Posted to commits@hive.apache.org by th...@apache.org on 2014/02/09 21:43:38 UTC
svn commit: r1566401 [1/3] - in /hive/trunk:
common/src/java/org/apache/hadoop/hive/conf/ conf/ data/conf/
itests/util/src/main/java/org/apache/hadoop/hive/ql/security/
metastore/src/java/org/apache/hadoop/hive/metastore/
ql/src/java/org/apache/hadoop/...
Author: thejas
Date: Sun Feb 9 20:43:37 2014
New Revision: 1566401
URL: http://svn.apache.org/r1566401
Log:
HIVE-5953 : SQL std auth - authorize grant/revoke on table/views (Thejas Nair reviewed by Ashutosh Chauhan)
Added:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RevokePrivAuthUtils.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLPrivTypeGrant.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLPrivilegeType.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/sqlstd/
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/sqlstd/TestOperation2Privilege.java
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_create_table_owner_privs.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out
Removed:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationPluginException.java
Modified:
hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
hive/trunk/conf/hive-default.xml.template
hive/trunk/data/conf/hive-site.xml
hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/metadata/TestHive.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java
hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
hive/trunk/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Sun Feb 9 20:43:37 2014
@@ -830,7 +830,7 @@ public class HiveConf extends Configurat
HIVE_SECURITY_COMMAND_WHITELIST("hive.security.command.whitelist", "set,reset,dfs,add,delete,compile"),
- HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", ""),
+ HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager"),
// If this is set all move tasks at the end of a multi-insert query will only begin once all
// outputs are ready
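Review bot: The new default for HIVE_CONF_RESTRICTED_LIST pins which authenticator and authorizer classes a session runs with, but nothing at the declaration records that this is a security boundary rather than a convenience, so a later edit could trim the list without realising what it protects. I would add above the entry `// Keys that select the authentication/authorization implementation; a session must not be able to switch them with SET (HIVE-5953).` The list does not include hive.security.authorization.enabled, so if that key is still settable at runtime a session could turn checks off altogether instead of replacing the implementation; worth confirming and, if so, adding it here and in hive-default.xml.template. The enum declaration continues outside the hunk.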
@@ -880,7 +880,7 @@ public class HiveConf extends Configurat
HIVE_VECTORIZATION_GROUPBY_CHECKINTERVAL("hive.vectorized.groupby.checkinterval", 100000),
HIVE_VECTORIZATION_GROUPBY_MAXENTRIES("hive.vectorized.groupby.maxentries", 1000000),
HIVE_VECTORIZATION_GROUPBY_FLUSH_PERCENT("hive.vectorized.groupby.flush.percent", (float) 0.1),
-
+
HIVE_TYPE_CHECK_ON_INSERT("hive.typecheck.on.insert", true),
@@ -895,7 +895,7 @@ public class HiveConf extends Configurat
HIVEEXPLAINDEPENDENCYAPPENDTASKTYPES("hive.explain.dependency.append.tasktype", false),
HIVECOUNTERGROUP("hive.counters.group.name", "HIVE"),
-
+
// none, column
// none is the default(past) behavior. Implies only alphaNumeric and underscore are valid characters in identifiers.
// column: implies column names can contain any character.
Modified: hive/trunk/conf/hive-default.xml.template
URL: http://svn.apache.org/viewvc/hive/trunk/conf/hive-default.xml.template?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/conf/hive-default.xml.template (original)
+++ hive/trunk/conf/hive-default.xml.template Sun Feb 9 20:43:37 2014
@@ -1656,7 +1656,7 @@
<property>
<name>hive.conf.restricted.list</name>
- <value></value>
+ <value>hive.security.authenticator.manager,hive.security.authorization.manager</value>
<description>Comma separated list of configuration options which are immutable at runtime</description>
</property>
Modified: hive/trunk/data/conf/hive-site.xml
URL: http://svn.apache.org/viewvc/hive/trunk/data/conf/hive-site.xml?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/data/conf/hive-site.xml (original)
+++ hive/trunk/data/conf/hive-site.xml Sun Feb 9 20:43:37 2014
@@ -197,4 +197,10 @@
<value>0</value>
</property>
+<property>
+ <name>hive.conf.restricted.list</name>
+ <value>dummy.config.value</value>
+ <description>Using dummy config value above because you cannot override config with empty value</description>
+</property>
+
</configuration>
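Review bot: The description on the new property explains the empty-value workaround but not the intent, which appears to be that the test configuration deliberately lifts the restriction that the new HiveConf default puts on hive.security.authenticator.manager and hive.security.authorization.manager, presumably so test query files can swap those classes at runtime. A reader of this file alone cannot tell that from `dummy.config.value`. I would extend the description to `Tests override the authenticator/authorization manager at runtime, so the default restricted list is replaced here; a dummy entry is used because a config value cannot be overridden with an empty string.`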
Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java Sun Feb 9 20:43:37 2014
@@ -22,11 +22,12 @@ import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
public class DummyAuthenticator implements HiveAuthenticationProvider {
- private List<String> groupNames;
- private String userName;
+ private final List<String> groupNames;
+ private final String userName;
private Configuration conf;
public DummyAuthenticator() {
@@ -56,8 +57,14 @@ public class DummyAuthenticator implemen
this.conf = conf;
}
+ @Override
public Configuration getConf() {
return this.conf;
}
+ @Override
+ public void setSessionState(SessionState ss) {
+ //no op
+ }
+
}
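Review bot: The `//no op` comment in the new setSessionState says what the method does but not why ignoring the session is safe here; the same bare comment appears on the setSessionState added to InjectableDummyAuthenticator and HadoopDefaultAuthenticator, each of which should state its own reason. Now that the interface hands every authenticator a SessionState, a reader should see at a glance that this implementation never consults it because userName and groupNames are final fields assigned in the constructor (which lies outside the hunk). I would replace it with `// Session state is not used: user and group names are fixed at construction time.`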
Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java Sun Feb 9 20:43:37 2014
@@ -22,6 +22,7 @@ import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.HiveMetaStore.HMSHandler;
import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
/**
*
@@ -80,7 +81,7 @@ public class InjectableDummyAuthenticato
@Override
public void setConf(Configuration config) {
try {
- hmap = (HiveMetastoreAuthenticationProvider) hmapClass.newInstance();
+ hmap = hmapClass.newInstance();
} catch (InstantiationException e) {
throw new RuntimeException("Whoops, could not create an Authenticator of class " +
hmapClass.getName());
@@ -102,4 +103,9 @@ public class InjectableDummyAuthenticato
hmap.destroy();
}
+ @Override
+ public void setSessionState(SessionState arg0) {
+ //no-op
+ }
+
}
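Review bot: The new setSessionState drops the session with a no-op, while destroy() just above delegates to the wrapped `hmap`; assuming HiveMetastoreAuthenticationProvider extends the interface changed in this commit, either the session should be forwarded to it (noting that hmap is created in setConf, visible in the previous hunk, so it may not exist yet) or the comment should say the wrapped provider deliberately does not receive it. The IDE-generated parameter name `arg0` also hides the meaning; the interface uses `ss`. A version that covers both cases is `public void setSessionState(SessionState ss) { if (hmap != null) { hmap.setSessionState(ss); } }`.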
Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java Sun Feb 9 20:43:37 2014
@@ -20,7 +20,6 @@ package org.apache.hadoop.hive.metastore
import java.util.List;
import java.util.Map;
-import java.util.Set;
import org.apache.hadoop.hive.metastore.api.AlreadyExistsException;
import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
@@ -931,6 +930,8 @@ public interface IMetaStoreClient {
throws MetaException, TException;
/**
+ * Return the privileges that the user, group have directly and indirectly through roles
+ * on the given hiveObject
* @param hiveObject
* @param user_name
* @param group_names
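Review bot: The added summary sentence `Return the privileges that the user, group have directly and indirectly through roles on the given hiveObject` reads awkwardly and leaves open whether the group privileges are unioned with the user's. I would write `Return the privileges that the given user and groups hold on hiveObject, both directly and indirectly through roles.` The method signature itself lies outside the hunk.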
@@ -943,6 +944,7 @@ public interface IMetaStoreClient {
TException;
/**
+ * Return the privileges that this principal has directly over the object (not through roles).
* @param principal_name
* @param principal_type
* @param hiveObject
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java Sun Feb 9 20:43:37 2014
@@ -55,6 +55,7 @@ import org.apache.hadoop.hive.ql.exec.Ta
import org.apache.hadoop.hive.ql.exec.Utilities;
import org.apache.hadoop.hive.ql.history.HiveHistory.Keys;
import org.apache.hadoop.hive.ql.hooks.Entity;
+import org.apache.hadoop.hive.ql.hooks.Entity.Type;
import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
import org.apache.hadoop.hive.ql.hooks.Hook;
import org.apache.hadoop.hive.ql.hooks.HookContext;
@@ -185,6 +186,7 @@ public class Driver implements CommandPr
}
}
+ @Override
public void init() {
Operator.resetId();
}
@@ -728,7 +730,7 @@ public class Driver implements CommandPr
//support for authorization on partitions or uri needs to be added
HivePrivilegeObject hPrivObject = new HivePrivilegeObject(privObjType,
- privObject.getDatabase() == null ? null : privObject.getDatabase().getName(),
+ getDataBaseName(privObject),
privObject.getTable() == null ? null : privObject.getTable().getTableName());
hivePrivobjs.add(hPrivObject);
}
@@ -736,6 +738,13 @@ public class Driver implements CommandPr
}
+ private String getDataBaseName(Entity privObject) {
+ if(privObject.getType() == Type.DATABASE){
+ return privObject.getDatabase() == null ? null : privObject.getDatabase().getName();
+ } else {
+ return privObject.getTable() == null ? null : privObject.getTable().getDbName();
+ }
+ }
private HiveOperationType getHiveOperationType(HiveOperation op) {
return HiveOperationType.valueOf(op.name());
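Review bot: The new getDataBaseName helper carries no comment explaining why the database name is taken from the table for every non-DATABASE entity; presumably Entity.getDatabase() is only populated for DATABASE entities, which is what left the database field of the HivePrivilegeObject null for tables before this change and made same-named tables in different databases indistinguishable to the authorizer. That reasoning belongs on the method, e.g. `/** Database an authorization object belongs to: the entity's own database for DATABASE entities, else the owning database of its table (null for entity types without a table; see the partition/uri note in the caller). */`. The name also mixes capitalisation with the getDatabase() it wraps; `getDatabaseName` would match. The following getHiveOperationType body continues outside the hunk.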
@@ -967,6 +976,7 @@ public class Driver implements CommandPr
perfLogger.PerfLogEnd(CLASS_NAME, PerfLogger.RELEASE_LOCKS);
}
+ @Override
public CommandProcessorResponse run(String command)
throws CommandNeedRetryException {
return run(command, false);
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java Sun Feb 9 20:43:37 2014
@@ -23,6 +23,7 @@ import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.security.UserGroupInformation;
@@ -30,7 +31,7 @@ public class HadoopDefaultAuthenticator
protected String userName;
protected List<String> groupNames;
-
+
protected Configuration conf;
@Override
@@ -74,4 +75,9 @@ public class HadoopDefaultAuthenticator
return this.conf;
}
+ @Override
+ public void setSessionState(SessionState ss) {
+ //no op
+ }
+
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java Sun Feb 9 20:43:37 2014
@@ -22,17 +22,20 @@ import java.util.List;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
/**
* HiveAuthenticationProvider is an interface for authentication. The
* implementation should return userNames and groupNames.
*/
public interface HiveAuthenticationProvider extends Configurable{
-
+
public String getUserName();
-
+
public List<String> getGroupNames();
-
+
public void destroy() throws HiveException;
+ public void setSessionState(SessionState ss);
+
}
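Review bot: The new `setSessionState(SessionState ss)` is added to a public interface with no Javadoc, so implementors cannot tell when it is called relative to getUserName(), whether ss may be null, or whether an implementation may ignore it; this matters because the two SessionState-based authenticators added in this commit read the reported identity from it. I would document it as `Supply the session whose user this authenticator reports. Implementations that derive identity elsewhere (e.g. from Hadoop UGI) may ignore it.` and add the call-ordering guarantee once it is confirmed against the caller in SessionState, which is outside this diff. Adding an abstract method also breaks every existing third-party implementation of this interface, which deserves a release note.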
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+/**
+ * Authenticator to be used for testing and debugging. This picks the user.name
+ * set in SessionState config, if that is null, it returns value of
+ * System property user.name
+ */
+public class SessionStateConfigUserAuthenticator implements HiveAuthenticationProvider {
+
+ private final List<String> groupNames = new ArrayList<String>();
+
+ protected Configuration conf;
+ private SessionState sessionState;
+
+ @Override
+ public List<String> getGroupNames() {
+ return groupNames;
+ }
+
+ @Override
+ public String getUserName() {
+ String newUserName = sessionState.getConf().get("user.name");
+ return newUserName != null ? newUserName : System.getProperty("user.name");
+ }
+
+ @Override
+ public void destroy() throws HiveException {
+ return;
+ }
+
+ @Override
+ public Configuration getConf() {
+ return null;
+ }
+
+ @Override
+ public void setConf(Configuration arg0) {
+ }
+
+ @Override
+ public void setSessionState(SessionState sessionState) {
+ this.sessionState = sessionState;
+ }
+
+}
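Review bot: getUserName() dereferences `sessionState` unconditionally, but the field is only set through setSessionState(), so an instance created by class name and queried before a session is attached fails with a NullPointerException instead of a clear error. Separately, `conf` is declared but never written, setConf() discards its argument and getConf() returns null, which breaks the Configurable contract the interface extends; SessionStateUserAuthenticator in the next file has the same unused field. The class Javadoc should also say plainly that `user.name` in the session conf is chosen by the client, so this authenticator is only acceptable in test or debug deployments, which is exactly what the new HIVE_CONF_RESTRICTED_LIST default helps enforce by stopping a session from switching to this class at runtime. The rewrite below adds the guard and wires conf through; the bare `return;` in destroy() can simply be dropped.
```java
/**
 * Authenticator to be used for testing and debugging only. It reports the
 * user.name set in the SessionState config, falling back to the user.name
 * System property. The session conf value is supplied by the client, so this
 * class must not be configured where the session user has to be trustworthy.
 */
public class SessionStateConfigUserAuthenticator implements HiveAuthenticationProvider {

  // … unchanged: groupNames, conf, sessionState fields, getGroupNames …

  @Override
  public String getUserName() {
    if (sessionState == null) {
      throw new IllegalStateException("setSessionState() must be called before getUserName()");
    }
    String newUserName = sessionState.getConf().get("user.name");
    return newUserName != null ? newUserName : System.getProperty("user.name");
  }

  // … unchanged: destroy, setSessionState …

  @Override
  public Configuration getConf() {
    return conf;
  }

  @Override
  public void setConf(Configuration arg0) {
    this.conf = arg0;
  }
```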
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+/**
+ * Authenticator that returns the userName set in SessionState. For use when authorizing with HS2
+ * so that HS2 can set the user for the session through SessionState
+ */
+public class SessionStateUserAuthenticator implements HiveAuthenticationProvider {
+
+ private final List<String> groupNames = new ArrayList<String>();
+
+ protected Configuration conf;
+ private SessionState sessionState;
+
+ public SessionStateUserAuthenticator(SessionState sessionState){
+ this.sessionState = sessionState;
+ }
+
+ @Override
+ public List<String> getGroupNames() {
+ return groupNames;
+ }
+
+ @Override
+ public String getUserName() {
+ return sessionState.getUserName();
+ }
+
+ @Override
+ public void destroy() throws HiveException {
+ return;
+ }
+
+ @Override
+ public Configuration getConf() {
+ return null;
+ }
+
+ @Override
+ public void setConf(Configuration arg0) {
+ }
+
+ @Override
+ public void setSessionState(SessionState sessionState) {
+ this.sessionState = sessionState;
+ }
+
+}
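Review bot: The only constructor takes a SessionState, so if authenticators are instantiated by class name from hive.security.authenticator.manager through reflection (the creation site is outside this diff), this class cannot be loaded that way and the setSessionState() override becomes the only usable path; either add a no-arg constructor or document that HiveServer2 constructs it programmatically. The class Javadoc should also state the trust assumption: the returned user is whatever SessionState.getUserName() holds, so it is only as reliable as the component that set it. I would add to the Javadoc `Trusts the session user name as set by HiveServer2 after it has authenticated the connection; not for use where the session user can be chosen by the client.`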
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java Sun Feb 9 20:43:37 2014
@@ -30,31 +30,16 @@ import org.apache.hadoop.hive.ql.session
public class PrivilegeRegistry {
protected static Map<PrivilegeType, Privilege> Registry = null;
+ protected static Map<PrivilegeType, Privilege> RegistryV2 = null;
public static Privilege getPrivilege(PrivilegeType privilegeType) {
- initializeRegistry();
return Registry.get(privilegeType);
}
- private static void initializeRegistry() {
- if(Registry != null){
- //already initialized, nothing to do
- return;
- }
- //population of registry done in separate synchronized call
- populateRegistry();
- }
-
/**
- * Add entries to registry. This needs to be synchronized to avoid Registry being populated
- * multiple times.
+ * Add entries to registry.
*/
- private static synchronized void populateRegistry() {
- //do check again in synchronized block
- if(Registry != null){
- //already initialized, nothing to do
- return;
- }
+ static {
Registry = new HashMap<PrivilegeType, Privilege>();
//add the privileges supported in authorization mode V1
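Review bot: getPrivilege(PrivilegeType) still reads only `Registry`, while the token and name overloads in the next hunk now go through getPrivilegeFromRegistry() and consult RegistryV2 in V2 mode, so in V2 mode a lookup of INSERT or DELETE by PrivilegeType returns null even though the same privilege resolves by name or token. This is a regression of this commit: before it, Registry itself held those entries when V2 was on. Change the line to `return getPrivilegeFromRegistry(privilegeType);`.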
@@ -68,23 +53,28 @@ public class PrivilegeRegistry {
Registry.put(Privilege.SELECT.getPriv(), Privilege.SELECT);
Registry.put(Privilege.SHOW_DATABASE.getPriv(),
Privilege.SHOW_DATABASE);
- if(SessionState.get().isAuthorizationModeV2()){
- //add the privileges not supported in V1
- //The list of privileges supported in V2 is implementation defined,
- //so just pass everything that syntax supports.
- Registry.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
- Registry.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
- }
+
+ //add the privileges not supported in V1
+ //The list of privileges supported in V2 is implementation defined,
+ //so just pass everything that syntax supports.
+ RegistryV2 = new HashMap<PrivilegeType, Privilege>();
+ RegistryV2.putAll(Registry);
+ RegistryV2.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
+ RegistryV2.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
}
public static Privilege getPrivilege(int privilegeToken) {
- initializeRegistry();
- return Registry.get(PrivilegeType.getPrivTypeByToken(privilegeToken));
+ PrivilegeType ptype = PrivilegeType.getPrivTypeByToken(privilegeToken);
+ return getPrivilegeFromRegistry(ptype);
}
public static Privilege getPrivilege(String privilegeName) {
- initializeRegistry();
- return Registry.get(PrivilegeType.getPrivTypeByName(privilegeName));
+ PrivilegeType ptype = PrivilegeType.getPrivTypeByName(privilegeName);
+ return getPrivilegeFromRegistry(ptype);
+ }
+
+ private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
+ return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);
}
}
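Review bot: getPrivilegeFromRegistry() calls SessionState.get() without a null check, so a lookup on a thread with no session attached now fails with a NullPointerException from inside a privilege lookup, whereas the old code only touched SessionState during one-time population. Either make the fallback explicit, `SessionState ss = SessionState.get(); return ss != null && ss.isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);`, or document that callers must have a session. Both maps are also mutable `protected static` HashMaps filled once in the static initializer; wrapping them with Collections.unmodifiableMap after population would stop a subclass or stray caller from adding entries to the privilege tables.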
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java Sun Feb 9 20:43:37 2014
@@ -67,9 +67,7 @@ public enum PrivilegeType {
* @return corresponding PrivilegeType
*/
public static PrivilegeType getPrivTypeByToken(int token) {
- if(token2Type == null){
- populateToken2Type();
- }
+ populateToken2Type();
PrivilegeType privType = token2Type.get(token);
if(privType != null){
return privType;
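Review bot: The `if(token2Type == null)` guard is removed here and the matching `name2Type` guard in the next hunk, so populateToken2Type() and populateName2Type() now run on every lookup; unless each has its own initialised check (their bodies are not in this diff), a shared static map is rebuilt on every call, which is wasteful and racy when several sessions resolve privileges concurrently. If the guards were dropped because the populate methods already check and synchronise, a one-line comment saying so, `// populateToken2Type() is idempotent and synchronised; see its body`, would stop the next reader from re-adding them; otherwise move the population into a static initializer as PrivilegeRegistry now does. Both enclosing methods continue outside the hunk.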
@@ -93,9 +91,7 @@ public enum PrivilegeType {
* @return corresponding PrivilegeType
*/
public static PrivilegeType getPrivTypeByName(String privilegeName) {
- if(name2Type == null){
- populateName2Type();
- }
+ populateName2Type();
String canonicalizedName = privilegeName.toLowerCase();
PrivilegeType privType = name2Type.get(canonicalizedName);
if(privType != null){
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+
+/**
+ * Exception thrown by the Authorization plugin api (v2). Indicates
+ * an error while performing authorization, and not a authorization being
+ * denied.
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public class HiveAccessControlException extends HiveException{
+
+ private static final long serialVersionUID = 1L;
+
+ public HiveAccessControlException(){
+ }
+
+ public HiveAccessControlException(String msg){
+ super(msg);
+ }
+
+ public HiveAccessControlException(String msg, Throwable cause){
+ super(msg, cause);
+ }
+
+ public HiveAccessControlException(Throwable cause){
+ super(cause);
+ }
+
+}
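Review bot: The class Javadoc says this exception indicates `an error while performing authorization, and not a authorization being denied`, which contradicts both the name HiveAccessControlException and the way HiveAccessController now declares it alongside HiveAuthzPluginException; if this is the type that signals a denied operation, the comment appears to have been copied from the plugin-error exception and should read `Exception thrown by the Authorization plugin api (v2) when the current user does not have the privileges required for the requested operation; plugin failures use HiveAuthzPluginException instead.` Callers that map denial to a user-facing error and plugin failure to an internal error depend on this distinction being documented correctly. The empty `@LimitedPrivate(value = { "" })` audience is also worth filling in or dropping.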
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java Sun Feb 9 20:43:37 2014
@@ -19,47 +19,50 @@ package org.apache.hadoop.hive.ql.securi
import java.util.List;
-import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
/**
* Interface that is invoked by access control commands, including grant/revoke role/privileges,
* create/drop roles, and commands to read the state of authorization rules.
* Methods here have corresponding methods in HiveAuthorizer, check method documentation there.
*/
+@LimitedPrivate(value = { "" })
+@Evolving
public interface HiveAccessController {
void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
- throws HiveAuthorizationPluginException;;
+ throws HiveAuthzPluginException, HiveAccessControlException;
void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
- throws HiveAuthorizationPluginException;;
+ throws HiveAuthzPluginException, HiveAccessControlException;
void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
void dropRole(String roleName)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
List<HiveRole> getRoles(HivePrincipal hivePrincipal)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
HivePrincipal grantorPrinc)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
HivePrincipal grantorPrinc)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
List<String> getAllRoles()
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
- void setCurrentRole(String roleName) throws HiveAuthorizationPluginException;
+ void setCurrentRole(String roleName) throws HiveAuthzPluginException;
- List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException;
+ List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
}
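Review bot: setCurrentRole and getCurrentRoles (lines changed to `throws HiveAuthzPluginException;`) are the only methods on this interface that cannot raise HiveAccessControlException, so an implementation has no typed way to refuse a role switch to a role the user is not a member of; it would have to report the denial as a plugin (internal) error, which callers presumably handle differently from an authorization failure. If switching roles is meant to be an authorized action, declare `void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException;` here and in the matching declarations in HiveAuthorizer and the overrides in HiveAuthorizerImpl later in this commit. If the check is intentionally left to the implementation's own error path, a one-line comment on the method saying so would stop the asymmetry from being read as an omission.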
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java Sun Feb 9 20:43:37 2014
@@ -19,24 +19,28 @@ package org.apache.hadoop.hive.ql.securi
import java.util.List;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
/**
* Interface used to check if user has privileges to perform certain action.
* Methods here have corresponding methods in HiveAuthorizer, check method documentation there.
*/
-@Public
+@LimitedPrivate(value = { "" })
@Evolving
public interface HiveAuthorizationValidator {
+
/**
- * Check if current user has privileges to perform given operation type hiveOpType on the given
- * input and output objects
+ * Check if current user has privileges to perform given operation type
+ * hiveOpType on the given input and output objects
+ *
* @param hiveOpType
* @param inputHObjs
* @param outputHObjs
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs) throws HiveAuthorizationPluginException;
+ List<HivePrivilegeObject> outputHObjs) throws HiveAuthzPluginException, HiveAccessControlException;
}
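Review bot: The two new `@throws` tags in the checkPrivileges Javadoc carry no description, and the same bare tags are added throughout HiveAuthorizer and HiveAuthorizerFactory later in this commit. Because the two exception types mean opposite things (a denial versus a failure inside the plugin), the interface Javadoc is where a caller learns which one to surface as "access denied" and which to treat as an error; suggest `@throws HiveAuthzPluginException if an internal error occurs in the authorization plugin` and `@throws HiveAccessControlException if the current user is not permitted to perform the operation on the given objects`. Once written here, the HiveAuthorizer tags can reference this method's documentation, as the class comment already directs.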
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java Sun Feb 9 20:43:37 2014
@@ -19,9 +19,8 @@ package org.apache.hadoop.hive.ql.securi
import java.util.List;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
-import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
/**
@@ -34,7 +33,7 @@ import org.apache.hadoop.hive.ql.securit
* statements and does not make assumptions about the privileges needed for a hive operation.
* This is referred to as V2 authorizer in other parts of the code.
*/
-@Public
+@LimitedPrivate(value = { "" })
@Evolving
public interface HiveAuthorizer {
@@ -52,11 +51,12 @@ public interface HiveAuthorizer {
* @param hivePrivObject
* @param grantorPrincipal
* @param grantOption
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Revoke privileges for principals on the object
@@ -65,38 +65,42 @@ public interface HiveAuthorizer {
* @param hivePrivObject
* @param grantorPrincipal
* @param grantOption
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Create role
* @param roleName
* @param adminGrantor - The user in "[ WITH ADMIN <user> ]" clause of "create role"
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Drop role
* @param roleName
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void dropRole(String roleName)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Get roles that this user/role belongs to
* @param hivePrincipal - user or role
* @return list of roles
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
List<HiveRole> getRoles(HivePrincipal hivePrincipal)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Grant roles in given roles list to principals in given hivePrincipals list
@@ -104,11 +108,12 @@ public interface HiveAuthorizer {
* @param roles
* @param grantOption
* @param grantorPrinc
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
HivePrincipal grantorPrinc)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
@@ -117,43 +122,47 @@ public interface HiveAuthorizer {
* @param roles
* @param grantOption
* @param grantorPrinc
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
HivePrincipal grantorPrinc)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Check if user has privileges to do this action on these objects
* @param hiveOpType
* @param inputsHObjs
* @param outputHObjs
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
List<HivePrivilegeObject> outputHObjs)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* @return all existing roles
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
List<String> getAllRoles()
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
/**
* Show privileges for given principal on given object
* @param principal
* @param privObj
* @return
- * @throws HiveAuthorizationPluginException
+ * @throws HiveAuthzPluginException
+ * @throws HiveAccessControlException
*/
List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
- throws HiveAuthorizationPluginException;
+ throws HiveAuthzPluginException, HiveAccessControlException;
- void setCurrentRole(String roleName) throws HiveAuthorizationPluginException;
+ void setCurrentRole(String roleName) throws HiveAuthzPluginException;
- List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException;
+ List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
//other functions to be added -
//showUsersInRole(rolename)
//isSuperuser(username)
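Review bot: The `@return` tag in the showPrivileges Javadoc is left empty while the rest of the tags were being revised in this hunk; suggest `@return privileges held by the given principal on the given object`. The added `@throws` tags in this hunk also have no descriptions, which matters most for showPrivileges and getAllRoles, where it is not obvious from the signature what an access-control failure would mean for a read-only query. The interface continues past the end of this hunk.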
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java Sun Feb 9 20:43:37 2014
@@ -17,16 +17,17 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
/**
* Implementation of this interface specified through hive configuration will be used to
* create {@link HiveAuthorizer} instance used for hive authorization.
*
*/
-@Public
+@LimitedPrivate(value = { "" })
@Evolving
public interface HiveAuthorizerFactory {
/**
@@ -35,9 +36,10 @@ public interface HiveAuthorizerFactory {
* for the current thread. Each invocation of method in HiveAuthorizer can happen in
* different thread, so get the current instance in each method invocation.
* @param conf - current HiveConf
- * @param hiveCurrentUser - user for current session
+ * @param hiveAuthenticator - authenticator, provides user name
* @return new instance of HiveAuthorizer
+ * @throws HiveAuthzPluginException
*/
HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, String hiveCurrentUser) throws HiveAuthorizationPluginException;
+ HiveConf conf, HiveAuthenticationProvider hiveAuthenticator) throws HiveAuthzPluginException;
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java Sun Feb 9 20:43:37 2014
@@ -19,9 +19,8 @@ package org.apache.hadoop.hive.ql.securi
import java.util.List;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
-import org.apache.hadoop.hive.metastore.api.Role;
/**
* Convenience implementation of HiveAuthorizer.
@@ -29,7 +28,7 @@ import org.apache.hadoop.hive.metastore.
* {@link HiveAccessController} and {@link HiveAuthorizationValidator} to constructor.
*
*/
-@Public
+@LimitedPrivate(value = { "" })
@Evolving
public class HiveAuthorizerImpl implements HiveAuthorizer {
HiveAccessController accessController;
@@ -43,7 +42,7 @@ public class HiveAuthorizerImpl implemen
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals,
List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthorizationPluginException {
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
grantorPrincipal, grantOption);
}
@@ -51,52 +50,52 @@ public class HiveAuthorizerImpl implemen
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals,
List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthorizationPluginException {
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
grantorPrincipal, grantOption);
}
@Override
- public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthorizationPluginException {
+ public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.createRole(roleName, adminGrantor);
}
@Override
- public void dropRole(String roleName) throws HiveAuthorizationPluginException {
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.dropRole(roleName);
}
@Override
- public List<HiveRole> getRoles(HivePrincipal hivePrincipal) throws HiveAuthorizationPluginException {
+ public List<HiveRole> getRoles(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
return accessController.getRoles(hivePrincipal);
}
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthorizationPluginException {
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
}
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthorizationPluginException {
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
}
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs) throws HiveAuthorizationPluginException {
+ List<HivePrivilegeObject> outputHObjs) throws HiveAuthzPluginException, HiveAccessControlException {
authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs);
}
@Override
- public List<String> getAllRoles() throws HiveAuthorizationPluginException {
+ public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
return accessController.getAllRoles();
}
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
- HivePrivilegeObject privObj) throws HiveAuthorizationPluginException {
+ HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException {
return accessController.showPrivileges(principal, privObj);
}
@@ -106,12 +105,12 @@ public class HiveAuthorizerImpl implemen
}
@Override
- public void setCurrentRole(String roleName) throws HiveAuthorizationPluginException {
+ public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
accessController.setCurrentRole(roleName);
}
@Override
- public List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException {
+ public List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException {
return accessController.getCurrentRoles();
}
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+
+/**
+ * Exception thrown by the Authorization plugin api (v2). Indicates
+ * an error while performing authorization, and not a authorization being
+ * denied.
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public class HiveAuthzPluginException extends HiveException{
+
+ private static final long serialVersionUID = 1L;
+
+ public HiveAuthzPluginException(){
+ }
+
+ public HiveAuthzPluginException(String msg){
+ super(msg);
+ }
+
+ public HiveAuthzPluginException(String msg, Throwable cause){
+ super(msg, cause);
+ }
+
+ public HiveAuthzPluginException(Throwable cause){
+ super(cause);
+ }
+
+}
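Review bot: This class Javadoc ("indicates an error while performing authorization, and not a authorization being denied") is correct here but was copied verbatim onto HiveAccessControlException earlier in this commit, where it states the opposite of that class's purpose; a reader choosing which exception to throw from a plugin would be misled. Suggest for HiveAccessControlException: `Exception thrown by the Authorization plugin api (v2) when the action is not permitted for the current user, as opposed to an internal error while performing authorization.` The package-info added at the end of this commit also refers to a `HiveAuthzPluginDeniedException`, which does not match the HiveAccessControlException name used by the interfaces in this commit; the two should agree. Minor style: `extends HiveException{` and the constructor headers are missing the space before `{`, unlike the modified files in this commit.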
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java Sun Feb 9 20:43:37 2014
@@ -17,14 +17,14 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import java.io.IOException;
-
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
/**
* Factory for getting current valid instance of IMetaStoreClient
*/
-@Public
+@LimitedPrivate(value = { "" })
+@Evolving
public interface HiveMetastoreClientFactory {
- IMetaStoreClient getHiveMetastoreClient() throws IOException;
+ IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException;
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java Sun Feb 9 20:43:37 2014
@@ -18,8 +18,6 @@
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import java.io.IOException;
-
import org.apache.hadoop.hive.common.classification.InterfaceAudience.Private;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.MetaException;
@@ -32,13 +30,14 @@ import org.apache.hadoop.hive.ql.metadat
public class HiveMetastoreClientFactoryImpl implements HiveMetastoreClientFactory{
@Override
- public IMetaStoreClient getHiveMetastoreClient() throws IOException {
+ public IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException {
+ String errMsg = "Error getting metastore client";
try {
return Hive.get().getMSC();
} catch (MetaException e) {
- throw new IOException(e);
+ throw new HiveAuthzPluginException(errMsg, e);
} catch (HiveException e) {
- throw new IOException(e);
+ throw new HiveAuthzPluginException(errMsg, e);
}
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java Sun Feb 9 20:43:37 2014
@@ -17,12 +17,14 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
/**
* List of hive operations types.
*/
-@Public
+@LimitedPrivate(value = { "" })
+@Evolving
public enum HiveOperationType {
EXPLAIN,
LOAD,
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java Sun Feb 9 20:43:37 2014
@@ -17,15 +17,25 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+
/**
* Represents the user or role in grant/revoke statements
*/
+@LimitedPrivate(value = { "" })
+@Evolving
public class HivePrincipal {
public enum HivePrincipalType{
USER, ROLE, UNKNOWN
}
+ @Override
+ public String toString() {
+ return "Principal [name=" + name + ", type=" + type + "]";
+ }
+
private final String name;
private final HivePrincipalType type;
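Review bot: The new toString override is inserted between the nested enum and the field declarations it reads, ahead of the constructor and accessors; the same placement is used for the toString added to HivePrivilege and HivePrivilegeObject later in this commit. Placing it after the accessors, alongside the new equals/hashCode pair, would keep the field declarations at the top of the class as the original file has them and make the three overrides read as one unit. The class body continues outside this hunk.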
@@ -40,4 +50,32 @@ public class HivePrincipal {
return type;
}
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((name == null) ? 0 : name.hashCode());
+ result = prime * result + ((type == null) ? 0 : type.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ HivePrincipal other = (HivePrincipal) obj;
+ if (name == null) {
+ if (other.name != null)
+ return false;
+ } else if (!name.equals(other.name))
+ return false;
+ if (type != other.type)
+ return false;
+ return true;
+ }
+
}
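Review bot: The generated equals compares `name` with case-sensitive `String.equals`, whereas HivePrivilege in this same commit normalizes its name with `toUpperCase(Locale.US)` in the constructor, so privilege names compare case-insensitively but principal names do not. If principal names can reach the authorization checks from more than one source (session user versus a name typed in a GRANT statement), a case difference would make them distinct principals here; if names are guaranteed to arrive normalized, a short comment on the field stating that assumption would make the asymmetry deliberate. Style: the brace-less `if` bodies differ from the braced style used elsewhere in this commit, e.g. HiveMetastoreClientFactoryImpl.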
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java Sun Feb 9 20:43:37 2014
@@ -18,16 +18,27 @@
package org.apache.hadoop.hive.ql.security.authorization.plugin;
import java.util.List;
+import java.util.Locale;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
/**
* Represents the hive privilege being granted/revoked
*/
+@LimitedPrivate(value = { "" })
+@Evolving
public class HivePrivilege {
+ @Override
+ public String toString() {
+ return "Privilege [name=" + name + ", columns=" + columns + "]";
+ }
+
private final String name;
private final List<String> columns;
public HivePrivilege(String name, List<String> columns){
- this.name = name;
+ this.name = name.toUpperCase(Locale.US);
this.columns = columns;
}
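Review bot: `this.name = name.toUpperCase(Locale.US);` throws NullPointerException for a null name, while the equals and hashCode added further down in this file still null-guard `name`, so those guards are now unreachable and the precondition is undocumented. Either state it explicitly with `if (name == null) { throw new IllegalArgumentException("privilege name must not be null"); }` before the normalization, or keep null permitted with `this.name = name == null ? null : name.toUpperCase(Locale.US);`. The Javadoc should also mention that the stored name is upper-cased, since callers of getName() will see a different string from the one passed in.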
@@ -39,4 +50,37 @@ public class HivePrivilege {
return columns;
}
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((columns == null) ? 0 : columns.hashCode());
+ result = prime * result + ((name == null) ? 0 : name.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ HivePrivilege other = (HivePrivilege) obj;
+ if (columns == null) {
+ if (other.columns != null)
+ return false;
+ } else if (!columns.equals(other.columns))
+ return false;
+ if (name == null) {
+ if (other.name != null)
+ return false;
+ } else if (!name.equals(other.name))
+ return false;
+ return true;
+ }
+
+
+
}
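Review bot: hashCode and equals now depend on `columns`, but the constructor in the previous hunk stores the caller's list by reference, so a caller that mutates the list after construction silently changes this object's hash and equality, which would break it as a set or map key in any privilege bookkeeping. Suggest a defensive copy in the constructor, `this.columns = columns == null ? null : Collections.unmodifiableList(new ArrayList<String>(columns));`, with the matching java.util imports, and a note in getColumns' Javadoc that the returned list is unmodifiable. The trailing blank lines before the closing brace can be dropped.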
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java Sun Feb 9 20:43:37 2014
@@ -17,15 +17,14 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
/**
* Represents a privilege granted for an object to a principal
*/
-@Public
+@LimitedPrivate(value = { "" })
@Evolving
-
public class HivePrivilegeInfo{
private final HivePrincipal principal;
private final HivePrivilege privilege;
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java Sun Feb 9 20:43:37 2014
@@ -17,16 +17,22 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable;
/**
* Represents the object on which privilege is being granted/revoked
*/
-@Public
+@LimitedPrivate(value = { "" })
@Unstable
public class HivePrivilegeObject {
+ @Override
+ public String toString() {
+ return "Hive Object [type=" + type + ", dbname=" + dbname + ", table/viewname="
+ + tableviewname + "]";
+ }
+
public enum HivePrivilegeObjectType { DATABASE, TABLE, VIEW, PARTITION, URI};
private final HivePrivilegeObjectType type;
private final String dbname;
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java Sun Feb 9 20:43:37 2014
@@ -17,9 +17,13 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
import org.apache.hadoop.hive.metastore.api.Role;
// same with thrift.Role
+@LimitedPrivate(value = { "" })
+@Evolving
public class HiveRole {
private String roleName;
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * This package provides interfaces and classes that can be used to implement custom authorization for hive.
+ *
+ * How hive code uses this interface:
+ * The interface that hive code invokes is HiveAuthorizer class.
+ * The classes HivePrincipal, HivePrivilege, HivePrivilegeObject, HivePrivilegeInfo, HiveOperationType
+ * are arguments used in the authorization interface.
+ * The methods in the interface throws two types of exceptions - HiveAuthzPluginException (in
+ * case of internal errors), and HiveAuthzPluginDeniedException (when action is not permitted
+ * because authorization has failed).
+ *
+ * Hive uses the HiveAuthorizerFactory interface, whose implementing class is configurable through
+ * hive configuration, to instantiate an instance of this interface.
+ *
+ *
+ * Guide on implementing the interface:
+ * There are two categories of operations to be done by the authorization interface, one is the
+ * actions performed by the access control statements, which updates the privileges that have
+ * been granted (and stores in some where like metastore database), and also retrieves the current
+ * state of privileges. You may choose not to implement this part and juse a no-op implementation
+ * if you are going to manage the authorization externally (eg, if you base it on mapping to
+ * file system permissions).
+ * The 2nd category of operation is authorizing the hive actions by checking against the privileges
+ * the user has on the objects.
+ * HiveAccessController has the interface for the first type of operations and
+ * HiveAuthorizationValidator has interface for second type of operations.
+ *
+ * HiveAuthorizerImpl is a convenience class that you can use by just passing the implementations
+ * of these two interfaces (HiveAuthorizerImpl, HiveAuthorizationValidator) in the constructor.
+ *
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
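Review bot: The paragraph describing the exceptions names HiveAuthzPluginDeniedException, but the class this commit adds (and that GrantPrivAuthUtils imports) is HiveAccessControlException, so the package description points implementers at a type that does not exist. The closing paragraph likewise says HiveAuthorizerImpl takes "HiveAuthorizerImpl, HiveAuthorizationValidator", where the first should be HiveAccessController as the preceding sentence states. The description is written as a plain `/* */` block rather than a `/** */` Javadoc comment, so javadoc will not pick it up as the package summary; it also has the typos "juse" (just) and "some where" (somewhere).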
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+/**
+ * Utility class to authorize grant/revoke privileges
+ */
+public class GrantPrivAuthUtils {
+
+ static void authorize(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+ HivePrivilegeObject hivePrivObject, boolean grantOption, IMetaStoreClient metastoreClient,
+ String userName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+
+ // check if this user has grant privileges for this privileges on this
+ // object
+
+ // map priv being granted to required privileges
+ RequiredPrivileges reqPrivs = getGrantRequiredPrivileges(hivePrivileges);
+
+ // api for checking required privileges for a user
+ checkRequiredPrivileges(hivePrincipals, reqPrivs, hivePrivObject, metastoreClient, userName);
+ }
+
+ private static void checkRequiredPrivileges(List<HivePrincipal> hivePrincipals,
+ RequiredPrivileges reqPrivs, HivePrivilegeObject hivePrivObject,
+ IMetaStoreClient metastoreClient, String userName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+
+ for (HivePrincipal hivePrincipal : hivePrincipals) {
+ checkRequiredPrivileges(hivePrincipal, reqPrivs, hivePrivObject, metastoreClient, userName);
+ }
+ }
+
+ private static void checkRequiredPrivileges(HivePrincipal hivePrincipal,
+ RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject,
+ IMetaStoreClient metastoreClient, String userName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+
+ // keep track of the principals on which privileges have been checked for
+ // this object
+
+ // get privileges for this user and its roles on this object
+ RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(
+ metastoreClient, userName, hivePrivObject);
+
+ // check if required privileges is subset of available privileges
+ Collection<SQLPrivTypeGrant> missingPrivs = reqPrivileges.findMissingPrivs(availPrivs);
+ SQLAuthorizationUtils.assertNoMissingPrivilege(missingPrivs, new HivePrincipal(userName,
+ HivePrincipalType.USER), hivePrivObject);
+ }
+
+ private static RequiredPrivileges getGrantRequiredPrivileges(List<HivePrivilege> hivePrivileges)
+ throws HiveAuthzPluginException {
+ RequiredPrivileges reqPrivs = new RequiredPrivileges();
+ for (HivePrivilege hivePriv : hivePrivileges) {
+ reqPrivs.addPrivilege(hivePriv.getName(), true /* grant priv required */);
+ }
+ return reqPrivs;
+ }
+
+}
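Review bot: The per-principal overload of checkRequiredPrivileges never reads its hivePrincipal parameter — it looks up and checks the grantor's (userName) privileges on the object — so the loop in the List overload repeats the identical metastore call and identical check once per grantee, and the comment "keep track of the principals on which privileges have been checked" describes bookkeeping that is not there. Since the authorization question is only "may userName grant these privileges on this object", do the lookup and assertNoMissingPrivilege once, before or instead of the `for` loop, and drop the unused parameter and the stale comment. The grantOption argument of authorize is also unused; if that is intentional because granting always requires the grant option (addPrivilege is called with true), say so in a comment, e.g. `// grantOption is not consulted: granting at all already requires WITH GRANT OPTION on the object`. As a utility class with only static methods, GrantPrivAuthUtils should also get a private constructor.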
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java Sun Feb 9 20:43:37 2014
@@ -0,0 +1,204 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+
+/**
+ * Mapping of operation to its required input and output privileges
+ */
+public class Operation2Privilege {
+
+ private static class InOutPrivs {
+ private final SQLPrivTypeGrant[] inputPrivs;
+ private final SQLPrivTypeGrant[] outputPrivs;
+
+ InOutPrivs(SQLPrivTypeGrant[] inputPrivs, SQLPrivTypeGrant[] outputPrivs) {
+ this.inputPrivs = inputPrivs;
+ this.outputPrivs = outputPrivs;
+ }
+
+ private SQLPrivTypeGrant[] getInputPrivs() {
+ return inputPrivs;
+ }
+
+ private SQLPrivTypeGrant[] getOutputPrivs() {
+ return outputPrivs;
+ }
+ }
+
+ private static Map<HiveOperationType, InOutPrivs> op2Priv;
+
+ private static SQLPrivTypeGrant[] OWNER_PRIV_AR = arr(SQLPrivTypeGrant.OWNER_PRIV);
+ private static SQLPrivTypeGrant[] SEL_NOGRANT_AR = arr(SQLPrivTypeGrant.SELECT_NOGRANT);
+ private static SQLPrivTypeGrant[] SEL_GRANT_AR = arr(SQLPrivTypeGrant.SELECT_WGRANT);
+ private static SQLPrivTypeGrant[] ADMIN_PRIV_AR = arr(SQLPrivTypeGrant.ADMIN_PRIV);
+
+ static {
+ op2Priv = new HashMap<HiveOperationType, InOutPrivs>();
+
+ op2Priv.put(HiveOperationType.EXPLAIN, new InOutPrivs(SEL_NOGRANT_AR,
+ SEL_NOGRANT_AR)); //??
+ op2Priv.put(HiveOperationType.LOAD, new InOutPrivs(ADMIN_PRIV_AR, null));
+ // select with grant for exporting contents
+ op2Priv.put(HiveOperationType.EXPORT, new InOutPrivs(SEL_GRANT_AR, null));
+
+ op2Priv.put(HiveOperationType.IMPORT, new InOutPrivs(ADMIN_PRIV_AR, null));
+
+ op2Priv.put(HiveOperationType.CREATEDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.DROPDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+ //this should be database usage privilege once it is supported
+ op2Priv.put(HiveOperationType.SWITCHDATABASE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.LOCKDB, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.UNLOCKDB, new InOutPrivs(null, null));
+
+ op2Priv.put(HiveOperationType.DROPTABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.DESCTABLE, new InOutPrivs(SEL_NOGRANT_AR, null));
+ op2Priv.put(HiveOperationType.DESCFUNCTION, new InOutPrivs(null, null));
+
+ //meta store check command - require admin priv
+ op2Priv.put(HiveOperationType.MSCK, new InOutPrivs(ADMIN_PRIV_AR, null));
+
+ //alter table commands require table ownership
+ op2Priv.put(HiveOperationType.ALTERTABLE_ADDCOLS, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_REPLACECOLS, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_RENAMECOL, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_RENAMEPART, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_RENAME, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_DROPPARTS, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_ADDPARTS, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_TOUCH, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_ARCHIVE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_UNARCHIVE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_SERIALIZER, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_PARTCOLTYPE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_SERIALIZER, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_SERDEPROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_SERDEPROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_CLUSTER_SORT, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_BUCKETNUM, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_BUCKETNUM, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_PROTECTMODE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_PROTECTMODE, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_LOCATION, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_LOCATION, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_MERGEFILES, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.ALTERPARTITION_MERGEFILES, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.ALTERTABLE_SKEWED, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.ALTERTBLPART_SKEWED_LOCATION, new InOutPrivs(null, null));
+
+ op2Priv.put(HiveOperationType.ANALYZE_TABLE, new InOutPrivs(arr(SQLPrivTypeGrant.SELECT_NOGRANT, SQLPrivTypeGrant.INSERT_NOGRANT), null));
+ op2Priv.put(HiveOperationType.SHOWDATABASES, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOWTABLES, new InOutPrivs(null, null));
+
+ op2Priv.put(HiveOperationType.SHOWCOLUMNS, new InOutPrivs(SEL_NOGRANT_AR, null));
+ op2Priv.put(HiveOperationType.SHOW_TABLESTATUS, new InOutPrivs(SEL_NOGRANT_AR, null));
+ op2Priv.put(HiveOperationType.SHOW_TBLPROPERTIES, new InOutPrivs(SEL_NOGRANT_AR, null));
+
+ //show create table is more sensitive information, includes table properties etc
+ // for now require select WITH GRANT
+ op2Priv.put(HiveOperationType.SHOW_CREATETABLE, new InOutPrivs(SEL_GRANT_AR, null));
+
+ op2Priv.put(HiveOperationType.SHOWFUNCTIONS, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOWINDEXES, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOWLOCKS, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.CREATEFUNCTION, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.CREATEMACRO, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.DROPMACRO, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.CREATEVIEW, new InOutPrivs(SEL_GRANT_AR, null));
+
+ // require view ownership
+ op2Priv.put(HiveOperationType.DROPVIEW, new InOutPrivs(OWNER_PRIV_AR, null));
+
+ //table ownership for create/drop/alter index
+ op2Priv.put(HiveOperationType.CREATEINDEX, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.DROPINDEX, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERINDEX_REBUILD, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERINDEX_PROPS, new InOutPrivs(OWNER_PRIV_AR, null));
+
+ // require view ownership for alter/drop view
+ op2Priv.put(HiveOperationType.ALTERVIEW_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.DROPVIEW_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.ALTERVIEW_RENAME, new InOutPrivs(OWNER_PRIV_AR, null));
+
+ op2Priv.put(HiveOperationType.LOCKTABLE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.UNLOCKTABLE, new InOutPrivs(null, null));
+
+ // require db ownership
+ op2Priv.put(HiveOperationType.CREATETABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+
+ // require table ownership
+ op2Priv.put(HiveOperationType.TRUNCATETABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+
+ op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, new InOutPrivs(OWNER_PRIV_AR, SEL_NOGRANT_AR));
+ op2Priv.put(HiveOperationType.QUERY, new InOutPrivs(SEL_NOGRANT_AR, null));
+
+ op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+ op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null));
+
+ // The following actions are authorized through SQLStdHiveAccessController,
+ // and it is not using this privilege mapping, but it might make sense to move it here
+ op2Priv.put(HiveOperationType.CREATEROLE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.DROPROLE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.GRANT_PRIVILEGE, new InOutPrivs(null,
+ null));
+ op2Priv.put(HiveOperationType.REVOKE_PRIVILEGE, new InOutPrivs(null,
+ null));
+ op2Priv.put(HiveOperationType.SHOW_GRANT, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.GRANT_ROLE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.REVOKE_ROLE, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOW_ROLES, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOW_ROLE_GRANT, new InOutPrivs(null,
+ null));
+
+ }
+
+ /**
+ * Convenience method so that creation of this array in InOutPrivs constructor
+ * is not too verbose
+ *
+ * @param grantList
+ * @return grantList
+ */
+ private static SQLPrivTypeGrant[] arr(SQLPrivTypeGrant... grantList) {
+ return grantList;
+ }
+
+ public static SQLPrivTypeGrant[] getInputPrivs(HiveOperationType opType) {
+ return op2Priv.get(opType).getInputPrivs();
+ }
+
+ public static SQLPrivTypeGrant[] getOutputPrivs(HiveOperationType opType) {
+ return op2Priv.get(opType).getOutputPrivs();
+ }
+
+ // for unit tests
+ public static Set<HiveOperationType> getOperationTypes() {
+ return op2Priv.keySet();
+ }
+
+}
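Review bot: getInputPrivs and getOutputPrivs dereference `op2Priv.get(opType)` without a null check, so any HiveOperationType that is missing from the table surfaces as a NullPointerException deep inside the authorizer rather than a clear, fail-closed error naming the operation; a small lookup helper fixes both methods. The privilege arrays (OWNER_PRIV_AR etc.) and op2Priv are shared static state but not declared final, and the getters hand the internal array to callers, so a caller that writes into the returned array silently changes the policy for every operation mapped to that array — declare them `static final` and return a copy (`privs.clone()`), or switch the type to an unmodifiable List. op2Priv is keyed by an enum, so `new EnumMap<>(HiveOperationType.class)` is the natural choice over HashMap. The `//??` on the EXPLAIN entry should be resolved or turned into a sentence saying why select-without-grant was chosen.
```java
public static SQLPrivTypeGrant[] getInputPrivs(HiveOperationType opType) {
    return privsFor(opType).getInputPrivs().clone();
}

public static SQLPrivTypeGrant[] getOutputPrivs(HiveOperationType opType) {
    return privsFor(opType).getOutputPrivs().clone();
}

// Fail closed with a readable message when an operation has no mapping,
// instead of a NullPointerException from the getter.
private static InOutPrivs privsFor(HiveOperationType opType) {
    InOutPrivs privs = op2Priv.get(opType);
    if (privs == null) {
        throw new IllegalStateException("No privilege mapping defined for operation " + opType);
    }
    return privs;
}
// … unchanged: getOperationTypes …
```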