/**
 * Checks that a non-admin user may look at the grants of {@code principal}.
 *
 * <p>A user may only request their own privileges, or those of a role they are a member of.
 * Callers invoke this only after establishing that the current user is not an admin.
 *
 * @param principal the user or role whose grants are being requested
 * @throws HiveAccessControlException if the current user may not see these grants
 * @throws HiveAuthzPluginException if role membership could not be determined
 */
private void ensureShowGrantAllowed(HivePrincipal principal) throws HiveAccessControlException,
    HiveAuthzPluginException {
  String requestedName = principal.getName();
  switch (principal.getType()) {
  case USER:
    if (requestedName.equals(currentUserName)) {
      return;
    }
    throw new HiveAccessControlException("User : " + currentUserName + " is not"
        + " allowed check privileges of another user : " + requestedName + ". "
        + ADMIN_ONLY_MSG);
  case ROLE:
    if (userBelongsToRole(requestedName)) {
      return;
    }
    throw new HiveAccessControlException("User : " + currentUserName + " is not"
        + " allowed check privileges of a role it does not belong to : " + requestedName + ". "
        + ADMIN_ONLY_MSG);
  default:
    // Only USER and ROLE principals are expected here; anything else is a programming error.
    throw new AssertionError("Unexpected principal type " + principal.getType());
  }
}
/**
 * Restricts a non-admin user to viewing their own grants or those of a role they belong to.
 *
 * <p>Expected to be called only when the current user is not an admin.
 *
 * @param principal the user or role whose grants are requested
 * @throws HiveAccessControlException if the request is for another user, or for a role the
 *         current user is not a member of
 * @throws HiveAuthzPluginException if role membership cannot be looked up
 */
private void ensureShowGrantAllowed(HivePrincipal principal) throws HiveAccessControlException,
    HiveAuthzPluginException {
  String name = principal.getName();
  // The reason fragment of the denial message depends on the principal type; the rest
  // of the message is shared.
  String denialReason;
  switch (principal.getType()) {
  case USER:
    if (name.equals(currentUserName)) {
      return;
    }
    denialReason = " allowed check privileges of another user : ";
    break;
  case ROLE:
    if (userBelongsToRole(name)) {
      return;
    }
    denialReason = " allowed check privileges of a role it does not belong to : ";
    break;
  default:
    throw new AssertionError("Unexpected principal type " + principal.getType());
  }
  throw new HiveAccessControlException("User : " + currentUserName + " is not" + denialReason
      + name + ". " + ADMIN_ONLY_MSG);
}
/**
 * Creates a role through the {@code Hive} client for this authorizer's configuration.
 *
 * @param roleName name of the role to create
 * @param adminGrantor principal whose name is passed to {@code Hive.createRole} as the
 *        grantor; may be {@code null}, in which case {@code null} is passed
 * @throws HiveAuthzPluginException if the {@code Hive} call fails
 * @throws HiveAccessControlException declared by the interface; not raised by this method
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  String grantorName = (adminGrantor != null) ? adminGrantor.getName() : null;
  try {
    Hive.getWithFastCheck(this.conf).createRole(roleName, grantorName);
  } catch (HiveException e) {
    throw new HiveAuthzPluginException(e);
  }
}
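/**
 * Returns the role grants of {@code principal}, after checking that the current user is
 * allowed to see them.
 *
 * <p>Admins may query any principal; other users are restricted by
 * {@link #ensureShowGrantAllowed(HivePrincipal)} to themselves and roles they belong to.
 *
 * @param principal the user or role whose role grants are requested
 * @return one {@link HiveRoleGrant} per grant returned by the metastore
 * @throws HiveAccessControlException if the current user may not see these grants
 * @throws HiveAuthzPluginException if the grant lookup fails
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // Authorize outside the try block: the catch-all below wraps everything in a plugin
  // exception, which would turn an access-control denial into an "error" and hide the
  // HiveAccessControlException this method declares.
  if (!isUserAdmin()) {
    ensureShowGrantAllowed(principal);
  }
  try {
    List<RolePrincipalGrant> roleGrants = getRoleGrants(principal.getName(),
        AuthorizationUtils.getThriftPrincipalType(principal.getType()));
    List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(roleGrants.size());
    for (RolePrincipalGrant roleGrant : roleGrants) {
      hiveRoleGrants.add(new HiveRoleGrant(roleGrant));
    }
    return hiveRoleGrants;
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException(
        "Error getting role grant information for user " + principal.getName(), e);
  }
}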
/**
 * Creates a role via {@code Hive.createRole}.
 *
 * @param roleName name of the new role
 * @param adminGrantor principal recorded as grantor, or {@code null} to pass no grantor name
 * @throws HiveAuthzPluginException wrapping any {@code HiveException} from the client
 * @throws HiveAccessControlException declared by the interface; not raised here
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  try {
    Hive client = Hive.getWithFastCheck(this.conf);
    String grantorName;
    if (adminGrantor == null) {
      grantorName = null;
    } else {
      grantorName = adminGrantor.getName();
    }
    client.createRole(roleName, grantorName);
  } catch (HiveException e) {
    throw new HiveAuthzPluginException(e);
  }
}
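/**
 * Returns the role grants of {@code principal}, subject to an authorization check.
 *
 * <p>Non-admin users are limited by {@link #ensureShowGrantAllowed(HivePrincipal)} to their
 * own grants and to roles they are a member of.
 *
 * @param principal the user or role whose role grants are requested
 * @return the metastore's grants for {@code principal}, converted to {@link HiveRoleGrant}
 * @throws HiveAccessControlException if the current user may not see these grants
 * @throws HiveAuthzPluginException if the grant lookup fails
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  try {
    // first authorize the call
    if (!isUserAdmin()) {
      ensureShowGrantAllowed(principal);
    }
    List<RolePrincipalGrant> roleGrants = getRoleGrants(principal.getName(),
        AuthorizationUtils.getThriftPrincipalType(principal.getType()));
    List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(roleGrants.size());
    for (RolePrincipalGrant roleGrant : roleGrants) {
      hiveRoleGrants.add(new HiveRoleGrant(roleGrant));
    }
    return hiveRoleGrants;
  } catch (HiveAccessControlException e) {
    // An authorization denial is not a plugin failure: let it reach the caller unchanged
    // instead of being re-wrapped by the catch-all below.
    throw e;
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException(
        "Error getting role grant information for user " + principal.getName(), e);
  }
}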
/**
 * Lists the roles granted to {@code principal}, as reported by the {@code Hive} client.
 *
 * @param principal the user or role to look up
 * @return the grants converted to {@link HiveRoleGrant}, in the order the client returned them
 * @throws HiveAuthzPluginException wrapping any {@code HiveException} from the client
 * @throws HiveAccessControlException declared by the interface; not raised here
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  PrincipalType thriftType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
  List<HiveRoleGrant> result = new ArrayList<HiveRoleGrant>();
  try {
    Hive client = Hive.getWithFastCheck(this.conf);
    for (RolePrincipalGrant rawGrant
        : client.getRoleGrantInfoForPrincipal(principal.getName(), thriftType)) {
      result.add(new HiveRoleGrant(rawGrant));
    }
  } catch (HiveException e) {
    throw new HiveAuthzPluginException(e);
  }
  return result;
}
/**
 * Returns the role grants of {@code principal} from the {@code Hive} client.
 *
 * @param principal the user or role whose grants are requested
 * @return a fresh list of {@link HiveRoleGrant}, one per grant returned by the client
 * @throws HiveAuthzPluginException if the client call fails
 * @throws HiveAccessControlException declared by the interface; not raised here
 */
@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
    throws HiveAuthzPluginException, HiveAccessControlException {
  String principalName = principal.getName();
  PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
  try {
    Hive hive = Hive.getWithFastCheck(this.conf);
    List<HiveRoleGrant> converted = new ArrayList<HiveRoleGrant>();
    for (RolePrincipalGrant grant : hive.getRoleGrantInfoForPrincipal(principalName, principalType)) {
      converted.add(new HiveRoleGrant(grant));
    }
    return converted;
  } catch (HiveException e) {
    throw new HiveAuthzPluginException(e);
  }
}
/**
 * Grants or revokes every role in {@code roles} for every principal in {@code principals}.
 *
 * @param principals grantees (users or roles)
 * @param roles names of the roles to grant or revoke
 * @param grantOption passed through to the {@code Hive} grant/revoke call
 * @param grantor principal recorded as grantor; its type is converted even on revoke, so it
 *        must not be {@code null}
 * @param isGrant {@code true} to grant, {@code false} to revoke
 * @throws HiveException if a {@code Hive} call fails
 */
private void grantOrRevokeRole(List<HivePrincipal> principals, List<String> roles,
    boolean grantOption, HivePrincipal grantor, boolean isGrant) throws HiveException {
  PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());
  Hive hive = Hive.getWithFastCheck(this.conf);
  for (HivePrincipal grantee : principals) {
    // The grantee may be a user or a role; both are addressed by name plus thrift type.
    PrincipalType granteeType = AuthorizationUtils.getThriftPrincipalType(grantee.getType());
    String granteeName = grantee.getName();
    for (String roleName : roles) {
      if (!isGrant) {
        hive.revokeRole(roleName, granteeName, granteeType, grantOption);
        continue;
      }
      hive.grantRole(roleName, granteeName, granteeType, grantor.getName(), grantorType,
          grantOption);
    }
  }
}
/**
 * Builds the thrift {@link PrivilegeGrantInfo} describing one privilege grant.
 *
 * @param privilege the privilege granted; its name becomes the thrift privilege string
 * @param grantorPrincipal the grantor; name and type are converted to their thrift forms
 * @param grantOption whether the grantee may pass the privilege on
 * @param grantTime grant time, passed through to the thrift object unchanged
 * @return a populated {@link PrivilegeGrantInfo}
 * @throws HiveException declared as part of this method's contract
 */
public static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privilege,
    HivePrincipal grantorPrincipal, boolean grantOption, int grantTime) throws HiveException {
  String privilegeName = privilege.getName();
  String grantorName = grantorPrincipal.getName();
  PrincipalType grantorType = getThriftPrincipalType(grantorPrincipal.getType());
  return new PrivilegeGrantInfo(privilegeName, grantTime, grantorName, grantorType, grantOption);
}
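/**
 * Creates a new role in the metastore. Only members of the admin role may do so, and the
 * name may not be one of {@code RESERVED_ROLE_NAMES}.
 *
 * @param roleName name of the role to create
 * @param adminGrantor principal recorded as the role's grantor; may be {@code null}
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException if the name is reserved or the metastore call fails
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // only user belonging to admin role can create new roles.
  if (!isUserAdmin()) {
    throw new HiveAccessControlException("Current user : " + currentUserName + " is not"
        + " allowed to add roles. " + ADMIN_ONLY_MSG);
  }
  // Upper-case with the root locale so that whether a name counts as reserved does not
  // depend on the JVM's default locale (e.g. the Turkish i/I case mapping).
  String normalizedName = roleName.trim().toUpperCase(java.util.Locale.ROOT);
  if (RESERVED_ROLE_NAMES.contains(normalizedName)) {
    throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: "
        + RESERVED_ROLE_NAMES);
  }
  try {
    String grantorName = adminGrantor == null ? null : adminGrantor.getName();
    metastoreClientFactory.getHiveMetastoreClient().create_role(
        new Role(roleName, 0, grantorName));
  } catch (TException e) {
    throw SQLAuthorizationUtils.getPluginException("Error create role", e);
  }
}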
/**
 * Applies a role grant or revoke for each (principal, role) pair.
 *
 * @param principals grantees (users or roles)
 * @param roles role names to grant or revoke
 * @param grantOption forwarded to {@code Hive.grantRole} / {@code Hive.revokeRole}
 * @param grantor principal recorded as grantor on grants; its type is converted up front,
 *        so it must not be {@code null} even when revoking
 * @param isGrant {@code true} to grant, {@code false} to revoke
 * @throws HiveException if a {@code Hive} call fails
 */
private void grantOrRevokeRole(List<HivePrincipal> principals, List<String> roles,
    boolean grantOption, HivePrincipal grantor, boolean isGrant) throws HiveException {
  PrincipalType grantorThriftType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());
  Hive client = Hive.getWithFastCheck(this.conf);
  for (HivePrincipal target : principals) {
    PrincipalType targetType = AuthorizationUtils.getThriftPrincipalType(target.getType());
    String targetName = target.getName();
    for (String role : roles) {
      if (isGrant) {
        client.grantRole(role, targetName, targetType, grantor.getName(), grantorThriftType,
            grantOption);
      } else {
        client.revokeRole(role, targetName, targetType, grantOption);
      }
    }
  }
}
/**
 * Converts a privilege plus its grantor into the thrift {@link PrivilegeGrantInfo} form.
 *
 * @param privilege granted privilege; only its name is used
 * @param grantorPrincipal the grantor, whose name and thrift type are recorded
 * @param grantOption whether the grant carries the grant option
 * @param grantTime grant time, recorded as given
 * @return the thrift grant info
 * @throws HiveException declared as part of this method's contract
 */
public static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privilege,
    HivePrincipal grantorPrincipal, boolean grantOption, int grantTime) throws HiveException {
  PrincipalType thriftGrantorType = getThriftPrincipalType(grantorPrincipal.getType());
  return new PrivilegeGrantInfo(
      privilege.getName(),
      grantTime,
      grantorPrincipal.getName(),
      thriftGrantorType,
      grantOption);
}
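/**
 * Validates the principal type and canonicalizes role names to lower case.
 *
 * @param hPrincipal principal to validate; {@code null}, or a principal with a {@code null}
 *        type, is returned as-is
 * @return the input unchanged for users; for roles, a new principal with the lower-cased name
 * @throws HiveAuthzPluginException if the principal type is neither USER nor ROLE
 */
public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal)
    throws HiveAuthzPluginException {
  if (hPrincipal == null || hPrincipal.getType() == null) {
    // null principal
    return hPrincipal;
  }
  switch (hPrincipal.getType()) {
  case USER:
    return hPrincipal;
  case ROLE:
    // Role names are case-insensitive, so lower-case them as the canonical form. Use the
    // root locale: with the default locale the same role name could canonicalize differently
    // on different hosts (e.g. the Turkish i/I mapping), breaking later name comparisons.
    return new HivePrincipal(hPrincipal.getName().toLowerCase(java.util.Locale.ROOT),
        hPrincipal.getType());
  default:
    throw new HiveAuthzPluginException("Invalid principal type in principal " + hPrincipal);
  }
}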
/**
 * Grants each of {@code roleNames} to each of {@code hivePrincipals} via the metastore.
 *
 * <p>Allowed for admins, and otherwise only when {@code doesUserHasAdminOption} accepts the
 * requested roles.
 *
 * @param hivePrincipals grantees (users or roles)
 * @param roleNames roles to grant
 * @param grantOption whether the grantees may in turn grant these roles
 * @param grantorPrinc principal recorded in the metastore as the grantor
 * @throws HiveAccessControlException if the current user may not grant these roles
 * @throws HiveAuthzPluginException if a metastore call fails
 */
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
    boolean grantOption, HivePrincipal grantorPrinc)
    throws HiveAuthzPluginException, HiveAccessControlException {
  boolean mayGrant = isUserAdmin() || doesUserHasAdminOption(roleNames);
  if (!mayGrant) {
    throw new HiveAccessControlException("Current user : " + currentUserName + " is not"
        + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
  }
  for (HivePrincipal grantee : hivePrincipals) {
    for (String roleName : roleNames) {
      try {
        IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();
        client.grant_role(roleName,
            grantee.getName(),
            AuthorizationUtils.getThriftPrincipalType(grantee.getType()),
            grantorPrinc.getName(),
            AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()),
            grantOption);
      } catch (MetaException e) {
        // Metastore-level failure: reported with a generic message.
        throw SQLAuthorizationUtils.getPluginException("Error granting role", e);
      } catch (Exception e) {
        throw SQLAuthorizationUtils.getPluginException(
            "Error granting roles for " + grantee.getName() + " to role " + roleName, e);
      }
    }
  }
}
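/**
 * Validates a principal's type and lower-cases role names so role lookups are
 * case-insensitive.
 *
 * @param hPrincipal principal to validate; returned unchanged when it or its type is
 *        {@code null}
 * @return the input for USER principals; for ROLE principals a new principal whose name is
 *         lower-cased
 * @throws HiveAuthzPluginException if the principal type is not USER or ROLE
 */
public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal)
    throws HiveAuthzPluginException {
  if (hPrincipal == null || hPrincipal.getType() == null) {
    // null principal
    return hPrincipal;
  }
  switch (hPrincipal.getType()) {
  case USER:
    return hPrincipal;
  case ROLE:
    // Lower-case role names for case-insensitive behavior. The root locale keeps the
    // canonical form independent of the JVM default locale; a locale-sensitive mapping
    // (e.g. Turkish i/I) would make the same role name canonicalize differently per host.
    return new HivePrincipal(hPrincipal.getName().toLowerCase(java.util.Locale.ROOT),
        hPrincipal.getType());
  default:
    throw new HiveAuthzPluginException("Invalid principal type in principal " + hPrincipal);
  }
}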
/**
 * Revokes each of {@code roleNames} from each of {@code hivePrincipals} via the metastore.
 *
 * <p>Allowed for admins, and otherwise only when {@code doesUserHasAdminOption} accepts the
 * requested roles.
 *
 * @param hivePrincipals principals (users or roles) to revoke from
 * @param roleNames roles to revoke
 * @param grantOption forwarded to the metastore {@code revoke_role} call
 * @param grantorPrinc declared by the interface; not used by the revoke call
 * @throws HiveAccessControlException if the current user may not revoke these roles
 * @throws HiveAuthzPluginException if a metastore call fails
 */
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
    boolean grantOption, HivePrincipal grantorPrinc)
    throws HiveAuthzPluginException, HiveAccessControlException {
  boolean mayRevoke = isUserAdmin() || doesUserHasAdminOption(roleNames);
  if (!mayRevoke) {
    throw new HiveAccessControlException("Current user : " + currentUserName + " is not"
        + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
  }
  for (HivePrincipal target : hivePrincipals) {
    for (String roleName : roleNames) {
      try {
        IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();
        client.revoke_role(roleName,
            target.getName(),
            AuthorizationUtils.getThriftPrincipalType(target.getType()),
            grantOption);
      } catch (Exception e) {
        throw SQLAuthorizationUtils.getPluginException(
            "Error revoking roles for " + target.getName() + " to role " + roleName, e);
      }
    }
  }
}
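/**
 * Creates a role in the metastore; admin-only, and the name may not be reserved.
 *
 * @param roleName name of the role to create
 * @param adminGrantor principal recorded as grantor, or {@code null} for none
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException if {@code roleName} is one of {@code RESERVED_ROLE_NAMES}
 *         (compared trimmed and case-insensitively) or the metastore call fails
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // only user belonging to admin role can create new roles.
  if (!isUserAdmin()) {
    throw new HiveAccessControlException("Current user : " + currentUserName + " is not"
        + " allowed to add roles. " + ADMIN_ONLY_MSG);
  }
  // Root-locale upper-casing: the reserved-name check is a security check and must give the
  // same answer regardless of the JVM default locale (e.g. Turkish i/I mapping).
  if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase(java.util.Locale.ROOT))) {
    throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: "
        + RESERVED_ROLE_NAMES);
  }
  try {
    String grantorName = adminGrantor == null ? null : adminGrantor.getName();
    metastoreClientFactory.getHiveMetastoreClient().create_role(
        new Role(roleName, 0, grantorName));
  } catch (TException e) {
    throw SQLAuthorizationUtils.getPluginException("Error create role", e);
  }
}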
/**
 * Grants or revokes the privileges in {@code privBag} for each principal in turn.
 *
 * <p>The same bag is reused for every principal: before each {@code Hive} call, every
 * privilege in it has its principal name and type overwritten with the current principal,
 * so the bag is mutated as a side effect.
 *
 * @param principals grantees (users or roles)
 * @param privBag privileges to grant or revoke; mutated in place
 * @param isGrant {@code true} to grant, {@code false} to revoke
 * @param grantOption forwarded to {@code Hive.revokePrivileges} when revoking; unused on grant
 * @throws HiveException if a {@code Hive} call fails
 */
private void grantOrRevokePrivs(List<HivePrincipal> principals, PrivilegeBag privBag,
    boolean isGrant, boolean grantOption) throws HiveException {
  for (HivePrincipal grantee : principals) {
    PrincipalType granteeType = AuthorizationUtils.getThriftPrincipalType(grantee.getType());
    String granteeName = grantee.getName();
    for (HiveObjectPrivilege objPriv : privBag.getPrivileges()) {
      objPriv.setPrincipalName(granteeName);
      objPriv.setPrincipalType(granteeType);
    }
    Hive client = Hive.getWithFastCheck(this.conf);
    if (!isGrant) {
      client.revokePrivileges(privBag, grantOption);
    } else {
      client.grantPrivileges(privBag);
    }
  }
}
/**
 * Applies the privileges in {@code privBag} to every principal, as a grant or a revoke.
 *
 * <p>Before each call the bag's privileges are re-pointed at the current principal, so
 * {@code privBag} is modified in place and ends up referring to the last principal.
 *
 * @param principals grantees
 * @param privBag the privileges to grant or revoke; mutated
 * @param isGrant {@code true} for grant, {@code false} for revoke
 * @param grantOption passed to the revoke call only
 * @throws HiveException if the {@code Hive} client call fails
 */
private void grantOrRevokePrivs(List<HivePrincipal> principals, PrivilegeBag privBag,
    boolean isGrant, boolean grantOption) throws HiveException {
  for (HivePrincipal target : principals) {
    PrincipalType targetType = AuthorizationUtils.getThriftPrincipalType(target.getType());
    for (HiveObjectPrivilege entry : privBag.getPrivileges()) {
      entry.setPrincipalName(target.getName());
      entry.setPrincipalType(targetType);
    }
    Hive hive = Hive.getWithFastCheck(this.conf);
    if (isGrant) {
      hive.grantPrivileges(privBag);
    } else {
      hive.revokePrivileges(privBag, grantOption);
    }
  }
}