *         disabled
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
    // Apply rest of the configuration only to HiveServer2
    boolean supportedSession = ctx.getClientType() == CLIENT_TYPE.HIVESERVER2
            && hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
    if (supportedSession) {
        return;
    }
    throw new HiveAuthzPluginException("Sentry just support for hiveserver2");
}
Example #30
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Creates a Sentry policy service client from the authorization configuration.
 *
 * @return a client created by {@code SentryServiceClientFactory}
 * @throws HiveAuthzPluginException if {@code authzConf} is {@code null} or client creation
 *         fails; the original exception is kept as the cause
 */
private SentryPolicyServiceClient getSentryClient() throws HiveAuthzPluginException {
    try {
        Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null");
        SentryPolicyServiceClient client = SentryServiceClientFactory.create(authzConf);
        return client;
    } catch (Exception e) {
        // The precondition failure is caught here too, so callers only see the plugin exception.
        throw new HiveAuthzPluginException(
                "Error occurred when creating Sentry client: " + e.getMessage(), e);
    }
}