Posted to gitbox@hive.apache.org by GitBox <gi...@apache.org> on 2022/05/23 10:00:35 UTC

[GitHub] [hive] zhangbutao opened a new pull request, #3312: HIVE-26248: Add data connector authorization on HMS server-side

zhangbutao opened a new pull request, #3312:
URL: https://github.com/apache/hive/pull/3312

   ### What changes were proposed in this pull request?
   Add data connector authorization on HMS server-side
   
   ### Why are the changes needed?
   With this PR, users can authorize DDL operations of 'connector' on HMS server-side.
   
   ### Does this PR introduce _any_ user-facing change?
   No
   
   ### How was this patch tested?
   UT


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org


[GitHub] [hive] zhangbutao commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
zhangbutao commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1220137251

   @nrg4878 Gentle ping :)




[GitHub] [hive] zhangbutao commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
zhangbutao commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r944193223


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
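
Review bot: getInputHObjs() returns Collections.emptyList() for an alter, so the connector being modified is never handed to the authorizer as an input object and a policy on the existing connector cannot be evaluated. Populate the input list from the pre-alter state of the connector (PreAlterDataConnectorEvent is already imported here) and leave the new definition to getOutputHObjs().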

Review Comment:
   Makes sense. Fixed!





[GitHub] [hive] nrg4878 commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r946296512


##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -360,4 +362,53 @@ public void testQShowTablesUnauthorizedUser() throws Exception {
       }
     }
   }
+
+  @Test
+  public void testR_CreateDataConnector_unAuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      String err = e.getMessage();
+      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR+ " not allowed for user:" + unAuthorizedUser;
+      assertEquals(expected, err);
+    }
+  }
+
+  @Test
+  public void testS_CreateDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      // No Exception for create database for authorized user
+    }
+  }
+
+  @Test
+  public void testT_AlterDataConnector_AuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+
+      DataConnector newConnector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3308/hive");
+      hmsHandler.create_dataconnector(connector);
+      hmsHandler.alter_dataconnector(dcName, newConnector);
+    } catch (Exception e) {
+      // No Exception for create table for authorized user
+    }
+  }
+
+  @Test
+  public void testU_DropDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      hmsHandler.drop_dataconnector(dcName, true, true);
+    } catch (Exception e) {
+      // No Exception for dropDatabase for authorized user
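
Review bot: the only denied-path case in this hunk is testR_CreateDataConnector_unAuthorizedUser; alter_dataconnector and drop_dataconnector are exercised only as authorizedUser. Add unAuthorizedUser cases for alter and drop that assert the "not allowed for user" message, otherwise a regression that leaves ALTERDATACONNECTOR or the drop operation unchecked would still pass this suite.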

Review Comment:
   ditto as above. This method seems to catch Exception and ignore it. So this will never throw an exception. Shouldn't the test fail if we got an exception?



##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -360,4 +362,53 @@ public void testQShowTablesUnauthorizedUser() throws Exception {
       }
     }
   }
+
+  @Test
+  public void testR_CreateDataConnector_unAuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      String err = e.getMessage();
+      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR+ " not allowed for user:" + unAuthorizedUser;
+      assertEquals(expected, err);
+    }
+  }
+
+  @Test
+  public void testS_CreateDataConnector_authorizedUser() throws Exception {
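
Review bot: in testR_CreateDataConnector_unAuthorizedUser the assertion sits only in the catch block, so if hmsHandler.create_dataconnector(connector) returns normally for unAuthorizedUser the test still passes. Add a fail(...) call immediately after create_dataconnector inside the try, or use an expected-exception assertion, so that a missing authorization check turns the test red.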

Review Comment:
   This method catches Exception within the try/catch, will not throw an exception.



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== AlterDataConnectorEvent.getInputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
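
Review bot: getAuthzContext() passes COMMAND_STR as the last constructor argument while getInputHObjs(), evaluated earlier in the same argument list, reassigns that field via buildCommandString. The result is correct only because of left-to-right argument evaluation; reordering the arguments or caching the lists would silently send the bare "alter connector" string. Build the lists and the command string into locals before constructing HiveMetaStoreAuthzInfo.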

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateDataConnectorEvent.java:
##########
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreCreateDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation CreateDataConnector
+ */
+
+public class CreateDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(CreateDataConnectorEvent.class);
+
+  private String COMMAND_STR = "create connector";
+
+  public CreateDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.CREATEDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> CreateDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreCreateDataConnectorEvent event = (PreCreateDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== CreateDataConnectorEvent.getOutputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
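
Review bot: in getOutputHObjs(), when event.getDataConnector() returns null the method returns an empty list and skips the closing LOG.debug, so the CREATEDATACONNECTOR request reaches the authorizer with no privilege object and no trace of why. Log the null case (move the exit log outside the if) and decide explicitly whether an empty object list should be treated as a denial.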

Review Comment:
   nit: remove empty line



##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -360,4 +362,53 @@ public void testQShowTablesUnauthorizedUser() throws Exception {
       }
     }
   }
+
+  @Test
+  public void testR_CreateDataConnector_unAuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      String err = e.getMessage();
+      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR+ " not allowed for user:" + unAuthorizedUser;
+      assertEquals(expected, err);
+    }
+  }
+
+  @Test
+  public void testS_CreateDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      // No Exception for create database for authorized user
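
Review bot: testS_CreateDataConnector_authorizedUser contains no assertion, and its catch comment reads "create database", which does not match the operation under test. Once the exception is allowed to propagate, also assert that the connector named dcName exists afterwards, and reword the comment to refer to the data connector.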

Review Comment:
   This method seems to catch Exception and ignore it. So this will never throw an exception. Shouldn't the test fail if we got an exception?



##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -360,4 +362,53 @@ public void testQShowTablesUnauthorizedUser() throws Exception {
       }
     }
   }
+
+  @Test
+  public void testR_CreateDataConnector_unAuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      String err = e.getMessage();
+      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR+ " not allowed for user:" + unAuthorizedUser;
+      assertEquals(expected, err);
+    }
+  }
+
+  @Test
+  public void testS_CreateDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      // No Exception for create database for authorized user
+    }
+  }
+
+  @Test
+  public void testT_AlterDataConnector_AuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+
+      DataConnector newConnector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3308/hive");
+      hmsHandler.create_dataconnector(connector);
+      hmsHandler.alter_dataconnector(dcName, newConnector);
+    } catch (Exception e) {
+      // No Exception for create table for authorized user
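
Review bot: testT_AlterDataConnector_AuthorizedUser calls hmsHandler.create_dataconnector(connector) twice, once before and once after newConnector is built. If the second create is rejected because dcName already exists, alter_dataconnector is never reached and the empty catch hides that, so the alter path may go untested. Drop the second create call.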

Review Comment:
   ditto as above. This method seems to catch Exception and ignore it. So this will never throw an exception. Shouldn't the test fail if we got an exception?



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
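
Review bot: getInputHObjs() casts preEventContext to PreAlterDataConnectorEvent without a type check, while the constructor accepts any PreEventContext. A mis-routed event would surface as a ClassCastException in the middle of authorization; check the type in the constructor (or narrow the constructor parameter) so the failure is immediate and clearly attributed.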

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
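
Review bot: COMMAND_STR is declared as a non-final instance field but named like a static constant, and getInputHObjs() reassigns it as a side effect of collecting privilege objects. Keep a private static final constant for the "alter connector" prefix and hold the built string in a separate lower-camel-case variable, so a reader does not assume the value is fixed.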

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== AlterDataConnectorEvent.getInputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getNewDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== AlterDataConnectorEvent.getOutputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
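
Review bot: both getInputHObjs() and getOutputHObjs() run COMMAND_STR = buildCommandString(COMMAND_STR, connector), so the string passed to HiveMetaStoreAuthzInfo has been through buildCommandString twice, first with the old connector and then with the new one applied on top of the first result. Build the command string once, from whichever connector the audit text should describe, and leave the field untouched in the other method.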

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== AlterDataConnectorEvent.getInputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getNewDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
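
Review bot: In getInputHObjs() the closing trace `LOG.debug("<== AlterDataConnectorEvent.getInputHObjs(): ret={}", ret);` sits inside `if (connector != null)`, so when getOldDataConnector() returns null the method returns an empty privilege-object list with no exit log at all. An empty input list on an alter means the authorization request names no existing object; move the exit log after the if block and make the null case visible (a WARN log or an explicit rejection) rather than silent.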

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateDataConnectorEvent.java:
##########
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreCreateDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation CreateDataConnector
+ */
+
+public class CreateDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(CreateDataConnectorEvent.class);
+
+  private String COMMAND_STR = "create connector";
+
+  public CreateDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.CREATEDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> CreateDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreCreateDataConnectorEvent event = (PreCreateDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== CreateDataConnectorEvent.getOutputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
+  }
+
+  private String buildCommandString(String cmdStr, DataConnector connector) {
+    String ret = cmdStr;
+
+    if (connector != null) {
+      String dcName = connector.getName();
+      ret = ret + (StringUtils.isNotEmpty(dcName) ? " " + dcName : "");
+    }
+
+    return ret;
+
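
Review bot: buildCommandString() re-checks `connector != null`, but the only caller in the lines shown, getOutputHObjs(), already invokes it inside `if (connector != null)`, so the inner check is dead on that path. The Alter and Drop event classes in this PR call a helper with the same name and arguments while this one is private, which suggests each class carries its own copy; a single protected version in HiveMetaStoreAuthorizableEvent would keep them from drifting apart.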

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/DropDataConnectorEvent.java:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreDropDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation DropDataConnector
+ */
+
+public class DropDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(DropDataConnectorEvent.class);
+
+  private String COMMAND_STR = "drop connector";
+
+  public DropDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.DROPDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> DropDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreDropDataConnectorEvent event = (PreDropDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    ret.add(getHivePrivilegeObject(connector));
+
+    COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+    LOG.debug("<== DropDataConnectorEvent.getInputHObjs(): ret={}", ret);
+
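
Review bot: getInputHObjs() passes the result of event.getDataConnector() straight to `getHivePrivilegeObject(connector)` with no null check, while the Create and Alter event classes in this PR guard the same call with `if (connector != null)`. Add the same guard here or document why a drop event can never carry a null connector, so the three classes handle that case the same way.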

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateDataConnectorEvent.java:
##########
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreCreateDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation CreateDataConnector
+ */
+
+public class CreateDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(CreateDataConnectorEvent.class);
+
+  private String COMMAND_STR = "create connector";
+
+  public CreateDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.CREATEDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> CreateDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreCreateDataConnectorEvent event = (PreCreateDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
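
Review bot: `private String COMMAND_STR = "create connector";` is a non-final instance field written in constant case. Make the base text a `private static final String` constant and keep the per-event command in a separate lower-camel-case variable, so a reader does not assume the value is fixed.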

Review Comment:
   nit: remove empty line



##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -360,4 +362,53 @@ public void testQShowTablesUnauthorizedUser() throws Exception {
       }
     }
   }
+
+  @Test
+  public void testR_CreateDataConnector_unAuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      String err = e.getMessage();
+      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR+ " not allowed for user:" + unAuthorizedUser;
+      assertEquals(expected, err);
+    }
+  }
+
+  @Test
+  public void testS_CreateDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+    } catch (Exception e) {
+      // No Exception for create database for authorized user
+    }
+  }
+
+  @Test
+  public void testT_AlterDataConnector_AuthorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      DataConnector connector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3306/hive");
+      hmsHandler.create_dataconnector(connector);
+
+      DataConnector newConnector = new DataConnector(dcName, "mysql", "jdbc:mysql://localhost:3308/hive");
+      hmsHandler.create_dataconnector(connector);
+      hmsHandler.alter_dataconnector(dcName, newConnector);
+    } catch (Exception e) {
+      // No Exception for create table for authorized user
+    }
+  }
+
+  @Test
+  public void testU_DropDataConnector_authorizedUser() throws Exception {
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      hmsHandler.drop_dataconnector(dcName, true, true);
+    } catch (Exception e) {
+      // No Exception for dropDatabase for authorized user
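
Review bot: testR_CreateDataConnector_unAuthorizedUser only asserts inside the catch block, so if create_dataconnector() succeeds for the unauthorized user the test still passes; add a fail() right after the call (or use an expected-exception assertion) so a missing authorization check is actually caught. The three authorized-user tests swallow every Exception, which means they cannot fail either, and in testT_AlterDataConnector_AuthorizedUser the second `hmsHandler.create_dataconnector(connector);` repeats the create just before alter_dataconnector(), so any exception it throws is swallowed and the alter call is skipped unnoticed.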

Review Comment:
   nit: comment says "dropDatabase". It should say "dropConnector"



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/DropDataConnectorEvent.java:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreDropDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation DropDataConnector
+ */
+
+public class DropDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(DropDataConnectorEvent.class);
+
+  private String COMMAND_STR = "drop connector";
+
+  public DropDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.DROPDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> DropDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreDropDataConnectorEvent event = (PreDropDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    ret.add(getHivePrivilegeObject(connector));
+
+    COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
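
Review bot: The class description above DropDataConnectorEvent is a plain block comment (`/*` ... `*/`) separated from the class declaration by a blank line, so it is not picked up as Javadoc. Change it to `/**` and attach it directly to the class.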

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateDataConnectorEvent.java:
##########
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreCreateDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation CreateDataConnector
+ */
+
+public class CreateDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(CreateDataConnectorEvent.class);
+
+  private String COMMAND_STR = "create connector";
+
+  public CreateDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.CREATEDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> CreateDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreCreateDataConnectorEvent event = (PreCreateDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
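
Review bot: getAuthzContext() passes `getOutputHObjs(), COMMAND_STR` as consecutive constructor arguments, and getOutputHObjs() is what appends the connector name to COMMAND_STR, so the command string is complete only because Java evaluates arguments left to right. Compute the output objects and the command string into locals before constructing HiveMetaStoreAuthzInfo so the ordering dependency is explicit.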

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/DropDataConnectorEvent.java:
##########
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreDropDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation DropDataConnector
+ */
+
+public class DropDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(DropDataConnectorEvent.class);
+
+  private String COMMAND_STR = "drop connector";
+
+  public DropDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.DROPDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> DropDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreDropDataConnectorEvent event = (PreDropDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getDataConnector();
+
+    ret.add(getHivePrivilegeObject(connector));
+
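
Review bot: The constructor accepts any PreEventContext, but getInputHObjs() casts it unconditionally with `(PreDropDataConnectorEvent) preEventContext`, so a mismatched event type surfaces as a ClassCastException in the middle of building the authorization context. Narrow the constructor parameter to PreDropDataConnectorEvent, or check the type once in the constructor and fail with a clear message.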

Review Comment:
   nit: remove empty line



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getInputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getOldDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
+      LOG.debug("<== AlterDataConnectorEvent.getInputHObjs(): ret={}", ret);
+    }
+
+    return ret;
+
+  }
+
+  private List<HivePrivilegeObject> getOutputHObjs() {
+    LOG.debug("==> AlterDataConnectorEvent.getOutputHObjs()");
+
+    List<HivePrivilegeObject> ret = new ArrayList<>();
+    PreAlterDataConnectorEvent event = (PreAlterDataConnectorEvent) preEventContext;
+    DataConnector connector = event.getNewDataConnector();
+
+    if (connector != null) {
+      ret.add(getHivePrivilegeObject(connector));
+
+      COMMAND_STR = buildCommandString(COMMAND_STR, connector);
+
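
Review bot: `import java.util.Collections;` appears at the top of this file, but both getInputHObjs() and getOutputHObjs() build their result with `new ArrayList<>()` and nothing in the lines shown uses Collections. If the rest of the file does not use it either, drop the import.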

Review Comment:
   nit: remove empty line



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscribe@hive.apache.org
For additional commands, e-mail: gitbox-help@hive.apache.org


[GitHub] [hive] github-actions[bot] commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1200319092

   This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
   Feel free to reach out on the dev@hive.apache.org list if the patch is in need of reviews.




[GitHub] [hive] sonarcloud[bot] commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1217329891

   Kudos, SonarCloud Quality Gate passed! [Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_hive&pullRequest=3312)

   Bug (rating E): [103 Bugs](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=BUG)
   Vulnerability (rating A): [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=VULNERABILITY)
   Security Hotspot (rating E): [33 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_hive&pullRequest=3312&resolved=false&types=SECURITY_HOTSPOT)
   Code Smell (rating A): [1776 Code Smells](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=CODE_SMELL)

   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=coverage&view=list)
   [No Duplication information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=duplicated_lines_density&view=list)




[GitHub] [hive] github-actions[bot] closed pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
github-actions[bot] closed pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side
URL: https://github.com/apache/hive/pull/3312




[GitHub] [hive] nrg4878 commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
nrg4878 commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1207324966

   @zhangbutao I missed this somehow. Can you please re-base this patch?




[GitHub] [hive] sonarcloud[bot] commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1217493605

   Kudos, SonarCloud Quality Gate passed! [Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_hive&pullRequest=3312)

   [103 Bugs](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=BUG), rating E
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=VULNERABILITY), rating A
   [33 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_hive&pullRequest=3312&resolved=false&types=SECURITY_HOTSPOT), rating E
   [1776 Code Smells](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=CODE_SMELL), rating A

   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=coverage&view=list)
   [No Duplication information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=duplicated_lines_density&view=list)
   
   




[GitHub] [hive] zhangbutao commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
zhangbutao commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r944184031


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -71,4 +72,10 @@ protected HivePrivilegeObject getHivePrivilegeObjectLocalUri(String uri) {
     return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI, null, uri);
   }
 
+  protected HivePrivilegeObject getHivePrivilegeObject(DataConnector connector) {
+    return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR, null,
+        connector.getName(), null, null, HivePrivilegeObject.HivePrivObjectActionType.OTHER, null, null,
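
Review bot: `connector.getName()` in the new `getHivePrivilegeObject(DataConnector connector)` is dereferenced with no null check, so an event that carries no connector fails with a NullPointerException inside the authorization path rather than with a clear authorization error; guard it or document that callers must pass a non-null connector. The overload also has no Javadoc saying which field each positional `null` in the constructor call stands for, which makes the call hard to review.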

Review Comment:
   `connector url` and `connector type` cannot be added as a param here. At present, we think all alter operations have the same permission check logic, and there is no need to specially check `connector url` or `connector type`.
   
   Also, there are no related privilege types for `connector url` and `connector type` in the `HivePrivilegeObject` class:
   https://github.com/apache/hive/blob/18501dd2e6f0c68038600b4dc69b7197a7827cbd/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java#L108-L116





[GitHub] [hive] zhangbutao commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
zhangbutao commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1207562073

   >  I missed this somehow. Can you please re-base this patch?
   
   @nrg4878 Rebased. Please take a look, thanks.
   
   




[GitHub] [hive] sonarcloud[bot] commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1216232246

   Kudos, SonarCloud Quality Gate passed! [Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_hive&pullRequest=3312)

   [103 Bugs](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=BUG), rating E
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=VULNERABILITY), rating A
   [33 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_hive&pullRequest=3312&resolved=false&types=SECURITY_HOTSPOT), rating E
   [1778 Code Smells](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=CODE_SMELL), rating A

   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=coverage&view=list)
   [No Duplication information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=duplicated_lines_density&view=list)
   
   




[GitHub] [hive] sonarcloud[bot] commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1216726786

   Kudos, SonarCloud Quality Gate passed! [Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_hive&pullRequest=3312)

   [103 Bugs](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=BUG), rating E
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=VULNERABILITY), rating A
   [33 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_hive&pullRequest=3312&resolved=false&types=SECURITY_HOTSPOT), rating E
   [1776 Code Smells](https://sonarcloud.io/project/issues?id=apache_hive&pullRequest=3312&resolved=false&types=CODE_SMELL), rating A

   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=coverage&view=list)
   [No Duplication information](https://sonarcloud.io/component_measures?id=apache_hive&pullRequest=3312&metric=duplicated_lines_density&view=list)
   
   




[GitHub] [hive] saihemanth-cloudera commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r946016978


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -71,4 +72,10 @@ protected HivePrivilegeObject getHivePrivilegeObjectLocalUri(String uri) {
     return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI, null, uri);
   }
 
+  protected HivePrivilegeObject getHivePrivilegeObject(DataConnector connector) {
+    return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR, null,
+        connector.getName(), null, null, HivePrivilegeObject.HivePrivObjectActionType.OTHER, null, null,

Review Comment:
   Ack





[GitHub] [hive] nrg4878 merged pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
nrg4878 merged PR #3312:
URL: https://github.com/apache/hive/pull/3312




[GitHub] [hive] zhangbutao commented on pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
zhangbutao commented on PR #3312:
URL: https://github.com/apache/hive/pull/3312#issuecomment-1139260519

   @nrg4878 Could you please review this pr? thx




[GitHub] [hive] saihemanth-cloudera commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r942718845


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();
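
Review bot: `private String COMMAND_STR = "alter connector";` is named like a constant but is a mutable per-instance field; declare it `private static final String`. In the same hunk the class description is a plain `/* ... */` block, so it is not picked up as Javadoc, and the local `ret` in `getAuthzContext()` can be returned directly.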

Review Comment:
   Instead of sending an empty list, we need to send the old dataconnector object, so that the authorization service can check if the current user has the required access/privilege on this connector. Anyway, we have the oldDC object in the PreAlterDataConnectorEvent, so let's just pass it in here.



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -71,4 +72,10 @@ protected HivePrivilegeObject getHivePrivilegeObjectLocalUri(String uri) {
     return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI, null, uri);
   }
 
+  protected HivePrivilegeObject getHivePrivilegeObject(DataConnector connector) {
+    return new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR, null,
+        connector.getName(), null, null, HivePrivilegeObject.HivePrivObjectActionType.OTHER, null, null,

Review Comment:
   We might need connector type and connector url in the authorization service, right? Can we include them here instead of passing null?





[GitHub] [hive] saihemanth-cloudera commented on a diff in pull request #3312: HIVE-26248: Add data connector authorization on HMS server-side

Posted by GitBox <gi...@apache.org>.
saihemanth-cloudera commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r950617222


##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HMSHandler.java:
##########
@@ -1926,7 +1926,7 @@ public void create_dataconnector(final DataConnector connector)
       } catch (NoSuchObjectException e) {
         // expected
       }
-
+      firePreEvent(new PreCreateDataConnectorEvent(connector, this));
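
Review bot: the added `firePreEvent(new PreCreateDataConnectorEvent(connector, this));` sits after the try/catch that treats `NoSuchObjectException` as expected, so whatever that block does runs before the authorization pre-event listeners see the request. If that block is an existence lookup, a caller without privileges can learn whether a connector name is already taken; consider firing the pre-event before it. The change also drops the blank line that separated the catch block from the following statement.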

Review Comment:
   We are calling firePreEvent for PreCreateDataConnectorEvent here and at L#1887 (create_dataconnector_core api). Also, the create_dataconnector_core() API is a private method and is only being called in this method. So I don't think we would need this firePreEvent here.


