@Override public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { return new HDFSPermissionPolicyProvider(getConf()); }
/** * Make sure that the warehouse variable is set up properly. * @throws MetaException if unable to instantiate */ private void initWh() throws MetaException, HiveException { if (wh == null){ if(!isRunFromMetaStore){ // Note, although HiveProxy has a method that allows us to check if we're being // called from the metastore or from the client, we don't have an initialized HiveProxy // till we explicitly initialize it as being from the client side. So, we have a // chicken-and-egg problem. So, we now track whether or not we're running from client-side // in the SBAP itself. hive_db = new HiveProxy(Hive.get(getConf(), StorageBasedAuthorizationProvider.class)); this.wh = new Warehouse(getConf()); if (this.wh == null){ // If wh is still null after just having initialized it, bail out - something's very wrong. throw new IllegalStateException("Unable to initialize Warehouse from clientside."); } }else{ // not good if we reach here, this was initialized at setMetaStoreHandler() time. // this means handler.getWh() is returning null. Error out. throw new IllegalStateException("Uninitialized Warehouse from MetastoreHandler"); } } }
/** * Make sure that the warehouse variable is set up properly. * @throws MetaException if unable to instantiate */ private void initWh() throws MetaException, HiveException { if (wh == null){ if(!isRunFromMetaStore){ // Note, although HiveProxy has a method that allows us to check if we're being // called from the metastore or from the client, we don't have an initialized HiveProxy // till we explicitly initialize it as being from the client side. So, we have a // chicken-and-egg problem. So, we now track whether or not we're running from client-side // in the SBAP itself. hive_db = new HiveProxy(Hive.get(getConf(), StorageBasedAuthorizationProvider.class)); this.wh = new Warehouse(getConf()); if (this.wh == null){ // If wh is still null after just having initialized it, bail out - something's very wrong. throw new IllegalStateException("Unable to initialize Warehouse from clientside."); } }else{ // not good if we reach here, this was initialized at setMetaStoreHandler() time. // this means handler.getWh() is returning null. Error out. throw new IllegalStateException("Uninitialized Warehouse from MetastoreHandler"); } } }
/** * Authorization privileges against a path. * * @param path * a filesystem path * @param readRequiredPriv * a list of privileges needed for inputs. * @param writeRequiredPriv * a list of privileges needed for outputs. */ public void authorize(Path path, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { try { EnumSet<FsAction> actions = getFsActions(readRequiredPriv); actions.addAll(getFsActions(writeRequiredPriv)); if (actions.isEmpty()) { return; } checkPermissions(getConf(), path, actions); } catch (AccessControlException ex) { throw authorizationException(ex); } catch (LoginException ex) { throw authorizationException(ex); } catch (IOException ex) { throw hiveException(ex); } }
/** * Authorization privileges against a path. * * @param path * a filesystem path * @param readRequiredPriv * a list of privileges needed for inputs. * @param writeRequiredPriv * a list of privileges needed for outputs. */ public void authorize(Path path, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { try { EnumSet<FsAction> actions = getFsActions(readRequiredPriv); actions.addAll(getFsActions(writeRequiredPriv)); if (actions.isEmpty()) { return; } checkPermissions(getConf(), path, actions); } catch (AccessControlException ex) { throw authorizationException(ex); } catch (LoginException ex) { throw authorizationException(ex); } catch (IOException ex) { throw hiveException(ex); } }
@Override public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { Path path = getDbLocation(db); // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(path, getConf(), authenticator.getUserName()); } authorize(path, readRequiredPriv, writeRequiredPriv); }
@Override public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { Path path = getDbLocation(db); // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(path, getConf(), authenticator.getUserName()); } authorize(path, readRequiredPriv, writeRequiredPriv); }
private void authorize(Table table, Partition part, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(part.getDataLocation(), getConf(), authenticator.getUserName()); } // Partition path can be null in the case of a new create partition - in this case, // we try to default to checking the permissions of the parent table. // Partition itself can also be null, in cases where this gets called as a generic // catch-all call in cases like those with CTAS onto an unpartitioned table (see HIVE-1887) if ((part == null) || (part.getLocation() == null)) { if (requireCreatePrivilege(readRequiredPriv) || requireCreatePrivilege(writeRequiredPriv)) { // this should be the case only if this is a create partition. // The privilege needed on the table should be ALTER_DATA, and not CREATE authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA}); } else { authorize(table, readRequiredPriv, writeRequiredPriv); } } else { authorize(part.getDataLocation(), readRequiredPriv, writeRequiredPriv); } }
private void authorize(Table table, Partition part, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(part.getDataLocation(), getConf(), authenticator.getUserName()); } // Partition path can be null in the case of a new create partition - in this case, // we try to default to checking the permissions of the parent table. // Partition itself can also be null, in cases where this gets called as a generic // catch-all call in cases like those with CTAS onto an unpartitioned table (see HIVE-1887) if ((part == null) || (part.getLocation() == null)) { if (requireCreatePrivilege(readRequiredPriv) || requireCreatePrivilege(writeRequiredPriv)) { // this should be the case only if this is a create partition. // The privilege needed on the table should be ALTER_DATA, and not CREATE authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA}); } else { authorize(table, readRequiredPriv, writeRequiredPriv); } } else { authorize(part.getDataLocation(), readRequiredPriv, writeRequiredPriv); } }
/** * Make sure that the warehouse variable is set up properly. * @throws MetaException if unable to instantiate */ private void initWh() throws MetaException, HiveException { if (wh == null){ if(!isRunFromMetaStore){ // Note, although HiveProxy has a method that allows us to check if we're being // called from the metastore or from the client, we don't have an initialized HiveProxy // till we explicitly initialize it as being from the client side. So, we have a // chicken-and-egg problem. So, we now track whether or not we're running from client-side // in the SBAP itself. hive_db = new HiveProxy(Hive.get(getConf(), StorageBasedAuthorizationProvider.class)); this.wh = new Warehouse(getConf()); if (this.wh == null){ // If wh is still null after just having initialized it, bail out - something's very wrong. throw new IllegalStateException("Unable to initialize Warehouse from clientside."); } }else{ // not good if we reach here, this was initialized at setMetaStoreHandler() time. // this means handler.getWh() is returning null. Error out. throw new IllegalStateException("Uninitialized Warehouse from MetastoreHandler"); } } }
/** * Authorization privileges against a path. * * @param path * a filesystem path * @param readRequiredPriv * a list of privileges needed for inputs. * @param writeRequiredPriv * a list of privileges needed for outputs. */ public void authorize(Path path, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { try { EnumSet<FsAction> actions = getFsActions(readRequiredPriv); actions.addAll(getFsActions(writeRequiredPriv)); if (actions.isEmpty()) { return; } checkPermissions(getConf(), path, actions); } catch (AccessControlException ex) { throw authorizationException(ex); } catch (LoginException ex) { throw authorizationException(ex); } catch (IOException ex) { throw hiveException(ex); } }
@Override public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { Path path = getDbLocation(db); // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(path, getConf(), authenticator.getUserName()); } authorize(path, readRequiredPriv, writeRequiredPriv); }
private void authorize(Table table, Partition part, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) throws HiveException, AuthorizationException { // extract drop privileges DropPrivilegeExtractor privExtractor = new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv); readRequiredPriv = privExtractor.getReadReqPriv(); writeRequiredPriv = privExtractor.getWriteReqPriv(); // authorize drops if there was a drop privilege requirement if(privExtractor.hasDropPrivilege()) { checkDeletePermission(part.getDataLocation(), getConf(), authenticator.getUserName()); } // Partition path can be null in the case of a new create partition - in this case, // we try to default to checking the permissions of the parent table. // Partition itself can also be null, in cases where this gets called as a generic // catch-all call in cases like those with CTAS onto an unpartitioned table (see HIVE-1887) if ((part == null) || (part.getLocation() == null)) { // this should be the case only if this is a create partition. // The privilege needed on the table should be ALTER_DATA, and not CREATE authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA}); } else { authorize(part.getDataLocation(), readRequiredPriv, writeRequiredPriv); } }
checkDeletePermission(path, getConf(), authenticator.getUserName());