Posted to commits@hive.apache.org by gs...@apache.org on 2022/12/12 17:39:35 UTC

[hive] branch master updated: HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)

This is an automated email from the ASF dual-hosted git repository.

gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new d803f78bb61 HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)
d803f78bb61 is described below

commit d803f78bb610a805fd05feef490753c804197074
Author: Butao Zhang <zh...@cmss.chinamobile.com>
AuthorDate: Tue Dec 13 01:39:22 2022 +0800

    HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)
---
 .../plugin/metastore/HiveMetaStoreAuthorizer.java  | 52 ++++++++++++++-
 .../filtercontext/DataConnectorFilterContext.java  | 76 ++++++++++++++++++++++
 .../hadoop/hive/metastore/TestFilterHooks.java     |  1 +
 3 files changed, 128 insertions(+), 1 deletion(-)

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
index 971e174ad21..2ec1d3bf315 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
@@ -50,6 +50,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionC
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.DataConnectorFilterContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.DatabaseFilterContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.TableFilterContext;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -235,7 +236,22 @@ public class HiveMetaStoreAuthorizer extends MetaStorePreEventListener implement
 
   @Override
   public List<String> filterDataConnectors(List<String> dcList) throws MetaException {
-    return dcList;
+    LOG.debug("HiveMetaStoreAuthorizer.filterDataConnector()");
+
+    if (dcList == null) {
+      return Collections.emptyList();
+    }
+
+    DataConnectorFilterContext dataConnectorFilterContext = new DataConnectorFilterContext(dcList);
+    HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo = dataConnectorFilterContext.getAuthzContext();
+    List<String> filteredDataConnector = filterDataConnectorObjects(hiveMetaStoreAuthzInfo);
+    if (CollectionUtils.isEmpty(filteredDataConnector)) {
+      filteredDataConnector = Collections.emptyList();
+    }
+
+    LOG.debug("HiveMetaStoreAuthorizer.filterDataConnectors() :" + filteredDataConnector);
+
+    return filteredDataConnector;
   }
 
   private List<String> filterDatabaseObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo) throws MetaException {
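Review bot: `filterDataConnectors` is now the server-side authorization filter for `show connectors`, but nothing in the hunk documents that it must fail closed. The code as written does behave that way: a null `dcList` and an empty authorizer result both yield `Collections.emptyList()`, and a `MetaException` from `filterDataConnectorObjects` propagates to the caller. A short Javadoc above `@Override` stating that the method returns only the connector names the authorizer kept, and never falls back to the unfiltered `dcList`, would keep a later edit from reintroducing `return dcList;`. The first debug line also names `filterDataConnector()` while the method is `filterDataConnectors()`, which makes log correlation harder. `filterDatabaseObjects` on the last line of the hunk continues outside it.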
@@ -263,6 +279,40 @@ public class HiveMetaStoreAuthorizer extends MetaStorePreEventListener implement
     return ret;
   }
 
+  private List<String> filterDataConnectorObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo) throws MetaException {
+    List<String> ret = null;
+
+    LOG.debug("==> HiveMetaStoreAuthorizer.filterDataConnectorObjects()");
+
+    try {
+      HiveAuthorizer hiveAuthorizer = createHiveMetaStoreAuthorizer();
+      List<HivePrivilegeObject> hivePrivilegeObjects = hiveMetaStoreAuthzInfo.getInputHObjs();
+      HiveAuthzContext hiveAuthzContext = hiveMetaStoreAuthzInfo.getHiveAuthzContext();
+      List<HivePrivilegeObject> filteredHivePrivilegeObjects =
+              hiveAuthorizer.filterListCmdObjects(hivePrivilegeObjects, hiveAuthzContext);
+      if (CollectionUtils.isNotEmpty(filteredHivePrivilegeObjects)) {
+        ret = getFilteredDataConnectorList(filteredHivePrivilegeObjects);
+      }
+      LOG.info(String.format("Filtered %d connectors out of %d", filteredHivePrivilegeObjects.size(),
+              hivePrivilegeObjects.size()));
+    } catch (Exception e) {
+      throw new MetaException("Error in HiveMetaStoreAuthorizer.filterDataConnector()" + e.getMessage());
+    }
+
+    LOG.debug("<== HiveMetaStoreAuthorizer.filterDataConnectorObjects() :" + ret );
+
+    return ret;
+  }
+
+  private List<String> getFilteredDataConnectorList(List<HivePrivilegeObject> hivePrivilegeObjects) {
+    List<String> ret = new ArrayList<>();
+    for(HivePrivilegeObject hivePrivilegeObject: hivePrivilegeObjects) {
+      String dcName = hivePrivilegeObject.getObjectName();
+      ret.add(dcName);
+    }
+    return ret;
+  }
+
   private List<Table> filterTableObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo, List<Table> tableList)
       throws MetaException {
     List<Table> ret = null;
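Review bot: In `filterDataConnectorObjects` the `LOG.info` call dereferences `filteredHivePrivilegeObjects.size()` right after a null-tolerant `CollectionUtils.isNotEmpty` check, so the two lines disagree about whether the authorizer may return null. If `filterListCmdObjects` ever does return null (its contract is not visible here), the NullPointerException is caught by `catch (Exception e)` and surfaces as a `MetaException` whose text ends in `filterDataConnector()null`; the request is still denied, but the operator sees a misleading error. Computing the count defensively, e.g. `int kept = filteredHivePrivilegeObjects == null ? 0 : filteredHivePrivilegeObjects.size();`, fixes that. The catch block also drops the cause and runs the message into the method name; naming `filterDataConnectorObjects()` with a `": "` separator and chaining the original exception via `initCause(e)` would make authorization failures diagnosable. `filterTableObjects` at the end of the hunk continues outside it.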
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java
new file mode 100644
index 00000000000..f6a933b6b65
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DataConnectorFilterContext extends HiveMetaStoreAuthorizableEvent {
+
+    private static final Logger LOG = LoggerFactory.getLogger(DataConnectorFilterContext.class);
+
+    List<String> connectors = null;
+
+    public DataConnectorFilterContext(List<String> connectors) {
+        super(null);
+        this.connectors = connectors;
+        getAuthzContext();
+    }
+
+    @Override
+    public HiveMetaStoreAuthzInfo getAuthzContext() {
+        HiveMetaStoreAuthzInfo ret =
+                new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.QUERY, getInputHObjs(), getOutputHObjs(), null);
+        return ret;
+    }
+
+    private List<HivePrivilegeObject> getInputHObjs() {
+        LOG.debug("==> DataConnectorFilterContext.getInputHObjs()");
+
+        List<HivePrivilegeObject> ret = new ArrayList<>();
+        for (String connector : connectors) {
+            HivePrivilegeObject.HivePrivilegeObjectType type = HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR;
+            HivePrivilegeObject.HivePrivObjectActionType objectActionType =
+                    HivePrivilegeObject.HivePrivObjectActionType.OTHER;
+            HivePrivilegeObject hivePrivilegeObject =
+                    new HivePrivilegeObject(type, null, connector, null, null, objectActionType, null, null);
+            ret.add(hivePrivilegeObject);
+        }
+        LOG.debug("<== DataConnectorFilterContext.getInputHObjs(): ret=" + ret);
+
+        return ret;
+    }
+
+    private List<HivePrivilegeObject> getOutputHObjs() {
+        return Collections.emptyList();
+    }
+
+    public List<String> getDataConnectors() {
+        return connectors;
+    }
+}
\ No newline at end of file
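Review bot: The constructor of `DataConnectorFilterContext` calls the overridable `getAuthzContext()` and discards the result, so each `filterDataConnectors` call builds the `HivePrivilegeObject` list twice and a subclass override would run before its own fields are initialised. Nothing visible in this file caches the result, so the call looks removable. `connectors` is also package-private, mutable and unchecked: a null list from any caller other than `HiveMetaStoreAuthorizer` reaches the `for` loop in `getInputHObjs()` and throws a NullPointerException. Declaring `private final List<String> connectors;` and assigning `this.connectors = connectors == null ? Collections.emptyList() : connectors;` closes that. The file also uses 4-space indentation and lacks a trailing newline, unlike the 2-space style of the other files in this commit.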
diff --git a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
index 3f91c92e1cb..5d555a5f1a5 100644
--- a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
+++ b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
@@ -313,6 +313,7 @@ public class TestFilterHooks {
     testFilterForTables(true);
     testFilterForPartition(true);
     testFilterForCompaction();
+    testFilterForDataConnector();
   }
 
   /**