Java Code Examples for org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject#getObjectName()

The following examples show how to use org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject#getObjectName().
Example 1
Source File: RangerHiveAuthorizer.java — from ranger (Apache License 2.0)
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
	/*
	 * Builds the Ranger resource that corresponds to a Hive privilege object.
	 *
	 * Only DATABASE, TABLE_OR_VIEW and single-column COLUMN objects map to a
	 * resource. Any other type, and a COLUMN object whose column list does not
	 * hold exactly one entry, is logged at WARN and yields null, so callers must
	 * treat a null return as "no resource could be derived" and not as an
	 * authorized object.
	 *
	 * Note: the switch dereferences privilegeObject.getType(); a null type is
	 * not special-cased here and would surface as a NullPointerException.
	 */
	final HivePrivilegeObjectType type = privilegeObject.getType();
	final String objectName = privilegeObject.getObjectName();
	final String dbName = privilegeObject.getDbname();

	RangerHiveResource result = null;

	switch (type) {
		case DATABASE:
			result = new RangerHiveResource(HiveObjectType.DATABASE, dbName);
			break;

		case TABLE_OR_VIEW:
			result = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
			break;

		case COLUMN: {
			List<String> columns = privilegeObject.getColumns();
			int columnCount = (columns == null) ? 0 : columns.size();

			// A column-level resource describes exactly one column; anything else
			// cannot be represented and is reported rather than guessed at.
			if (columnCount != 1) {
				LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + columnCount + ", objectType:" + type);
			} else {
				result = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
			}
			break;
		}

		default:
			LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + type);
			break;
	}

	if (result == null) {
		return null;
	}

	// Attach the service definition so policy evaluation knows which service
	// model the resource belongs to; hivePlugin may not be initialised yet.
	result.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());

	return result;
}
 
Example 2
Source File: RangerHiveAuthorizer.java — from ranger (Apache License 2.0)
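@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
	/*
	 * Applies Ranger row-filter and column-masking policies to the given Hive objects.
	 *
	 * For each TABLE_OR_VIEW object (an object with a null type is treated as a
	 * table/view) the row-filter expression for its database/table is looked up and,
	 * when non-blank, stored on the object. Each requested column is then passed to
	 * addCellValueTransformerAndCheckIfTransformed together with columnTransformers,
	 * and that list is stored on the object as its cell value transformers.
	 * Objects of any other type are left untouched.
	 *
	 * @param queryContext context of the query being authorized
	 * @param hiveObjs     objects to evaluate; may be null or empty
	 * @return the subset of hiveObjs that received a row filter or at least one
	 *         transformed column (those objects are mutated in place); never null
	 * @throws SemanticException declared by the HiveAuthorizer contract
	 */
	List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

	// hiveObjs is treated as optional below (CollectionUtils.isNotEmpty), so the
	// entry/exit log lines must not dereference it directly.
	int objCount = hiveObjs == null ? 0 : hiveObjs.size();

	if(LOG.isDebugEnabled()) {
		LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
	}

	RangerPerfTracer perf = null;

	if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
		perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
	}

	if(CollectionUtils.isNotEmpty(hiveObjs)) {
		for (HivePrivilegeObject hiveObj : hiveObjs) {
			HivePrivilegeObjectType hiveObjType = hiveObj.getType();

			// A null type is mapped to TABLE_OR_VIEW so such objects still go through
			// filtering/masking instead of being skipped.
			if(hiveObjType == null) {
				hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
			}

			if(LOG.isDebugEnabled()) {
				LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
			}

			boolean needToTransform = false;

			if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
				String database = hiveObj.getDbname();
				String table    = hiveObj.getObjectName();

				String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

				if (StringUtils.isNotBlank(rowFilterExpr)) {
					if(LOG.isDebugEnabled()) {
						LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
					}

					hiveObj.setRowFilterExpression(rowFilterExpr);
					needToTransform = true;
				}

				if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
					List<String> columnTransformers = new ArrayList<String>();

					// Every column is visited even once needToTransform is already true:
					// the helper receives columnTransformers for each column, so the loop
					// must not short-circuit.
					for (String column : hiveObj.getColumns()) {
						boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

						if(LOG.isDebugEnabled()) {
							LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
						}

						needToTransform = needToTransform || isColumnTransformed;
					}

					hiveObj.setCellValueTransformers(columnTransformers);
				}
			}

			if (needToTransform) {
				ret.add(hiveObj);
			}
		}
	}

	RangerPerfTracer.log(perf);

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
	}

	return ret;
}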
 
Example 3
Source File: RangerHiveAuthorizer.java — from ranger (Apache License 2.0)
private RangerHiveResource getHiveResource(HiveOperationType   hiveOpType,
										   HivePrivilegeObject hiveObj,
										   List<HivePrivilegeObject> inputs,
										   List<HivePrivilegeObject> outputs) {
	/*
	 * Maps a Hive privilege object to the Ranger resource that will be authorized.
	 *
	 * The resource type comes from getObjectType(hiveObj, hiveOpType) and decides
	 * how many resource levels are populated:
	 *   DATABASE                                -> database
	 *   TABLE, VIEW, FUNCTION, PARTITION, INDEX -> database + object name
	 *   COLUMN                                  -> database + object name + the
	 *                                              requested columns joined with COLUMN_SEP
	 *   URI, SERVICE_NAME, GLOBAL               -> object name only
	 * NONE, and any type not listed above, yields null. inputs and outputs only
	 * feed a debug log line; they do not influence the resource.
	 *
	 * @return the resource with the plugin's service definition attached, or null
	 */
	final HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);
	final String dbName  = hiveObj.getDbname();
	final String objName = hiveObj.getObjectName();

	RangerHiveResource resource = null;

	switch (objectType) {
		case DATABASE:
			resource = new RangerHiveResource(objectType, dbName);
			break;

		case TABLE:
		case VIEW:
		case FUNCTION:
			resource = new RangerHiveResource(objectType, dbName, objName);

			// Keeps inputs/outputs referenced (the original noted this was to
			// suppress PMD); the counts are informational only.
			if (LOG.isDebugEnabled()) {
				int inputCount  = CollectionUtils.isNotEmpty(inputs)  ? inputs.size()  : 0;
				int outputCount = CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0;

				LOG.debug("Size of inputs = [" + inputCount + ", Size of outputs = [" + outputCount + "]");
			}
			break;

		case PARTITION:
		case INDEX:
			resource = new RangerHiveResource(objectType, dbName, objName);
			break;

		case COLUMN:
			resource = new RangerHiveResource(objectType, dbName, objName, StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
			break;

		case URI:
		case SERVICE_NAME:
		case GLOBAL:
			resource = new RangerHiveResource(objectType, objName);
			break;

		case NONE:
		default:
			// Nothing to authorize against; caller receives null.
			break;
	}

	if (resource == null) {
		return null;
	}

	resource.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());

	return resource;
}
 
Example 4
Source File: DefaultSentryValidator.java — from incubator-sentry (Apache License 2.0)
private List<HivePrivilegeObject> filterShowTables(List<HivePrivilegeObject> listObjs,
    String userName, HiveAuthzBinding hiveAuthzBinding) {
  /*
   * Keeps only the tables in listObjs that userName is allowed to see in SHOW TABLES.
   *
   * Each object is checked as an INFO-scoped TABLE operation requiring SELECT or
   * INSERT on the input hierarchy server / database / table / Column.ALL. The check
   * is fail-closed: an AuthorizationException means "deny" and the object is dropped;
   * any other exception thrown by authorize() propagates to the caller.
   *
   * @return the visible subset of listObjs, in the original order; never null
   */
  Subject subject = new Subject(userName);

  // Built once; the same privilege requirement applies to every table.
  HiveAuthzPrivileges showTablesPrivilege =
      new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
          .addInputObjectPriviledge(AuthorizableType.Column,
              EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
          .setOperationScope(HiveOperationScope.TABLE)
          .setOperationType(
              org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
          .build();

  List<HivePrivilegeObject> visible = new ArrayList<HivePrivilegeObject>();

  for (HivePrivilegeObject obj : listObjs) {
    Table table = new Table(obj.getObjectName());
    Database database = new Database(obj.getDbname());

    List<DBModelAuthorizable> hierarchy = new ArrayList<DBModelAuthorizable>();
    hierarchy.add(hiveAuthzBinding.getAuthServer());
    hierarchy.add(database);
    hierarchy.add(table);
    hierarchy.add(Column.ALL);

    List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
    inputHierarchy.add(hierarchy);

    // SHOW TABLES writes nothing, so there is no output hierarchy to check.
    List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();

    try {
      hiveAuthzBinding.authorize(HiveOperation.SHOWTABLES, showTablesPrivilege, subject,
          inputHierarchy, outputHierarchy);
      visible.add(obj);
    } catch (AuthorizationException denied) {
      // Expected for tables the user may not see: a denial simply omits the
      // table from the result.
    }
  }
  return visible;
}
 
Example 5
Source File: DefaultSentryValidator.java — from incubator-sentry (Apache License 2.0)
private List<HivePrivilegeObject> filterShowDatabases(List<HivePrivilegeObject> listObjs,
    String userName, HiveAuthzBinding hiveAuthzBinding) {
  /*
   * Keeps only the databases in listObjs that userName is allowed to see in
   * SHOW DATABASES.
   *
   * A database is visible when the user holds any of SELECT, INSERT, ALTER, CREATE,
   * DROP, INDEX or LOCK somewhere under server / database / Table.ALL / Column.ALL
   * (a CONNECT-scoped QUERY check). The default database is exempt from the check
   * while AUTHZ_RESTRICT_DEFAULT_DB is "false", which is also the fallback value
   * when the property is unset. The check is fail-closed: an AuthorizationException
   * means "deny" and the database is dropped; any other exception propagates.
   *
   * @return the visible subset of listObjs, in the original order; never null
   */
  Subject subject = new Subject(userName);

  // Built once; the same privilege requirement applies to every database.
  HiveAuthzPrivileges anyDbPrivilege =
      new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
          .addInputObjectPriviledge(
              AuthorizableType.Column,
              EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT, DBModelAction.ALTER,
                  DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.INDEX,
                  DBModelAction.LOCK))
          .setOperationScope(HiveOperationScope.CONNECT)
          .setOperationType(
              org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.QUERY)
          .build();

  List<HivePrivilegeObject> visible = new ArrayList<HivePrivilegeObject>();

  for (HivePrivilegeObject obj : listObjs) {
    String dbName = obj.getObjectName();

    // The configuration lookup only happens for the default database (short-circuit).
    boolean isUnrestrictedDefaultDb = DEFAULT_DATABASE_NAME.equalsIgnoreCase(dbName)
        && "false".equalsIgnoreCase(hiveAuthzBinding.getAuthzConf().get(
            HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"));

    if (isUnrestrictedDefaultDb) {
      visible.add(obj);
      continue;
    }

    List<DBModelAuthorizable> hierarchy = new ArrayList<DBModelAuthorizable>();
    hierarchy.add(hiveAuthzBinding.getAuthServer());
    hierarchy.add(new Database(dbName));
    hierarchy.add(Table.ALL);
    hierarchy.add(Column.ALL);

    List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
    inputHierarchy.add(hierarchy);

    // SHOW DATABASES writes nothing, so there is no output hierarchy to check.
    List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();

    try {
      hiveAuthzBinding.authorize(HiveOperation.SHOWDATABASES, anyDbPrivilege, subject,
          inputHierarchy, outputHierarchy);
      visible.add(obj);
    } catch (AuthorizationException denied) {
      // Expected for databases the user may not see: a denial simply omits the
      // database from the result.
    }
  }
  return visible;
}
 
Example 6
Source File: SentryAuthorizerUtil.java — from incubator-sentry (Apache License 2.0)
/**
 * Builds the Sentry authorizable hierarchies that must be checked for a Hive
 * privilege object.
 *
 * <p>Mapping by {@code privilege.getType()}:
 * <ul>
 *   <li>GLOBAL: one hierarchy holding a Server named after the object.</li>
 *   <li>DATABASE: server / database.</li>
 *   <li>TABLE_OR_VIEW: server / database / table; when the object carries a
 *       column list, one hierarchy per column is produced instead.</li>
 *   <li>LOCAL_URI, DFS_URI: server / parsed URI; an object whose name is null
 *       contributes nothing.</li>
 *   <li>FUNCTION, PARTITION, COLUMN, COMMAND_PARAMS, a null type, or any other
 *       type: not supported, nothing is added.</li>
 * </ul>
 *
 * <p>Because an empty result gives the caller nothing to authorize, the
 * unsupported and null-name cases above deserve attention from whoever relies
 * on this method for access decisions.
 *
 * @param server the Sentry server authorizable that roots each hierarchy
 * @param privilege the Hive privilege object to translate
 * @return the hierarchies to authorize; empty (never null) when nothing applies
 * @throws AuthorizationException if a URI object name cannot be parsed
 */
public static List<List<DBModelAuthorizable>> getAuthzHierarchy(Server server,
    HivePrivilegeObject privilege) {
  List<List<DBModelAuthorizable>> hierarchies = new ArrayList<List<DBModelAuthorizable>>();

  if (privilege.getType() == null) {
    return hierarchies;
  }

  List<DBModelAuthorizable> base = new ArrayList<DBModelAuthorizable>();
  boolean isLocal = false;

  switch (privilege.getType()) {
    case GLOBAL:
      base.add(new Server(privilege.getObjectName()));
      hierarchies.add(base);
      break;

    case DATABASE:
      base.add(server);
      base.add(new Database(privilege.getDbname()));
      hierarchies.add(base);
      break;

    case TABLE_OR_VIEW: {
      base.add(server);
      base.add(new Database(privilege.getDbname()));
      base.add(new Table(privilege.getObjectName()));

      List<String> columns = privilege.getColumns();
      if (columns == null) {
        hierarchies.add(base);
      } else {
        // One hierarchy per column: a copy of the table hierarchy plus that column.
        for (String columnName : columns) {
          List<DBModelAuthorizable> withColumn = new ArrayList<DBModelAuthorizable>(base);
          withColumn.add(new Column(columnName));
          hierarchies.add(withColumn);
        }
      }
      break;
    }

    case LOCAL_URI:
      isLocal = true;
      // falls through: LOCAL_URI and DFS_URI differ only in how the name is parsed
    case DFS_URI:
      if (privilege.getObjectName() == null) {
        break;
      }
      try {
        base.add(server);
        base.add(parseURI(privilege.getObjectName(), isLocal));
        hierarchies.add(base);
      } catch (Exception e) {
        // Surface parse problems as an authorization failure rather than an
        // unchecked error from deep inside the binding.
        throw new AuthorizationException("Failed to get File URI", e);
      }
      break;

    case FUNCTION:
    case PARTITION:
    case COLUMN:
    case COMMAND_PARAMS:
    default:
      // Not supported by this binding; nothing is added.
      break;
  }

  return hierarchies;
}