org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject Java Examples
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.
Example #1
Source File: RangerHivePolicyProvider.java From ranger with Apache License 2.0 | 6 votes |
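/**
 * Returns the ACLs for the given Hive object.
 *
 * <p>The Hive privilege object is first converted with
 * {@code RangerHiveAuthorizer.createHiveResource}; the lookup itself is done by the overload of
 * {@code getResourceACLs} that takes the converted resource.
 *
 * @param hiveObject Hive object whose ACLs are requested
 * @return the ACLs produced by the resource-based overload
 */
@Override
public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) {
  RangerPerfTracer perf = null;

  if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEACLPROVIDER_REQUEST_LOG)) {
    perf = RangerPerfTracer.getPerfTracer(PERF_HIVEACLPROVIDER_REQUEST_LOG, "RangerHivePolicyProvider.getResourceACLS()");
  }

  try {
    // Extract and build RangerHiveResource from inputObject
    // NOTE(review): the conversion result is passed on unchecked; confirm the overload
    // tolerates a null resource if the conversion can return one.
    RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);

    return getResourceACLs(hiveResource);
  } finally {
    // Log the trace on the failure path as well, so a throwing lookup is still recorded.
    RangerPerfTracer.log(perf);
  }
}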
Example #2
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Converts a Hive privilege object into a Ranger resource for list filtering.
 *
 * <p>Only {@code DATABASE} and {@code TABLE_OR_VIEW} objects are converted. Any other type is
 * logged at WARN level and produces {@code null}, so callers must handle a null result.
 *
 * @param privilegeObject Hive object to convert
 * @return the converted resource, or {@code null} for an unexpected object type
 */
static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
  HivePrivilegeObjectType objectType = privilegeObject.getType();

  switch (objectType) {
    case DATABASE:
    case TABLE_OR_VIEW:
      return createHiveResource(privilegeObject);

    default:
      LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + objectType);
      return null;
  }
}
Example #3
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Show privileges for given principal on given object.
 *
 * <p>This base implementation logs the call at DEBUG level and hands off to
 * {@code throwNotImplementedException("showPrivileges")}.
 *
 * @param principal principal whose privileges are requested
 * @param privObj object the privileges apply to
 * @return {@code null} if {@code throwNotImplementedException} returns normally
 * @throws HiveAuthzPluginException declared by the overridden method
 * @throws HiveAccessControlException declared by the overridden method
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
    throws HiveAuthzPluginException, HiveAccessControlException {
  LOG.debug("RangerHiveAuthorizerBase.showPrivileges()");

  throwNotImplementedException("showPrivileges");

  return null;
}
Example #4
Source File: SentryAuthorizerUtil.java From incubator-sentry with Apache License 2.0 | 5 votes |
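/**
 * Convert TSentryPrivilege to HivePrivilegeInfo.
 *
 * <p>The grantor is always reported as the {@code UNKONWN_GRANTOR} role, because Sentry does not
 * expose who granted a privilege.
 *
 * @param tPrivilege Sentry privilege to convert
 * @param principal principal the privilege belongs to
 * @return the equivalent Hive privilege info
 */
public static HivePrivilegeInfo convert2HivePrivilegeInfo(TSentryPrivilege tPrivilege,
    HivePrincipal principal) {
  HivePrivilege hivePrivilege = convert2HivePrivilege(tPrivilege.getAction());
  HivePrivilegeObject hivePrivilegeObject = convert2HivePrivilegeObject(tPrivilege);
  // now sentry don't show grantor of a privilege
  HivePrincipal grantor = new HivePrincipal(UNKONWN_GRANTOR, HivePrincipalType.ROLE);
  // Constant-first comparison: a missing (null) grant option is reported as "no grant option"
  // instead of failing with a NullPointerException.
  boolean grantOption = TSentryGrantOption.TRUE.equals(tPrivilege.getGrantOption());
  // NOTE(review): the create time is narrowed to int; confirm its unit and range so the cast
  // cannot truncate.
  return new HivePrivilegeInfo(principal, hivePrivilege, hivePrivilegeObject, grantor,
      grantOption, (int) tPrivilege.getCreateTime());
}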
Example #5
Source File: SentryAuthorizerUtil.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Convert HivePrivilegeObject list to {@code List<List<DBModelAuthorizable>>}.
 *
 * <p>Each object is expanded with {@code getAuthzHierarchy} and the resulting hierarchies are
 * concatenated in input order.
 *
 * @param server server passed to {@code getAuthzHierarchy} for every object
 * @param privilges objects to convert; may be {@code null} or empty
 * @return the collected hierarchies; empty when there is nothing to convert
 */
public static List<List<DBModelAuthorizable>> convert2SentryPrivilegeList(Server server,
    List<HivePrivilegeObject> privilges) {
  List<List<DBModelAuthorizable>> hierarchyList = new ArrayList<List<DBModelAuthorizable>>();

  if (privilges == null || privilges.isEmpty()) {
    return hierarchyList;
  }

  for (HivePrivilegeObject privilegeObject : privilges) {
    hierarchyList.addAll(getAuthzHierarchy(server, privilegeObject));
  }
  return hierarchyList;
}
Example #6
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Builds the privilege object for a GRANT/REVOKE subject description.
 *
 * <p>A {@code SentryHivePrivilegeObjectDesc} that reports {@code isSentryPrivObjectDesc()} is
 * turned into a {@code SentryHivePrivilegeObject}; everything else, including {@code null}, is
 * handled by the superclass.
 *
 * @param privSubjectDesc subject description from the statement
 * @return the privilege object for the description
 * @throws HiveException declared by the overridden method
 */
@Override
public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
    throws HiveException {
  // instanceof is false for null, so no separate null check is needed.
  if (privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
    SentryHivePrivilegeObjectDesc sentryDesc = (SentryHivePrivilegeObjectDesc) privSubjectDesc;

    if (sentryDesc.isSentryPrivObjectDesc()) {
      HivePrivilegeObjectType sentryType = getPrivObjectType(sentryDesc);
      return new SentryHivePrivilegeObject(sentryType, privSubjectDesc.getObject());
    }
  }

  return super.getHivePrivilegeObject(privSubjectDesc);
}
Example #7
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Revokes privileges by delegating to the configured access controller.
 *
 * <p>All arguments are passed through unchanged; no check is done in this method itself.
 *
 * @param hivePrincipals principals losing the privileges
 * @param hivePrivileges privileges to revoke
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the revoke
 * @param grantOption grant-option flag from the statement
 * @throws HiveAuthzPluginException propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void revokePrivileges(
    List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal,
    boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  accessController.revokePrivileges(
      hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
Example #8
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Grants privileges by delegating to the configured access controller.
 *
 * <p>All arguments are passed through unchanged; no check is done in this method itself.
 *
 * @param hivePrincipals principals receiving the privileges
 * @param hivePrivileges privileges to grant
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the grant
 * @param grantOption whether the grant includes the grant option
 * @throws HiveAuthzPluginException propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public void grantPrivileges(
    List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal,
    boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  accessController.grantPrivileges(
      hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption);
}
Example #9
Source File: DefaultSentryValidator.java From incubator-sentry with Apache License 2.0 | 5 votes |
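/**
 * Filters the result of a list command down to the objects the current user may see.
 *
 * <p>The type of the first element selects the filter: {@code DATABASE} lists go through
 * {@code filterShowDatabases}, {@code TABLE_OR_VIEW} lists through {@code filterShowTables}.
 * Lists of any other type are returned unchanged.
 *
 * <p>If filtering fails, an empty list is returned. Returning the input unchanged on error
 * would expose every object name to the caller whenever the authorization binding is
 * unavailable, so the error path fails closed.
 *
 * @param listObjs objects produced by the list command; may be {@code null} or empty
 * @param context authorization context of the request (not read here)
 * @return the filtered list, the input itself when it is null, empty or of another type, or an
 *     empty list when filtering failed
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  if (listObjs == null || listObjs.isEmpty()) {
    return listObjs;
  }

  // The first element decides which filter is applied to the whole list.
  HivePrivilegeObjectType pType = listObjs.get(0).getType();
  HiveAuthzBinding hiveAuthzBinding = null;
  try {
    switch (pType) {
      case DATABASE:
        hiveAuthzBinding = getAuthzBinding();
        listObjs = filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
        break;
      case TABLE_OR_VIEW:
        hiveAuthzBinding = getAuthzBinding();
        listObjs = filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
        break;
      default:
        // Other object types are not filtered.
        break;
    }
  } catch (Exception e) {
    // Fail closed: never hand back the unfiltered list when the authorization check itself
    // could not be completed. Logged at ERROR so the failure is visible to operators.
    LOG.error("Failed to filter list command objects; returning an empty list", e);
    listObjs = new java.util.ArrayList<HivePrivilegeObject>();
  } finally {
    if (hiveAuthzBinding != null) {
      hiveAuthzBinding.close();
    }
  }
  return listObjs;
}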
Example #10
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Revokes privileges through {@code grantOrRevokePrivlegeOnRole}, with the final flag
 * {@code false} where the grant path passes {@code true}.
 *
 * <p>{@code grantorPrincipal} is accepted for interface compatibility but is not forwarded.
 *
 * @param hivePrincipals principals losing the privileges
 * @param hivePrivileges privileges to revoke
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the revoke (unused)
 * @param grantOption grant-option flag from the statement
 * @throws HiveAuthzPluginException propagated from the helper
 * @throws HiveAccessControlException propagated from the helper
 */
@Override
public void revokePrivileges(
    List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal,
    boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  final boolean isGrant = false;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
Example #11
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Grants privileges through {@code grantOrRevokePrivlegeOnRole}, with the final flag
 * {@code true} where the revoke path passes {@code false}.
 *
 * <p>{@code grantorPrincipal} is accepted for interface compatibility but is not forwarded.
 *
 * @param hivePrincipals principals receiving the privileges
 * @param hivePrivileges privileges to grant
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the grant (unused)
 * @param grantOption whether the grant includes the grant option
 * @throws HiveAuthzPluginException propagated from the helper
 * @throws HiveAccessControlException propagated from the helper
 */
@Override
public void grantPrivileges(
    List<HivePrincipal> hivePrincipals,
    List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject,
    HivePrincipal grantorPrincipal,
    boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  final boolean isGrant = true;
  grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, isGrant);
}
Example #12
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Check authorization for "SHOW DATABASES" command. A {@link HiveAccessControlException} is
 * thrown for illegal access.
 *
 * <p>No check is made when {@code authzEnabled} is false. The request carries no input or
 * output objects.
 *
 * @throws HiveAccessControlException if the check denies the command
 */
public void authorizeShowDatabases() throws HiveAccessControlException {
  if (authzEnabled) {
    authorize(
        HiveOperationType.SHOWDATABASES,
        Collections.<HivePrivilegeObject> emptyList(),
        Collections.<HivePrivilegeObject> emptyList(),
        "SHOW DATABASES");
  }
}
Example #13
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Appends a textual description of one privilege object to the given builder.
 *
 * <p>Values are appended as-is, without quoting or escaping.
 * NOTE(review): where this text reaches a log, confirm that object names or command
 * parameters containing quotes or line breaks cannot be mistaken for separate entries.
 *
 * @param privObj object to describe; its type and action type must be non-null
 * @param sb builder to append to
 * @return {@code sb}, for chaining
 */
private StringBuilder toString(HivePrivilegeObject privObj, StringBuilder sb) {
  sb.append("'HivePrivilegeObject':{")
    .append("'type':").append(privObj.getType().toString())
    .append(", 'dbName':").append(privObj.getDbname())
    .append(", 'objectType':").append(privObj.getType())
    .append(", 'objectName':").append(privObj.getObjectName())
    .append(", 'columns':[").append(StringUtil.toString(privObj.getColumns())).append("]")
    .append(", 'partKeys':[").append(StringUtil.toString(privObj.getPartKeys())).append("]")
    .append(", 'commandParams':[").append(StringUtil.toString(privObj.getCommandParams())).append("]")
    .append(", 'actionType':").append(privObj.getActionType().toString());
  //sb.append(", 'owner':").append(privObj.getOwnerName());
  return sb.append("}");
}
Example #14
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Appends the descriptions of all given privilege objects, separated by commas.
 *
 * @param privObjs objects to describe; {@code null} or empty appends nothing
 * @param sb builder to append to
 * @return {@code sb}, for chaining
 */
private StringBuilder toString(List<HivePrivilegeObject> privObjs, StringBuilder sb) {
  if (privObjs == null || privObjs.size() == 0) {
    return sb;
  }

  for (int idx = 0; idx < privObjs.size(); idx++) {
    // Separator goes between entries only, never before the first one.
    if (idx > 0) {
      sb.append(",");
    }
    toString(privObjs.get(idx), sb);
  }
  return sb;
}
Example #15
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds a textual description of a {@code checkPrivileges} request: operation type, input and
 * output objects, request context, and the current user with its groups.
 *
 * <p>NOTE(review): the text includes the full command string and client addresses; confirm
 * that wherever this string is written is an acceptable place for statement text.
 *
 * @param hiveOpType operation being authorized
 * @param inputHObjs input objects; may be {@code null}
 * @param outputHObjs output objects; may be {@code null}
 * @param context request context; {@code null} is rendered as "null"
 * @param sessionContext session context; {@code null} is rendered as "null"
 * @return the description
 */
private String toString(HiveOperationType hiveOpType,
                        List<HivePrivilegeObject> inputHObjs,
                        List<HivePrivilegeObject> outputHObjs,
                        HiveAuthzContext context,
                        HiveAuthzSessionContext sessionContext) {
  StringBuilder sb = new StringBuilder();

  sb.append("'checkPrivileges':{")
    .append("'hiveOpType':").append(hiveOpType);

  sb.append(", 'inputHObjs':[");
  toString(inputHObjs, sb);
  sb.append("]");

  sb.append(", 'outputHObjs':[");
  toString(outputHObjs, sb);
  sb.append("]");

  sb.append(", 'context':{")
    .append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType())
    .append(", 'commandString':").append(context == null ? "null" : context.getCommandString())
    .append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress())
    .append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "))
    .append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString())
    .append("}");

  sb.append(", 'user':").append(this.getCurrentUserGroupInfo().getUserName())
    .append(", 'groups':[").append(StringUtil.toString(this.getCurrentUserGroupInfo().getGroupNames())).append("]")
    .append("}");

  return sb.toString();
}
Example #16
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Check authorization for "SHOW TABLES" command in given Hive db. A
 * {@link HiveAccessControlException} is thrown for illegal access.
 *
 * <p>No check is made when {@code authzEnabled} is false. The database is passed as the single
 * input object; there are no output objects.
 *
 * @param dbName database whose tables are being listed
 * @throws HiveAccessControlException if the check denies the command
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject database =
        new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);

    authorize(
        HiveOperationType.SHOWTABLES,
        ImmutableList.of(database),
        Collections.<HivePrivilegeObject> emptyList(),
        "SHOW TABLES");
  }
}
Example #17
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Tells whether the operation creates or drops a temporary UDF.
 *
 * <p>The test is: the operation name contains "createfunction" or "dropfunction" and the
 * object has no database name. Per the original comment, such operations are authorized
 * against the global resource policy in Ranger.
 *
 * @param hiveOpTypeName operation type name; matched case-sensitively by substring
 * @param hiveObj object the operation targets
 * @return {@code true} for a create/drop function operation without a database name
 */
private boolean isTempUDFOperation(String hiveOpTypeName, HivePrivilegeObject hiveObj) {
  boolean isFunctionOp = hiveOpTypeName.contains("createfunction")
      || hiveOpTypeName.contains("dropfunction");

  // This happens for temp udf function and will use
  // global resource policy in ranger for auth
  return isFunctionOp && StringUtils.isEmpty(hiveObj.getDbname());
}
Example #18
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Converts a privilege object to its Thrift {@code HiveObjectRef} via
 * {@code AuthorizationUtils}, translating the checked {@code HiveException} into a
 * {@code HiveAuthzPluginException} that keeps the original as its cause.
 *
 * @param privObj object to convert
 * @return the Thrift object reference
 * @throws HiveAuthzPluginException if the conversion fails
 */
static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj) throws HiveAuthzPluginException {
  final HiveObjectRef objectRef;

  try {
    objectRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
  } catch (HiveException conversionFailure) {
    throw new HiveAuthzPluginException(conversionFailure);
  }
  return objectRef;
}
Example #19
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
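/**
 * Returns the privileges of a principal on a Hive object.
 *
 * <p>Only object-level requests are supported: when the Thrift reference derived from
 * {@code privObj} has no object name, the request is rejected.
 *
 * @param principal principal whose privileges are requested
 * @param privObj object the privileges apply to
 * @return the privileges found by {@code getHivePrivilegeInfos}
 * @throws HiveAuthzPluginException if the plugin is not initialised, the request is not for a
 *     Hive resource, or the lookup fails; lookup failures carry the original exception as cause
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
                                              HivePrivilegeObject privObj) throws HiveAuthzPluginException {
  List<HivePrivilegeInfo> ret;

  if (LOG.isDebugEnabled()) {
    LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==> principal: " + principal+ "HivePrivilegeObject : " + privObj.getObjectName());
  }

  if (hivePlugin == null) {
    // The exception used to be constructed and discarded (no 'throw'), so a missing plugin
    // was silently ignored and the lookup went ahead anyway.
    throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");
  }

  try {
    HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

    if (msObjRef.getObjectName() == null) {
      throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
    }

    ret = getHivePrivilegeInfos(principal, privObj);
  } catch (Exception e) {
    // Also catches the HiveAuthzPluginException thrown above and re-wraps it.
    LOG.error("RangerHiveAuthorizer.showPrivileges() error", e);
    throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " + e.getMessage(), e);
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("<== RangerHiveAuthorizer.showPrivileges() Result: " + ret);
  }

  return ret;
}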
Example #20
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Rejects a DFS command: records an audit event and then always throws.
 *
 * <p>The audited command text is taken from the first {@code COMMAND_PARAMS} input whose
 * parameters are non-empty. The audit call passes {@code false} as its third argument.
 *
 * @param hiveOpType operation type, used in the denial message
 * @param inputHObjs input objects of the request; may be {@code null}
 * @param user user issuing the command
 * @param auditHandler handler that receives the audit event
 * @throws HiveAuthzPluginException declared; not thrown directly here
 * @throws HiveAccessControlException always, after the audit event has been logged
 */
private void handleDfsCommand(HiveOperationType hiveOpType,
                              List<HivePrivilegeObject> inputHObjs,
                              String user,
                              RangerHiveAuditHandler auditHandler)
    throws HiveAuthzPluginException, HiveAccessControlException {
  String dfsCommandParams = null;

  if (inputHObjs != null) {
    for (HivePrivilegeObject candidate : inputHObjs) {
      if (candidate.getType() != HivePrivilegeObjectType.COMMAND_PARAMS) {
        continue;
      }

      dfsCommandParams = StringUtil.toString(candidate.getCommandParams());

      // Stop at the first entry that actually carries parameters.
      if (!StringUtil.isEmpty(dfsCommandParams)) {
        break;
      }
    }
  }

  // Defaults used when the plugin has not been initialised.
  int serviceType = -1;
  String serviceName = null;

  if (hivePlugin != null) {
    serviceType = hivePlugin.getServiceDefId();
    serviceName = hivePlugin.getServiceName();
  }

  auditHandler.logAuditEventForDfs(user, dfsCommandParams, false, serviceType, serviceName);

  String denial = String.format("Permission denied: user [%s] does not have privilege for [%s] command",
      user, hiveOpType.name());
  throw new HiveAccessControlException(denial);
}
Example #21
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Check authorization for "READ TABLE" for given db.table. A
 * {@link HiveAccessControlException} is thrown for illegal access.
 *
 * <p>No check is made when {@code authzEnabled} is false. The table is passed as the single
 * input object of a {@code QUERY} operation; there are no output objects.
 *
 * @param dbName database containing the table
 * @param tableName table to be read
 * @throws HiveAccessControlException if the check denies the read
 */
public void authorizeReadTable(final String dbName, final String tableName) throws HiveAccessControlException {
  if (authzEnabled) {
    final HivePrivilegeObject table =
        new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, dbName, tableName);

    authorize(
        HiveOperationType.QUERY,
        ImmutableList.of(table),
        Collections.<HivePrivilegeObject> emptyList(),
        "READ TABLE");
  }
}
Example #22
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Grant privileges for principals on the object.
 *
 * <p>Rejected outright unless {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set.
 * Otherwise a grant request is built and passed to {@code hivePlugin.grantAccess}. Any failure
 * while building or submitting the request is rethrown as {@code HiveAccessControlException},
 * and the audit handler is flushed in all cases.
 *
 * @param hivePrincipals principals receiving the privileges
 * @param hivePrivileges privileges to grant
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the grant
 * @param grantOption whether the grant includes the grant option
 * @throws HiveAuthzPluginException if GRANT/REVOKE handling is disabled
 * @throws HiveAccessControlException if the grant fails for any reason
 */
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
                            List<HivePrivilege> hivePrivileges,
                            HivePrivilegeObject hivePrivObject,
                            HivePrincipal grantorPrincipal,
                            boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
  }

  if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
    throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
  }

  RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

  try {
    // The target object is the only output of the operation.
    List<HivePrivilegeObject> outputs = new ArrayList<>();
    outputs.add(hivePrivObject);

    RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputs);
    GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

    LOG.info("grantPrivileges(): " + request);
    if (LOG.isDebugEnabled()) {
      LOG.debug("grantPrivileges(): " + request);
    }

    hivePlugin.grantAccess(request, auditHandler);
  } catch (Exception excp) {
    throw new HiveAccessControlException(excp);
  } finally {
    // Flush on success and on failure, so the attempt is audited either way.
    auditHandler.flushAudit();
  }
}
Example #23
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds the {@code HivePrivilegeInfo} for one principal, object and ACL name from a policy.
 *
 * <p>Every policy item is scanned; an item matches when it lists the lower-cased ACL name among
 * its access types and the principal's name among its users or groups. The last matching item
 * supplies the grant time (policy create time in seconds) and the delegate-admin flag. The
 * grantor is always {@code DEFAULT_RANGER_POLICY_GRANTOR}.
 *
 * <p>NOTE(review): the principal name is looked up in both the user and the group list without
 * regard to the principal's type; confirm that a user and a group sharing a name cannot be
 * confused here.
 *
 * @param hivePrincipal principal the info is built for
 * @param objectType type of the Hive object
 * @param dbName database name
 * @param objectName object name
 * @param columnName column name
 * @param partValues partition values
 * @param aclName access type name; lower-cased before comparison
 * @param policy policy to read items and create time from
 * @return the privilege info; a result is returned even when no policy item matched
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
                                                  HivePrivilegeObject.HivePrivilegeObjectType objectType,
                                                  String dbName,
                                                  String objectName,
                                                  String columnName,
                                                  List<String> partValues,
                                                  String aclName,
                                                  RangerPolicy policy) {
  int grantTime = 0;
  boolean grantable = false;

  for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) {
    List<RangerPolicy.RangerPolicyItemAccess> itemAccesses = item.getAccesses();
    List<String> itemUsers = item.getUsers();
    List<String> itemGroups = item.getGroups();

    List<String> grantedTypes = new ArrayList<>();
    for (RangerPolicy.RangerPolicyItemAccess access : itemAccesses) {
      grantedTypes.add(access.getType());
    }

    if (!grantedTypes.contains(aclName.toLowerCase())) {
      continue;
    }
    if (!itemUsers.contains(hivePrincipal.getName()) && !itemGroups.contains(hivePrincipal.getName())) {
      continue;
    }

    // Matching item: keep the previous values when the policy does not provide new ones.
    if (policy.getCreateTime() != null) {
      grantTime = (int) (policy.getCreateTime().getTime()/1000);
    }
    if (item.getDelegateAdmin() != null) {
      grantable = item.getDelegateAdmin().booleanValue();
    }
  }

  HivePrincipal grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
  HivePrivilegeObject privilegeObject = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
  HivePrivilege privilege = new HivePrivilege(aclName, null);

  return new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, grantable, grantTime);
}
Example #24
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Converts a Hive privilege object into a Ranger resource.
 *
 * <p>{@code DATABASE}, {@code TABLE_OR_VIEW} and single-column {@code COLUMN} objects are
 * converted. A {@code COLUMN} object with zero or several columns, or any other object type, is
 * logged at WARN level and produces {@code null}, so callers must handle a null result.
 *
 * @param privilegeObject Hive object to convert
 * @return the converted resource with its service definition set, or {@code null}
 */
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
  HivePrivilegeObjectType objectType = privilegeObject.getType();
  String objectName = privilegeObject.getObjectName();
  String dbName = privilegeObject.getDbname();

  RangerHiveResource resource = null;

  switch (objectType) {
    case DATABASE:
      resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName);
      break;

    case TABLE_OR_VIEW:
      resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
      //resource.setOwnerUser(privilegeObject.getOwnerName());
      break;

    case COLUMN:
      List<String> columns = privilegeObject.getColumns();
      int numOfColumns = columns == null ? 0 : columns.size();

      if (numOfColumns != 1) {
        LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + numOfColumns + ", objectType:" + objectType);
        break;
      }
      resource = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
      //resource.setOwnerUser(privilegeObject.getOwnerName());
      break;

    default:
      LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objectType);
  }

  if (resource == null) {
    return null;
  }

  // The service definition is left null when the plugin has not been initialised.
  resource.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
  return resource;
}
Example #25
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Revoke privileges for principals on the object.
 *
 * <p>Rejected outright unless {@code RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke} is set.
 * Otherwise a revoke request is built and passed to {@code hivePlugin.revokeAccess}. Any
 * failure while building or submitting the request is rethrown as
 * {@code HiveAccessControlException}, and the audit handler is flushed in all cases.
 *
 * @param hivePrincipals principals losing the privileges
 * @param hivePrivileges privileges to revoke
 * @param hivePrivObject object the privileges apply to
 * @param grantorPrincipal principal issuing the revoke
 * @param grantOption grant-option flag from the statement
 * @throws HiveAuthzPluginException if GRANT/REVOKE handling is disabled
 * @throws HiveAccessControlException if the revoke fails for any reason
 */
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
                             List<HivePrivilege> hivePrivileges,
                             HivePrivilegeObject hivePrivObject,
                             HivePrincipal grantorPrincipal,
                             boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  if (!RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
    throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
  }

  RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

  try {
    // The target object is the only output of the operation.
    List<HivePrivilegeObject> outputs = new ArrayList<>();
    outputs.add(hivePrivObject);

    RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputs);
    GrantRevokeRequest request = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

    LOG.info("revokePrivileges(): " + request);
    if (LOG.isDebugEnabled()) {
      LOG.debug("revokePrivileges(): " + request);
    }

    hivePlugin.revokeAccess(request, auditHandler);
  } catch (Exception excp) {
    throw new HiveAccessControlException(excp);
  } finally {
    // Flush on success and on failure, so the attempt is audited either way.
    auditHandler.flushAudit();
  }
}
Example #26
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds the Ranger resource for a Hive object in the context of an operation.
 *
 * <p>The object type comes from {@code getObjectType(hiveObj, hiveOpType)} and decides which
 * names go into the resource: database only; database and object; database, object and the
 * columns joined with {@code COLUMN_SEP}; or the object name alone. {@code NONE} produces
 * {@code null}, so callers must handle a null result.
 *
 * @param hiveOpType operation being authorized
 * @param hiveObj Hive object to convert
 * @param inputs input objects of the operation; only their count is logged
 * @param outputs output objects of the operation; only their count is logged
 * @return the resource with its service definition set, or {@code null}
 */
private RangerHiveResource getHiveResource(HiveOperationType hiveOpType,
                                           HivePrivilegeObject hiveObj,
                                           List<HivePrivilegeObject> inputs,
                                           List<HivePrivilegeObject> outputs) {
  HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);
  RangerHiveResource ret = null;

  // Owner user is not set on any resource: the setOwnerUser calls are commented out upstream.
  switch (objectType) {
    case DATABASE:
      ret = new RangerHiveResource(objectType, hiveObj.getDbname());
      break;

    case TABLE:
    case VIEW:
    case FUNCTION:
      ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());

      // To suppress PMD violations
      if (LOG.isDebugEnabled()) {
        LOG.debug("Size of inputs = [" + (CollectionUtils.isNotEmpty(inputs) ? inputs.size() : 0) +
            ", Size of outputs = [" + (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]");
      }
      break;

    case PARTITION:
    case INDEX:
      ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());
      break;

    case COLUMN:
      ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName(), StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
      break;

    case URI:
    case SERVICE_NAME:
    case GLOBAL:
      // These types are identified by the object name alone.
      ret = new RangerHiveResource(objectType, hiveObj.getObjectName());
      break;

    case NONE:
      break;
  }

  if (ret == null) {
    return null;
  }

  // The service definition is left null when the plugin has not been initialised.
  ret.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
  return ret;
}
Example #27
Source File: SentryAuthorizerUtil.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Convert HivePrivilegeObject to DBModelAuthorizable list. Now hive 0.13 don't support column
 * level.
 *
 * <p>Result by object type:
 * <ul>
 *   <li>{@code GLOBAL}: one hierarchy holding a server named after the object.</li>
 *   <li>{@code DATABASE}: server, database.</li>
 *   <li>{@code TABLE_OR_VIEW}: server, database, table; with columns present, one hierarchy per
 *       column with the column appended.</li>
 *   <li>{@code LOCAL_URI} / {@code DFS_URI}: server and the parsed URI; nothing when the object
 *       name is {@code null}.</li>
 *   <li>any other type, or a {@code null} type: empty result.</li>
 * </ul>
 *
 * @param server server placed at the root of non-global hierarchies
 * @param privilege Hive object to convert
 * @return the hierarchies for the object; possibly empty
 */
public static List<List<DBModelAuthorizable>> getAuthzHierarchy(Server server,
    HivePrivilegeObject privilege) {
  List<DBModelAuthorizable> baseHierarchy = new ArrayList<DBModelAuthorizable>();
  List<List<DBModelAuthorizable>> objectHierarchy = new ArrayList<List<DBModelAuthorizable>>();

  if (privilege.getType() == null) {
    return objectHierarchy;
  }

  boolean isLocal = false;
  switch (privilege.getType()) {
    case GLOBAL:
      baseHierarchy.add(new Server(privilege.getObjectName()));
      objectHierarchy.add(baseHierarchy);
      break;

    case DATABASE:
      baseHierarchy.add(server);
      baseHierarchy.add(new Database(privilege.getDbname()));
      objectHierarchy.add(baseHierarchy);
      break;

    case TABLE_OR_VIEW:
      baseHierarchy.add(server);
      baseHierarchy.add(new Database(privilege.getDbname()));
      baseHierarchy.add(new Table(privilege.getObjectName()));
      if (privilege.getColumns() == null) {
        objectHierarchy.add(baseHierarchy);
      } else {
        // One hierarchy per column, each a copy of the table-level path plus the column.
        for (String columnName : privilege.getColumns()) {
          List<DBModelAuthorizable> columnHierarchy =
              new ArrayList<DBModelAuthorizable>(baseHierarchy);
          columnHierarchy.add(new Column(columnName));
          objectHierarchy.add(columnHierarchy);
        }
      }
      break;

    case LOCAL_URI:
      isLocal = true;
      // Intentional fall-through: local and DFS URIs share the handling below.
    case DFS_URI:
      if (privilege.getObjectName() == null) {
        break;
      }
      try {
        baseHierarchy.add(server);
        baseHierarchy.add(parseURI(privilege.getObjectName(), isLocal));
        objectHierarchy.add(baseHierarchy);
      } catch (Exception e) {
        throw new AuthorizationException("Failed to get File URI", e);
      }
      break;

    case FUNCTION:
    case PARTITION:
    case COLUMN:
    case COMMAND_PARAMS:
      // not support these type
      break;

    default:
      break;
  }
  return objectHierarchy;
}
Example #28
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Filters the result of a list command by delegating to the configured validator.
 *
 * @param listObjs objects produced by the list command
 * @param context authorization context of the request
 * @return whatever the validator returns for the list
 * @throws HiveAuthzPluginException declared by the overridden method
 * @throws HiveAccessControlException declared by the overridden method
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(
    List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilegeObject> visibleObjs = authValidator.filterListCmdObjects(listObjs, context);
  return visibleObjs;
}
Example #29
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Returns the privileges of a principal on an object by delegating to the configured access
 * controller.
 *
 * @param principal principal whose privileges are requested
 * @param privObj object the privileges apply to
 * @return whatever the access controller returns
 * @throws HiveAuthzPluginException propagated from the access controller
 * @throws HiveAccessControlException propagated from the access controller
 */
@Override
public List<HivePrivilegeInfo> showPrivileges(
    HivePrincipal principal,
    HivePrivilegeObject privObj)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilegeInfo> privileges = accessController.showPrivileges(principal, privObj);
  return privileges;
}
Example #30
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Checks whether the operation is allowed on the given inputs and outputs by delegating to the
 * configured validator. All arguments are passed through unchanged.
 *
 * @param hiveOpType operation being authorized
 * @param inputHObjs objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context authorization context of the request
 * @throws HiveAuthzPluginException propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public void checkPrivileges(
    HiveOperationType hiveOpType,
    List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs,
    HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
}