org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext Java Examples
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext.
Example #1
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Builds a global-scope ({@code *}) Ranger access request for a role-management
 * operation (the kind of request used for GRANT/REVOKE ROLE style commands).
 *
 * <p>The request's command string is synthesised by {@code getCommandString} from the
 * operation type and the rendered user and role lists; it is the only thing carried in
 * the {@link HiveAuthzContext}. The caller-supplied {@code userOrGrantor} becomes the
 * request user (no groups or roles are attached), and both the client and the remote
 * IP fields are filled from {@code getRemoteIp()}.
 *
 * @param userOrGrantor     user the request is evaluated for (the grantor for grants)
 * @param roleUsers         principals the role operation applies to; rendered into the command string
 * @param hiveOperationType Hive operation being authorised; also recorded as the request action
 * @param accessType        Ranger access type the operation maps to
 * @param roleNames         roles the operation applies to; rendered into the command string
 * @return a populated request; never {@code null}
 */
private RangerHiveAccessRequest createRangerHiveAccessRequest(String userOrGrantor,
                                                              List<String> roleUsers,
                                                              HiveOperationType hiveOperationType,
                                                              HiveAccessType accessType,
                                                              List<String> roleNames) {
    // Render roles first, then users, exactly as the command-string helper expects them.
    String renderedRoles = createRoleString(roleNames);
    String renderedUsers = createUserString(roleUsers);
    String command = getCommandString(hiveOperationType, renderedUsers, renderedRoles);

    // Never carry a null command string; an empty one is the neutral value.
    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(command == null ? StringUtils.EMPTY : command);
    HiveAuthzContext authzContext = contextBuilder.build();

    // Role operations are not bound to a database or table, so they are checked at global scope.
    RangerHiveResource globalResource = new RangerHiveResource(HiveObjectType.GLOBAL, "*");

    RangerHiveAccessRequest request = new RangerHiveAccessRequest(globalResource, userOrGrantor,
            null, null, hiveOperationType, accessType, authzContext, null);
    request.setClusterName(hivePlugin.getClusterName());
    request.setAction(hiveOperationType.name());
    // Both IP fields are populated from the same source for role operations.
    request.setClientIPAddress(getRemoteIp());
    request.setRemoteIPAddress(getRemoteIp());
    return request;
}
Example #2
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Derives the database (and optionally table) name from the raw command string carried
 * in the authz context and stores them in {@code databaseName} / {@code tableName}.
 *
 * <p>The command is trimmed and split on whitespace, and the third token is taken as
 * the object name: a dotted token is split into database and table by
 * {@code splitDBName}; otherwise the token is the database and the table is cleared.
 * Nothing is changed when the context or its command string is null, or when the
 * command has fewer than three tokens.
 *
 * <p>NOTE(review): this is a lexical parse of the statement text, not of Hive's parsed
 * AST, so it presumably does not handle quoted/backticked identifiers or comments
 * between keywords. If the extracted names feed an authorization decision, confirm
 * which statement shapes reach this path.
 *
 * @param context authz context whose command string is inspected; may be null
 */
private void fetchHiveObj(HiveAuthzContext context) {
    if (context == null) {
        return;
    }
    String command = context.getCommandString();
    if (command == null) {
        return;
    }

    String[] tokens = command.trim().split("\\s+");
    // Need at least "<verb> <noun> <object>" before an object name can be read.
    if (ArrayUtils.isEmpty(tokens) || tokens.length <= 2) {
        return;
    }

    String objectName = tokens[2];
    if (objectName.contains(".")) {
        String[] parts = splitDBName(objectName);
        databaseName = parts[0];
        tableName = parts[1];
    } else {
        databaseName = objectName;
        tableName = null;
    }
}
Example #3
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates a Ranger access request for a Hive operation on {@code resource}.
 *
 * <p>Resource, user, groups, roles, action name and access type are always set and the
 * access time is stamped with {@code new Date()}. When {@code context} is non-null its
 * command string, forwarded addresses and client IP are copied onto the request; when
 * {@code sessionContext} is non-null its client type (as a string) and session string
 * are copied.
 *
 * <p>NOTE(review): the forwarded-address list and IP are taken as-is from the Hive
 * authz context, i.e. ultimately from the client/proxy chain; policies conditioned on
 * them should treat the values as client-asserted unless the proxy is trusted.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user (short name)
 * @param userGroups     groups of the user; may be null
 * @param userRoles      roles of the user; may be null
 * @param hiveOpTypeName Hive operation name, recorded as the request action
 * @param accessType     Ranger access type requested
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> userGroups,
                               Set<String> userRoles, String hiveOpTypeName, HiveAccessType accessType,
                               HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
    setResource(resource);
    setUser(user);
    setUserGroups(userGroups);
    setUserRoles(userRoles);
    setAccessTime(new Date());
    setAction(hiveOpTypeName);
    setHiveAccessType(accessType);

    if (context != null) {
        setRequestData(context.getCommandString());
        setForwardedAddresses(context.getForwardedAddresses());
        setRemoteIPAddress(context.getIpAddress());
    }

    if (sessionContext != null) {
        Object clientType = sessionContext.getClientType();
        setClientType(clientType == null ? null : clientType.toString());
        setSessionId(sessionContext.getSessionString());
    }
}
Example #4
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Convenience constructor taking the Hive operation as an enum.
 *
 * <p>Delegates to the string-action constructor with {@code hiveOpType.name()} as the
 * action; all other arguments are passed through unchanged.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user (short name)
 * @param userGroups     groups of the user; may be null
 * @param userRoles      roles of the user; may be null
 * @param hiveOpType     Hive operation; must not be null (its name becomes the action)
 * @param accessType     Ranger access type requested
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource,
                               String user,
                               Set<String> userGroups,
                               Set<String> userRoles,
                               HiveOperationType hiveOpType,
                               HiveAccessType accessType,
                               HiveAuthzContext context,
                               HiveAuthzSessionContext sessionContext) {
    this(resource, user, userGroups, userRoles,
         hiveOpType.name(), accessType, context, sessionContext);
}
Example #5
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Evaluates Ranger row-filter policies for {@code databaseName.tableOrViewName} on
 * behalf of the current user and returns the filter expression to apply, or
 * {@code null} when no row filter is in effect.
 *
 * <p>The request is a SELECT on a TABLE-typed resource using the current UGI's short
 * name and groups plus the current roles. Evaluation is audited through a
 * {@link RangerHiveAuditHandler} that is flushed in {@code finally}, so audit events
 * are emitted even if evaluation throws. Missing user information fails closed with a
 * {@link SemanticException} rather than yielding an unfiltered result.
 *
 * @param context         Hive authz context of the query (command string, client IP)
 * @param databaseName    database of the table or view
 * @param tableOrViewName table or view the filter applies to
 * @return the row-filter expression, or {@code null} if none is enabled
 * @throws SemanticException if the current user cannot be determined
 */
private String getRowFilterExpression(HiveAuthzContext context, String databaseName,
                                      String tableOrViewName) throws SemanticException {
    UserGroupInformation currentUser = getCurrentUserGroupInfo();
    if (currentUser == null) {
        throw new SemanticException("user information not available");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
    }

    String filterExpr = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    try {
        HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        String user = currentUser.getShortUserName();
        Set<String> groups = Sets.newHashSet(currentUser.getGroupNames());
        Set<String> roles = getCurrentRoles();

        HiveObjectType objectType = HiveObjectType.TABLE;
        RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles,
                objectType.name(), HiveAccessType.SELECT, context, sessionContext);

        RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
        if (isRowFilterEnabled(result)) {
            filterExpr = result.getFilterExpr();
        }
    } finally {
        // Flush regardless of outcome so the access attempt is always audited.
        auditHandler.flushAudit();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + filterExpr);
    }
    return filterExpr;
}
Example #6
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Renders a {@code checkPrivileges} call as a single-line, JSON-like string for
 * logging: the operation type, the input and output objects, the authz/session context
 * (client type, command string, client IP, forwarded addresses, session string) and the
 * current user's name and groups.
 *
 * <p>NOTE(review): the full command string (statement text) is included verbatim, so
 * the output may contain literal values from the query; keep this at debug level and
 * out of logs shipped to lower-trust sinks.
 *
 * @param hiveOpType     Hive operation being checked
 * @param inputHObjs     objects read by the operation
 * @param outputHObjs    objects written by the operation
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 * @return the formatted description
 */
private String toString(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
                        List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context,
                        HiveAuthzSessionContext sessionContext) {
    boolean haveContext = context != null;
    boolean haveSession = sessionContext != null;

    StringBuilder out = new StringBuilder();
    out.append("'checkPrivileges':{");
    out.append("'hiveOpType':").append(hiveOpType);

    out.append(", 'inputHObjs':[");
    toString(inputHObjs, out);
    out.append("]");

    out.append(", 'outputHObjs':[");
    toString(outputHObjs, out);
    out.append("]");

    out.append(", 'context':{");
    out.append("'clientType':").append(haveSession ? sessionContext.getClientType() : null);
    out.append(", 'commandString':").append(haveContext ? context.getCommandString() : "null");
    out.append(", 'ipAddress':").append(haveContext ? context.getIpAddress() : "null");
    out.append(", 'forwardedAddresses':")
       .append(haveContext ? StringUtils.join(context.getForwardedAddresses(), ", ") : "null");
    out.append(", 'sessionString':").append(haveSession ? sessionContext.getSessionString() : "null");
    out.append("}");

    UserGroupInformation currentUser = this.getCurrentUserGroupInfo();
    out.append(", 'user':").append(currentUser.getUserName());
    out.append(", 'groups':[").append(StringUtil.toString(currentUser.getGroupNames())).append("]");
    out.append("}");
    return out.toString();
}
Example #7
Source File: DefaultSentryValidator.java From incubator-sentry with Apache License 2.0 | 5 votes |
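/**
 * Filters the objects returned by a SHOW DATABASES / SHOW TABLES style command down to
 * those the current user holds some privilege on.
 *
 * <p>The privilege-object type of the first element selects the filter: DATABASE lists
 * go through {@code filterShowDatabases}, TABLE_OR_VIEW lists through
 * {@code filterShowTables}; lists of any other type, and null or empty lists, are
 * returned unchanged. The {@link HiveAuthzBinding} obtained for the check is always
 * closed.
 *
 * <p>Fails closed: if the binding cannot be obtained or filtering throws, the failure
 * is logged at error level and an empty list is returned. (Previously the exception
 * was logged at debug level and the <em>unfiltered</em> input list was returned, which
 * disclosed every object name to the caller whenever the authorization backend failed.)
 *
 * @param listObjs objects produced by the list command; may be null
 * @param context  Hive authz context of the command; not consulted here
 * @return the filtered list, the original list when no filter applies, or an empty
 *         list when filtering fails
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
                                                      HiveAuthzContext context) {
    if (listObjs == null || listObjs.isEmpty()) {
        return listObjs;
    }

    // The list is assumed homogeneous: the first element's type decides the filter.
    HivePrivilegeObjectType pType = listObjs.get(0).getType();
    HiveAuthzBinding hiveAuthzBinding = null;
    try {
        switch (pType) {
            case DATABASE:
                hiveAuthzBinding = getAuthzBinding();
                return filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
            case TABLE_OR_VIEW:
                hiveAuthzBinding = getAuthzBinding();
                return filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
            default:
                return listObjs;
        }
    } catch (Exception e) {
        // Fail closed: an authorization error must not leak the unfiltered listing.
        LOG.error("Failed to filter list command objects of type " + pType + "; returning no objects", e);
        return java.util.Collections.emptyList();
    } finally {
        if (hiveAuthzBinding != null) {
            hiveAuthzBinding.close();
        }
    }
}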
Example #8
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Convenience constructor for metadata operations.
 *
 * <p>Delegates to the string-action constructor with the fixed action
 * {@code "METADATA OPERATION"} and access type {@link HiveAccessType#USE}.
 *
 * @param resource       Hive resource being accessed
 * @param user           requesting user (short name)
 * @param groups         groups of the user; may be null
 * @param roles          roles of the user; may be null
 * @param context        Hive authz context; may be null
 * @param sessionContext Hive session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource,
                               String user,
                               Set<String> groups,
                               Set<String> roles,
                               HiveAuthzContext context,
                               HiveAuthzSessionContext sessionContext) {
    this(resource, user, groups, roles,
         "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
Example #9
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
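/**
 * Hive authorizer hook that attaches Ranger row-filter and column-mask policies to the
 * table/view objects referenced by a query.
 *
 * <p>For each object (a null type is treated as TABLE_OR_VIEW) the row-filter
 * expression is looked up via {@code getRowFilterExpression} and, if non-blank, set on
 * the object. For each of the object's columns a cell-value transformer is computed via
 * {@code addCellValueTransformerAndCheckIfTransformed}; the resulting transformer list
 * is set on every column-bearing object, masked or not. Only objects that received a
 * row filter or at least one masked column are returned. Non-table objects are skipped.
 *
 * <p>Fix: the entry/exit debug messages previously dereferenced {@code hiveObjs}
 * unconditionally, so a null list threw at debug level even though the main loop
 * already tolerates null via {@code CollectionUtils.isNotEmpty}.
 *
 * @param queryContext authz context of the query being compiled
 * @param hiveObjs     privilege objects referenced by the query; may be null or empty
 * @return the objects needing transformation (row filter and/or masking); never null
 * @throws SemanticException propagated from policy evaluation (e.g. no user information)
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext,
                                                                List<HivePrivilegeObject> hiveObjs) throws SemanticException {
    List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();
    int objCount = hiveObjs == null ? 0 : hiveObjs.size();

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
    }

    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
    }

    if (CollectionUtils.isNotEmpty(hiveObjs)) {
        for (HivePrivilegeObject hiveObj : hiveObjs) {
            HivePrivilegeObjectType hiveObjType = hiveObj.getType();
            if (hiveObjType == null) {
                hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
            }
            // Row filters and masks only apply to tables and views.
            if (hiveObjType != HivePrivilegeObjectType.TABLE_OR_VIEW) {
                continue;
            }

            String database = hiveObj.getDbname();
            String table = hiveObj.getObjectName();
            boolean needToTransform = false;

            String rowFilterExpr = getRowFilterExpression(queryContext, database, table);
            if (StringUtils.isNotBlank(rowFilterExpr)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
                }
                hiveObj.setRowFilterExpression(rowFilterExpr);
                needToTransform = true;
            }

            if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
                List<String> columnTransformers = new ArrayList<String>();
                for (String column : hiveObj.getColumns()) {
                    boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
                    }
                    needToTransform = needToTransform || isColumnTransformed;
                }
                // Set for every column-bearing object; unmasked columns map to themselves.
                hiveObj.setCellValueTransformers(columnTransformers);
            }

            if (needToTransform) {
                ret.add(hiveObj);
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
    }
    return ret;
}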
Example #10
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Evaluates Ranger data-masking policies for a single column and appends the resulting
 * cell-value transformer (an expression over the column) to {@code columnTransformers}.
 *
 * <p>The request is a SELECT on a COLUMN-typed resource for the current user, audited
 * through a {@link RangerHiveAuditHandler} that is flushed in {@code finally}. When a
 * mask applies the transformer is chosen as follows: mask type NULL gives the literal
 * {@code NULL}; mask type CUSTOM uses the policy's masked value (or {@code NULL} if it
 * is absent); any other mask type uses the transformer from the mask type definition.
 * {@code {col}} in the expression is replaced by the column name. Without an applicable
 * mask the column name itself is appended. Exactly one entry is appended per call.
 *
 * <p>NOTE(review): CUSTOM masked values and type-definition transformers are SQL
 * fragments authored in Ranger policy and are spliced into the query by plain string
 * replacement, so whoever can edit mask policies can inject arbitrary expressions.
 * This is inherent to the feature; keep it in mind when scoping policy-admin rights.
 *
 * @param context            Hive authz context of the query
 * @param databaseName       database of the column's table or view
 * @param tableOrViewName    table or view containing the column
 * @param columnName         column being projected
 * @param columnTransformers list to which the transformer expression is appended
 * @return {@code true} if a data-mask policy applies to the column
 * @throws SemanticException if the current user cannot be determined
 */
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName,
                                                             String tableOrViewName, String columnName,
                                                             List<String> columnTransformers) throws SemanticException {
    UserGroupInformation currentUser = getCurrentUserGroupInfo();
    if (currentUser == null) {
        throw new SemanticException("user information not available");
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
    }

    boolean isMasked = false;
    // Default: project the column unchanged.
    String transformerExpr = columnName;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    try {
        HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        String user = currentUser.getShortUserName();
        Set<String> groups = Sets.newHashSet(currentUser.getGroupNames());
        Set<String> roles = getCurrentRoles();

        HiveObjectType objectType = HiveObjectType.COLUMN;
        RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles,
                objectType.name(), HiveAccessType.SELECT, context, sessionContext);

        RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
        isMasked = isDataMaskEnabled(result);
        if (isMasked) {
            transformerExpr = resolveMaskExpression(result, columnName);
        }
    } finally {
        // Flush regardless of outcome so the access attempt is always audited.
        auditHandler.flushAudit();
    }
    columnTransformers.add(transformerExpr);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + isMasked);
    }
    return isMasked;
}

/**
 * Chooses the masking expression for a matched data-mask result: NULL mask → literal
 * {@code NULL}; CUSTOM mask → the policy's masked value with {@code {col}} substituted
 * (or {@code NULL} when absent); otherwise the mask type definition's transformer with
 * {@code {col}} substituted, falling back to the bare column name.
 *
 * @param result     matched data-mask evaluation result
 * @param columnName column the expression is built for
 * @return the expression to project in place of the column
 */
private static String resolveMaskExpression(RangerAccessResult result, String columnName) {
    String maskType = result.getMaskType();
    if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
        return "NULL";
    }
    if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
        String maskedValue = result.getMaskedValue();
        return maskedValue == null ? "NULL" : maskedValue.replace("{col}", columnName);
    }
    RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
    String transformer = maskTypeDef == null ? null : maskTypeDef.getTransformer();
    if (StringUtils.isNotEmpty(transformer)) {
        return transformer.replace("{col}", columnName);
    }
    return columnName;
}
Example #11
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Builds a {@code HiveObj} by parsing the database/table name out of the command
 * string carried in {@code context} (see {@code fetchHiveObj}).
 *
 * @param context authz context to parse; may be null, in which case nothing is set
 */
HiveObj(HiveAuthzContext context) {
    // All parsing lives in fetchHiveObj so it can be reused on an existing instance.
    fetchHiveObj(context);
}
Example #12
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Hive authorizer entry point for privilege checks; forwards the operation, its input
 * and output objects and the authz context to the configured {@code authValidator}.
 *
 * @param hiveOpType  Hive operation being performed
 * @param inputHObjs  objects read by the operation
 * @param outputHObjs objects written by the operation
 * @param context     Hive authz context of the command
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException if the validator denies the operation
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType,
                            List<HivePrivilegeObject> inputHObjs,
                            List<HivePrivilegeObject> outputHObjs,
                            HiveAuthzContext context)
        throws HiveAuthzPluginException, HiveAccessControlException {
    // The decision (and any denial) is entirely the validator's.
    authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
}
Example #13
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Hive authorizer entry point for filtering the results of list commands (e.g. SHOW
 * DATABASES / SHOW TABLES); forwards to the configured {@code authValidator}.
 *
 * @param listObjs objects produced by the list command
 * @param context  Hive authz context of the command
 * @return whatever the validator returns as the filtered list
 * @throws HiveAuthzPluginException   propagated from the validator
 * @throws HiveAccessControlException propagated from the validator
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
                                                      HiveAuthzContext context)
        throws HiveAuthzPluginException, HiveAccessControlException {
    List<HivePrivilegeObject> filtered = authValidator.filterListCmdObjects(listObjs, context);
    return filtered;
}
Example #14
Source File: SentryHiveAuthorizationValidator.java From incubator-sentry with Apache License 2.0 | 2 votes |
/**
 * Checks whether the current user may perform {@code hiveOpType} on the given input
 * and output objects.
 *
 * <p>Implementations are expected to throw rather than return when access is denied;
 * a normal return means the operation is permitted.
 *
 * @param hiveOpType  Hive operation being performed
 * @param inputHObjs  objects read by the operation
 * @param outputHObjs objects written by the operation
 * @param context     Hive authz context of the command (command string, client IP)
 * @throws HiveAuthzPluginException   if the check itself cannot be carried out
 * @throws HiveAccessControlException if the user lacks the required privileges
 */
@Override
public abstract void checkPrivileges(HiveOperationType hiveOpType,
                                     List<HivePrivilegeObject> inputHObjs,
                                     List<HivePrivilegeObject> outputHObjs,
                                     HiveAuthzContext context)
        throws HiveAuthzPluginException, HiveAccessControlException;
Example #15
Source File: SentryHiveAuthorizationValidator.java From incubator-sentry with Apache License 2.0 | 2 votes |
/**
 * Filters the results of a list command according to the current user's permissions,
 * removing every object the user has no privilege on.
 *
 * <p>Note that this signature declares no checked exceptions, so implementations must
 * decide locally what to return when the permission lookup fails.
 *
 * @param listObjs objects produced by the list command
 * @param context  Hive authz context of the command
 * @return the objects the current user is allowed to see
 */
@Override
public abstract List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
                                                               HiveAuthzContext context);