Posted to commits@ranger.apache.org by rm...@apache.org on 2021/10/12 20:52:40 UTC
[ranger] 01/01: RANGER-3474:RangerHivePlugin enhancement to handle
new Hive commands
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit c3cc47da40f0f7504a3ed6ba7ecc363bc3afb248
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Tue Oct 12 11:55:30 2021 -0700
RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
---
.../hive/authorizer/RangerHiveAuthorizer.java | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dd758e9..2be4424 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -905,6 +905,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
//
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
+ } else if (hiveOpType.equals(HiveOperationType.ALTERTABLE_OWNER)) {
+ RangerHiveAccessRequest request = buildRequestForAlterTableSetOwnerFromCommandString(user, groups, roles, hiveOpType.name(), context, sessionContext);
+ if (request != null) {
+ requests.add(request);
+ } else {
+ throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+ user, hiveOpType.name()));
+ }
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
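Review bot: The new `else` branch that throws `HiveAccessControlException` when `request` is null reports a command-string parse failure as an ordinary permission denial, and as far as this hunk shows nothing is logged before the throw. An operator investigating the denial cannot tell a missing policy from an `ALTER TABLE ... SET OWNER` command whose table could not be determined. Keep the fail-closed behaviour but record the reason first, e.g. `LOG.warn("checkPrivileges: could not determine table for " + hiveOpType.name() + "; denying");`. The enclosing method starts and ends outside the hunk.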
@@ -3079,6 +3087,28 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
return ret;
}
+
+ private RangerHiveAccessRequest buildRequestForAlterTableSetOwnerFromCommandString(String user,
+ Set<String> userGroups,
+ Set<String> userRoles,
+ String hiveOpTypeName,
+ HiveAuthzContext context,
+ HiveAuthzSessionContext sessionContext) {
+ RangerHiveResource resource = null;
+ RangerHiveAccessRequest request = null;
+ HiveObj hiveObj = new HiveObj();
+ hiveObj.fetchHiveObjForAlterTable(context);
+ String dbName = hiveObj.getDatabaseName();
+ String tableName = hiveObj.getTableName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Database: " + dbName + " Table: " + tableName);
+ }
+ if (dbName != null && tableName != null) {
+ resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+ request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.ALTER, context, sessionContext);
+ }
+ return request;
+ }
}
enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
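Review bot: `buildRequestForAlterTableSetOwnerFromCommandString` authorizes an ownership transfer with `HiveAccessType.ALTER` on the table only, and the new owner named in the command is not part of the request. Table owners commonly receive additional privileges through owner-based policies, so it is worth confirming that ALTER is the intended bar for reassigning ownership and saying so in a Javadoc comment. The same comment should state the null contract, e.g. `/** Builds an ALTER request on the table named in the command string; returns null when the database or table cannot be resolved, which callers must treat as a denial. */`.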
@@ -3088,6 +3118,8 @@ class HiveObj {
String databaseName;
String tableName;
+ HiveObj() {}
+
HiveObj(HiveAuthzContext context) {
fetchHiveObj(context);
}
@@ -3120,6 +3152,29 @@ class HiveObj {
}
}
+ public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
+ // cmd passed: Alter Table <database.tableName or tableName> set owner user|role <user_or_role>
+ if (context != null) {
+ String cmdString = context.getCommandString();
+ if (cmdString != null) {
+ String[] cmd = cmdString.trim().split("\\s+");
+ if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
+ tableName = cmd[2];
+ if (tableName.contains(".")) {
+ String[] result = splitDBName(tableName);
+ databaseName = result[0];
+ tableName = result[1];
+ } else {
+ SessionState sessionState = SessionState.get();
+ if (sessionState != null) {
+ databaseName = sessionState.getCurrentDatabase();
+ }
+ }
+ }
+ }
+ }
+ }
+
private String[] splitDBName(String dbName) {
String[] ret = null;
ret = dbName.split("\\.");
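Review bot: `fetchHiveObjForAlterTable` takes `cmd[2]` as the table name purely by position and indexes `result[0]`/`result[1]` without checking the length of what `splitDBName` returns, so the name Ranger evaluates may differ from the object Hive actually alters. `cmd[0]` and `cmd[1]` are never compared with `ALTER`/`TABLE`, backtick quoting is not stripped, and a name such as `db.` would make the visible `split("\\.")` return a single element unless the rest of `splitDBName` (outside the hunk) guards against it. Leave the fields null unless the form is recognized, so the caller denies: `if (result != null && result.length == 2) { databaseName = result[0]; tableName = result[1]; } else { tableName = null; }`. A sturdier fix would take the table from Hive's parsed statement rather than the raw command string, if that is available to the authorizer for this operation.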