org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType Java Examples
The following examples show how to use
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType.
Example #1
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Maps a Hive privilege object onto the Ranger resource used when filtering listings.
 *
 * <p>Only {@code DATABASE} and {@code TABLE_OR_VIEW} objects are translated, by delegating to
 * {@code createHiveResource}. Every other type is reported at WARN level and yields
 * {@code null}.
 *
 * @param privilegeObject the Hive object to translate; its type is switched on directly, so a
 *     {@code null} object or a {@code null} type raises a {@link NullPointerException}
 * @return the matching resource, or {@code null} when the object type is not handled here
 */
static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
    final HivePrivilegeObjectType type = privilegeObject.getType();

    switch (type) {
        case DATABASE:
        case TABLE_OR_VIEW:
            return createHiveResource(privilegeObject);

        default:
            // NOTE(review): a null result means "no resource to evaluate"; confirm that callers
            // drop such objects from the listing instead of passing them through unfiltered.
            // The log text names getHiveResourceForFiltering, not this method.
            LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + type);
            return null;
    }
}
Example #2
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Authorizes a "SHOW TABLES" command against the given Hive database.
 *
 * <p>The check is skipped entirely when {@code authzEnabled} is false. Otherwise the database is
 * submitted to {@code authorize} as the only input object of a {@code SHOWTABLES} operation,
 * with an empty list of output objects.
 *
 * @param dbName name of the Hive database whose tables are being listed
 * @throws HiveAccessControlException for illegal access
 */
public void authorizeShowTables(final String dbName) throws HiveAccessControlException {
    if (authzEnabled) {
        // The third constructor argument (object name) is null: the privilege is database-level.
        final HivePrivilegeObject database =
            new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null);
        final ImmutableList<HivePrivilegeObject> inputs = ImmutableList.of(database);

        authorize(
            HiveOperationType.SHOWTABLES,
            inputs,
            Collections.<HivePrivilegeObject>emptyList(),
            "SHOW TABLES");
    }
}
Example #3
Source File: HiveAuthorizationHelper.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Authorizes a "READ TABLE" access to {@code dbName.tableName}.
 *
 * <p>The check is skipped entirely when {@code authzEnabled} is false. Otherwise the table is
 * submitted to {@code authorize} as the only input object of a {@code QUERY} operation, with an
 * empty list of output objects.
 *
 * @param dbName name of the Hive database that holds the table
 * @param tableName name of the table or view being read
 * @throws HiveAccessControlException for illegal access
 */
public void authorizeReadTable(final String dbName, final String tableName)
        throws HiveAccessControlException {
    if (authzEnabled) {
        final HivePrivilegeObject table =
            new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, dbName, tableName);
        final ImmutableList<HivePrivilegeObject> inputs = ImmutableList.of(table);

        authorize(
            HiveOperationType.QUERY,
            inputs,
            Collections.<HivePrivilegeObject>emptyList(),
            "READ TABLE");
    }
}
Example #4
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Translates a Hive privilege object into the equivalent Ranger Hive resource.
 *
 * <p>Handled types are {@code DATABASE}, {@code TABLE_OR_VIEW} and {@code COLUMN}; a column
 * object is only translated when it names exactly one column. Anything else is reported at WARN
 * level and produces {@code null}. A non-null result has its service definition set from
 * {@code hivePlugin} (or to {@code null} when no plugin is present).
 *
 * @param privilegeObject the Hive object to translate; a {@code null} object or a {@code null}
 *     type raises a {@link NullPointerException}
 * @return the resource, or {@code null} when the object could not be mapped
 */
static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
    final HivePrivilegeObjectType type = privilegeObject.getType();
    final String name = privilegeObject.getObjectName();
    final String database = privilegeObject.getDbname();

    RangerHiveResource result = null;

    switch (type) {
        case DATABASE:
            result = new RangerHiveResource(HiveObjectType.DATABASE, database);
            break;

        case TABLE_OR_VIEW:
            // The owner of the privilege object is not copied onto the resource here.
            result = new RangerHiveResource(HiveObjectType.TABLE, database, name);
            break;

        case COLUMN: {
            final List<String> columnNames = privilegeObject.getColumns();
            final int columnCount = (columnNames != null) ? columnNames.size() : 0;

            if (columnCount != 1) {
                // Zero or several columns cannot be expressed as one column resource.
                LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + columnCount + ", objectType:" + type);
            } else {
                // As for tables, the owner is not propagated to the resource.
                result = new RangerHiveResource(HiveObjectType.COLUMN, database, name, columnNames.get(0));
            }
            break;
        }

        default:
            LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + type);
            break;
    }

    if (result != null) {
        result.setServiceDef(hivePlugin != null ? hivePlugin.getServiceDef() : null);
    }

    return result;
}
Example #5
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Rejects a DFS command: records an audit event and then always throws.
 *
 * <p>The command parameters written to the audit event come from the input objects of type
 * {@code COMMAND_PARAMS}: the first one whose string form is non-empty is used; if none is
 * non-empty, the value from the last such object (possibly empty or {@code null}) is kept.
 *
 * @param hiveOpType operation being attempted; its name appears in the denial message
 * @param inputHObjs input objects of the command, may be {@code null}
 * @param user name of the requesting user; written to the audit event and the denial message
 * @param auditHandler handler that receives the audit event
 * @throws HiveAuthzPluginException declared by the signature; not thrown directly in this body
 * @throws HiveAccessControlException always, once the audit event has been logged
 */
private void handleDfsCommand(HiveOperationType hiveOpType,
                              List<HivePrivilegeObject> inputHObjs,
                              String user,
                              RangerHiveAuditHandler auditHandler)
        throws HiveAuthzPluginException, HiveAccessControlException {
    String params = null;

    if (inputHObjs != null) {
        for (HivePrivilegeObject candidate : inputHObjs) {
            if (candidate.getType() != HivePrivilegeObjectType.COMMAND_PARAMS) {
                continue;
            }

            params = StringUtil.toString(candidate.getCommandParams());
            if (!StringUtil.isEmpty(params)) {
                break;
            }
        }
    }

    // Without a plugin the audit event carries the placeholders -1 / null.
    final boolean pluginAvailable = hivePlugin != null;
    final int serviceType = pluginAvailable ? hivePlugin.getServiceDefId() : -1;
    final String serviceName = pluginAvailable ? hivePlugin.getServiceName() : null;

    // NOTE(review): the literal false is presumably the "access granted" flag; confirm against
    // RangerHiveAuditHandler.logAuditEventForDfs.
    auditHandler.logAuditEventForDfs(user, params, false, serviceType, serviceName);

    final String denial = String.format(
        "Permission denied: user [%s] does not have privilege for [%s] command",
        user, hiveOpType.name());
    throw new HiveAccessControlException(denial);
}
Example #6
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Converts a metastore object type into the authorization plugin's privilege object type.
 *
 * @param objectType metastore type; only {@code DATABASE} and {@code TABLE} are supported, and
 *     {@code null} raises a {@link NullPointerException} from the switch
 * @return {@code DATABASE} for a database, {@code TABLE_OR_VIEW} for a table
 * @throws AssertionError for every other metastore object type
 */
private HivePrivilegeObjectType getPluginPrivilegeObjType(
        org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
    final HivePrivilegeObjectType mapped;

    switch (objectType) {
        case DATABASE:
            mapped = HivePrivilegeObjectType.DATABASE;
            break;

        case TABLE:
            mapped = HivePrivilegeObjectType.TABLE_OR_VIEW;
            break;

        default:
            // Unsupported types abort instead of being mapped to a broader privilege object.
            throw new AssertionError("Unexpected object type " + objectType);
    }

    return mapped;
}
Example #7
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 5 votes |
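/**
 * Builds the {@code HivePrivilegeInfo} that describes one privilege granted by a Ranger policy.
 *
 * <p>The policy items are scanned for entries that grant {@code aclName} (compared in lower
 * case) and list the principal's name among their users or groups. Each matching item
 * overwrites the grant time (policy creation time, in seconds) and the delegate-admin flag, so
 * the last matching item decides both. With no matching item they stay at {@code 0} and
 * {@code false}. The grantor is always {@code DEFAULT_RANGER_POLICY_GRANTOR} as a user.
 *
 * @param hivePrincipal principal the privilege is reported for
 * @param objectType type of the object the privilege applies to
 * @param dbName database name of the object
 * @param objectName table or view name of the object
 * @param columnName column name of the object
 * @param partValues partition values of the object
 * @param aclName name of the privilege; must not be {@code null} when the policy has items
 * @param policy Ranger policy the privilege is derived from
 * @return the assembled privilege description, never {@code null}
 */
private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
                                                  HivePrivilegeObject.HivePrivilegeObjectType objectType,
                                                  String dbName,
                                                  String objectName,
                                                  String columnName,
                                                  List<String> partValues,
                                                  String aclName,
                                                  RangerPolicy policy) {
    int creationDate = 0;
    boolean delegateAdmin = false;

    for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
        List<RangerPolicy.RangerPolicyItemAccess> policyItemAccesses = policyItem.getAccesses();
        List<String> users = policyItem.getUsers();
        List<String> groups = policyItem.getGroups();

        List<String> accessTypes = new ArrayList<>();
        for (RangerPolicy.RangerPolicyItemAccess policyItemAccess : policyItemAccesses) {
            accessTypes.add(policyItemAccess.getType());
        }

        // Locale.ROOT keeps the match independent of the JVM default locale; with a Turkish
        // default locale, "INSERT".toLowerCase() yields a dotless i and never matches "insert".
        boolean grantsAcl = accessTypes.contains(aclName.toLowerCase(java.util.Locale.ROOT));

        // NOTE(review): the principal name is looked up in both the user and the group list
        // without checking the principal type, so a user and a group that share a name are not
        // told apart here. Confirm this is intended.
        String principalName = hivePrincipal.getName();
        boolean namesPrincipal = users.contains(principalName) || groups.contains(principalName);

        if (grantsAcl && namesPrincipal) {
            if (policy.getCreateTime() != null) {
                // Milliseconds to seconds, narrowed to int because creationDate is an int.
                creationDate = (int) (policy.getCreateTime().getTime() / 1000);
            }
            if (policyItem.getDelegateAdmin() != null) {
                delegateAdmin = policyItem.getDelegateAdmin().booleanValue();
            }
        }
    }

    HivePrincipal grantorPrincipal =
        new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
    HivePrivilegeObject privilegeObject =
        new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
    HivePrivilege privilege = new HivePrivilege(aclName, null);

    return new HivePrivilegeInfo(
        hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
}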
Example #8
Source File: DefaultSentryValidator.java From incubator-sentry with Apache License 2.0 | 5 votes |
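/**
 * Filters the objects returned by a listing command down to those the current user may see.
 *
 * <p>The type of the first element selects the filter for the whole list: {@code DATABASE}
 * uses {@code filterShowDatabases}, {@code TABLE_OR_VIEW} uses {@code filterShowTables}. Lists
 * that are {@code null}, empty, or start with any other type are returned unchanged.
 *
 * <p>If obtaining the binding or running the filter fails, the failure is logged at ERROR
 * level and an empty list is returned. Returning the unfiltered input on failure would expose
 * object names that were never checked against the user's privileges.
 *
 * @param listObjs objects produced by the listing command, may be {@code null}
 * @param context authorization context of the command; not read by this method
 * @return the filtered list, the input itself when no filter applies, or an empty list when
 *     filtering failed
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
                                                      HiveAuthzContext context) {
    if (listObjs == null || listObjs.isEmpty()) {
        return listObjs;
    }

    // NOTE(review): only the first element's type is inspected; this assumes a listing never
    // mixes object types. Confirm against the callers.
    HivePrivilegeObjectType pType = listObjs.get(0).getType();
    HiveAuthzBinding hiveAuthzBinding = null;
    try {
        switch (pType) {
            case DATABASE:
                hiveAuthzBinding = getAuthzBinding();
                listObjs = filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
                break;
            case TABLE_OR_VIEW:
                hiveAuthzBinding = getAuthzBinding();
                listObjs = filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
                break;
            default:
                // Other object types are not filtered by this method.
                break;
        }
    } catch (Exception e) {
        // Fail closed: an authorization filter that could not run must not hand back the
        // unfiltered listing. Logged at ERROR so the failure is visible in normal operation.
        LOG.error("filterListCmdObjects: filtering failed, returning no objects", e);
        listObjs = new java.util.ArrayList<HivePrivilegeObject>();
    } finally {
        if (hiveAuthzBinding != null) {
            hiveAuthzBinding.close();
        }
    }
    return listObjs;
}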
Example #9
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Derives the Hive privilege object type from a Sentry privilege object descriptor.
 *
 * <p>The flags are checked in a fixed order: server, then URI, then table. A descriptor with
 * none of them set is treated as a database.
 *
 * @param privSubjectDesc descriptor to classify; must not be {@code null}
 * @return {@code GLOBAL}, {@code LOCAL_URI}, {@code TABLE_OR_VIEW} or {@code DATABASE}, or
 *     {@code null} when the descriptor carries no object
 */
protected static HivePrivilegeObjectType getPrivObjectType(
        SentryHivePrivilegeObjectDesc privSubjectDesc) {
    // No object at all: there is nothing to classify, and callers receive null.
    if (privSubjectDesc.getObject() == null) {
        return null;
    }

    if (privSubjectDesc.getServer()) {
        return HivePrivilegeObjectType.GLOBAL;
    }
    if (privSubjectDesc.getUri()) {
        return HivePrivilegeObjectType.LOCAL_URI;
    }
    if (privSubjectDesc.getTable()) {
        return HivePrivilegeObjectType.TABLE_OR_VIEW;
    }
    return HivePrivilegeObjectType.DATABASE;
}
Example #10
Source File: SentryHiveAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Resolves a privilege object descriptor into a Hive privilege object.
 *
 * <p>A {@code SentryHivePrivilegeObjectDesc} that reports {@code isSentryPrivObjectDesc()} is
 * turned into a {@code SentryHivePrivilegeObject}. Every other descriptor, including
 * {@code null}, is handed to the superclass implementation.
 *
 * @param privSubjectDesc descriptor to resolve, may be {@code null}
 * @return the resolved privilege object
 * @throws HiveException declared by the overridden method
 */
@Override
public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
        throws HiveException {
    // instanceof is false for null, so no separate null check is needed.
    if (!(privSubjectDesc instanceof SentryHivePrivilegeObjectDesc)) {
        return super.getHivePrivilegeObject(privSubjectDesc);
    }

    final SentryHivePrivilegeObjectDesc sentryDesc = (SentryHivePrivilegeObjectDesc) privSubjectDesc;
    if (!sentryDesc.isSentryPrivObjectDesc()) {
        return super.getHivePrivilegeObject(privSubjectDesc);
    }

    // NOTE(review): getPrivObjectType appears to return null when the descriptor has no object;
    // confirm SentryHivePrivilegeObject accepts a null type.
    final HivePrivilegeObjectType resolvedType = getPrivObjectType(sentryDesc);
    return new SentryHivePrivilegeObject(resolvedType, privSubjectDesc.getObject());
}
Example #11
Source File: RangerHiveAuthorizer.java From ranger with Apache License 2.0 | 4 votes |
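/**
 * Attaches row-filter expressions and column-masking transformers to the given Hive objects.
 *
 * <p>Only objects of type {@code TABLE_OR_VIEW} are processed; an object whose type is
 * {@code null} is treated as a table or view. The objects are modified in place. The result
 * holds only those objects that received a row filter or had at least one column transformed.
 *
 * <p>The debug traces include the row-filter expression text, so enabling DEBUG for this
 * logger writes policy expressions to the log.
 *
 * @param queryContext authorization context of the query
 * @param hiveObjs objects referenced by the query, may be {@code null} or empty
 * @return the objects that need to be transformed; empty when there are none
 * @throws SemanticException declared by the signature; not thrown directly in this body
 */
@Override
public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext,
                                                                List<HivePrivilegeObject> hiveObjs)
        throws SemanticException {
    List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

    // Null-safe count for the debug traces: the processing below tolerates a null list, so the
    // logging must not dereference it either.
    final int objCount = (hiveObjs == null) ? 0 : hiveObjs.size();

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + ")");
    }

    RangerPerfTracer perf = null;

    if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
    }

    if (CollectionUtils.isNotEmpty(hiveObjs)) {
        for (HivePrivilegeObject hiveObj : hiveObjs) {
            HivePrivilegeObjectType hiveObjType = hiveObj.getType();

            if (hiveObjType == null) {
                // An untyped object still goes through filtering and masking.
                hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
            }

            if (LOG.isDebugEnabled()) {
                LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
            }

            boolean needToTransform = false;

            if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
                String database = hiveObj.getDbname();
                String table = hiveObj.getObjectName();

                String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

                if (StringUtils.isNotBlank(rowFilterExpr)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
                    }

                    hiveObj.setRowFilterExpression(rowFilterExpr);
                    needToTransform = true;
                }

                if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
                    List<String> columnTransformers = new ArrayList<String>();

                    for (String column : hiveObj.getColumns()) {
                        boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

                        if (LOG.isDebugEnabled()) {
                            LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
                        }

                        needToTransform = needToTransform || isColumnTransformed;
                    }

                    // Set whenever the object lists columns, even if none was transformed.
                    hiveObj.setCellValueTransformers(columnTransformers);
                }
            }

            if (needToTransform) {
                ret.add(hiveObj);
            }
        }
    }

    RangerPerfTracer.log(perf);

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + objCount + "): retCount=" + ret.size());
    }

    return ret;
}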