Posted to commits@hive.apache.org by gs...@apache.org on 2022/12/12 17:39:35 UTC
[hive] branch master updated: HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)
This is an automated email from the ASF dual-hosted git repository.
gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new d803f78bb61 HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)
d803f78bb61 is described below
commit d803f78bb610a805fd05feef490753c804197074
Author: Butao Zhang <zh...@cmss.chinamobile.com>
AuthorDate: Tue Dec 13 01:39:22 2022 +0800
HIVE-26247: Filter out results 'show connectors' on HMS server-side (#3545) (Butao Zhang, reviewed by Sai Hemanth)
---
.../plugin/metastore/HiveMetaStoreAuthorizer.java | 52 ++++++++++++++-
.../filtercontext/DataConnectorFilterContext.java | 76 ++++++++++++++++++++++
.../hadoop/hive/metastore/TestFilterHooks.java | 1 +
3 files changed, 128 insertions(+), 1 deletion(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
index 971e174ad21..2ec1d3bf315 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
@@ -50,6 +50,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionC
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.DataConnectorFilterContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.DatabaseFilterContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext.TableFilterContext;
import org.apache.hadoop.security.UserGroupInformation;
@@ -235,7 +236,22 @@ public class HiveMetaStoreAuthorizer extends MetaStorePreEventListener implement
@Override
public List<String> filterDataConnectors(List<String> dcList) throws MetaException {
- return dcList;
+ LOG.debug("HiveMetaStoreAuthorizer.filterDataConnector()");
+
+ if (dcList == null) {
+ return Collections.emptyList();
+ }
+
+ DataConnectorFilterContext dataConnectorFilterContext = new DataConnectorFilterContext(dcList);
+ HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo = dataConnectorFilterContext.getAuthzContext();
+ List<String> filteredDataConnector = filterDataConnectorObjects(hiveMetaStoreAuthzInfo);
+ if (CollectionUtils.isEmpty(filteredDataConnector)) {
+ filteredDataConnector = Collections.emptyList();
+ }
+
+ LOG.debug("HiveMetaStoreAuthorizer.filterDataConnectors() :" + filteredDataConnector);
+
+ return filteredDataConnector;
}
private List<String> filterDatabaseObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo) throws MetaException {
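Review bot: The two debug lines added to filterDataConnectors disagree on the method name (`filterDataConnector()` on entry, `filterDataConnectors()` on exit), and the exit line concatenates the whole filtered list into a string even when debug logging is off. If `LOG` is an SLF4J logger, as it is in the new DataConnectorFilterContext, the exit line could be `LOG.debug("<== HiveMetaStoreAuthorizer.filterDataConnectors(): {}", filteredDataConnector);` with a matching `==>` entry line. The method would also benefit from a one-line comment stating that a null or empty authorizer result deliberately yields an empty list and never falls back to the unfiltered `dcList`, since that fail-closed behaviour is the security property of this change.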
@@ -263,6 +279,40 @@ public class HiveMetaStoreAuthorizer extends MetaStorePreEventListener implement
return ret;
}
+ private List<String> filterDataConnectorObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo) throws MetaException {
+ List<String> ret = null;
+
+ LOG.debug("==> HiveMetaStoreAuthorizer.filterDataConnectorObjects()");
+
+ try {
+ HiveAuthorizer hiveAuthorizer = createHiveMetaStoreAuthorizer();
+ List<HivePrivilegeObject> hivePrivilegeObjects = hiveMetaStoreAuthzInfo.getInputHObjs();
+ HiveAuthzContext hiveAuthzContext = hiveMetaStoreAuthzInfo.getHiveAuthzContext();
+ List<HivePrivilegeObject> filteredHivePrivilegeObjects =
+ hiveAuthorizer.filterListCmdObjects(hivePrivilegeObjects, hiveAuthzContext);
+ if (CollectionUtils.isNotEmpty(filteredHivePrivilegeObjects)) {
+ ret = getFilteredDataConnectorList(filteredHivePrivilegeObjects);
+ }
+ LOG.info(String.format("Filtered %d connectors out of %d", filteredHivePrivilegeObjects.size(),
+ hivePrivilegeObjects.size()));
+ } catch (Exception e) {
+ throw new MetaException("Error in HiveMetaStoreAuthorizer.filterDataConnector()" + e.getMessage());
+ }
+
+ LOG.debug("<== HiveMetaStoreAuthorizer.filterDataConnectorObjects() :" + ret );
+
+ return ret;
+ }
+
+ private List<String> getFilteredDataConnectorList(List<HivePrivilegeObject> hivePrivilegeObjects) {
+ List<String> ret = new ArrayList<>();
+ for(HivePrivilegeObject hivePrivilegeObject: hivePrivilegeObjects) {
+ String dcName = hivePrivilegeObject.getObjectName();
+ ret.add(dcName);
+ }
+ return ret;
+ }
+
private List<Table> filterTableObjects(HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo, List<Table> tableList)
throws MetaException {
List<Table> ret = null;
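Review bot: In filterDataConnectorObjects the `LOG.info` line calls `filteredHivePrivilegeObjects.size()` without the null tolerance of the `CollectionUtils.isNotEmpty` check just above it, so an authorizer that returns null from `filterListCmdObjects` ends in a NullPointerException that the broad `catch (Exception e)` turns into a MetaException. The request still fails closed, but only `e.getMessage()` is carried over (possibly the literal `null`, appended with no separator), so the operator loses the cause. Compute the count safely, e.g. `int kept = filteredHivePrivilegeObjects == null ? 0 : filteredHivePrivilegeObjects.size();`, and add `LOG.error("filterDataConnectorObjects failed", e);` before the throw. The wording "Filtered %d connectors out of %d" also reads as if the first number were the connectors removed, while it is the number retained. Both added methods are complete within the hunk; the neighbouring filterDatabaseObjects and filterTableObjects bodies are not.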
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java
new file mode 100644
index 00000000000..f6a933b6b65
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/filtercontext/DataConnectorFilterContext.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.filtercontext;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DataConnectorFilterContext extends HiveMetaStoreAuthorizableEvent {
+
+ private static final Logger LOG = LoggerFactory.getLogger(DataConnectorFilterContext.class);
+
+ List<String> connectors = null;
+
+ public DataConnectorFilterContext(List<String> connectors) {
+ super(null);
+ this.connectors = connectors;
+ getAuthzContext();
+ }
+
+ @Override
+ public HiveMetaStoreAuthzInfo getAuthzContext() {
+ HiveMetaStoreAuthzInfo ret =
+ new HiveMetaStoreAuthzInfo(preEventContext, HiveOperationType.QUERY, getInputHObjs(), getOutputHObjs(), null);
+ return ret;
+ }
+
+ private List<HivePrivilegeObject> getInputHObjs() {
+ LOG.debug("==> DataConnectorFilterContext.getInputHObjs()");
+
+ List<HivePrivilegeObject> ret = new ArrayList<>();
+ for (String connector : connectors) {
+ HivePrivilegeObject.HivePrivilegeObjectType type = HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR;
+ HivePrivilegeObject.HivePrivObjectActionType objectActionType =
+ HivePrivilegeObject.HivePrivObjectActionType.OTHER;
+ HivePrivilegeObject hivePrivilegeObject =
+ new HivePrivilegeObject(type, null, connector, null, null, objectActionType, null, null);
+ ret.add(hivePrivilegeObject);
+ }
+ LOG.debug("<== DataConnectorFilterContext.getInputHObjs(): ret=" + ret);
+
+ return ret;
+ }
+
+ private List<HivePrivilegeObject> getOutputHObjs() {
+ return Collections.emptyList();
+ }
+
+ public List<String> getDataConnectors() {
+ return connectors;
+ }
+}
\ No newline at end of file
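Review bot: The constructor of DataConnectorFilterContext calls the overridable `getAuthzContext()` and discards the result, so each filter request builds the full HivePrivilegeObject list twice: once here and once when filterDataConnectors asks for the context. Dropping that call and declaring the field as `private final List<String> connectors;` would remove the duplicate work and the package-visible mutable state. getInputHObjs also iterates `connectors` with no null check; the one visible caller guards against null, but that precondition is not written down. A short class Javadoc should state that the list must be non-null and that the authorization context is built with a null pre-event context and `HiveOperationType.QUERY`.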
diff --git a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
index 3f91c92e1cb..5d555a5f1a5 100644
--- a/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
+++ b/standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java
@@ -313,6 +313,7 @@ public class TestFilterHooks {
testFilterForTables(true);
testFilterForPartition(true);
testFilterForCompaction();
+ testFilterForDataConnector();
}
/**