Posted to commits@ranger.apache.org by zh...@apache.org on 2017/07/27 01:31:50 UTC
ranger git commit: RANGER:1669:We need to support the original
functionality of hive.show grant user username
Repository: ranger
Updated Branches:
refs/heads/master 1685bacf0 -> edd0bd6a6
RANGER:1669: We need to support the original functionality of Hive's `show grant user <username>`
Signed-off-by: peng.jianhua <pe...@zte.com.cn>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/edd0bd6a
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/edd0bd6a
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/edd0bd6a
Branch: refs/heads/master
Commit: edd0bd6a69b4919745d79119e943ad4b330941d0
Parents: 1685bac
Author: peng.jianhua <pe...@zte.com.cn>
Authored: Fri Jul 14 15:45:11 2017 +0800
Committer: peng.jianhua <pe...@zte.com.cn>
Committed: Wed Jul 26 21:29:45 2017 -0400
----------------------------------------------------------------------
.../hive/authorizer/RangerHiveAuthorizer.java | 100 +++++++++++++++++++
1 file changed, 100 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/edd0bd6a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 85a865a..6872e50 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -36,8 +36,15 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
@@ -46,6 +53,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClie
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
@@ -1445,6 +1453,98 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
+ @Override
+ public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
+ HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+ try {
+ LOG.debug("RangerHiveAuthorizer.showPrivileges()");
+ IMetaStoreClient mClient = getMetastoreClientFactory()
+ .getHiveMetastoreClient();
+ List<HivePrivilegeInfo> resPrivInfos = new ArrayList<HivePrivilegeInfo>();
+ String principalName = principal == null ? null : principal
+ .getName();
+ PrincipalType principalType = principal == null ? null
+ : AuthorizationUtils.getThriftPrincipalType(principal
+ .getType());
+
+ List<HiveObjectPrivilege> msObjPrivs = mClient.list_privileges(
+ principalName, principalType,
+ this.getThriftHiveObjectRef(privObj));
+
+ for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
+ HivePrincipal resPrincipal = new HivePrincipal(
+ msObjPriv.getPrincipalName(),
+ AuthorizationUtils.getHivePrincipalType(msObjPriv
+ .getPrincipalType()));
+
+ PrivilegeGrantInfo msGrantInfo = msObjPriv.getGrantInfo();
+ HivePrivilege resPrivilege = new HivePrivilege(
+ msGrantInfo.getPrivilege(), null);
+
+ HiveObjectRef msObjRef = msObjPriv.getHiveObject();
+ org.apache.hadoop.hive.metastore.api.HiveObjectType objectType = msObjRef
+ .getObjectType();
+ if (!isSupportedObjectType(msObjRef.getObjectType())) {
+ continue;
+ }
+ HivePrivilegeObject resPrivObj = new HivePrivilegeObject(
+ getPluginPrivilegeObjType(objectType),
+ msObjRef.getDbName(), msObjRef.getObjectName(),
+ msObjRef.getPartValues(), msObjRef.getColumnName());
+
+ HivePrincipal grantorPrincipal = new HivePrincipal(
+ msGrantInfo.getGrantor(),
+ AuthorizationUtils.getHivePrincipalType(msGrantInfo
+ .getGrantorType()));
+
+ HivePrivilegeInfo resPrivInfo = new HivePrivilegeInfo(
+ resPrincipal, resPrivilege, resPrivObj,
+ grantorPrincipal, msGrantInfo.isGrantOption(),
+ msGrantInfo.getCreateTime());
+ resPrivInfos.add(resPrivInfo);
+ }
+ return resPrivInfos;
+
+ } catch (Exception e) {
+ LOG.error("RangerHiveAuthorizer.showPrivileges: showPrivileges returned by showPrivileges is null");
+ throw new HiveAuthzPluginException("hive showPrivileges" + ": "
+ + e.getMessage(), e);
+ }
+ }
+
+ private boolean isSupportedObjectType(
+ org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
+ switch (objectType) {
+ case DATABASE:
+ case TABLE:
+ return true;
+ default:
+ return false;
+ }
+
+ }
+
+ private HivePrivilegeObjectType getPluginPrivilegeObjType(
+ org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
+ switch (objectType) {
+ case DATABASE:
+ return HivePrivilegeObjectType.DATABASE;
+ case TABLE:
+ return HivePrivilegeObjectType.TABLE_OR_VIEW;
+ default:
+ throw new AssertionError("Unexpected object type " + objectType);
+ }
+ }
+
+ static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
+ throws HiveAuthzPluginException {
+ try {
+ return AuthorizationUtils.getThriftHiveObjectRef(privObj);
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
RangerRequestedResources requestedResources = new RangerRequestedResources();
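Review bot: showPrivileges returns whatever the metastore holds for the requested principal — and for every principal when `principal` is null — without any check that the session user is entitled to see those grants; no such check appears in this hunk, and whether Ranger authorizes the SHOW GRANT operation before this method is reached is not visible here. If it is not, the method should refuse (or narrow to the caller's own principal) requests for other principals unless the caller is an administrator, and the decision either way deserves a comment above the `list_privileges` call. The error branch is also misleading: `catch (Exception e)` catches any failure, yet the log line claims the result "is null" and discards the stack trace — replace it with `LOG.error("RangerHiveAuthorizer.showPrivileges(): failed to list privileges", e);`. That same catch re-wraps the HiveAuthzPluginException already produced by getThriftHiveObjectRef, which could be rethrown unchanged, and the unguarded `LOG.debug` at the top of the try should follow whatever `isDebugEnabled()` convention the rest of the file uses (not visible in the hunk).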