@Override public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { hiveAccessController.applyAuthorizationConfigPolicy(hiveConf); }
public SQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { this.hiveAccessController = new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx); }
@Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { // validate principals roleName = roleName.toLowerCase(); adminGrantor = SQLAuthorizationUtils.getValidatedPrincipal(adminGrantor); hiveAccessController.createRole(roleName, adminGrantor); }
@Override public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } try { return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e); } }
private List<HiveRoleGrant> getRolesFromMS() throws HiveAuthzPluginException { try { List<RolePrincipalGrant> roles = getRoleGrants(currentUserName, PrincipalType.USER); Map<String, HiveRoleGrant> name2Rolesmap = new HashMap<String, HiveRoleGrant>(); getAllRoleAncestors(name2Rolesmap, roles); List<HiveRoleGrant> currentRoles = new ArrayList<HiveRoleGrant>(roles.size()); for (HiveRoleGrant role : name2Rolesmap.values()) { if (!HiveMetaStore.ADMIN.equalsIgnoreCase(role.getRoleName())) { currentRoles.add(role); } else { this.adminRole = role; } } return currentRoles; } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Failed to retrieve roles for " + currentUserName, e); } }
@Override public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { try { // first authorize the call if (!isUserAdmin()) { ensureShowGrantAllowed(principal); } List<RolePrincipalGrant> roleGrants = getRoleGrants(principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType())); List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(roleGrants.size()); for (RolePrincipalGrant roleGrant : roleGrants) { hiveRoleGrants.add(new HiveRoleGrant(roleGrant)); } return hiveRoleGrants; } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting role grant information for user " + principal.getName(), e); } }
if (!isUserAdmin()) { throw new HiveAccessControlException("User : " + currentUserName + " has to specify" + " a user name or role in the show grant. " + ADMIN_ONLY_MSG); if (!isUserAdmin()) { ensureShowGrantAllowed(principal); if (!isSupportedObjectType(msObjRef.getObjectType())) { getPluginPrivilegeObjType(msObjRef.getObjectType()), msObjRef.getDbName(), msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName());
private void verifySettability(List<String> paramRegexes, List<String> settableParams, ConfVars whiteListParam) throws HiveAuthzPluginException { HiveConf processedConf = newAuthEnabledConf(); processedConf.setVar(whiteListParam, Joiner.on("|").join(paramRegexes)); SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx()); accessController.applyAuthorizationConfigPolicy(processedConf); verifyParamSettability(settableParams, processedConf); }
@Override public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); try { metastoreClient.grant_privileges(privBag); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e); } }
@Override public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); mClient.revoke_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption); } catch (Exception e) { String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role " + roleName; throw SQLAuthorizationUtils.getPluginException(msg, e); } } } }
private List<HivePrivilege> expandAndValidatePrivileges(List<HivePrivilege> hivePrivileges) throws HiveAuthzPluginException { // expand ALL privileges, if any hivePrivileges = expandAllPrivileges(hivePrivileges); SQLAuthorizationUtils.validatePrivileges(hivePrivileges); return hivePrivileges; }
@Override public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // lower case roleName roleName = roleName.toLowerCase(); hiveAccessController.dropRole(roleName); }
@Override public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { return hiveAccessController.getAllRoles(); }
@Override public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the revoke, and get the set of privileges to be revoked List<HiveObjectPrivilege> revokePrivs = RevokePrivAuthUtils .authorizeAndGetRevokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName()); try { // unfortunately, the metastore api revokes all privileges that match on // principal, privilege object type it does not filter on the grator // username. // So this will revoke privileges that are granted by other users.This is // not SQL compliant behavior. Need to change/add a metastore api // that has desired behavior. metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e); } }
if (!isUserAdmin()) { throw new HiveAccessControlException("User : " + currentUserName + " has to specify" + " a user name or role in the show grant. " + ADMIN_ONLY_MSG); if (!isUserAdmin()) { ensureShowGrantAllowed(principal); if (!isSupportedObjectType(msObjRef.getObjectType())) { getPluginPrivilegeObjType(msObjRef.getObjectType()), msObjRef.getDbName(), msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName());
/** * Test that SQLStdHiveAccessController is not applying config restrictions on CLI * * @throws HiveAuthzPluginException */ @Test public void testConfigProcessing() throws HiveAuthzPluginException { HiveConf processedConf = new HiveConf(); SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, processedConf, new HadoopDefaultAuthenticator(), getCLISessionCtx() ); accessController.applyAuthorizationConfigPolicy(processedConf); // check that hook to disable transforms has not been added assertFalse("Check for transform query disabling hook", processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); // verify that some dummy param can be set processedConf.verifyAndSet("dummy.param", "dummy.val"); processedConf.verifyAndSet(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true"); }
@Override public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } try { return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e); } }
@Override public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); try { metastoreClient.grant_privileges(privBag); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e); } }
@Override public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { try { // first authorize the call if (!isUserAdmin()) { ensureShowGrantAllowed(principal); } List<RolePrincipalGrant> roleGrants = getRoleGrants(principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType())); List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(roleGrants.size()); for (RolePrincipalGrant roleGrant : roleGrants) { hiveRoleGrants.add(new HiveRoleGrant(roleGrant)); } return hiveRoleGrants; } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting role grant information for user " + principal.getName(), e); } }
/** * Add role names of parentRoles and its parents to processedRolesMap * * @param processedRolesMap * @param roleGrants * @throws TException * @throws HiveAuthzPluginException * @throws MetaException */ private void getAllRoleAncestors(Map<String, HiveRoleGrant> processedRolesMap, List<RolePrincipalGrant> roleGrants) throws MetaException, HiveAuthzPluginException, TException { for (RolePrincipalGrant parentRoleGrant : roleGrants) { String parentRoleName = parentRoleGrant.getRoleName(); if (processedRolesMap.get(parentRoleName) == null) { // unprocessed role: get its parents, add it to processed, and call this // function recursively List<RolePrincipalGrant> nextParentRoles = getRoleGrants(parentRoleName, PrincipalType.ROLE); processedRolesMap.put(parentRoleName, new HiveRoleGrant(parentRoleGrant)); getAllRoleAncestors(processedRolesMap, nextParentRoles); } } }