org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext Java Examples
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.
Example #1
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Stores the Hive configuration, Sentry authorization configuration, authenticator and
 * session context on this controller, then resolves the Sentry server name.
 *
 * <p>The four arguments are null-checked before any field is written. The server name is
 * looked up last, after those fields have been assigned; when the authorization
 * configuration has no value for it the call fails rather than continuing without one.
 *
 * @param conf Hive configuration; must not be null
 * @param authzConf Sentry authorization configuration; must not be null
 * @param authenticator provider of the session identity; must not be null
 * @param ctx authorization session context; must not be null
 * @throws NullPointerException if an argument is null or the server name is not configured
 * @throws Exception declared by the signature
 */
protected void initilize(HiveConf conf, HiveAuthzConf authzConf,
        HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
    // Validate everything up front so that a bad argument is reported before any state changes.
    Preconditions.checkNotNull(conf, "HiveConf cannot be null");
    Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
    Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");
    Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null");

    this.conf = conf;
    this.authzConf = authzConf;
    this.authenticator = authenticator;
    this.ctx = ctx;

    // A missing server name is treated as a hard configuration error.
    final String serverNameKey = AuthzConfVars.AUTHZ_SERVER_NAME.getVar();
    this.serverName =
        Preconditions.checkNotNull(authzConf.get(serverNameKey), REQUIRED_AUTHZ_SERVER_NAME);
}
Example #2
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Builds the access controller used by the Sentry authorizer.
 *
 * <p>The class named by {@code HIVE_SENTRY_ACCESS_CONTROLLER} is resolved (defaulting to
 * {@link DefaultSentryAccessController}) and checked for null, but the object returned is
 * always a {@link DefaultSentryAccessController}.
 *
 * @param conf Hive configuration the controller class is looked up in
 * @param authzConf Sentry authorization configuration passed to the controller
 * @param authenticator provider of the session identity passed to the controller
 * @param ctx authorization session context passed to the controller
 * @return a new {@link DefaultSentryAccessController}
 * @throws HiveAuthzPluginException if the configured class resolves to null, or wrapping any
 *     exception thrown while constructing the controller
 */
public static SentryHiveAccessController getAccessController(HiveConf conf,
        HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    final Class<? extends SentryHiveAccessController> configuredClass =
        conf.getClass(HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class,
            SentryHiveAccessController.class);

    if (configuredClass != null) {
        // NOTE(review): configuredClass is resolved but never instantiated, so an operator who
        // sets HIVE_SENTRY_ACCESS_CONTROLLER to a custom controller silently gets the default
        // one. If this is changed to honour the setting, confirm the key cannot be set by
        // session users, because it selects the code that makes access decisions.
        try {
            return new DefaultSentryAccessController(conf, authzConf, authenticator, ctx);
        } catch (Exception cause) {
            throw new HiveAuthzPluginException(cause);
        }
    }

    // should not happen as default value is set
    throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER
        + " is not set to valid SentryAccessController subclass");
}
Example #3
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Creates the Sentry-backed {@link HiveAuthorizer} for a session.
 *
 * <p>Loads the Sentry authorization configuration, passes the session context through
 * {@code applyTestSettings}, and runs {@code assertHiveCliAuthDisabled} on the resulting
 * context before any controller or validator is built. Note that the CLI check sees the
 * context after the test settings were applied, not the one the caller supplied.
 *
 * @param metastoreClientFactory not used by this implementation
 * @param conf Hive configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context supplied by Hive
 * @return a {@link SentryHiveAuthorizer} wrapping the access controller and validator
 * @throws HiveAuthzPluginException wrapping any exception raised while loading the
 *     configuration or running the checks (including one that is already a
 *     {@code HiveAuthzPluginException}), or raised while building the controller or validator
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
    HiveAuthzSessionContext effectiveCtx;
    try {
        this.authzConf = HiveAuthzBindingHook.loadAuthzConf(conf);
        effectiveCtx = applyTestSettings(ctx, conf);
        // Refuse to continue before anything that makes access decisions is constructed.
        assertHiveCliAuthDisabled(conf, effectiveCtx);
    } catch (Exception cause) {
        throw new HiveAuthzPluginException(cause);
    }

    return new SentryHiveAuthorizer(
        getAccessController(conf, authzConf, authenticator, effectiveCtx),
        getAuthzValidator(conf, authzConf, authenticator));
}
Example #4
Source File: RangerHiveAuthorizerFactory.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Delegates authorizer creation to {@code rangerHiveAuthorizerFactoryImpl} while the plugin
 * class loader is active.
 *
 * <p>The activation call sits inside the {@code try}, so the class loader is deactivated
 * again whether activation, creation, or neither of them throws.
 *
 * @param metastoreClientFactory factory handed through to the delegate
 * @param conf Hive configuration handed through to the delegate
 * @param hiveAuthenticator provider of the session identity handed through to the delegate
 * @param sessionContext authorization session context handed through to the delegate
 * @return the authorizer produced by the delegate
 * @throws HiveAuthzPluginException if the delegate fails to create the authorizer
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthenticationProvider hiveAuthenticator,
        HiveAuthzSessionContext sessionContext) throws HiveAuthzPluginException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizerFactory.createHiveAuthorizer()");
    }

    HiveAuthorizer authorizer;
    try {
        activatePluginClassLoader();
        authorizer = rangerHiveAuthorizerFactoryImpl.createHiveAuthorizer(
            metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
    } finally {
        // Always restore the previous class loader state, even on failure.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizerFactory.createHiveAuthorizer()");
    }
    return authorizer;
}
Example #5
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Records the collaborators of this authorizer and derives the user-group information of the
 * session user from the authenticator.
 *
 * <p>No argument is rejected: a null authenticator, or one without a user name, leaves
 * {@code mUgi} null and only produces a warning in the log.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param hiveConf Hive configuration
 * @param hiveAuthenticator provider of the session identity; may be null
 * @param context authorization session context; stored as given
 */
public RangerHiveAuthorizerBase(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator,
        HiveAuthzSessionContext context) {
    mMetastoreClientFactory = metastoreClientFactory;
    mHiveConf = hiveConf;
    mHiveAuthenticator = hiveAuthenticator;
    mSessionContext = context;

    String userName = null;
    if (mHiveAuthenticator != null) {
        userName = mHiveAuthenticator.getUserName();
    }

    // An empty (non-null) name is still handed to createRemoteUser, as before.
    mUgi = (userName != null) ? UserGroupInformation.createRemoteUser(userName) : null;

    // Exactly one warning at most, for the first problem found.
    if (mHiveAuthenticator == null) {
        LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator is null");
        return;
    }
    if (StringUtil.isEmpty(userName)) {
        LOG.warn("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): hiveAuthenticator.getUserName() returned null/empty");
        return;
    }
    if (mUgi == null) {
        LOG.warn(String.format("RangerHiveAuthorizerBase.RangerHiveAuthorizerBase(): UserGroupInformation.createRemoteUser(%s) returned null", userName));
    }
}
Example #6
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
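/**
 * Renders a privilege check as a single diagnostic string.
 *
 * <p>The string contains the operation type, both object lists, the client type, the command
 * string, the client and forwarded addresses, the session string, and the current user with
 * its groups. A null context, session context, or current user is rendered as {@code null}
 * (with an empty group list) instead of raising a {@link NullPointerException}.
 *
 * @param hiveOpType operation being checked
 * @param inputHObjs objects read by the operation
 * @param outputHObjs objects written by the operation
 * @param context per-query authorization context; may be null
 * @param sessionContext authorization session context; may be null
 * @return the rendered description
 */
private String toString(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
        List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context,
        HiveAuthzSessionContext sessionContext) {
    // Resolved once. Other methods of this class treat a null result as possible, so this one
    // must not dereference it blindly just to build a diagnostic string.
    UserGroupInformation ugi = this.getCurrentUserGroupInfo();

    StringBuilder sb = new StringBuilder();

    sb.append("'checkPrivileges':{");
    sb.append("'hiveOpType':").append(hiveOpType);

    sb.append(", 'inputHObjs':[");
    toString(inputHObjs, sb);
    sb.append("]");

    sb.append(", 'outputHObjs':[");
    toString(outputHObjs, sb);
    sb.append("]");

    sb.append(", 'context':{");
    sb.append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType());
    // NOTE(review): commandString is the statement text as given by the context; whatever
    // sink receives this string may therefore hold literals taken from user queries.
    sb.append(", 'commandString':").append(context == null ? "null" : context.getCommandString());
    sb.append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress());
    sb.append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "));
    sb.append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString());
    sb.append("}");

    sb.append(", 'user':").append(ugi == null ? null : ugi.getUserName());
    sb.append(", 'groups':[");
    if (ugi != null) {
        sb.append(StringUtil.toString(ugi.getGroupNames()));
    }
    sb.append("]");
    sb.append("}");

    return sb.toString();
}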
Example #7
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Test-only variant that builds the authorizer from an explicitly supplied
 * {@link HiveAuthzConf}.
 *
 * <p>This overload calls neither {@code applyTestSettings} nor
 * {@code assertHiveCliAuthDisabled}; the session context is used exactly as given.
 *
 * @param metastoreClientFactory not used by this overload
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration to use instead of loading one
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @return a {@link SentryHiveAuthorizer} wrapping the access controller and validator
 * @throws HiveAuthzPluginException if the controller or validator cannot be created
 */
@VisibleForTesting
protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthzConf authzConf, HiveAuthenticationProvider authenticator,
        HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
    return new SentryHiveAuthorizer(
        getAccessController(conf, authzConf, authenticator, ctx),
        getAuthzValidator(conf, authzConf, authenticator));
}
Example #8
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 5 votes |
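/**
 * Rejects sessions that come from the Hive CLI while Hive authorization is enabled.
 *
 * @param conf Hive configuration holding the authorization-enabled flag
 * @param ctx authorization session context whose client type is inspected
 * @throws HiveAuthzPluginException if the client type is {@code HIVECLI} and
 *     {@code HIVE_AUTHORIZATION_ENABLED} is true
 */
private void assertHiveCliAuthDisabled(HiveConf conf, HiveAuthzSessionContext ctx)
        throws HiveAuthzPluginException {
    boolean fromHiveCli = ctx.getClientType() == CLIENT_TYPE.HIVECLI;
    if (fromHiveCli && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
        // The two sentences used to run together ("hive cliInstead") and "recommended" was
        // misspelled; the wording is otherwise unchanged.
        throw new HiveAuthzPluginException(
            "SQL standards based authorization should not be enabled from hive cli. "
                + "Instead the use of storage based authorization in hive metastore is recommended. Set "
                + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
    }
}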
Example #9
Source File: SentryAuthorizerFactory.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Returns the session context to authorize with, relabelled as HiveServer2 when the test
 * flag asks for it.
 *
 * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the client type is
 * {@code HIVECLI}, a copy of the context with client type {@code HIVESERVER2} is returned;
 * otherwise the context is returned unchanged.
 *
 * @param ctx authorization session context supplied by Hive
 * @param conf Hive configuration holding the test flag
 * @return {@code ctx}, or a copy of it with the client type replaced
 */
private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
    // NOTE(review): the flag makes a CLI session look like an HS2 session to every later
    // client-type check; it is named as a test setting and should stay off outside tests.
    if (!conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)
            || ctx.getClientType() != CLIENT_TYPE.HIVECLI) {
        return ctx;
    }

    // create new session ctx object with HS2 as client type
    HiveAuthzSessionContext.Builder hs2Builder = new HiveAuthzSessionContext.Builder(ctx);
    hs2Builder.setClientType(CLIENT_TYPE.HIVESERVER2);
    return hs2Builder.build();
}
Example #10
Source File: RangerHiveAuthorizerFactory.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates a {@link RangerHiveAuthorizer} for the session.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf Hive configuration
 * @param hiveAuthenticator provider of the session identity
 * @param sessionContext authorization session context
 * @return a new {@link RangerHiveAuthorizer} built from the four arguments
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf conf, HiveAuthenticationProvider hiveAuthenticator,
        HiveAuthzSessionContext sessionContext) throws HiveAuthzPluginException {
    final HiveAuthorizer authorizer =
        new RangerHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
    return authorizer;
}
Example #11
Source File: RelaxedSQLStdHiveAccessController.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Creates the controller by passing all four arguments to the superclass constructor.
 *
 * <p>NOTE(review): what this subclass relaxes relative to its parent is not visible in this
 * constructor; check the overridden methods before using it outside a test setup.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf Hive configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @throws HiveAuthzPluginException if the superclass constructor fails
 */
public RelaxedSQLStdHiveAccessController(
    HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx)
  throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);
}
Example #12
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Evaluates the row-filter policies for the current user on a table or view.
 *
 * <p>The request is built for a {@code SELECT} on the table with the current user's short
 * name, groups and roles. Audit events collected during evaluation are flushed whether or
 * not the evaluation throws.
 *
 * @param context per-query authorization context
 * @param databaseName database of the table or view
 * @param tableOrViewName table or view the filter is requested for
 * @return the filter expression, or null when no row filter is enabled for the request
 * @throws SemanticException if no user information is available
 */
private String getRowFilterExpression(HiveAuthzContext context, String databaseName,
        String tableOrViewName) throws SemanticException {
    final UserGroupInformation ugi = getCurrentUserGroupInfo();

    // Without an identity no policy can be evaluated, so the call is refused outright.
    if (ugi == null) {
        throw new SemanticException("user information not available");
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
    }

    String filterExpr = null;
    final RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

    try {
        final HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        final String shortUserName = ugi.getShortUserName();
        final Set<String> userGroups = Sets.newHashSet(ugi.getGroupNames());
        final Set<String> userRoles = getCurrentRoles();
        final HiveObjectType objectType = HiveObjectType.TABLE;
        final RangerHiveResource tableResource =
            new RangerHiveResource(objectType, databaseName, tableOrViewName);
        final RangerHiveAccessRequest request = new RangerHiveAccessRequest(tableResource,
            shortUserName, userGroups, userRoles, objectType.name(), HiveAccessType.SELECT,
            context, sessionContext);

        final RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);

        filterExpr = isRowFilterEnabled(result) ? result.getFilterExpr() : null;
    } finally {
        auditHandler.flushAudit();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + filterExpr);
    }

    return filterExpr;
}
Example #13
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates an access request whose action is the name of the given Hive operation type.
 *
 * <p>Delegates to the constructor taking the operation name as a string, passing
 * {@code hiveOpType.name()}.
 *
 * @param resource resource the access is requested on
 * @param user requesting user
 * @param userGroups groups of the requesting user
 * @param userRoles roles of the requesting user
 * @param hiveOpType Hive operation being performed; must not be null because its name is read
 * @param accessType kind of access requested
 * @param context per-query authorization context
 * @param sessionContext authorization session context
 */
public RangerHiveAccessRequest(RangerHiveResource resource,
                               String user,
                               Set<String> userGroups,
                               Set<String> userRoles,
                               HiveOperationType hiveOpType,
                               HiveAccessType accessType,
                               HiveAuthzContext context,
                               HiveAuthzSessionContext sessionContext) {
    this(resource, user, userGroups, userRoles, hiveOpType.name(), accessType, context, sessionContext);
}
Example #14
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Creates an access request and fills it from the resource, the identity, and the two Hive
 * authorization contexts.
 *
 * <p>The access time is the moment of construction. Command string, forwarded addresses and
 * remote IP address are copied only when {@code context} is non-null; client type and session
 * id only when {@code sessionContext} is non-null.
 *
 * @param resource resource the access is requested on
 * @param user requesting user
 * @param userGroups groups of the requesting user
 * @param userRoles roles of the requesting user
 * @param hiveOpTypeName name of the Hive operation, stored as the request action
 * @param accessType kind of access requested
 * @param context per-query authorization context; may be null
 * @param sessionContext authorization session context; may be null
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> userGroups,
        Set<String> userRoles, String hiveOpTypeName, HiveAccessType accessType,
        HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
    this.setResource(resource);
    this.setUser(user);
    this.setUserGroups(userGroups);
    this.setUserRoles(userRoles);
    this.setAccessTime(new Date());
    this.setAction(hiveOpTypeName);
    this.setHiveAccessType(accessType);

    if (context != null) {
        // Request data carries the statement text as given by the context.
        this.setRequestData(context.getCommandString());
        this.setForwardedAddresses(context.getForwardedAddresses());
        this.setRemoteIPAddress(context.getIpAddress());
    }

    if (sessionContext != null) {
        String clientTypeName = null;
        if (sessionContext.getClientType() != null) {
            clientTypeName = sessionContext.getClientType().toString();
        }
        this.setClientType(clientTypeName);
        this.setSessionId(sessionContext.getSessionString());
    }
}
Example #15
Source File: RelaxedSQLStdHiveAccessControllerWrapper.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Creates the wrapper and replaces the access controller set up by the superclass with a
 * {@link RelaxedSQLStdHiveAccessController} built from the same arguments.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf Hive configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @throws HiveAuthzPluginException if either controller cannot be created
 */
public RelaxedSQLStdHiveAccessControllerWrapper(
    HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx)
  throws HiveAuthzPluginException {
  super(metastoreClientFactory, conf, authenticator, ctx);

  // From here on every call made through this wrapper reaches the relaxed controller.
  final RelaxedSQLStdHiveAccessController relaxedController =
      new RelaxedSQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
  overrideHiveAccessController(relaxedController);
}
Example #16
Source File: RelaxedSQLStdHiveAuthorizerFactory.java From beeju with Apache License 2.0 | 5 votes |
/**
 * Creates a {@link HiveAuthorizerImpl} whose privilege manager is a
 * {@link RelaxedSQLStdHiveAccessControllerWrapper} and whose validator is a
 * {@link SQLStdHiveAuthorizationValidator} bound to that same wrapper.
 *
 * <p>NOTE(review): which checks the relaxed controller loosens is not visible here; confirm
 * this factory is only configured for metastores used in tests.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param conf Hive configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @return the assembled authorizer
 * @throws HiveAuthzPluginException if the wrapper or validator cannot be created
 */
@Override
public HiveAuthorizer createHiveAuthorizer(
    HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf,
    HiveAuthenticationProvider authenticator,
    HiveAuthzSessionContext ctx)
  throws HiveAuthzPluginException {
  final RelaxedSQLStdHiveAccessControllerWrapper accessController =
      new RelaxedSQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);
  final SQLStdHiveAuthorizationValidator validator =
      new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator,
          accessController, ctx);
  return new HiveAuthorizerImpl(accessController, validator);
}
Example #17
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Evaluates the data-mask policies for one column and appends the expression to select for
 * that column to {@code columnTransformers}.
 *
 * <p>The appended expression is the plain column name unless masking applies. With masking
 * enabled it is {@code NULL} for the null mask type, the policy's masked value (or
 * {@code NULL} when that value is absent) for the custom mask type, and otherwise the mask
 * type definition's transformer. In the last two cases every {@code {col}} placeholder is
 * replaced by the column name. Audit events are flushed whether or not evaluation throws.
 *
 * @param context per-query authorization context
 * @param databaseName database of the table or view
 * @param tableOrViewName table or view holding the column
 * @param columnName column being selected
 * @param columnTransformers list that receives exactly one entry for this column
 * @return true when a data mask is enabled for the request
 * @throws SemanticException if no user information is available
 */
private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context,
        String databaseName, String tableOrViewName, String columnName,
        List<String> columnTransformers) throws SemanticException {
    final UserGroupInformation ugi = getCurrentUserGroupInfo();

    // Without an identity no policy can be evaluated, so the call is refused outright.
    if (ugi == null) {
        throw new SemanticException("user information not available");
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
    }

    boolean maskEnabled = false;
    String selectExpr = columnName;
    final RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

    try {
        final HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        final String shortUserName = ugi.getShortUserName();
        final Set<String> userGroups = Sets.newHashSet(ugi.getGroupNames());
        final Set<String> userRoles = getCurrentRoles();
        final HiveObjectType objectType = HiveObjectType.COLUMN;
        final RangerHiveResource columnResource =
            new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
        final RangerHiveAccessRequest request = new RangerHiveAccessRequest(columnResource,
            shortUserName, userGroups, userRoles, objectType.name(), HiveAccessType.SELECT,
            context, sessionContext);

        final RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);

        maskEnabled = isDataMaskEnabled(result);

        if (maskEnabled) {
            final String maskType = result.getMaskType();
            final RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
            final String transformer = (maskTypeDef == null) ? null : maskTypeDef.getTransformer();

            if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
                selectExpr = "NULL";
            } else if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
                final String maskedValue = result.getMaskedValue();
                selectExpr = (maskedValue == null) ? "NULL" : maskedValue.replace("{col}", columnName);
            } else if (StringUtils.isNotEmpty(transformer)) {
                selectExpr = transformer.replace("{col}", columnName);
            }
            // Any other mask type without a transformer leaves the plain column name in
            // place even though the method still reports the mask as enabled.
            // (Support for a mask condition was left disabled in the original code.)
        }
    } finally {
        auditHandler.flushAudit();
    }

    columnTransformers.add(selectExpr);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + maskEnabled);
    }

    return maskEnabled;
}
Example #18
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
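/**
 * Translates a Hive GRANT/REVOKE on a database, table, view or column into a
 * {@link GrantRevokeRequest}.
 *
 * <p>Empty database, table and column names become {@code "*"}. Principals of unknown type are
 * skipped. Privilege names are matched case-insensitively and stored in lower case;
 * {@code Insert} and {@code Delete} are stored as {@code update}, and any other unrecognised
 * privilege is logged and dropped, so the request can end up with fewer access types than
 * privileges were passed in.
 *
 * @param resource resource the grant or revoke applies to
 * @param hivePrincipals users, groups and roles receiving or losing the privileges
 * @param hivePrivileges privileges being granted or revoked
 * @param grantorPrincipal principal issuing the statement
 * @param grantOption whether the grantees may delegate the privileges
 * @return the populated request
 * @throws HiveAccessControlException if the resource is null or is not a database, table,
 *     view or column
 */
private GrantRevokeRequest createGrantRevokeData(RangerHiveResource resource,
        List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
        HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAccessControlException {
    if (resource == null ||
        ! (   resource.getObjectType() == HiveObjectType.DATABASE
           || resource.getObjectType() == HiveObjectType.TABLE
           || resource.getObjectType() == HiveObjectType.VIEW
           || resource.getObjectType() == HiveObjectType.COLUMN
          )
       ) {
        // A resource whose object type is null must be rejected with the access-control
        // exception too, not with a NullPointerException raised while building the message.
        String objectTypeName = (resource == null || resource.getObjectType() == null)
            ? null
            : resource.getObjectType().name();
        throw new HiveAccessControlException("grant/revoke: unexpected object type '" + objectTypeName + "'");
    }

    GrantRevokeRequest ret = new GrantRevokeRequest();

    ret.setGrantor(getGrantorUsername(grantorPrincipal));
    ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
    ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
    ret.setEnableAudit(Boolean.TRUE);
    ret.setReplaceExistingPermissions(Boolean.FALSE);

    String database = StringUtils.isEmpty(resource.getDatabase()) ? "*" : resource.getDatabase();
    String table    = StringUtils.isEmpty(resource.getTable()) ? "*" : resource.getTable();
    String column   = StringUtils.isEmpty(resource.getColumn()) ? "*" : resource.getColumn();

    Map<String, String> mapResource = new HashMap<String, String>();
    mapResource.put(RangerHiveResource.KEY_DATABASE, database);
    mapResource.put(RangerHiveResource.KEY_TABLE, table);
    mapResource.put(RangerHiveResource.KEY_COLUMN, column);
    ret.setOwnerUser(resource.getOwnerUser());
    ret.setResource(mapResource);

    SessionState ss = SessionState.get();
    if (ss != null) {
        ret.setClientIPAddress(ss.getUserIpAddress());
        ret.setSessionId(ss.getSessionId());

        HiveConf hiveConf = ss.getConf();

        if (hiveConf != null) {
            ret.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
        }
    }

    HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
    if (sessionContext != null) {
        ret.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
    }

    for (HivePrincipal principal : hivePrincipals) {
        switch (principal.getType()) {
            case USER:
                ret.getUsers().add(principal.getName());
                break;

            case GROUP:
                ret.getGroups().add(principal.getName());
                break;

            case ROLE:
                ret.getRoles().add(principal.getName());
                break;

            case UNKNOWN:
                break;
        }
    }

    for (HivePrivilege privilege : hivePrivileges) {
        String privName = privilege.getName();

        if (StringUtils.equalsIgnoreCase(privName, HiveAccessType.ALL.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.ALTER.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.CREATE.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.DROP.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.INDEX.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.LOCK.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.SELECT.name()) ||
            StringUtils.equalsIgnoreCase(privName, HiveAccessType.UPDATE.name())) {
            // Locale.ROOT keeps the stored access type stable: under a Turkish default locale
            // "INDEX".toLowerCase() would not yield "index".
            ret.getAccessTypes().add(privName.toLowerCase(java.util.Locale.ROOT));
        } else if (StringUtils.equalsIgnoreCase(privName, "Insert") ||
                   StringUtils.equalsIgnoreCase(privName, "Delete")) {
            // Mapping Insert/Delete to Update
            ret.getAccessTypes().add(HiveAccessType.UPDATE.name().toLowerCase(java.util.Locale.ROOT));
        } else {
            LOG.warn("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
        }
    }

    return ret;
}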
Example #19
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Revokes the given roles from the given principals through the Ranger plugin.
 *
 * <p>An audit event is created and flushed in the {@code finally} block, so both successful
 * and failed revocations are audited; the event carries whether the plugin call completed.
 *
 * @param hivePrincipals users, groups and roles losing the target roles
 * @param roles roles being revoked
 * @param grantOption grant-option flag copied onto the request
 * @param grantorPrinc principal issuing the statement
 * @throws HiveAuthzPluginException declared by the overridden method
 * @throws HiveAccessControlException wrapping any exception raised while building or
 *     submitting the request
 */
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
        boolean grantOption, HivePrincipal grantorPrinc)
        throws HiveAuthzPluginException, HiveAccessControlException {
    LOG.debug("RangerHiveAuthorizerBase.revokeRole()");

    boolean revoked = false;
    final RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    final String grantorUserName = getGrantorUsername(grantorPrinc);
    final List<String> auditedPrincipals = new ArrayList<>();

    try {
        final GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
        request.setGrantor(grantorUserName);
        request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));

        final Set<String> users = new HashSet<>();
        final Set<String> roleNames = new HashSet<>();
        final Set<String> groups = new HashSet<>();

        for (HivePrincipal principal : hivePrincipals) {
            switch (principal.getType()) {
                case USER: {
                    final String userName = principal.getName();
                    users.add(userName);
                    auditedPrincipals.add("USER " + userName);
                    break;
                }
                case GROUP: {
                    final String groupName = principal.getName();
                    groups.add(groupName);
                    auditedPrincipals.add("GROUP " + groupName);
                    break;
                }
                case ROLE: {
                    final String roleName = principal.getName();
                    roleNames.add(roleName);
                    auditedPrincipals.add("ROLE " + roleName);
                    break;
                }
                case UNKNOWN:
                    break;
            }
        }

        request.setUsers(users);
        request.setGroups(groups);
        request.setRoles(roleNames);
        request.setGrantOption(grantOption);
        request.setTargetRoles(new HashSet<>(roles));

        final SessionState sessionState = SessionState.get();
        if (sessionState != null) {
            request.setClientIPAddress(sessionState.getUserIpAddress());
            request.setSessionId(sessionState.getSessionId());

            final HiveConf sessionConf = sessionState.getConf();
            if (sessionConf != null) {
                request.setRequestData(sessionConf.get(HIVE_CONF_VAR_QUERY_STRING));
            }
        }

        final HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        if (sessionContext != null) {
            request.setClientType(sessionContext.getClientType() == null
                ? null
                : sessionContext.getClientType().toString());
        }

        // NOTE(review): the same request is logged at INFO and again at DEBUG, and it may
        // include the statement text set as request data above; decide which level is meant.
        LOG.info("revokeRole(): " + request);
        if (LOG.isDebugEnabled()) {
            LOG.debug("revokeRole(): " + request);
        }

        hivePlugin.revokeRole(request, auditHandler);
        revoked = true;
    } catch (Exception excp) {
        throw new HiveAccessControlException(excp);
    } finally {
        final RangerAccessResult accessResult = createAuditEvent(hivePlugin, grantorUserName,
            auditedPrincipals, HiveOperationType.REVOKE_ROLE, HiveAccessType.ALTER, roles, revoked);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
}
Example #20
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Grants the given roles to the given principals through the Ranger plugin.
 *
 * <p>An audit event is created and flushed in the {@code finally} block, so both successful
 * and failed grants are audited; the event carries whether the plugin call completed.
 *
 * @param hivePrincipals users, groups and roles receiving the target roles
 * @param roles roles being granted
 * @param grantOption grant-option flag copied onto the request
 * @param grantorPrinc principal issuing the statement
 * @throws HiveAuthzPluginException declared by the overridden method
 * @throws HiveAccessControlException wrapping any exception raised while building or
 *     submitting the request
 */
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
        boolean grantOption, HivePrincipal grantorPrinc)
        throws HiveAuthzPluginException, HiveAccessControlException {
    LOG.debug("RangerHiveAuthorizerBase.grantRole()");

    boolean granted = false;
    final RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
    final String grantorUserName = getGrantorUsername(grantorPrinc);
    final List<String> auditedPrincipals = new ArrayList<>();

    try {
        final GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
        request.setGrantor(grantorUserName);
        request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));

        final Set<String> users = new HashSet<>();
        final Set<String> roleNames = new HashSet<>();
        final Set<String> groups = new HashSet<>();

        for (HivePrincipal principal : hivePrincipals) {
            switch (principal.getType()) {
                case USER: {
                    final String userName = principal.getName();
                    users.add(userName);
                    auditedPrincipals.add("USER " + userName);
                    break;
                }
                case GROUP: {
                    final String groupName = principal.getName();
                    groups.add(groupName);
                    auditedPrincipals.add("GROUP " + groupName);
                    break;
                }
                case ROLE: {
                    final String roleName = principal.getName();
                    roleNames.add(roleName);
                    auditedPrincipals.add("ROLE " + roleName);
                    break;
                }
                case UNKNOWN:
                    break;
            }
        }

        request.setUsers(users);
        request.setGroups(groups);
        request.setRoles(roleNames);
        request.setGrantOption(grantOption);
        request.setTargetRoles(new HashSet<>(roles));

        final SessionState sessionState = SessionState.get();
        if (sessionState != null) {
            request.setClientIPAddress(sessionState.getUserIpAddress());
            request.setSessionId(sessionState.getSessionId());

            final HiveConf sessionConf = sessionState.getConf();
            if (sessionConf != null) {
                request.setRequestData(sessionConf.get(HIVE_CONF_VAR_QUERY_STRING));
            }
        }

        final HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
        if (sessionContext != null) {
            request.setClientType(sessionContext.getClientType() == null
                ? null
                : sessionContext.getClientType().toString());
        }

        hivePlugin.grantRole(request, auditHandler);
        granted = true;
    } catch (Exception excp) {
        throw new HiveAccessControlException(excp);
    } finally {
        final RangerAccessResult accessResult = createAuditEvent(hivePlugin, grantorUserName,
            auditedPrincipals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER, roles, granted);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
}
Example #21
Source File: RangerHiveAuthorizerBase.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Returns the authorization session context held by this authorizer.
 *
 * @return the stored session context; callers should be prepared for null
 */
public HiveAuthzSessionContext getHiveAuthzSessionContext() {
    final HiveAuthzSessionContext current = mSessionContext;
    return current;
}
Example #22
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
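/**
 * Creates the authorizer and, on first use, initialises the shared {@link RangerHivePlugin}.
 *
 * <p>The plugin's application type is {@code hiveCLI} or {@code hiveServer2} according to the
 * session's client type, and {@code unknown} when there is no session context, no client type,
 * or a client type other than those two.
 *
 * @param metastoreClientFactory factory for metastore clients
 * @param hiveConf Hive configuration
 * @param hiveAuthenticator provider of the session identity
 * @param sessionContext authorization session context; may be null
 */
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
        HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator,
        HiveAuthzSessionContext sessionContext) {
    super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);

    LOG.debug("RangerHiveAuthorizer.RangerHiveAuthorizer()");

    RangerHivePlugin plugin = hivePlugin;

    if (plugin == null) {
        // NOTE(review): checking hivePlugin outside the lock and again inside it is only safe
        // if the field is declared volatile; the declaration is not visible here, so confirm.
        synchronized (RangerHiveAuthorizer.class) {
            plugin = hivePlugin;

            if (plugin == null) {
                String appType = "unknown";

                // Switching on a null enum value throws NullPointerException, so a session
                // context without a client type keeps the "unknown" label instead.
                if (sessionContext != null && sessionContext.getClientType() != null) {
                    switch (sessionContext.getClientType()) {
                        case HIVECLI:
                            appType = "hiveCLI";
                            break;

                        case HIVESERVER2:
                            appType = "hiveServer2";
                            break;

                        default:
                            // Other client types were left unmapped in the original code.
                            break;
                    }
                }

                plugin = new RangerHivePlugin(appType);
                plugin.init();

                // Published only after init() has returned.
                hivePlugin = plugin;
            }
        }
    }
}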
Example #23
Source File: HiveAuthzBindingSessionHook.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Creates a {@link SentryHiveAuthorizerImpl} constructed with two null arguments.
 *
 * <p>None of the four parameters is used. NOTE(review): what an authorizer built from nulls
 * permits or denies is not visible here; confirm it cannot be reached on a path where real
 * access decisions are expected.
 *
 * @param metastoreClientFactory ignored
 * @param conf ignored
 * @param hiveAuthenticator ignored
 * @param ctx ignored
 * @return a new {@link SentryHiveAuthorizerImpl}
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public HiveAuthorizer createHiveAuthorizer(
    HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
    HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
    throws HiveAuthzPluginException {
  final HiveAuthorizer authorizer = new SentryHiveAuthorizerImpl(null, null);
  return authorizer;
}
Example #24
Source File: RangerHiveAccessRequest.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Creates an access request for a metadata operation.
 *
 * <p>Delegates to the constructor taking an operation name and access type, with the action
 * fixed to {@code "METADATA OPERATION"} and the access type fixed to
 * {@link HiveAccessType#USE}.
 *
 * @param resource resource the access is requested on
 * @param user requesting user
 * @param groups groups of the requesting user
 * @param roles roles of the requesting user
 * @param context per-query authorization context
 * @param sessionContext authorization session context
 */
public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups,
        Set<String> roles, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
    this(resource, user, groups, roles, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
}
Example #25
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 4 votes |
/**
 * Sets up Hive authorization for one user, or disables it when the configuration says so.
 *
 * <p>When {@code HIVE_AUTHORIZATION_ENABLED} is false no authorizer is created. Otherwise a
 * copy of the configuration is given the user as {@code user.name} and
 * {@code proxy.user.name}, an authenticator and an authorizer factory are resolved from that
 * copy, and an authorizer is created for a session context whose client type is
 * {@code HIVESERVER2}.
 *
 * <p>NOTE(review): the identity enforced is whatever {@code user} the caller passes; nothing
 * here verifies it, so the caller must have authenticated that user already.
 *
 * @param mClient metastore client returned by the factory handed to the authorizer
 * @param hiveConf Hive configuration
 * @param user name of the user the authorization checks are made for
 * @throws RuntimeException wrapping a {@code HiveException} raised during initialisation
 */
public HiveAuthorizationHelper(final IMetaStoreClient mClient, final HiveConf hiveConf, final String user) {
  authzEnabled = hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED);
  if (!authzEnabled) {
    authorizerV2 = null;
    return;
  }

  try (final ContextClassLoaderSwapper swapper = ContextClassLoaderSwapper.newInstance()) {
    final HiveConf perUserConf = new HiveConf(hiveConf);
    perUserConf.set("user.name", user);
    perUserConf.set("proxy.user.name", user);

    final HiveAuthenticationProvider authenticator =
        HiveUtils.getAuthenticator(perUserConf, HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);

    // This must be retrieved before creating the session state, because creation of the
    // session state changes the given HiveConf's classloader to a UDF ClassLoader.
    final HiveAuthorizerFactory authorizerFactory =
        HiveUtils.getAuthorizerFactory(perUserConf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);

    final SessionState sessionState = new SessionState(perUserConf, user);
    authenticator.setSessionState(sessionState);

    final HiveAuthzSessionContext.Builder sessionContextBuilder = new HiveAuthzSessionContext.Builder();
    sessionContextBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); // Dremio is emulating HS2 here

    final HiveMetastoreClientFactory clientFactory = new HiveMetastoreClientFactory() {
      @Override
      public IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException {
        return mClient;
      }
    };

    // The authorizer is created with the original hiveConf, while the policy below is
    // applied to the per-user copy.
    authorizerV2 = authorizerFactory.createHiveAuthorizer(
        clientFactory, hiveConf, authenticator, sessionContextBuilder.build());

    authorizerV2.applyAuthorizationConfigPolicy(perUserConf);
  } catch (final HiveException e) {
    throw new RuntimeException("Failed to initialize Hive authorization components: " + e.getMessage(), e);
  }

  logger.trace("Hive authorization enabled");
}
Example #26
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Creates a controller bound to the {@code HiveServer2} hook.
 *
 * <p>Equivalent to calling the five-argument constructor with
 * {@link HiveHook#HiveServer2}: the controller is initialised first, then the hook is set.
 *
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @throws Exception if initialisation fails
 */
public DefaultSentryAccessController(HiveConf conf, HiveAuthzConf authzConf,
        HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
    this(HiveHook.HiveServer2, conf, authzConf, authenticator, ctx);
}
Example #27
Source File: DefaultSentryAccessController.java From incubator-sentry with Apache License 2.0 | 4 votes |
/**
 * Creates a controller bound to the given hook.
 *
 * <p>The controller is initialised from the four configuration arguments before the hook is
 * stored, so a failed initialisation leaves the hook unset.
 *
 * @param hiveHook hook this controller works for; stored without a null check
 * @param conf Hive configuration
 * @param authzConf Sentry authorization configuration
 * @param authenticator provider of the session identity
 * @param ctx authorization session context
 * @throws Exception if initialisation fails
 */
public DefaultSentryAccessController(HiveHook hiveHook, HiveConf conf, HiveAuthzConf authzConf,
        HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
    initilize(conf, authzConf, authenticator, ctx);
    this.hiveHook = hiveHook;
}