Posted to commits@sentry.apache.org by sp...@apache.org on 2017/11/22 16:30:32 UTC
sentry git commit: SENTRY-2021: MR session ACLs in Hive binding does
not handle all types of ACLs (Wilfred Spiegelenburg, reviewed by Sergio Pena)
Repository: sentry
Updated Branches:
refs/heads/master ef81e0907 -> b9d2107f4
SENTRY-2021: MR session ACLs in Hive binding does not handle all types of ACLs (Wilfred Spiegelenburg, reviewed by Sergio Pena)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b9d2107f
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b9d2107f
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b9d2107f
Branch: refs/heads/master
Commit: b9d2107f47128bd62ee0d8cf268366c71f065d2d
Parents: ef81e09
Author: Sergio Pena <se...@cloudera.com>
Authored: Wed Nov 22 10:23:34 2017 -0600
Committer: Sergio Pena <se...@cloudera.com>
Committed: Wed Nov 22 10:23:34 2017 -0600
----------------------------------------------------------------------
.../hive/v2/HiveAuthzBindingSessionHookV2.java | 26 ++++++++++++++++--
.../hive/HiveAuthzBindingSessionHook.java | 28 ++++++++++++++++++--
2 files changed, 50 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
index 9106911..5a47da8 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
@@ -45,6 +45,7 @@ public class HiveAuthzBindingSessionHookV2 implements
ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname, HiveAuthzConf.HIVE_ACCESS_CONF_URL,
HiveAuthzConf.HIVE_SENTRY_CONF_URL, HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET);
+ public static final String WILDCARD_ACL_VALUE = "*";
/**
* The session hook for sentry authorization that sets the required session level configuration 1.
@@ -89,8 +90,8 @@ public class HiveAuthzBindingSessionHookV2 implements
sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
// Set MR ACLs to session user
- appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser());
- appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser());
+ updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser());
+ updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser());
}
// Setup given sentry hooks
@@ -104,4 +105,25 @@ public class HiveAuthzBindingSessionHookV2 implements
sessionConf.set(confVar, currentValue);
}
+ // Setup ACL to include session user
+ private void updateJobACL(HiveConf sessionConf, String aclName, String sessionUser) {
+ String aclString = sessionConf.get(aclName, "");
+ // An empty ACL, replace it with the user
+ if (aclString.isEmpty()) {
+ aclString = sessionUser;
+ } else {
+ // ACLs can start with a space if only groups are configured
+ if (aclString.startsWith(" ")) {
+ aclString = sessionUser + aclString;
+ } else {
+ // Do not replace the wildcard ACL, it would restrict access
+ boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) &&
+ aclString.trim().equals(WILDCARD_ACL_VALUE));
+ if (!isWildcard) {
+ aclString = sessionUser + "," + aclString;
+ }
+ }
+ }
+ sessionConf.set(aclName, aclString.trim());
+ }
}
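Review bot: The wildcard guard at `boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) && ...` only recognises an ACL that is exactly `*`, so a value whose user part is the wildcard but which also lists groups (for example `* admins`) falls through to `sessionUser + "," + aclString` and becomes `user,* admins`; if the consumer splits the value on the first space into users and groups, as Hadoop's AccessControlList does for the JOB_ACL_* keys, the user part is then `user,*`, no longer the bare wildcard, and the ACL is narrowed — the outcome the preceding comment says this branch avoids. Testing the user part rather than the whole string would cover that case: `String users = aclString.split(" ", 2)[0];` followed by `if (!WILDCARD_ACL_VALUE.equals(users.trim())) {`. The `aclString.contains(WILDCARD_ACL_VALUE) &&` clause is also redundant, since `trim().equals(WILDCARD_ACL_VALUE)` already implies it, and the method touches no instance state so it could be `private static`. The same updateJobACL body is added in HiveAuthzBindingSessionHook.java in the second file of this commit and has the same gap.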
http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 7250891..3e94d09 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -53,6 +53,7 @@ public class HiveAuthzBindingSessionHook
HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME,
HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET
);
+ public static final String WILDCARD_ACL_VALUE = "*";
/**
* The session hook for sentry authorization that sets the required session level configuration
@@ -90,9 +91,9 @@ public class HiveAuthzBindingSessionHook
sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
// Set MR ACLs to session user
- appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
+ updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
sessionHookContext.getSessionUser());
- appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
+ updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB,
sessionHookContext.getSessionUser());
// setup restrict list
@@ -117,4 +118,27 @@ public class HiveAuthzBindingSessionHook
}
sessionConf.set(confVar, currentValue);
}
+
+ // Setup ACL to include the session user
+ private void updateJobACL(HiveConf sessionConf, String aclName,
+ String sessionUser) {
+ String aclString = sessionConf.get(aclName, "");
+ // An empty ACL, replace it with the user
+ if (aclString.isEmpty()) {
+ aclString = sessionUser;
+ } else {
+ // ACLs can start with a space if only groups are configured
+ if (aclString.startsWith(" ")) {
+ aclString = sessionUser + aclString;
+ } else {
+ // Do not replace the wildcard ACL, it would restrict access
+ boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) &&
+ aclString.trim().equals(WILDCARD_ACL_VALUE));
+ if (!isWildcard) {
+ aclString = sessionUser + "," + aclString;
+ }
+ }
+ }
+ sessionConf.set(aclName, aclString.trim());
+ }
}