Posted to commits@hive.apache.org by px...@apache.org on 2016/04/07 22:40:47 UTC

hive git commit: HIVE-13360: Refactoring Hive Authorization (Pengcheng Xiong, reviewed by Ashutosh Chauhan)

Repository: hive
Updated Branches:
  refs/heads/master 4f9194d16 -> 7e0b08c1d


HIVE-13360: Refactoring Hive Authorization (Pengcheng Xiong, reviewed by Ashutosh Chauhan)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/7e0b08c1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/7e0b08c1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/7e0b08c1

Branch: refs/heads/master
Commit: 7e0b08c1d1b05ae647921ecf7ea4998908ed9c66
Parents: 4f9194d
Author: Pengcheng Xiong <px...@apache.org>
Authored: Thu Apr 7 13:38:50 2016 -0700
Committer: Pengcheng Xiong <px...@apache.org>
Committed: Thu Apr 7 13:38:50 2016 -0700

----------------------------------------------------------------------
 .../TestHiveAuthorizerCheckInvocation.java      |  2 +-
 .../plugin/TestHiveAuthorizerShowFilters.java   |  4 +-
 .../jdbc/authorization/TestHS2AuthzContext.java | 14 ++--
 .../authorization/TestJdbcMetadataApiAuth.java  |  4 +-
 .../hive/ql/security/DummyAuthenticator.java    |  5 ++
 .../security/InjectableDummyAuthenticator.java  |  5 ++
 ...SQLStdHiveAuthorizationValidatorForTest.java | 47 ++++++-----
 .../java/org/apache/hadoop/hive/ql/Driver.java  |  5 +-
 .../hadoop/hive/ql/parse/MaskAndFilterInfo.java | 33 ++++++++
 .../hadoop/hive/ql/parse/SemanticAnalyzer.java  | 36 ++++++---
 .../apache/hadoop/hive/ql/parse/TableMask.java  | 78 ++++++++++--------
 .../hadoop/hive/ql/processors/CommandUtil.java  |  5 +-
 .../ql/security/HadoopDefaultAuthenticator.java |  5 ++
 .../ql/security/HiveAuthenticationProvider.java |  2 +
 .../SessionStateConfigUserAuthenticator.java    |  5 ++
 .../security/SessionStateUserAuthenticator.java |  5 ++
 .../AuthorizationMetaStoreFilterHook.java       |  3 +-
 .../plugin/HiveAuthorizationValidator.java      | 12 +--
 .../authorization/plugin/HiveAuthorizer.java    | 68 +++++-----------
 .../plugin/HiveAuthorizerImpl.java              | 20 ++---
 .../authorization/plugin/HiveAuthzContext.java  | 83 --------------------
 .../plugin/HivePrivilegeObject.java             | 31 ++++++++
 .../authorization/plugin/HiveV1Authorizer.java  | 20 +----
 .../authorization/plugin/QueryContext.java      | 61 ++++++++++++++
 .../sqlstd/DummyHiveAuthorizationValidator.java | 21 ++---
 .../SQLStdHiveAuthorizationValidator.java       | 22 ++----
 .../cli/operation/MetadataOperation.java        |  5 +-
 27 files changed, 315 insertions(+), 286 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
index 9f47f84..acf2663 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
@@ -373,7 +373,7 @@ public class TestHiveAuthorizerCheckInvocation {
 
     verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class),
         inputsCapturer.capture(), outputsCapturer.capture(),
-        any(HiveAuthzContext.class));
+        any(QueryContext.class));
 
     return new ImmutablePair(inputsCapturer.getValue(), outputsCapturer.getValue());
   }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java
index 5922a8c..0209044 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java
@@ -77,7 +77,7 @@ public class TestHiveAuthorizerShowFilters {
     protected abstract class AuthorizerWithFilterCmdImpl implements HiveAuthorizer {
       @Override
       public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-          HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
+          QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException {
         // capture arguments in static
         filterArguments = listObjs;
         // return static variable with results, if it is set to some set of
@@ -101,7 +101,7 @@ public class TestHiveAuthorizerShowFilters {
       try {
         Mockito.when(
             mockedAuthorizer.filterListCmdObjects((List<HivePrivilegeObject>) any(),
-                (HiveAuthzContext) any())).thenCallRealMethod();
+                (QueryContext) any())).thenCallRealMethod();
       } catch (Exception e) {
         org.junit.Assert.fail("Caught exception " + e);
       }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
index c43776b..96e922b 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
@@ -36,12 +36,12 @@ import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hive.jdbc.miniHS2.MiniHS2;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -55,6 +55,7 @@ import org.mockito.Mockito;
 public class TestHS2AuthzContext {
   private static MiniHS2 miniHS2 = null;
   static HiveAuthorizer mockedAuthorizer;
+  static HiveAuthenticationProvider authenticator;
 
   /**
    * This factory creates a mocked HiveAuthorizer class.
@@ -65,6 +66,7 @@ public class TestHS2AuthzContext {
     public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
         HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
       TestHS2AuthzContext.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class);
+      TestHS2AuthzContext.authenticator = authenticator;
       return TestHS2AuthzContext.mockedAuthorizer;
     }
   }
@@ -110,19 +112,19 @@ public class TestHS2AuthzContext {
     stmt.close();
     hs2Conn.close();
 
-    ArgumentCaptor<HiveAuthzContext> contextCapturer = ArgumentCaptor
-        .forClass(HiveAuthzContext.class);
+    ArgumentCaptor<QueryContext> contextCapturer = ArgumentCaptor
+        .forClass(QueryContext.class);
 
     verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class),
         Matchers.anyListOf(HivePrivilegeObject.class),
         Matchers.anyListOf(HivePrivilegeObject.class), contextCapturer.capture());
 
-    HiveAuthzContext context = contextCapturer.getValue();
+    QueryContext context = contextCapturer.getValue();
 
     assertEquals("Command ", ctxCmd, context.getCommandString());
-    assertTrue("ip address pattern check", context.getIpAddress().matches("[.:a-fA-F0-9]+"));
+    assertTrue("ip address pattern check", authenticator.getUserIpAddress().matches("[.:a-fA-F0-9]+"));
     // ip address size check - check for something better than non zero
-    assertTrue("ip address size check", context.getIpAddress().length() > 7);
+    assertTrue("ip address size check", authenticator.getUserIpAddress().length() > 7);
 
   }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
----------------------------------------------------------------------
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
index 692bfa0..f67f5c3 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java
@@ -39,7 +39,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControl
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
@@ -76,7 +76,7 @@ public class TestJdbcMetadataApiAuth {
 
     @Override
     public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-        List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+        List<HivePrivilegeObject> outputHObjs, QueryContext context)
         throws HiveAuthzPluginException, HiveAccessControlException {
       if (!allowActions) {
         throw new HiveAccessControlException(DENIED_ERR);

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
----------------------------------------------------------------------
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
index a296ac5..8dc801f 100644
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
@@ -67,4 +67,9 @@ public class DummyAuthenticator implements HiveAuthenticationProvider {
     //no op
   }
 
+  @Override
+  public String getUserIpAddress() {
+    return null;
+  }
+
 }
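Review bot: The added `getUserIpAddress()` returns `null` with no comment saying what a null address means, and the same stub is added to InjectableDummyAuthenticator in the next file. Callers in this commit dereference the result directly (TestHS2AuthzContext calls `.matches(...)` on it), so an authorizer that keys a policy decision or an audit record on the address will throw a NullPointerException under these authenticators unless it checks first. I would add `// no client connection in this test authenticator; null means the address is unknown` above the return. If the Javadoc on HiveAuthenticationProvider (not shown in this part of the diff) does not already say so, it should state that null is a legal result and must never be treated as matching an address rule.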

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
----------------------------------------------------------------------
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
index 322834e..40b0185 100644
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
@@ -105,4 +105,9 @@ public class InjectableDummyAuthenticator implements HiveMetastoreAuthentication
     //no-op
   }
 
+  @Override
+  public String getUserIpAddress() {
+    return null;
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
----------------------------------------------------------------------
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
index c0387e2..04c1887 100644
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.HashSet;
 import java.util.Set;
@@ -28,7 +29,7 @@ import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
@@ -92,7 +93,7 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException,
+      List<HivePrivilegeObject> outputHObjs, QueryContext context) throws HiveAuthzPluginException,
       HiveAccessControlException {
     switch (hiveOpType) {
     case DFS:
@@ -105,15 +106,6 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza
 
   }
 
-  public String getRowFilterExpression(String database, String table) throws SemanticException {
-    if (table.equals("masking_test")) {
-      return "key % 2 = 0 and key < 10";
-    } else if (table.equals("masking_test_subq")) {
-      return "key in (select key from src where src.key = masking_test_subq.key)";
-    }
-    return null;
-  }
-
   public boolean needTransform() {
     // In the future, we can add checking for username, groupname, etc based on
     // HiveAuthenticationProvider. For example,
@@ -121,16 +113,31 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza
     return true;
   }
 
-  public boolean needTransform(String database, String table) {
-    return "masking_test".equals(table) || "masking_test_subq".equals(table);
-  }
-
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException {
-    if (table.equals("masking_test") && columnName.equals("value")) {
-      return "reverse(value)";
+  // Please take a look at the instructions in HiveAuthorizer.java before
+  // implementing applyRowFilterAndColumnMasking
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException {
+    List<HivePrivilegeObject> needRewritePrivObjs = new ArrayList<>(); 
+    for (HivePrivilegeObject privObj : privObjs) {
+      if (privObj.getObjectName().equals("masking_test")) {
+        privObj.setRowFilterExpression("key % 2 = 0 and key < 10");
+        List<String> cellValueTransformers = new ArrayList<>();
+        for (String columnName : privObj.getColumns()) {
+          if (columnName.equals("value")) {
+            cellValueTransformers.add("reverse(value)");
+          } else {
+            cellValueTransformers.add(columnName);
+          }
+        }
+        privObj.setCellValueTransformers(cellValueTransformers);
+        needRewritePrivObjs.add(privObj);
+      } else if (privObj.getObjectName().equals("masking_test_subq")) {
+        privObj
+            .setRowFilterExpression("key in (select key from src where src.key = masking_test_subq.key)");
+        needRewritePrivObjs.add(privObj);
+      }
     }
-    return columnName;
+    return needRewritePrivObjs;
   }
 
 }
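Review bot: `privObj.getObjectName().equals("masking_test")` in the new applyRowFilterAndColumnMasking throws a NullPointerException for any privilege object without a name, whereas the removed `needTransform(String, String)` used the null-safe constant-first form. Write `"masking_test".equals(privObj.getObjectName())` and do the same for `masking_test_subq`. The match is on table name alone, so a same-named table in another database receives the filter too; that mirrors the removed code, but a one-line comment saying it is deliberate for the test would help. If this method implements a HiveAuthorizationValidator method (the interface is not visible in this hunk), it should carry `@Override`.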

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
index 7276e31..65ed1db 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
@@ -104,7 +104,7 @@ import org.apache.hadoop.hive.ql.processors.CommandProcessor;
 import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
 import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
@@ -847,8 +847,7 @@ public class Driver implements CommandProcessor {
     since the insert will get passed the columns from the select.
      */
 
-    HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
-    authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
+    QueryContext.Builder authzContextBuilder = new QueryContext.Builder();
     authzContextBuilder.setCommandString(command);
 
     HiveOperationType hiveOpType = getHiveOperationType(op);
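Review bot: Dropping `setUserIpAddress(ss.getUserIpAddress())` here leaves no trace in Driver of where an authorizer now gets the client address, and the local is still named `authzContextBuilder` although it builds a QueryContext. Judging by the test changes in this commit, the address now comes from `HiveAuthenticationProvider.getUserIpAddress()`, which the test authenticators implement as `return null`. I would add `// client IP is no longer carried per query; authorizers read it from HiveAuthenticationProvider.getUserIpAddress()` above the builder, and the same comment in CommandUtil.authorizeCommandThrowEx, which loses the same call. Plugins that log or enforce on the address should be checked to confirm they handle a null result after this change.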

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/parse/MaskAndFilterInfo.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/MaskAndFilterInfo.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/MaskAndFilterInfo.java
new file mode 100644
index 0000000..1678d2c
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/MaskAndFilterInfo.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.parse;
+
+public class MaskAndFilterInfo {
+  String additionalTabInfo;
+  String alias;
+  ASTNode astNode;
+
+  public MaskAndFilterInfo(String additionalTabInfo, String alias, ASTNode astNode) {
+    super();
+    this.additionalTabInfo = additionalTabInfo;
+    this.alias = alias;
+    this.astNode = astNode;
+  }
+
+}
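Review bot: The three fields of MaskAndFilterInfo are package-private and mutable, and the class has no Javadoc. They are assigned only in the constructor, so declare them `final` (`final String additionalTabInfo;` and likewise for `alias` and `astNode`) and drop the redundant `super();`. A class comment along the lines of `/** Per-TOK_TABREF data kept while the authorizer decides on masking: trailing table clauses, the alias, and the AST node to replace. */` would say what the holder is for.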

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index e81d46e..987f25d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -190,6 +190,8 @@ import org.apache.hadoop.hive.ql.plan.UnionDesc;
 import org.apache.hadoop.hive.ql.plan.ptf.OrderExpressionDef;
 import org.apache.hadoop.hive.ql.plan.ptf.PTFExpressionDef;
 import org.apache.hadoop.hive.ql.plan.ptf.PartitionedTableFunctionDef;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.hive.ql.session.SessionState.ResourceType;
 import org.apache.hadoop.hive.ql.udf.generic.GenericUDAFEvaluator;
@@ -314,7 +316,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
    */
   boolean rootTasksResolved;
 
-  private final TableMask tableMask;
+  private TableMask tableMask;
 
   CreateTableDesc tableDesc;
 
@@ -371,7 +373,6 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
     globalLimitCtx = new GlobalLimitCtx();
     viewAliasToInput = new HashMap<String, ReadEntity>();
     noscan = partialscan = false;
-    tableMask = new TableMask(this, conf);
     tabNameToTabObject = new HashMap<>();
   }
 
@@ -10361,6 +10362,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
       throws SemanticException {
     Queue<Node> queue = new LinkedList<>();
     queue.add(ast);
+    Map<HivePrivilegeObject, MaskAndFilterInfo> basicInfos = new LinkedHashMap<>();
     while (!queue.isEmpty()) {
       ASTNode astNode = (ASTNode) queue.poll();
       if (astNode.getToken().getType() == HiveParser.TOK_TABREF) {
@@ -10368,8 +10370,6 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
         StringBuffer additionalTabInfo = new StringBuffer();
         for (int index = 1; index < astNode.getChildCount(); index++) {
           ASTNode ct = (ASTNode) astNode.getChild(index);
-          // TODO: support TOK_TABLEBUCKETSAMPLE, TOK_TABLESPLITSAMPLE, and
-          // TOK_TABLEPROPERTIES
           if (ct.getToken().getType() == HiveParser.TOK_TABLEBUCKETSAMPLE
               || ct.getToken().getType() == HiveParser.TOK_TABLESPLITSAMPLE
               || ct.getToken().getType() == HiveParser.TOK_TABLEPROPERTIES) {
@@ -10408,14 +10408,13 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
           throw new SemanticException("Table " + tabIdName + " is not found.");
         }
 
-        if (tableMask.needTransform(table.getDbName(), table.getTableName())) {
-          replacementText = tableMask.create(table, additionalTabInfo.toString(), alias);
-        }
-        if (replacementText != null) {
-          tableMask.setNeedsRewrite(true);
-          // we replace the tabref with replacementText here.
-          tableMask.addTableMasking(astNode, replacementText);
+        List<String> columns = new ArrayList<>();
+        for (FieldSchema col : table.getAllCols()) {
+          columns.add(col.getName());
         }
+        
+        basicInfos.put(new HivePrivilegeObject(table.getDbName(), table.getTableName(), columns),
+            new MaskAndFilterInfo(additionalTabInfo.toString(), alias, astNode));
       }
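Review bot: Keying `basicInfos` by a freshly built `HivePrivilegeObject` makes the rewrite depend on that class's `equals`/`hashCode`, which this diff does not show. If they are value-based, a query that references the same table twice (a self-join with two aliases) overwrites the first `MaskAndFilterInfo`, so only one TOK_TABREF is rewritten and the other reference is read without its row filter or column mask; the authorizer's setters would also mutate the key after insertion. If they are identity-based, the later `basicInfos.get(privObj)` only works when the plugin returns the very instances it was given. I would use `new IdentityHashMap<>()` together with an insertion-ordered list of the keys, and state in a comment that authorizers must return the passed-in objects.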
       if (astNode.getChildCount() > 0 && !ignoredTokens.contains(astNode.getToken().getType())) {
         for (Node child : astNode.getChildren()) {
@@ -10423,8 +10422,20 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
         }
       }
     }
+    List<HivePrivilegeObject> basicPrivObjs = new ArrayList<>();
+    basicPrivObjs.addAll(basicInfos.keySet());
+    List<HivePrivilegeObject> needRewritePrivObjs = tableMask
+        .applyRowFilterAndColumnMasking(basicPrivObjs);
+    if (needRewritePrivObjs != null && !needRewritePrivObjs.isEmpty()) {
+      tableMask.setNeedsRewrite(true);
+      for (HivePrivilegeObject privObj : needRewritePrivObjs) {
+        MaskAndFilterInfo info = basicInfos.get(privObj);
+        String replacementText = tableMask.create(privObj, info);
+        tableMask.addTableMasking(info.astNode, replacementText);
+      }
+    }
   }
-
+  
   // We walk through the AST.
   // We replace all the TOK_TABREF by adding additional masking and filter if
   // the table needs to be masked or filtered.
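Review bot: `MaskAndFilterInfo info = basicInfos.get(privObj);` is dereferenced without a null check, so an authorizer that returns a copied or newly built HivePrivilegeObject fails with a NullPointerException at `info.astNode` instead of a diagnosable error. Fail closed with `if (info == null) { throw new SemanticException("Authorizer returned an unknown object: " + privObj.getObjectName()); }` before calling `tableMask.create`. A `null` return from `applyRowFilterAndColumnMasking` is treated the same as an empty list, meaning no table is masked; a comment stating that this is the intended contract would make the fail-open case explicit.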
@@ -10544,6 +10555,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
 
     // masking and filtering should be done here
     // the basic idea is similar to unparseTranslator.
+    tableMask = new TableMask(this, conf);
     if (!unparseTranslator.isEnabled() && tableMask.isEnabled()) {
       child = rewriteASTWithMaskAndFilter(ast);
     }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java
index c47c2bd..f030da2 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hive.ql.parse;
 
+import java.util.ArrayList;
 import java.util.List;
 
 import org.antlr.runtime.TokenRewriteStream;
@@ -24,6 +25,9 @@ import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.FieldSchema;
 import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -41,10 +45,15 @@ public class TableMask {
   private UnparseTranslator translator;
   private boolean enable;
   private boolean needsRewrite;
+  private QueryContext queryContext;
 
   public TableMask(SemanticAnalyzer analyzer, HiveConf conf) throws SemanticException {
     try {
       authorizer = SessionState.get().getAuthorizerV2();
+      String cmdString = analyzer.ctx.getCmd();
+      QueryContext.Builder ctxBuilder = new QueryContext.Builder();
+      ctxBuilder.setCommandString(cmdString);
+      queryContext = ctxBuilder.build();
       if (authorizer != null && needTransform()) {
         enable = true;
         translator = new UnparseTranslator(conf);
@@ -56,12 +65,9 @@ public class TableMask {
     }
   }
 
-  private String createRowMask(String db, String name) throws SemanticException {
-    return authorizer.getRowFilterExpression(db, name);
-  }
-
-  private String createExpressions(String db, String tbl, String colName) throws SemanticException {
-    return authorizer.getCellValueTransformer(db, tbl, colName);
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(List<HivePrivilegeObject> privObjs)
+      throws SemanticException {
+    return authorizer.applyRowFilterAndColumnMasking(queryContext, privObjs);
   }
 
   public boolean isEnabled() throws SemanticException {
@@ -72,48 +78,58 @@ public class TableMask {
     return authorizer.needTransform();
   }
 
-  public boolean needTransform(String database, String table) throws SemanticException {
-    return authorizer.needTransform(database, table);
-  }
-
-  public String create(Table table, String additionalTabInfo, String alias) throws SemanticException {
-    String db = table.getDbName();
-    String tbl = table.getTableName();
+  public String create(HivePrivilegeObject privObject, MaskAndFilterInfo maskAndFilterInfo)
+      throws SemanticException {
     StringBuilder sb = new StringBuilder();
     sb.append("(SELECT ");
-    List<FieldSchema> cols = table.getAllCols();
     boolean firstOne = true;
-    for (FieldSchema fs : cols) {
-      if (!firstOne) {
-        sb.append(", ");
-      } else {
-        firstOne = false;
+    List<String> exprs = privObject.getCellValueTransformers();
+    if (exprs != null) {
+      if (exprs.size() != privObject.getColumns().size()) {
+        throw new SemanticException("Expect " + privObject.getColumns().size() + " columns in "
+            + privObject.getObjectName() + ", but only find " + exprs.size());
+      }
+      for (int index = 0; index < exprs.size(); index++) {
+        String expr = exprs.get(index);
+        if (expr == null) {
+          throw new SemanticException("Expect string type CellValueTransformer in "
+              + privObject.getObjectName() + ", but only find null");
+        }
+        if (!firstOne) {
+          sb.append(", ");
+        } else {
+          firstOne = false;
+        }
+        sb.append(expr + " AS " + privObject.getColumns().get(index));
       }
-      String colName = fs.getName();
-      String expr = createExpressions(db, tbl, colName);
-      if (expr == null) {
-        sb.append(colName);
-      } else {
-        sb.append(expr + " AS " + colName);
+    } else {
+      for (int index = 0; index < privObject.getColumns().size(); index++) {
+        String expr = privObject.getColumns().get(index);
+        if (!firstOne) {
+          sb.append(", ");
+        } else {
+          firstOne = false;
+        }
+        sb.append(expr);
       }
     }
-    sb.append(" FROM " + tbl);
-    sb.append(" " + additionalTabInfo);
-    String filter = createRowMask(db, tbl);
+    sb.append(" FROM " + privObject.getObjectName());
+    sb.append(" " + maskAndFilterInfo.additionalTabInfo);
+    String filter = privObject.getRowFilterExpression();
     if (filter != null) {
       sb.append(" WHERE " + filter);
     }
-    sb.append(")" + alias);
+    sb.append(")" + maskAndFilterInfo.alias);
     LOG.debug("TableMask creates `" + sb.toString() + "`");
     return sb.toString();
   }
 
   void addTableMasking(ASTNode node, String replacementText) throws SemanticException {
-	  translator.addTranslation(node, replacementText);
+    translator.addTranslation(node, replacementText);
   }
 
   void applyTableMasking(TokenRewriteStream tokenRewriteStream) throws SemanticException {
-	  translator.applyTranslations(tokenRewriteStream);
+    translator.applyTranslations(tokenRewriteStream);
   }
 
   public boolean needsRewrite() {
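Review bot: The rewritten subquery in `create` splices identifiers in unquoted and drops the database: `" AS " + privObject.getColumns().get(index)` and `" FROM " + privObject.getObjectName()`. A column or table name that is a reserved word or contains special characters changes how the generated text parses. As far as these hunks show, a reference such as `otherdb.t` is rewritten to read `t` from the session's current database, so the filter can end up applied to a different table than the one the authorizer decided on. The removed code had the same shape, but the HivePrivilegeObject passed in now carries the database name, so I would emit both parts through an identifier-quoting helper, e.g. `sb.append(" FROM " + HiveUtils.unparseIdentifier(privObject.getDbname()) + "." + HiveUtils.unparseIdentifier(privObject.getObjectName()));`, and quote the `AS` alias the same way (this needs an import of org.apache.hadoop.hive.ql.metadata.HiveUtils). The transformer and filter strings are inserted verbatim, which is acceptable only while authorizer plugins are trusted code; a comment should say so.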

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
index d98b30c..7971dab 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
@@ -25,7 +25,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -80,9 +80,8 @@ class CommandUtil {
   static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
       List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
     HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command);
-    HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder();
+    QueryContext.Builder ctxBuilder = new QueryContext.Builder();
     ctxBuilder.setCommandString(Joiner.on(' ').join(command));
-    ctxBuilder.setUserIpAddress(ss.getUserIpAddress());
     ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, ctxBuilder.build());
   }
 
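Review bot: With `ctxBuilder.setUserIpAddress(...)` gone, the context passed to `checkPrivileges` in `authorizeCommandThrowEx` carries only the command string, so an authorizer that audits or restricts by client address no longer finds it there. The replacement appears to be the `getUserIpAddress()` method this commit adds to `HiveAuthenticationProvider`, but nothing at the call site says so. A short comment above the builder, e.g. `// client IP is no longer part of the context; authorizers read it from HiveAuthenticationProvider.getUserIpAddress()`, would keep plugin authors from silently recording an empty address. The same removal occurs in `AuthorizationMetaStoreFilterHook.getFilteredObjects` and `MetadataOperation.authorizeMetaGets`.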

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
index 18e4e00..8a036ac 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
@@ -81,4 +81,9 @@ public class HadoopDefaultAuthenticator implements HiveAuthenticationProvider {
     //no op
   }
 
+  @Override
+  public String getUserIpAddress() {
+    return null;
+  }
+
 }
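Review bot: `getUserIpAddress()` returns `null` unconditionally here, and neither this override nor the new declaration in `HiveAuthenticationProvider` says what `null` means. The deleted `HiveAuthzContext.Builder` getter documented that the address is set only when the authorization API is invoked from a HiveServer2 instance in standalone mode; that sentence should move to the interface method as Javadoc, together with `@return the client address, or null when it is not known`. An authorizer applying address-based rules then has a stated contract to treat `null` as unknown rather than as a match.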

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
index 7befff8..761352a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
@@ -32,6 +32,8 @@ public interface HiveAuthenticationProvider extends Configurable{
 
   public String getUserName();
 
+  public String getUserIpAddress();
+
   public List<String> getGroupNames();
 
   public void destroy() throws HiveException;

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
index 8c7809e..87f4afa 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
@@ -71,4 +71,9 @@ public class SessionStateConfigUserAuthenticator implements HiveAuthenticationPr
     this.sessionState = sessionState;
   }
 
+  @Override
+  public String getUserIpAddress() {
+    return this.sessionState.getUserIpAddress();
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
index a77e93f..8f10914 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
@@ -65,4 +65,9 @@ public class SessionStateUserAuthenticator implements HiveAuthenticationProvider
     this.sessionState = sessionState;
   }
 
+  @Override
+  public String getUserIpAddress() {
+    return this.sessionState.getUserIpAddress();
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
index 6bad99b..a9ad015 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java
@@ -73,8 +73,7 @@ public class AuthorizationMetaStoreFilterHook extends DefaultMetaStoreFilterHook
 
   private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs) throws MetaException {
     SessionState ss = SessionState.get();
-    HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
-    authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
+    QueryContext.Builder authzContextBuilder = new QueryContext.Builder();
     try {
       return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build());
     } catch (HiveAuthzPluginException e) {

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
index 1b366c2..5e8b66a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
@@ -34,21 +34,17 @@ public interface HiveAuthorizationValidator {
    * see HiveAuthorizer.checkPrivileges
    */
   void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException;
+      List<HivePrivilegeObject> outputHObjs, QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * see HiveAuthorizer.filterListCmdObjects
    */
   List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context);
+      QueryContext context);
 
-  public String getRowFilterExpression(String database, String table) throws SemanticException;
-
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException;
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException;
 
   public boolean needTransform();
 
-  public boolean needTransform(String database, String table);
-
 }
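Review bot: `applyRowFilterAndColumnMasking` is added without the one-line pointer that `checkPrivileges` and `filterListCmdObjects` carry in this interface. Adding `/** see HiveAuthorizer.applyRowFilterAndColumnMasking */` above the declaration would keep the three methods consistent and lead implementers to the contract for the returned list.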

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
index 6e2ef8d..4f27137 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
@@ -161,7 +161,7 @@ public interface HiveAuthorizer {
    * @throws HiveAccessControlException
    */
   void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+      List<HivePrivilegeObject> outputHObjs, QueryContext context)
       throws HiveAuthzPluginException, HiveAccessControlException;
 
 
@@ -175,7 +175,7 @@ public interface HiveAuthorizer {
    * @throws HiveAccessControlException
    */
   List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context)
+      QueryContext context)
           throws HiveAuthzPluginException, HiveAccessControlException;
 
 
@@ -242,50 +242,14 @@ public interface HiveAuthorizer {
    * user, role or location.
    */
   /**
-   * getRowFilterExpression is called once for each table in a query. It expects
-   * a valid filter condition to be returned. Null indicates no filtering is
+   * applyRowFilterAndColumnMasking is called once for each table in a query. 
+   * (part 1) It expects a valid filter condition to be returned. Null indicates no filtering is
    * required.
    *
    * Example: table foo(c int) -> "c > 0 && c % 2 = 0"
    *
-   * @param database
-   *          the name of the database in which the table lives
-   * @param table
-   *          the name of the table in question
-   * @return
-   * @throws SemanticException
-   */
-  public String getRowFilterExpression(String database, String table) throws SemanticException;
-
-  /**
-   * needTransform() is called once per user in a query. If the function returns
-   * true a call to needTransform(String database, String table) will happen.
-   * Returning false short-circuits the generation of row/column transforms.
-   *
-   * @return
-   * @throws SemanticException
-   */
-  public boolean needTransform();
-
-  /**
-   * needTransform(String database, String table) is called once per table in a
-   * query. If the function returns true a call to getRowFilterExpression and
-   * getCellValueTransformer will happen. Returning false short-circuits the
-   * generation of row/column transforms.
-   *
-   * @param database
-   *          the name of the database in which the table lives
-   * @param table
-   *          the name of the table in question
-   * @return
-   * @throws SemanticException
-   */
-  public boolean needTransform(String database, String table);
-
-  /**
-   * getCellValueTransformer is called once per column in each table accessed by
-   * the query. It expects a valid expression as used in a select clause. Null
-   * is not a valid option. If no transformation is needed simply return the
+   * (part 2) It expects a valid expression as used in a select clause. Null
+   * is NOT a valid option. If no transformation is needed simply return the
    * column name.
    *
    * Example: column a -> "a" (no transform)
@@ -294,14 +258,22 @@ public interface HiveAuthorizer {
    *
    * Example: column a -> "5" (replace column a with the constant 5)
    *
-   * @param database
-   * @param table
-   * @param columnName
+   * @return List<HivePrivilegeObject>
+   * please return the list of HivePrivilegeObjects that need to be rewritten.
+   *
+   * @throws SemanticException
+   */
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException;
+
+  /**
+   * needTransform() is called once per user in a query. 
+   * Returning false short-circuits the generation of row/column transforms.
+   *
    * @return
    * @throws SemanticException
    */
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException;
-  
+  public boolean needTransform();
+
 }
 
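Review bot: The Javadoc for `applyRowFilterAndColumnMasking` still reads as if the method returned a filter string and a select expression, and it documents neither `context` nor `privObjs`. As declared, the method returns `List<HivePrivilegeObject>`, so the text should say that the filter and the per-column expressions are set on each returned object (`setRowFilterExpression`, `setCellValueTransformers`). It should also state whether `null` is an allowed return: `HiveV1Authorizer`, `DummyHiveAuthorizationValidator` and `SQLStdHiveAuthorizationValidator` all return `null` in this commit, and the caller is outside the visible hunks. If the caller iterates the result, returning an empty list from those stubs is the safer contract. The comment block begins in the preceding hunk.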

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
index c73d667..b9ef483 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
@@ -82,7 +82,7 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer {
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+      List<HivePrivilegeObject> outputHObjs, QueryContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
     authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
   }
@@ -90,7 +90,7 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer {
 
   @Override
   public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
+      QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException {
     return authValidator.filterListCmdObjects(listObjs, context);
   }
 
@@ -138,24 +138,14 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer {
   }
 
   @Override
-  public String getRowFilterExpression(String database, String table) throws SemanticException {
-    return authValidator.getRowFilterExpression(table, table);
-  }
-
-  @Override
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException {
-    return authValidator.getCellValueTransformer(database, table, columnName);
-  }
-
-  @Override
   public boolean needTransform() {
     return authValidator.needTransform();
   }
 
   @Override
-  public boolean needTransform(String database, String table) {
-    return authValidator.needTransform(database, table);
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException {
+    return authValidator.applyRowFilterAndColumnMasking(context, privObjs);
   }
 
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java
deleted file mode 100644
index 195e341..0000000
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.hive.ql.security.authorization.plugin;
-
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
-import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
-
-/**
- * Provides context information in authorization check call that can be used for
- * auditing and/or authorization.
- * It is an immutable class. Builder inner class is used instantiate it.
- */
-@LimitedPrivate(value = { "Apache Argus (incubating)" })
-@Evolving
-public final class HiveAuthzContext {
-
-  public static class Builder {
-    private String userIpAddress;
-    private String commandString;
-
-    /**
-     * Get user's ip address. This is set only if the authorization
-     * api is invoked from a HiveServer2 instance in standalone mode.
-     * @return ip address
-     */
-    public String getUserIpAddress() {
-      return userIpAddress;
-    }
-    public void setUserIpAddress(String userIpAddress) {
-      this.userIpAddress = userIpAddress;
-    }
-    public String getCommandString() {
-      return commandString;
-    }
-    public void setCommandString(String commandString) {
-      this.commandString = commandString;
-    }
-    public HiveAuthzContext build(){
-      return new HiveAuthzContext(this);
-    }
-
-
-  }
-
-  private final String userIpAddress;
-  private final String commandString;
-
-  private HiveAuthzContext(Builder builder) {
-    this.userIpAddress = builder.userIpAddress;
-    this.commandString = builder.commandString;
-
-  }
-
-  public String getIpAddress() {
-    return userIpAddress;
-  }
-
-  public String getCommandString() {
-    return commandString;
-  }
-
-  @Override
-  public String toString() {
-    return "HiveAuthzContext [userIpAddress=" + userIpAddress + ", commandString=" + commandString
-        + "]";
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
index 0364627..180006f 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Iterator;
@@ -107,6 +108,16 @@ public class HivePrivilegeObject implements Comparable<HivePrivilegeObject> {
   private final List<String> partKeys;
   private final List<String> columns;
   private final HivePrivObjectActionType actionType;
+  // cellValueTransformers is corresponding to the columns.
+  // Its size should be the same as columns.
+  // For example, if a table has two columns, "key" and "value"
+  // we may mask "value" as "reverse(value)". Then cellValueTransformers
+  // should be "key" and "reverse(value)"
+  private List<String> cellValueTransformers;
+  // rowFilterExpression is applied to the whole table, i.e., dbname.objectName
+  // For example, rowFilterExpression can be "key % 2 = 0 and key < 10" and it
+  // is applied to the table.
+  private String rowFilterExpression;
 
   public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName) {
     this(type, dbname, objectName, HivePrivObjectActionType.OTHER);
@@ -139,6 +150,10 @@ public class HivePrivilegeObject implements Comparable<HivePrivilegeObject> {
     this(type, dbname, objectName, partKeys, columns, HivePrivObjectActionType.OTHER, commandParams);
   }
 
+  public HivePrivilegeObject(String dbname, String objectName, List<String> columns) {
+    this(null, dbname, objectName, null, columns, null);
+  }
+
   public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName,
       List<String> partKeys, List<String> columns, HivePrivObjectActionType actionType,
       List<String> commandParams) {
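Review bot: The new three-argument constructor passes `null` as the first argument of the constructor it delegates to, which by the neighbouring calls is the `HivePrivilegeObjectType`, so objects built this way have no type. The class implements `Comparable`, and any comparison or switch on `type` elsewhere in the file would presumably throw a `NullPointerException` for such an object; that code is outside the hunk. If these objects always denote a table or view, as their use for row filters and column masks suggests, `this(HivePrivilegeObjectType.TABLE_OR_VIEW, dbname, objectName, null, columns, null);` avoids the null type.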
@@ -242,4 +257,20 @@ public class HivePrivilegeObject implements Comparable<HivePrivilegeObject> {
   private String getDbObjectName(String dbname2, String objectName2) {
     return (dbname == null ? "" : dbname + ".") + objectName;
   }
+
+  public List<String> getCellValueTransformers() {
+    return cellValueTransformers;
+  }
+
+  public void setCellValueTransformers(List<String> cellValueTransformers) {
+    this.cellValueTransformers = cellValueTransformers;
+  }
+
+  public String getRowFilterExpression() {
+    return rowFilterExpression;
+  }
+
+  public void setRowFilterExpression(String rowFilterExpression) {
+    this.rowFilterExpression = rowFilterExpression;
+  }
 }
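Review bot: `setCellValueTransformers` stores whatever list it is given, while the field comment added earlier in this file says its size should match `columns`; nothing enforces that. Since a masking expression is tied to a column by position, a shorter or reordered list would presumably mask the wrong column or fail at rewrite time, depending on the consumer, which is outside this hunk. A guard such as `if (cellValueTransformers != null && columns != null && cellValueTransformers.size() != columns.size()) throw new IllegalArgumentException("cellValueTransformers must match columns");` would make the invariant explicit. The row filter is appended verbatim after `" WHERE "` in TableMask, so both setters deserve a comment stating that the strings are SQL fragments supplied by the authorizer plugin and must never be built from end-user text.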

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
index c8aa9db..845fd85 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
@@ -66,7 +66,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer {
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+      List<HivePrivilegeObject> outputHObjs, QueryContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
     throw new UnsupportedOperationException("Should not be called for v1 authorizer");
   }
@@ -391,31 +391,19 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer {
 
   @Override
   public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
+      QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException {
     // do no filtering in old authorizer
     return listObjs;
   }
 
-
-  @Override
-  public String getRowFilterExpression(String database, String table) throws SemanticException {
-    return null;
-  }
-
-
   @Override
   public boolean needTransform() {
     return false;
   }
 
   @Override
-  public boolean needTransform(String database, String table) {
-    return false;
-  }
-
-  @Override
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException {
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException {
     return null;
   }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
new file mode 100644
index 0000000..318343c
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+
+/**
+ * Provides context information in authorization check call that can be used for
+ * auditing and/or authorization.
+ * It is an immutable class. Builder inner class is used instantiate it.
+ */
+@LimitedPrivate(value = { "Apache Argus (incubating)" })
+@Evolving
+public final class QueryContext {
+
+  public static class Builder {
+    private String commandString;
+
+    public String getCommandString() {
+      return commandString;
+    }
+    public void setCommandString(String commandString) {
+      this.commandString = commandString;
+    }
+    public QueryContext build(){
+      return new QueryContext(this);
+    }
+  }
+
+  private final String commandString;
+
+  private QueryContext(Builder builder) {
+    this.commandString = builder.commandString;
+  }
+
+  public String getCommandString() {
+    return commandString;
+  }
+
+  @Override
+  public String toString() {
+    return "QueryContext [commandString=" + commandString + "]";
+  }
+
+}
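Review bot: `toString()` prints the whole `commandString`, and `SQLStdHiveAuthorizationValidator` concatenates the context into its debug messages (`". Context Info: " + context`), so full statement text reaches the log whenever debug logging is on. Statements can carry literal values that do not belong in logs; whether that matters depends on the deployment. A Javadoc line on `toString()` such as `/** Includes the raw command text; keep it out of logs above debug level. */` would record the behaviour. The class comment also still advertises the context for auditing although the client address was removed from it; pointing to `HiveAuthenticationProvider.getUserIpAddress()` there would help.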

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
index e4ddc9b..1356e29 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
@@ -25,7 +25,7 @@ import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -39,27 +39,17 @@ public class DummyHiveAuthorizationValidator implements HiveAuthorizationValidat
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+      List<HivePrivilegeObject> outputHObjs, QueryContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
     // no-op
   }
 
   @Override
   public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context) {
+      QueryContext context) {
     return listObjs;
   }
 
-  @Override
-  public String getRowFilterExpression(String database, String table) throws SemanticException {
-    return null;
-  }
-
-  @Override
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException {
-    return null;
-  }
 
   @Override
   public boolean needTransform() {
@@ -67,8 +57,9 @@ public class DummyHiveAuthorizationValidator implements HiveAuthorizationValidat
   }
 
   @Override
-  public boolean needTransform(String database, String table) {
-    return false;
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException {
+    return null;
   }
 
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
index c5d60b3..0edfb64 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
@@ -31,7 +31,7 @@ import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
@@ -65,7 +65,7 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+      List<HivePrivilegeObject> outputHObjs, QueryContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
 
     if (LOG.isDebugEnabled()) {
@@ -141,7 +141,7 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida
 
   @Override
   public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
-      HiveAuthzContext context) {
+      QueryContext context) {
     if (LOG.isDebugEnabled()) {
       String msg = "Obtained following objects in  filterListCmdObjects " + listObjs + " for user "
           + authenticator.getUserName() + ". Context Info: " + context;
@@ -151,24 +151,14 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida
   }
 
   @Override
-  public String getRowFilterExpression(String database, String table) throws SemanticException {
-    return null;
-  }
-
-  @Override
-  public String getCellValueTransformer(String database, String table, String columnName)
-      throws SemanticException {
-    return null;
-  }
-
-  @Override
   public boolean needTransform() {
     return false;
   }
 
   @Override
-  public boolean needTransform(String database, String table) {
-    return false;
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context,
+      List<HivePrivilegeObject> privObjs) throws SemanticException {
+    return null;
   }
 
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/7e0b08c1/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
index 285b4f9..c4a7e69 100644
--- a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
+++ b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java
@@ -22,7 +22,7 @@ import java.util.List;
 
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -134,8 +134,7 @@ public abstract class MetadataOperation extends Operation {
   protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
       String cmdString) throws HiveSQLException {
     SessionState ss = SessionState.get();
-    HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder();
-    ctxBuilder.setUserIpAddress(ss.getUserIpAddress());
+    QueryContext.Builder ctxBuilder = new QueryContext.Builder();
     ctxBuilder.setCommandString(cmdString);
     try {
       ss.getAuthorizerV2().checkPrivileges(opType, inpObjs, null,