Posted to commits@ranger.apache.org by zh...@apache.org on 2017/07/27 01:31:50 UTC

ranger git commit: RANGER:1669:We need to support the original functionality of hive.show grant user username

Repository: ranger
Updated Branches:
  refs/heads/master 1685bacf0 -> edd0bd6a6


RANGER:1669:We need to support the original functionality of hive.show grant user username

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/edd0bd6a
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/edd0bd6a
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/edd0bd6a

Branch: refs/heads/master
Commit: edd0bd6a69b4919745d79119e943ad4b330941d0
Parents: 1685bac
Author: peng.jianhua <pe...@zte.com.cn>
Authored: Fri Jul 14 15:45:11 2017 +0800
Committer: peng.jianhua <pe...@zte.com.cn>
Committed: Wed Jul 26 21:29:45 2017 -0400

----------------------------------------------------------------------
 .../hive/authorizer/RangerHiveAuthorizer.java   | 100 +++++++++++++++++++
 1 file changed, 100 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/edd0bd6a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 85a865a..6872e50 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -36,8 +36,15 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
@@ -46,6 +53,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClie
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
@@ -1445,6 +1453,98 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return ret;
 	}
 
+	@Override
+	public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
+			HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+		try {
+			LOG.debug("RangerHiveAuthorizer.showPrivileges()");
+			IMetaStoreClient mClient = getMetastoreClientFactory()
+					.getHiveMetastoreClient();
+			List<HivePrivilegeInfo> resPrivInfos = new ArrayList<HivePrivilegeInfo>();
+			String principalName = principal == null ? null : principal
+					.getName();
+			PrincipalType principalType = principal == null ? null
+					: AuthorizationUtils.getThriftPrincipalType(principal
+							.getType());
+
+			List<HiveObjectPrivilege> msObjPrivs = mClient.list_privileges(
+					principalName, principalType,
+					this.getThriftHiveObjectRef(privObj));
+
+			for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
+				HivePrincipal resPrincipal = new HivePrincipal(
+						msObjPriv.getPrincipalName(),
+						AuthorizationUtils.getHivePrincipalType(msObjPriv
+								.getPrincipalType()));
+
+				PrivilegeGrantInfo msGrantInfo = msObjPriv.getGrantInfo();
+				HivePrivilege resPrivilege = new HivePrivilege(
+						msGrantInfo.getPrivilege(), null);
+
+				HiveObjectRef msObjRef = msObjPriv.getHiveObject();
+				org.apache.hadoop.hive.metastore.api.HiveObjectType objectType = msObjRef
+						.getObjectType();
+				if (!isSupportedObjectType(msObjRef.getObjectType())) {
+					continue;
+				}
+				HivePrivilegeObject resPrivObj = new HivePrivilegeObject(
+						getPluginPrivilegeObjType(objectType),
+						msObjRef.getDbName(), msObjRef.getObjectName(),
+						msObjRef.getPartValues(), msObjRef.getColumnName());
+
+				HivePrincipal grantorPrincipal = new HivePrincipal(
+						msGrantInfo.getGrantor(),
+						AuthorizationUtils.getHivePrincipalType(msGrantInfo
+								.getGrantorType()));
+
+				HivePrivilegeInfo resPrivInfo = new HivePrivilegeInfo(
+						resPrincipal, resPrivilege, resPrivObj,
+						grantorPrincipal, msGrantInfo.isGrantOption(),
+						msGrantInfo.getCreateTime());
+				resPrivInfos.add(resPrivInfo);
+			}
+			return resPrivInfos;
+
+		} catch (Exception e) {
+			LOG.error("RangerHiveAuthorizer.showPrivileges: showPrivileges returned by showPrivileges is null");
+			throw new HiveAuthzPluginException("hive showPrivileges" + ": "
+					+ e.getMessage(), e);
+		}
+	}
+
+	private boolean isSupportedObjectType(
+			org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
+		switch (objectType) {
+		case DATABASE:
+		case TABLE:
+			return true;
+		default:
+			return false;
+		}
+
+	}
+
+	private HivePrivilegeObjectType getPluginPrivilegeObjType(
+			org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
+		switch (objectType) {
+		case DATABASE:
+			return HivePrivilegeObjectType.DATABASE;
+		case TABLE:
+			return HivePrivilegeObjectType.TABLE_OR_VIEW;
+		default:
+			throw new AssertionError("Unexpected object type " + objectType);
+		}
+	}
+
+	static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
+			throws HiveAuthzPluginException {
+		try {
+			return AuthorizationUtils.getThriftHiveObjectRef(privObj);
+		} catch (HiveException e) {
+			throw new HiveAuthzPluginException(e);
+		}
+	}
+
 	private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
 
 		RangerRequestedResources requestedResources = new RangerRequestedResources();
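Review bot: showPrivileges (lines 69–126) hands back the metastore's grant list for whichever principal the caller names — or for every principal when `principal` is null — without first checking that the calling user is entitled to see it; Hive's SQL-standard authorizer, as far as I recall, limits SHOW GRANT to the caller's own grants unless the caller is an admin, and nothing equivalent appears in this hunk. Before the `list_privileges` call the method should confirm that the requesting user (obtainable through the HiveAuthenticationProvider already imported at line 52) is either the named principal or an administrator and otherwise reject with HiveAccessControlException; that check belongs outside the `try`, since the `catch (Exception e)` on line 121 would otherwise rewrap the rejection as a HiveAuthzPluginException. The log message on line 122 is also wrong — no null is involved — and the failure itself is never logged; `LOG.error("RangerHiveAuthorizer.showPrivileges(): failed to list privileges", e);` would record the actual cause. Line 98 stores `objectType` but line 100 calls `msObjRef.getObjectType()` again; `if (!isSupportedObjectType(objectType)) {` removes the duplication. Finally, since the returned entries come from the metastore's grant store rather than from Ranger policies, a Javadoc line on the method saying that SHOW GRANT output here does not reflect Ranger-managed access would spare callers a wrong assumption.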