Posted to commits@sentry.apache.org by sp...@apache.org on 2017/11/22 16:30:32 UTC

sentry git commit: SENTRY-2021: MR session ACLs in Hive binding does not handle all types of ACLs (Wilfred Spiegelenburg, reviewed by Sergio Pena)

Repository: sentry
Updated Branches:
  refs/heads/master ef81e0907 -> b9d2107f4


SENTRY-2021: MR session ACLs in Hive binding does not handle all types of ACLs (Wilfred Spiegelenburg, reviewed by Sergio Pena)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b9d2107f
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b9d2107f
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b9d2107f

Branch: refs/heads/master
Commit: b9d2107f47128bd62ee0d8cf268366c71f065d2d
Parents: ef81e09
Author: Sergio Pena <se...@cloudera.com>
Authored: Wed Nov 22 10:23:34 2017 -0600
Committer: Sergio Pena <se...@cloudera.com>
Committed: Wed Nov 22 10:23:34 2017 -0600

----------------------------------------------------------------------
 .../hive/v2/HiveAuthzBindingSessionHookV2.java  | 26 ++++++++++++++++--
 .../hive/HiveAuthzBindingSessionHook.java       | 28 ++++++++++++++++++--
 2 files changed, 50 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
index 9106911..5a47da8 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
@@ -45,6 +45,7 @@ public class HiveAuthzBindingSessionHookV2 implements
       ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname, HiveAuthzConf.HIVE_ACCESS_CONF_URL,
       HiveAuthzConf.HIVE_SENTRY_CONF_URL, HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
       HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET);
+  public static final String WILDCARD_ACL_VALUE = "*";
 
   /**
    * The session hook for sentry authorization that sets the required session level configuration 1.
@@ -89,8 +90,8 @@ public class HiveAuthzBindingSessionHookV2 implements
     sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
 
     // Set MR ACLs to session user
-    appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser());
-    appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser());
+    updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser());
+    updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser());
   }
 
   // Setup given sentry hooks
@@ -104,4 +105,25 @@ public class HiveAuthzBindingSessionHookV2 implements
     sessionConf.set(confVar, currentValue);
   }
 
+  // Setup ACL to include session user
+  private void updateJobACL(HiveConf sessionConf, String aclName, String sessionUser) {
+    String aclString = sessionConf.get(aclName, "");
+    // An empty ACL, replace it with the user
+    if (aclString.isEmpty()) {
+      aclString = sessionUser;
+    } else {
+      // ACLs can start with a space if only groups are configured
+      if (aclString.startsWith(" ")) {
+        aclString = sessionUser + aclString;
+      } else {
+        // Do not replace the wildcard ACL, it would restrict access
+        boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) &&
+            aclString.trim().equals(WILDCARD_ACL_VALUE));
+        if (!isWildcard) {
+          aclString = sessionUser + "," + aclString;
+        }
+      }
+    }
+    sessionConf.set(aclName, aclString.trim());
+  }
 }
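Review bot: The wildcard guard at the `isWildcard` line only recognises an ACL whose entire value trims to `*`, so a value that combines a wildcard users part with a group list (for example `* admins`) falls through to the prepend branch and becomes `user,* admins`; if the consumer parses the users part as a comma-separated list, as the comment "it would restrict access" implies, that turns an everyone-allowed ACL into a two-entry user list, the opposite of what the guard is protecting. Checking only the users part covers both shapes: `String usersPart = aclString.split(" ", 2)[0];` followed by `boolean isWildcard = usersPart.trim().equals(WILDCARD_ACL_VALUE);`, which also drops the redundant `contains` test, since `trim().equals` already implies it. The same method with the same check is added to HiveAuthzBindingSessionHook.java in the second file of this commit, so any fix applies there too; a shared helper would keep the two copies from drifting.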

http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 7250891..3e94d09 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -53,6 +53,7 @@ public class HiveAuthzBindingSessionHook
     HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME,
     HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET
     );
+  public static final String WILDCARD_ACL_VALUE = "*";
 
   /**
    * The session hook for sentry authorization that sets the required session level configuration
@@ -90,9 +91,9 @@ public class HiveAuthzBindingSessionHook
     sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
 
     // Set MR ACLs to session user
-    appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
+    updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
         sessionHookContext.getSessionUser());
-    appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
+    updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
         sessionHookContext.getSessionUser());
 
     // setup restrict list
@@ -117,4 +118,27 @@ public class HiveAuthzBindingSessionHook
     }
     sessionConf.set(confVar, currentValue);
   }
+
+  // Setup ACL to include the session user
+  private void updateJobACL(HiveConf sessionConf, String aclName,
+      String sessionUser) {
+    String aclString = sessionConf.get(aclName, "");
+    // An empty ACL, replace it with the user
+    if (aclString.isEmpty()) {
+      aclString = sessionUser;
+    } else {
+      // ACLs can start with a space if only groups are configured
+      if (aclString.startsWith(" ")) {
+        aclString = sessionUser + aclString;
+      } else {
+        // Do not replace the wildcard ACL, it would restrict access
+        boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) &&
+            aclString.trim().equals(WILDCARD_ACL_VALUE));
+        if (!isWildcard) {
+          aclString = sessionUser + "," + aclString;
+        }
+      }
+    }
+    sessionConf.set(aclName, aclString.trim());
+  }
 }