Posted to commits@ranger.apache.org by rm...@apache.org on 2021/10/12 20:51:39 UTC

[ranger] branch master updated: RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 7dec301  RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
7dec301 is described below

commit 7dec3015ec82b69ba8f724410f12dfce2480cccd
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Tue Oct 12 11:55:30 2021 -0700

    RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dd758e9..2be4424 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -905,6 +905,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					//
 					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
 					requests.add(request);
+				} else if (hiveOpType.equals(HiveOperationType.ALTERTABLE_OWNER)) {
+					RangerHiveAccessRequest request = buildRequestForAlterTableSetOwnerFromCommandString(user, groups, roles, hiveOpType.name(), context, sessionContext);
+					if (request != null) {
+						requests.add(request);
+					} else {
+						throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+								user, hiveOpType.name()));
+					}
 				} else {
 					if (LOG.isDebugEnabled()) {
 						LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
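Review bot: The new `else` branch for `ALTERTABLE_OWNER` throws "Permission denied ... does not have privilege" when `request` is null, but null here means the table could not be derived from the command string, not that a policy was evaluated and refused. Failing closed is the right default, but the two cases become indistinguishable to whoever reads the logs or investigates a denied statement. I would log the reason before the throw, for example `LOG.warn("ALTERTABLE_OWNER: could not resolve database/table from command; denying");`, and it is worth confirming that this early throw is still recorded by the audit path, which is not visible in this hunk. The enclosing `checkPrivileges` body starts and ends outside the hunk.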
@@ -3079,6 +3087,28 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		}
 		return ret;
 	}
+
+	private RangerHiveAccessRequest buildRequestForAlterTableSetOwnerFromCommandString(String                  user,
+																					   Set<String>             userGroups,
+																					   Set<String>             userRoles,
+																					   String                  hiveOpTypeName,
+																					   HiveAuthzContext        context,
+																					   HiveAuthzSessionContext sessionContext) {
+		RangerHiveResource      resource  = null;
+		RangerHiveAccessRequest request   = null;
+		HiveObj hiveObj  = new HiveObj();
+		hiveObj.fetchHiveObjForAlterTable(context);
+		String dbName    = hiveObj.getDatabaseName();
+		String tableName = hiveObj.getTableName();
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Database: " + dbName + " Table: " + tableName);
+		}
+		if (dbName != null && tableName != null) {
+			resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+			request  = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.ALTER, context, sessionContext);
+		}
+		return request;
+	}
 }
 
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
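Review bot: `buildRequestForAlterTableSetOwnerFromCommandString` authorises an ownership change as an ordinary `HiveAccessType.ALTER` request on the table. If a deployment grants rights through owner-based policies, holding ALTER on a table would be enough to reassign who receives those rights, so please confirm that ALTER is the intended bar and say so in a comment. The method also has no Javadoc: it should state that it returns `null` when the database or table cannot be determined and that the caller must treat `null` as a denial. The debug line `"Database: " + dbName + " Table: " + tableName` would be easier to trace with the method name as a prefix, as the other debug messages in this class do.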
@@ -3088,6 +3118,8 @@ class HiveObj {
 	String databaseName;
 	String tableName;
 
+	HiveObj() {}
+
 	HiveObj(HiveAuthzContext context) {
 	 fetchHiveObj(context);
 	}
@@ -3120,6 +3152,29 @@ class HiveObj {
 		}
 	}
 
+	public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
+		// cmd passed: Alter Table <database.tableName or tableName> set owner user|role  <user_or_role>
+		if (context != null) {
+			String cmdString = context.getCommandString();
+			if (cmdString != null) {
+				String[] cmd = cmdString.trim().split("\\s+");
+				if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
+					tableName = cmd[2];
+					if (tableName.contains(".")) {
+						String[] result = splitDBName(tableName);
+						databaseName = result[0];
+						tableName = result[1];
+					} else {
+						SessionState sessionState = SessionState.get();
+						if (sessionState != null) {
+							databaseName = sessionState.getCurrentDatabase();
+						}
+					}
+				}
+			}
+		}
+	}
+
 	private String[] splitDBName(String dbName) {
 		String[] ret = null;
 		ret = dbName.split("\\.");
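Review bot: The resource that gets authorised in `fetchHiveObjForAlterTable` is the third whitespace-separated token of the raw command string, so it can differ from the table Hive actually resolves: a backtick-quoted identifier keeps its backticks, a leading comment shifts the tokens, and nothing checks that the first two tokens are `ALTER TABLE`. An authorization check is only sound if the checked name is the object the statement operates on, so prefer the parsed table object if Hive makes one available at this point; otherwise validate and normalise, e.g. `if (cmd.length > 2 && "alter".equalsIgnoreCase(cmd[0]) && "table".equalsIgnoreCase(cmd[1]))`, and strip quoting before the split. `result[1]` assumes `splitDBName` always returns two elements; its body continues outside the hunk, so confirm what it returns for a name that ends in a dot or contains more than one dot. The `ArrayUtils.isEmpty(cmd)` test is redundant next to `cmd.length > 2`.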