Posted to commits@ranger.apache.org by ma...@apache.org on 2014/12/12 02:30:15 UTC
[32/51] [partial] incubator-ranger git commit: RANGER-194: Rename
packages from xasecure to apache ranger
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java b/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
deleted file mode 100644
index 68ea92c..0000000
--- a/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package com.xasecure.authorization.hadoop.agent;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.fail;
-
-import java.util.Set;
-
-import org.apache.hadoop.fs.permission.FsAction;
-import org.apache.hadoop.hdfs.server.namenode.INode;
-import org.apache.hadoop.hdfs.server.namenode.XaSecureFSPermissionChecker;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.junit.Test;
-
-import com.xasecure.authorization.hadoop.exceptions.XaSecureAccessControlException;
-
-public class TestXaSecureFSPermissionChecker {
-
- @Test
- public void nullUgiToCheckReturnsFalse() {
-
- UserGroupInformation ugi = null;
- INode inode = null;
- FsAction access = null;
- try {
- boolean result = XaSecureFSPermissionChecker.check(ugi, inode, access);
- assertFalse(result);
- } catch (XaSecureAccessControlException e) {
- fail("Unexpected exception!");
- }
- }
-
- @Test
- public void authorizeAccess() {
- String aPathName = null;
- String aPathOwnerName = null;
- String user = null;
- Set<String> groups = null;
- FsAction access = null;
- try {
- // null access returns false!
- assertFalse(XaSecureFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
- // None access type returns true!
- access = FsAction.NONE;
- assertFalse(XaSecureFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
- } catch (XaSecureAccessControlException e) {
- e.printStackTrace();
- fail("Unexpected exception!");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java b/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
new file mode 100644
index 0000000..1405bf3
--- /dev/null
+++ b/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authorization.hadoop.agent;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
+
+import java.util.Set;
+
+import org.apache.hadoop.fs.permission.FsAction;
+import org.apache.hadoop.hdfs.server.namenode.INode;
+import org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
+import org.junit.Test;
+
+public class TestRangerFSPermissionChecker {
+
+ @Test
+ public void nullUgiToCheckReturnsFalse() {
+
+ UserGroupInformation ugi = null;
+ INode inode = null;
+ FsAction access = null;
+ try {
+ boolean result = RangerFSPermissionChecker.check(ugi, inode, access);
+ assertFalse(result);
+ } catch (RangerAccessControlException e) {
+ fail("Unexpected exception!");
+ }
+ }
+
+ @Test
+ public void authorizeAccess() {
+ String aPathName = null;
+ String aPathOwnerName = null;
+ String user = null;
+ Set<String> groups = null;
+ FsAction access = null;
+ try {
+ // null access returns false!
+ assertFalse(RangerFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
+ // None access type returns true!
+ access = FsAction.NONE;
+ assertFalse(RangerFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
+ } catch (RangerAccessControlException e) {
+ e.printStackTrace();
+ fail("Unexpected exception!");
+ }
+ }
+}
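Review bot: In `authorizeAccess` the comment `// None access type returns true!` is contradicted by the `assertFalse` that immediately follows it for `access = FsAction.NONE`; either the comment is stale or the assertion is inverted, and since the file is carried over byte-for-byte apart from the rename, the comment is the more likely culprit. If the checker is indeed meant to deny `NONE`, change it to `// NONE access type also returns false!` so the test documents the intended deny-by-default behaviour instead of the opposite. It may also be worth noting in a comment that every other argument (`aPathName`, `aPathOwnerName`, `user`, `groups`) is `null`, so this test only covers the degenerate inputs and never exercises a grant decision. The same comment/assertion mismatch exists in the deleted `TestXaSecureFSPermissionChecker.java` above, so it is not introduced here, only preserved.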
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/hiveserver2-site-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/hiveserver2-site-changes.cfg b/hive-agent/conf/hiveserver2-site-changes.cfg
index fed28df..e4aab8c 100644
--- a/hive-agent/conf/hiveserver2-site-changes.cfg
+++ b/hive-agent/conf/hiveserver2-site-changes.cfg
@@ -14,7 +14,7 @@
# limitations under the License.
# hive.server2.authentication KERBEROS mod create-if-not-exists
hive.security.authorization.enabled true mod create-if-not-exists
-hive.security.authorization.manager com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory mod create-if-not-exists
+hive.security.authorization.manager org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory mod create-if-not-exists
hive.security.authenticator.manager org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator mod create-if-not-exists
# hive.conf.restricted.list hive.server2.authentication append create-if-not-exists ,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/xasecure-hive-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security-changes.cfg b/hive-agent/conf/xasecure-hive-security-changes.cfg
index 5c4b072..75fbdea 100644
--- a/hive-agent/conf/xasecure-hive-security-changes.cfg
+++ b/hive-agent/conf/xasecure-hive-security-changes.cfg
@@ -16,7 +16,7 @@
# Change the original policy parameter to work with policy manager based.
#
#
-hive.authorization.verifier.classname com.xasecure.pdp.hive.XASecureAuthorizer mod create-if-not-exists
+hive.authorization.verifier.classname org.apache.ranger.pdp.hive.RangerAuthorizer mod create-if-not-exists
xasecure.hive.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists
xasecure.hive.policymgr.url.saveAsFile /tmp/hive_%REPOSITORY_NAME%_json mod create-if-not-exists
xasecure.hive.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hive_%REPOSITORY_NAME%_json mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/xasecure-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml
index b8cca10..ebc0b92 100644
--- a/hive-agent/conf/xasecure-hive-security.xml
+++ b/hive-agent/conf/xasecure-hive-security.xml
@@ -22,7 +22,7 @@
<!-- The following property is used to select appropriate XASecure Authorizer Module (filebased, policymanager based) -->
<property>
<name>hive.authorization.verifier.classname</name>
- <value>com.xasecure.pdp.hive.XASecureAuthorizer</value>
+ <value>org.apache.ranger.pdp.hive.RangerAuthorizer</value>
<description>
Class Name of the authorization Module
</description>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/scripts/install.sh
----------------------------------------------------------------------
diff --git a/hive-agent/scripts/install.sh b/hive-agent/scripts/install.sh
index 59b9cb9..9c6bb3a 100644
--- a/hive-agent/scripts/install.sh
+++ b/hive-agent/scripts/install.sh
@@ -297,7 +297,7 @@ do
if [ $? -eq 0 ]
then
cp="${install_dir}/installer/lib/*:${hdp_dir}/*:${hdp_lib_dir}/*"
- java -cp "${cp}" com.xasecure.utils.install.XmlConfigChanger -i ${archivefn} -o ${newfn} -c ${f} ${PROP_ARGS}
+ java -cp "${cp}" org.apache.ranger.utils.install.XmlConfigChanger -i ${archivefn} -o ${newfn} -c ${f} ${PROP_ARGS}
if [ $? -eq 0 ]
then
diff -w ${newfn} ${fullpathorgfn} > /dev/null 2>&1
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
deleted file mode 100644
index 570456c..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive;
-
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-
-
-public class XaHiveAccessContext {
- private String mClientIpAddress;
- private String mClientType;
- private String mCommandString;
- private String mSessionString;
-
- public XaHiveAccessContext(HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
- if(context != null) {
- mClientIpAddress = context.getIpAddress();
- mCommandString = context.getCommandString();
- }
-
- if(sessionContext != null) {
- mClientType = sessionContext.getClientType().name();
- mSessionString = sessionContext.getSessionString();
- }
- }
-
- public String getClientIpAddress() {
- return mClientIpAddress;
- }
-
- public void setClientIpAddress(String clientIpAddress) {
- this.mClientIpAddress = clientIpAddress;
- }
-
- public String getClientType() {
- return mClientType;
- }
-
- public void setClientType(String clientType) {
- this.mClientType = clientType;
- }
-
- public String getCommandString() {
- return mCommandString;
- }
-
- public void setCommandString(String commandString) {
- this.mCommandString = commandString;
- }
-
- public String getSessionString() {
- return mSessionString;
- }
-
- public void setSessionString(String sessionString) {
- this.mSessionString = sessionString;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java
deleted file mode 100644
index 2dcf5f9..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive;
-
-import org.apache.hadoop.security.UserGroupInformation;
-
-
-public interface XaHiveAccessVerifier {
- public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) ;
-
- public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) ;
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java
deleted file mode 100644
index 057b930..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants;
-
-public class XaHiveAccessVerifierFactory {
-
- private static final Log LOG = LogFactory.getLog(XaHiveAccessVerifierFactory.class) ;
-
- private static XaHiveAccessVerifier hiveAccessVerififer = null ;
-
- public static XaHiveAccessVerifier getInstance() {
- if (hiveAccessVerififer == null) {
- synchronized(XaHiveAccessVerifierFactory.class) {
- XaHiveAccessVerifier temp = hiveAccessVerififer ;
- if (temp == null) {
- String hiveAccessVerifierClassName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP, XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE ) ;
-
- if (hiveAccessVerifierClassName != null) {
- LOG.info("Hive Access Verification class [" + hiveAccessVerifierClassName + "] - Being built");
- try {
- hiveAccessVerififer = (XaHiveAccessVerifier) (Class.forName(hiveAccessVerifierClassName).newInstance()) ;
- LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification.");
- } catch (InstantiationException e) {
- LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
- } catch (IllegalAccessException e) {
- LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
- } catch (ClassNotFoundException e) {
- LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
- } catch (Throwable t) {
- LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", t);
- }
- finally {
- LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification. (" + hiveAccessVerififer + ")");
- }
- }
- }
- else {
- LOG.error("Unable to obtain hiveAccessVerifier [" + XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP + "]");
- }
- }
- }
- return hiveAccessVerififer ;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
deleted file mode 100644
index 36a6a42..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import com.xasecure.authorization.utils.StringUtil;
-
-public class XaHiveObjectAccessInfo {
- public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI };
- public enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN };
-
- private String mOperType = null;
- private XaHiveAccessContext mContext = null;
- private HiveAccessType mAccessType = HiveAccessType.NONE;
- private HiveObjectType mObjectType = HiveObjectType.NONE;
- private String mDatabase = null;
- private String mTable = null;
- private String mView = null;
- private String mPartition = null;
- private String mIndex = null;
- private List<String> mColumns = null;
- private String mFunction = null;
- private String mUri = null;
- private String mDeniedObjectName = null;
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName) {
- this(operType, context, accessType, dbName, null, HiveObjectType.DATABASE, dbName);
- }
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName) {
- this(operType, context, accessType, dbName, tblName, HiveObjectType.TABLE, tblName);
- }
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, HiveObjectType objType, String objName) {
- this(operType, context, accessType, dbName, null, objType, objName);
- }
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, HiveObjectType objType, String objName) {
- this(operType, context, accessType, null, null, objType, objName);
- }
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblOrViewName, List<String> columns) {
- mOperType = operType;
- mContext = context;
- mAccessType = accessType;
- mObjectType = HiveObjectType.COLUMN;
- mDatabase = dbName;
- mTable = tblOrViewName;
- mView = tblOrViewName;
- mColumns = columns;
- }
-
- public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName, HiveObjectType objType, String objName) {
- mOperType = operType;
- mContext = context;
- mAccessType = accessType;
- mObjectType = objType;
- mDatabase = dbName;
- mTable = tblName;
- mView = tblName;
-
- if(objName != null && ! objName.trim().isEmpty()) {
- switch(objType) {
- case DATABASE:
- mDatabase = objName;
- break;
-
- case TABLE:
- mTable = objName;
- break;
-
- case VIEW:
- mView = objName;
- break;
-
- case PARTITION:
- mPartition = objName;
- break;
-
- case INDEX:
- mIndex = objName;
- break;
-
- case COLUMN:
- mColumns = new ArrayList<String>();
- mColumns.add(objName);
- break;
-
- case FUNCTION:
- mFunction = objName;
- break;
-
- case URI:
- mUri = objName;
- break;
-
- case NONE:
- break;
- }
- }
- }
-
- public String getOperType() {
- return mOperType;
- }
-
- public XaHiveAccessContext getContext() {
- return mContext;
- }
-
- public HiveAccessType getAccessType() {
- return mAccessType;
- }
-
- public HiveObjectType getObjectType() {
- return mObjectType;
- }
-
- public String getDatabase() {
- return mDatabase;
- }
-
- public String getTable() {
- return mTable;
- }
-
- public String getView() {
- return mView;
- }
-
- public String getPartition() {
- return mPartition;
- }
-
- public String getIndex() {
- return mIndex;
- }
-
- public List<String> getColumns() {
- return mColumns;
- }
-
- public String getFunction() {
- return mFunction;
- }
-
- public String getUri() {
- return mUri;
- }
-
- public void setDeinedObjectName(String deniedObjectName) {
- mDeniedObjectName = deniedObjectName;
- }
-
- public String getDeinedObjectName() {
- return mDeniedObjectName;
- }
-
- public String getObjectName() {
- String objName = null;
-
- if(this.mObjectType == HiveObjectType.URI) {
- objName = mUri;
- } else {
- String tblName = null;
- String colName = null;
-
- if(! StringUtil.isEmpty(mTable))
- tblName = mTable;
- else if(! StringUtil.isEmpty(mView))
- tblName = mView;
- else if(! StringUtil.isEmpty(mFunction))
- tblName = mFunction;
-
- if(! StringUtil.isEmpty(mColumns))
- colName = StringUtil.toString(mColumns);
- else if(! StringUtil.isEmpty(mIndex))
- colName = mIndex;
-
- objName = getObjectName(mDatabase, tblName, colName);
- }
-
- return objName;
- }
-
- public static String getObjectName(String dbName, String tblName, String colName) {
- String objName = StringUtil.isEmpty(dbName) ? "" : dbName;
-
- if(!StringUtil.isEmpty(tblName)) {
- objName += ("/" + tblName);
-
- if(!StringUtil.isEmpty(colName)) {
- objName += ("/" + colName);
- }
- }
-
- return objName;
- }
-
- @Override
- public boolean equals(Object obj) {
- boolean ret = false;
-
- if(obj != null && obj instanceof XaHiveObjectAccessInfo) {
- XaHiveObjectAccessInfo that = (XaHiveObjectAccessInfo)obj;
-
- ret = StringUtil.equalsIgnoreCase(mOperType, that.mOperType)
- && mAccessType == that.mAccessType
- && mObjectType == that.mObjectType
- && StringUtil.equalsIgnoreCase(mDatabase, that.mDatabase)
- && StringUtil.equalsIgnoreCase(mTable, that.mTable)
- && StringUtil.equalsIgnoreCase(mView, that.mView)
- && StringUtil.equalsIgnoreCase(mPartition, that.mPartition)
- && StringUtil.equalsIgnoreCase(mIndex, that.mIndex)
- && StringUtil.equalsIgnoreCase(mColumns, that.mColumns)
- ;
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
deleted file mode 100644
index 2c2dd80..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
+++ /dev/null
@@ -1,850 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive.authorizer;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.fs.FileStatus;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.permission.FsAction;
-import org.apache.hadoop.hive.common.FileUtils;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.admin.client.XaAdminRESTClient;
-import com.xasecure.admin.client.datatype.GrantRevokeData;
-import com.xasecure.audit.model.EnumRepositoryType;
-import com.xasecure.audit.model.HiveAuditEvent;
-import com.xasecure.audit.provider.AuditProviderFactory;
-import com.xasecure.authorization.hadoop.config.XaSecureConfiguration;
-import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants;
-import com.xasecure.authorization.hive.XaHiveAccessContext;
-import com.xasecure.authorization.hive.XaHiveAccessVerifier;
-import com.xasecure.authorization.hive.XaHiveAccessVerifierFactory;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType;
-import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveObjectType;
-import com.xasecure.authorization.utils.StringUtil;
-
-public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
- private static final Log LOG = LogFactory.getLog(XaSecureHiveAuthorizer.class) ;
-
- private static final String XaSecureModuleName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_XASECURE_MODULE_ACL_NAME_PROP , XaSecureHadoopConstants.DEFAULT_XASECURE_MODULE_ACL_NAME) ;
- private static final String repositoryName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
- private static final boolean UpdateXaPoliciesOnGrantRevoke = XaSecureConfiguration.getInstance().getBoolean(XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP, XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
-
- private XaHiveAccessVerifier mHiveAccessVerifier = null ;
-
-
- public XaSecureHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf hiveConf,
- HiveAuthenticationProvider hiveAuthenticator,
- HiveAuthzSessionContext sessionContext) {
- super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);
-
- LOG.debug("XaSecureHiveAuthorizer.XaSecureHiveAuthorizer()");
-
- mHiveAccessVerifier = XaHiveAccessVerifierFactory.getInstance() ;
-
- if(!XaSecureConfiguration.getInstance().isAuditInitDone()) {
- if(sessionContext != null) {
- AuditProviderFactory.ApplicationType appType = AuditProviderFactory.ApplicationType.Unknown;
-
- switch(sessionContext.getClientType()) {
- case HIVECLI:
- appType = AuditProviderFactory.ApplicationType.HiveCLI;
- break;
-
- case HIVESERVER2:
- appType = AuditProviderFactory.ApplicationType.HiveServer2;
- break;
- }
-
- XaSecureConfiguration.getInstance().initAudit(appType);
- }
- }
- }
-
-
- /**
- * Grant privileges for principals on the object
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void grantPrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal,
- boolean grantOption)
- throws HiveAuthzPluginException, HiveAccessControlException {
- if(! UpdateXaPoliciesOnGrantRevoke) {
- throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer. Please use Argus Security Admin to setup access control.");
- }
-
- boolean isSuccess = false;
- XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
-
- try {
- GrantRevokeData grData = createGrantRevokeData(objAccessInfo, hivePrincipals, hivePrivileges, getGrantorUsername(grantorPrincipal), grantOption);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("grantPrivileges(): " + grData.toJson());
- }
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.grantPrivilege(grData);
-
- isSuccess = true;
- } catch(Exception excp) {
- throw new HiveAccessControlException(excp);
- } finally {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- // Note: failed return from REST call will be logged as 'DENIED'
- logAuditEvent(ugi, objAccessInfo, isSuccess);
- }
- }
- }
-
- /**
- * Revoke privileges for principals on the object
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void revokePrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal,
- boolean grantOption)
- throws HiveAuthzPluginException, HiveAccessControlException {
- if(! UpdateXaPoliciesOnGrantRevoke) {
- throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer. Please use Argus Security Admin to setup access control.");
- }
-
- boolean isSuccess = false;
- XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
-
- try {
- GrantRevokeData grData = createGrantRevokeData(objAccessInfo, hivePrincipals, hivePrivileges, getGrantorUsername(grantorPrincipal), grantOption);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("revokePrivileges(): " + grData.toJson());
- }
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.revokePrivilege(grData);
-
- isSuccess = true;
- } catch(Exception excp) {
- throw new HiveAccessControlException(excp);
- } finally {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- // Note: failed return from REST call will be logged as 'DENIED'
- logAuditEvent(ugi, objAccessInfo, isSuccess);
- }
- }
- }
-
- /**
- * Check if user has privileges to do this action on these objects
- * @param hiveOpType
- * @param inputsHObjs
- * @param outputHObjs
- * @param context
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void checkPrivileges(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
-
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- if(ugi == null) {
- throw new HiveAccessControlException("Permission denied: user information not available");
- }
-
- XaHiveAccessContext hiveContext = this.getAccessContext(context);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, hiveContext));
- }
-
- if(hiveOpType == HiveOperationType.DFS) {
- handleDfsCommand(hiveOpType, inputHObjs, outputHObjs, hiveContext);
-
- return;
- }
-
- List<XaHiveObjectAccessInfo> objAccessList = getObjectAccessInfo(hiveOpType, inputHObjs, outputHObjs, hiveContext);
-
- for(XaHiveObjectAccessInfo objAccessInfo : objAccessList) {
- boolean ret = false;
-
- if(objAccessInfo.getObjectType() == HiveObjectType.URI) {
- ret = isURIAccessAllowed(ugi, objAccessInfo.getAccessType(), objAccessInfo.getUri(), getHiveConf());
- } else if(objAccessInfo.getAccessType() != HiveAccessType.ADMIN) {
- ret = mHiveAccessVerifier.isAccessAllowed(ugi, objAccessInfo);
- }
-
- if(! ret) {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- logAuditEvent(ugi, objAccessInfo, false);
- }
-
- String deniedObjectName = objAccessInfo.getDeinedObjectName();
-
- if(StringUtil.isEmpty(deniedObjectName)) {
- deniedObjectName = objAccessInfo.getObjectName();
- }
-
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
- ugi.getShortUserName(), objAccessInfo.getAccessType().name(), deniedObjectName));
- }
- }
-
- // access is allowed; audit all accesses
- for(XaHiveObjectAccessInfo objAccessInfo : objAccessList) {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- logAuditEvent(ugi, objAccessInfo, true);
- }
- }
- }
-
- private List<XaHiveObjectAccessInfo> getObjectAccessInfo(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputsHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context) {
- List<XaHiveObjectAccessInfo> ret = new ArrayList<XaHiveObjectAccessInfo>();
-
- if(inputsHObjs != null) {
- for(HivePrivilegeObject hiveObj : inputsHObjs) {
- XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context, true);
-
- if( hiveAccessObj != null
- && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is performed at the Argus policy server, as a part of updating the permissions
- && !ret.contains(hiveAccessObj)) {
- ret.add(hiveAccessObj);
- }
- }
- }
-
- if(outputHObjs != null) {
- for(HivePrivilegeObject hiveObj : outputHObjs) {
- XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context, false);
-
- if( hiveAccessObj != null
- && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is performed at the Argus policy server, as a part of updating the permissions
- && !ret.contains(hiveAccessObj)) {
- ret.add(hiveAccessObj);
- }
- }
- }
-
- if(ret.size() == 0 && LOG.isDebugEnabled()) {
- LOG.debug("getObjectAccessInfo(): no objects found for access check! " + toString(hiveOpType, inputsHObjs, outputHObjs, context));
- }
-
- return ret;
- }
-
- private XaHiveObjectAccessInfo getObjectAccessInfo(HiveOperationType hiveOpType, HivePrivilegeObject hiveObj, XaHiveAccessContext context, boolean isInput) {
- XaHiveObjectAccessInfo ret = null;
-
- HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);
- HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, isInput);
- String operType = hiveOpType.name();
-
- switch(objectType) {
- case DATABASE:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname());
- break;
-
- case TABLE:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.TABLE, hiveObj.getObjectName());
- break;
-
- case VIEW:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.VIEW, hiveObj.getObjectName());
- break;
-
- case PARTITION:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.PARTITION, hiveObj.getObjectName());
- break;
-
- case INDEX:
- String indexName = "?"; // TODO:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), hiveObj.getObjectName(), HiveObjectType.INDEX, indexName);
- break;
-
- case COLUMN:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), hiveObj.getObjectName(), hiveObj.getColumns());
- break;
-
- case FUNCTION:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.FUNCTION, hiveObj.getObjectName());
- break;
-
- case URI:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, HiveObjectType.URI, hiveObj.getObjectName());
- break;
-
- case NONE:
- break;
- }
-
- return ret;
- }
-
- private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) {
- HiveObjectType objType = HiveObjectType.NONE;
-
- switch(hiveObj.getType()) {
- case DATABASE:
- objType = HiveObjectType.DATABASE;
- break;
-
- case PARTITION:
- objType = HiveObjectType.PARTITION;
- break;
-
- case TABLE_OR_VIEW:
- String hiveOpTypeName = hiveOpType.name().toLowerCase();
- if(hiveOpTypeName.contains("index")) {
- objType = HiveObjectType.INDEX;
- } else if(! StringUtil.isEmpty(hiveObj.getColumns())) {
- objType = HiveObjectType.COLUMN;
- } else if(hiveOpTypeName.contains("view")) {
- objType = HiveObjectType.VIEW;
- } else {
- objType = HiveObjectType.TABLE;
- }
- break;
-
- case FUNCTION:
- objType = HiveObjectType.FUNCTION;
- break;
-
- case DFS_URI:
- case LOCAL_URI:
- objType = HiveObjectType.URI;
- break;
-
- case COMMAND_PARAMS:
- case GLOBAL:
- break;
-
- case COLUMN:
- // Thejas: this value is unused in Hive; the case should not be hit.
- break;
- }
-
- return objType;
- }
-
- private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, boolean isInput) {
- HiveAccessType accessType = HiveAccessType.NONE;
- HivePrivObjectActionType objectActionType = hiveObj.getActionType();
-
- switch(objectActionType) {
- case INSERT:
- case INSERT_OVERWRITE:
- case UPDATE:
- case DELETE:
- accessType = HiveAccessType.UPDATE;
- break;
- case OTHER:
- switch(hiveOpType) {
- case CREATEDATABASE:
- if(hiveObj.getType() == HivePrivilegeObjectType.DATABASE) {
- accessType = HiveAccessType.CREATE;
- }
- break;
-
- case CREATEFUNCTION:
- if(hiveObj.getType() == HivePrivilegeObjectType.FUNCTION) {
- accessType = HiveAccessType.CREATE;
- }
- break;
-
- case CREATETABLE:
- case CREATEVIEW:
- case CREATETABLE_AS_SELECT:
- if(hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
- accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
- }
- break;
-
- case ALTERDATABASE:
- case ALTERDATABASE_OWNER:
- case ALTERINDEX_PROPS:
- case ALTERINDEX_REBUILD:
- case ALTERPARTITION_BUCKETNUM:
- case ALTERPARTITION_FILEFORMAT:
- case ALTERPARTITION_LOCATION:
- case ALTERPARTITION_MERGEFILES:
- case ALTERPARTITION_PROTECTMODE:
- case ALTERPARTITION_SERDEPROPERTIES:
- case ALTERPARTITION_SERIALIZER:
- case ALTERTABLE_ADDCOLS:
- case ALTERTABLE_ADDPARTS:
- case ALTERTABLE_ARCHIVE:
- case ALTERTABLE_BUCKETNUM:
- case ALTERTABLE_CLUSTER_SORT:
- case ALTERTABLE_COMPACT:
- case ALTERTABLE_DROPPARTS:
- case ALTERTABLE_FILEFORMAT:
- case ALTERTABLE_LOCATION:
- case ALTERTABLE_MERGEFILES:
- case ALTERTABLE_PARTCOLTYPE:
- case ALTERTABLE_PROPERTIES:
- case ALTERTABLE_PROTECTMODE:
- case ALTERTABLE_RENAME:
- case ALTERTABLE_RENAMECOL:
- case ALTERTABLE_RENAMEPART:
- case ALTERTABLE_REPLACECOLS:
- case ALTERTABLE_SERDEPROPERTIES:
- case ALTERTABLE_SERIALIZER:
- case ALTERTABLE_SKEWED:
- case ALTERTABLE_TOUCH:
- case ALTERTABLE_UNARCHIVE:
- case ALTERTABLE_UPDATEPARTSTATS:
- case ALTERTABLE_UPDATETABLESTATS:
- case ALTERTBLPART_SKEWED_LOCATION:
- case ALTERVIEW_AS:
- case ALTERVIEW_PROPERTIES:
- case ALTERVIEW_RENAME:
- case DROPVIEW_PROPERTIES:
- accessType = HiveAccessType.ALTER;
- break;
-
- case DROPFUNCTION:
- case DROPINDEX:
- case DROPTABLE:
- case DROPVIEW:
- case DROPDATABASE:
- accessType = HiveAccessType.DROP;
- break;
-
- case CREATEINDEX:
- accessType = HiveAccessType.INDEX;
- break;
-
- case IMPORT:
- case EXPORT:
- case LOAD:
- accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
- break;
-
- case LOCKDB:
- case LOCKTABLE:
- case UNLOCKDB:
- case UNLOCKTABLE:
- accessType = HiveAccessType.LOCK;
- break;
-
- case QUERY:
- case SHOW_TABLESTATUS:
- case SHOW_CREATETABLE:
- case SHOWCOLUMNS:
- case SHOWINDEXES:
- case SHOWPARTITIONS:
- case SHOW_TBLPROPERTIES:
- case DESCTABLE:
- case ANALYZE_TABLE:
- accessType = HiveAccessType.SELECT;
- break;
-
- case SWITCHDATABASE:
- case DESCDATABASE:
- accessType = HiveAccessType.USE;
- break;
-
- case TRUNCATETABLE:
- accessType = HiveAccessType.UPDATE;
- break;
-
- case GRANT_PRIVILEGE:
- case REVOKE_PRIVILEGE:
- accessType = HiveAccessType.ADMIN;
- break;
-
- case ADD:
- case DELETE:
- case COMPILE:
- case CREATEMACRO:
- case CREATEROLE:
- case DESCFUNCTION:
- case DFS:
- case DROPMACRO:
- case DROPROLE:
- case EXPLAIN:
- case GRANT_ROLE:
- case MSCK:
- case REVOKE_ROLE:
- case RESET:
- case SET:
- case SHOWCONF:
- case SHOWDATABASES:
- case SHOWFUNCTIONS:
- case SHOWLOCKS:
- case SHOWTABLES:
- case SHOW_COMPACTIONS:
- case SHOW_GRANT:
- case SHOW_ROLES:
- case SHOW_ROLE_GRANT:
- case SHOW_ROLE_PRINCIPALS:
- case SHOW_TRANSACTIONS:
- break;
- }
- break;
- }
-
- return accessType;
- }
-
- private boolean isURIAccessAllowed(UserGroupInformation ugi, HiveAccessType accessType, String uri, HiveConf conf) {
- boolean ret = false;
-
- FsAction action = FsAction.NONE;
-
- switch(accessType) {
- case ALTER:
- case CREATE:
- case UPDATE:
- case DROP:
- case INDEX:
- case LOCK:
- case ADMIN:
- case ALL:
- action = FsAction.WRITE;
- break;
-
- case SELECT:
- case USE:
- action = FsAction.READ;
- break;
-
- case NONE:
- break;
- }
-
- if(action == FsAction.NONE) {
- ret = true;
- } else {
- try {
- Path filePath = new Path(uri);
- FileSystem fs = FileSystem.get(filePath.toUri(), conf);
- Path path = FileUtils.getPathOrParentThatExists(fs, filePath);
- FileStatus fileStatus = fs.getFileStatus(path);
- String userName = ugi.getShortUserName();
-
- if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
- ret = true;
- } else {
- ret = FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, action);
- }
- } catch(Exception excp) {
- LOG.error("Error getting permissions for " + uri, excp);
- }
- }
-
- return ret;
- }
-
- private void handleDfsCommand(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
-
- String dfsCommandParams = null;
-
- if(inputHObjs != null) {
- for(HivePrivilegeObject hiveObj : inputHObjs) {
- if(hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
- dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());
-
- if(! StringUtil.isEmpty(dfsCommandParams)) {
- break;
- }
- }
- }
- }
-
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- logAuditEventForDfs(ugi, dfsCommandParams, false);
-
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
- ugi.getShortUserName(), hiveOpType.name()));
- }
-
- private String getGrantorUsername(HivePrincipal grantorPrincipal) {
- String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;
-
- if(StringUtil.isEmpty(grantor)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- grantor = ugi != null ? ugi.getShortUserName() : null;
- }
-
- return grantor;
- }
-
- private GrantRevokeData createGrantRevokeData(XaHiveObjectAccessInfo objAccessInfo,
- List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- String grantor,
- boolean grantOption)
- throws HiveAccessControlException {
- if(objAccessInfo == null ||
- ! ( objAccessInfo.getObjectType() == HiveObjectType.DATABASE
- || objAccessInfo.getObjectType() == HiveObjectType.TABLE
- || objAccessInfo.getObjectType() == HiveObjectType.VIEW
- || objAccessInfo.getObjectType() == HiveObjectType.COLUMN
- )
- ) {
- throw new HiveAccessControlException("grantPrivileges(): unexpected object type '" + objAccessInfo.getObjectType().name());
- }
-
- String database = objAccessInfo.getDatabase();
- String table = objAccessInfo.getObjectType() == HiveObjectType.VIEW ? objAccessInfo.getView() : objAccessInfo.getTable();
- String columns = StringUtil.toString(objAccessInfo.getColumns());
-
- GrantRevokeData.PermMap permMap = new GrantRevokeData.PermMap ();
-
- for(HivePrivilege privilege : hivePrivileges) {
- String privName = privilege.getName();
-
- if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALL.name())) {
- permMap.addPerm(HiveAccessType.ALL.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALTER.name())) {
- permMap.addPerm(HiveAccessType.ALTER.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.CREATE.name())) {
- permMap.addPerm(HiveAccessType.CREATE.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.DROP.name())) {
- permMap.addPerm(HiveAccessType.DROP.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.INDEX.name())) {
- permMap.addPerm(HiveAccessType.INDEX.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.LOCK.name())) {
- permMap.addPerm(HiveAccessType.LOCK.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.SELECT.name())) {
- permMap.addPerm(HiveAccessType.SELECT.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.UPDATE.name())) {
- permMap.addPerm(HiveAccessType.UPDATE.name());
- }
- }
-
- if(grantOption) {
- permMap.addPerm(HiveAccessType.ADMIN.name());
- }
-
- for(HivePrincipal principal : hivePrincipals) {
- switch(principal.getType()) {
- case USER:
- permMap.addUser(principal.getName());
- break;
-
- case GROUP:
- case ROLE:
- permMap.addGroup(principal.getName());
- break;
-
- default:
- break;
- }
- }
-
- GrantRevokeData grData = new GrantRevokeData();
-
- grData.setHiveData(grantor, repositoryName, database, table, columns, permMap);
-
- return grData;
- }
-
- private void logAuditEventForDfs(UserGroupInformation ugi, String dfsCommand, boolean accessGranted) {
- HiveAuditEvent auditEvent = new HiveAuditEvent();
-
- try {
- auditEvent.setAclEnforcer(XaSecureModuleName);
- auditEvent.setResourceType("@dfs"); // to be consistent with earlier release
- auditEvent.setAccessType("DFS");
- auditEvent.setAction("DFS");
- auditEvent.setUser(ugi.getShortUserName());
- auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
- auditEvent.setEventTime(StringUtil.getUTCDate());
- auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
- auditEvent.setRepositoryName(repositoryName) ;
- auditEvent.setRequestData(dfsCommand);
-
- auditEvent.setResourcePath(dfsCommand);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - START");
- }
-
- AuditProviderFactory.getAuditProvider().log(auditEvent);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - END");
- }
- }
- catch(Throwable t) {
- LOG.error("ERROR logEvent [" + auditEvent + "]", t);
- }
- }
-
- private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo, boolean accessGranted) {
- HiveAuditEvent auditEvent = new HiveAuditEvent();
-
- try {
- auditEvent.setAclEnforcer(XaSecureModuleName);
- auditEvent.setSessionId(objAccessInfo.getContext().getSessionString());
- auditEvent.setResourceType("@" + StringUtil.toLower(objAccessInfo.getObjectType().name())); // to be consistent with earlier release
- auditEvent.setAccessType(objAccessInfo.getAccessType().toString());
- auditEvent.setAction(objAccessInfo.getOperType());
- auditEvent.setUser(ugi.getShortUserName());
- auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
- auditEvent.setClientIP(objAccessInfo.getContext().getClientIpAddress());
- auditEvent.setClientType(objAccessInfo.getContext().getClientType());
- auditEvent.setEventTime(StringUtil.getUTCDate());
- auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
- auditEvent.setRepositoryName(repositoryName) ;
- auditEvent.setRequestData(objAccessInfo.getContext().getCommandString());
-
- if(! accessGranted && !StringUtil.isEmpty(objAccessInfo.getDeinedObjectName())) {
- auditEvent.setResourcePath(objAccessInfo.getDeinedObjectName());
- } else {
- auditEvent.setResourcePath(objAccessInfo.getObjectName());
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - START");
- }
-
- AuditProviderFactory.getAuditProvider().log(auditEvent);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - END");
- }
- }
- catch(Throwable t) {
- LOG.error("ERROR logEvent [" + auditEvent + "]", t);
- }
- }
-
- private String toString(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("'checkPrivileges':{");
- sb.append("'hiveOpType':").append(hiveOpType);
-
- sb.append(", 'inputHObjs':[");
- toString(inputHObjs, sb);
- sb.append("]");
-
- sb.append(", 'outputHObjs':[");
- toString(outputHObjs, sb);
- sb.append("]");
-
- sb.append(", 'context':{");
- if(context != null) {
- sb.append("'clientType':").append(context.getClientType());
- sb.append(", 'commandString':").append(context.getCommandString());
- sb.append(", 'ipAddress':").append(context.getClientIpAddress());
- sb.append(", 'sessionString':").append(context.getSessionString());
- }
- sb.append("}");
-
- sb.append(", 'user':").append(this.getCurrentUserGroupInfo().getUserName());
- sb.append(", 'groups':[").append(StringUtil.toString(this.getCurrentUserGroupInfo().getGroupNames())).append("]");
-
- sb.append("}");
-
- return sb.toString();
- }
-
- private StringBuilder toString(List<HivePrivilegeObject> privObjs, StringBuilder sb) {
- if(privObjs != null && privObjs.size() > 0) {
- toString(privObjs.get(0), sb);
- for(int i = 1; i < privObjs.size(); i++) {
- sb.append(",");
- toString(privObjs.get(i), sb);
- }
- }
-
- return sb;
- }
-
- private StringBuilder toString(HivePrivilegeObject privObj, StringBuilder sb) {
- sb.append("'HivePrivilegeObject':{");
- sb.append("'type':").append(privObj.getType().toString());
- sb.append(", 'dbName':").append(privObj.getDbname());
- sb.append(", 'objectType':").append(privObj.getType());
- sb.append(", 'objectName':").append(privObj.getObjectName());
- sb.append(", 'columns':[").append(StringUtil.toString(privObj.getColumns())).append("]");
- sb.append(", 'partKeys':[").append(StringUtil.toString(privObj.getPartKeys())).append("]");
- sb.append(", 'commandParams':[").append(StringUtil.toString(privObj.getCommandParams())).append("]");
- sb.append(", 'actionType':").append(privObj.getActionType().toString());
- sb.append("}");
-
- return sb;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
deleted file mode 100644
index 8a63035..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive.authorizer;
-
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.authorization.hive.XaHiveAccessContext;
-import com.xasecure.authorization.utils.StringUtil;
-
-public abstract class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
-
- private static final Log LOG = LogFactory.getLog(XaSecureHiveAuthorizerBase.class);
-
- private HiveMetastoreClientFactory mMetastoreClientFactory;
- private HiveConf mHiveConf;
- private HiveAuthenticationProvider mHiveAuthenticator;
- private HiveAuthzSessionContext mSessionContext;
- private UserGroupInformation mUgi;
-
- public XaSecureHiveAuthorizerBase(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf hiveConf,
- HiveAuthenticationProvider hiveAuthenticator,
- HiveAuthzSessionContext context) {
- mMetastoreClientFactory = metastoreClientFactory;
- mHiveConf = hiveConf;
- mHiveAuthenticator = hiveAuthenticator;
- mSessionContext = context;
-
- String userName = mHiveAuthenticator == null ? null : mHiveAuthenticator.getUserName();
-
- mUgi = userName == null ? null : UserGroupInformation.createRemoteUser(userName);
-
- if(mHiveAuthenticator == null) {
- LOG.warn("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): hiveAuthenticator is null");
- } else if(StringUtil.isEmpty(userName)) {
- LOG.warn("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): hiveAuthenticator.getUserName() returned null/empty");
- } else if(mUgi == null) {
- LOG.warn(String.format("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): UserGroupInformation.createRemoteUser(%s) returned null", userName));
- }
- }
-
- public HiveMetastoreClientFactory getMetastoreClientFactory() {
- return mMetastoreClientFactory;
- }
-
- public HiveConf getHiveConf() {
- return mHiveConf;
- }
-
- public HiveAuthenticationProvider getHiveAuthenticator() {
- return mHiveAuthenticator;
- }
-
- public HiveAuthzSessionContext getHiveAuthzSessionContext() {
- return mSessionContext;
- }
-
- public UserGroupInformation getCurrentUserGroupInfo() {
- return mUgi;
- }
-
- public XaHiveAccessContext getAccessContext(HiveAuthzContext context) {
- return new XaHiveAccessContext(context, mSessionContext);
- }
-
- @Override
- public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.applyAuthorizationConfigPolicy()");
-
- // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy()
- if (mSessionContext != null && mSessionContext.getClientType() == CLIENT_TYPE.HIVESERVER2) {
- // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries
- String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
- if (hooks.isEmpty()) {
- hooks = DisallowTransformHook.class.getName();
- } else {
- hooks = hooks + "," + DisallowTransformHook.class.getName();
- }
-
- hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);
-
- SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
- }
- }
-
- /**
- * Show privileges for given principal on given object
- * @param principal
- * @param privObj
- * @return
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.showPrivileges()");
-
- throwNotImplementedException("showPrivileges");
-
- return null;
- }
-
- @Override
- public void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.createRole()");
-
- throwNotImplementedException("createRole");
- }
-
- @Override
- public void dropRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.dropRole()");
-
- throwNotImplementedException("dropRole");
- }
-
- @Override
- public List<String> getAllRoles()
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getAllRoles()");
-
- throwNotImplementedException("getAllRoles");
-
- return null;
- }
-
- @Override
- public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.getCurrentRoleNames()");
-
- throwNotImplementedException("getCurrentRoleNames");
-
- return null;
- }
-
- @Override
- public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getPrincipalGrantInfoForRole()");
-
- throwNotImplementedException("getPrincipalGrantInfoForRole");
-
- return null;
- }
-
- @Override
- public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");
-
- throwNotImplementedException("getRoleGrantInfoForPrincipal");
-
- return null;
- }
-
- @Override
- public VERSION getVersion() {
- return VERSION.V1;
- }
-
- @Override
- public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.grantRole()");
-
- throwNotImplementedException("grantRole");
- }
-
- @Override
- public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.revokeRole()");
-
- throwNotImplementedException("revokeRole");
- }
-
- @Override
- public void setCurrentRole(String roleName)
- throws HiveAccessControlException, HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.setCurrentRole()");
-
- throwNotImplementedException("setCurrentRole");
- }
-
- private void throwNotImplementedException(String method) throws HiveAuthzPluginException {
- throw new HiveAuthzPluginException(method + "() not implemented in Argus HiveAuthorizer");
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
deleted file mode 100644
index 50fd55c..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive.authorizer;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-
-public class XaSecureHiveAuthorizerFactory implements HiveAuthorizerFactory {
- @Override
- public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf,
- HiveAuthenticationProvider hiveAuthenticator,
- HiveAuthzSessionContext sessionContext)
- throws HiveAuthzPluginException {
- return new XaSecureHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java
deleted file mode 100644
index 45fbce0..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive.constants;
-
-public final class XaSecureHiveConstants {
- public static final String WILDCARD_OBJECT = "*" ;
- public static final String HAS_ANY_PERMISSION = "any" ;
- public static final String SHOW_META_INFO_PERMISSION = "show" ;
- public static final String PUBLIC_ACCESS_ROLE = "public" ;
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java
new file mode 100644
index 0000000..50b0aa0
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+
+
+public class RangerHiveAccessContext {
+ private String mClientIpAddress;
+ private String mClientType;
+ private String mCommandString;
+ private String mSessionString;
+
+ public RangerHiveAccessContext(HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
+ if(context != null) {
+ mClientIpAddress = context.getIpAddress();
+ mCommandString = context.getCommandString();
+ }
+
+ if(sessionContext != null) {
+ mClientType = sessionContext.getClientType().name();
+ mSessionString = sessionContext.getSessionString();
+ }
+ }
+
+ public String getClientIpAddress() {
+ return mClientIpAddress;
+ }
+
+ public void setClientIpAddress(String clientIpAddress) {
+ this.mClientIpAddress = clientIpAddress;
+ }
+
+ public String getClientType() {
+ return mClientType;
+ }
+
+ public void setClientType(String clientType) {
+ this.mClientType = clientType;
+ }
+
+ public String getCommandString() {
+ return mCommandString;
+ }
+
+ public void setCommandString(String commandString) {
+ this.mCommandString = commandString;
+ }
+
+ public String getSessionString() {
+ return mSessionString;
+ }
+
+ public void setSessionString(String sessionString) {
+ this.mSessionString = sessionString;
+ }
+}
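Review bot: In the constructor, `sessionContext.getClientType().name()` dereferences the client type without a null check, while the surrounding code does guard `context` and `sessionContext` themselves; if Hive ever supplies a session context without a client type, the authorizer throws an NPE instead of recording an unknown client. A null-safe form keeps the same result otherwise: `mClientType = sessionContext.getClientType() == null ? null : sessionContext.getClientType().name();`. The class also has no Javadoc; a one-line summary such as "Snapshot of the caller's IP address, client type, command and session string, taken from the Hive authz contexts for use in access decisions and audit" would tell readers why the four fields are captured, and the four public setters are worth a comment if anything is expected to change them after construction, since this object presumably feeds the audit record.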
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java
new file mode 100644
index 0000000..ef4ad56
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.hadoop.security.UserGroupInformation;
+
+
+public interface RangerHiveAccessVerifier {
+ public boolean isAccessAllowed(UserGroupInformation ugi, RangerHiveObjectAccessInfo objAccessInfo) ;
+
+ public boolean isAudited(RangerHiveObjectAccessInfo objAccessInfo) ;
+}
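Review bot: Both interface methods are undocumented, and since isAccessAllowed is the policy decision point its contract should be explicit. A Javadoc along the lines of "Returns {@code true} only when {@code ugi} is permitted the access described by {@code objAccessInfo}; implementations must return {@code false} on any error or missing policy (fail closed)" for isAccessAllowed, and "Returns whether the access described by {@code objAccessInfo} must be written to the audit log" for isAudited, would fix the contract for implementors. Whether null arguments are legal is not visible here and is worth stating either way.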
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java
new file mode 100644
index 0000000..f02bfe8
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
+
+public class RangerHiveAccessVerifierFactory {
+
+ private static final Log LOG = LogFactory.getLog(RangerHiveAccessVerifierFactory.class) ;
+
+ private static RangerHiveAccessVerifier hiveAccessVerififer = null ;
+
+ public static RangerHiveAccessVerifier getInstance() {
+ if (hiveAccessVerififer == null) {
+ synchronized(RangerHiveAccessVerifierFactory.class) {
+ RangerHiveAccessVerifier temp = hiveAccessVerififer ;
+ if (temp == null) {
+ String hiveAccessVerifierClassName = RangerConfiguration.getInstance().get(RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP, RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE ) ;
+
+ if (hiveAccessVerifierClassName != null) {
+ LOG.info("Hive Access Verification class [" + hiveAccessVerifierClassName + "] - Being built");
+ try {
+ hiveAccessVerififer = (RangerHiveAccessVerifier) (Class.forName(hiveAccessVerifierClassName).newInstance()) ;
+ LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification.");
+ } catch (InstantiationException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (IllegalAccessException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (ClassNotFoundException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (Throwable t) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", t);
+ }
+ finally {
+ LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification. (" + hiveAccessVerififer + ")");
+ }
+ }
+ }
+ else {
+ LOG.error("Unable to obtain hiveAccessVerifier [" + RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP + "]");
+ }
+ }
+ }
+ return hiveAccessVerififer ;
+ }
+}
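Review bot: getInstance() returns null whenever the configured verifier class fails to load or instantiate, because each catch block only logs, and the finally block still logs "Created a new instance of class ..." in that case, so a mistyped class name in the configuration silently hands callers a null verifier with a success-looking log line. Either rethrow from the Throwable branch, `throw new IllegalStateException("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", t);`, or document on the method that a null return must be treated as access denied, and move the "Created" message into the try so it is only logged on success. Separately, the lazy-init check reads the static field outside the lock while the field is not volatile, so this double-checked locking is not safe under the Java memory model; `private static volatile RangerHiveAccessVerifier hiveAccessVerififer = null;` fixes that (the field name is also misspelled, "Verififer"). Since the class name comes from configuration and the cast is the only constraint on what gets instantiated, a comment noting that the configuration file is trusted input would help future readers.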
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java
new file mode 100644
index 0000000..73b5b57
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ranger.authorization.utils.StringUtil;
+
+public class RangerHiveObjectAccessInfo {
+ public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI };
+ public enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN };
+
+ private String mOperType = null;
+ private RangerHiveAccessContext mContext = null;
+ private HiveAccessType mAccessType = HiveAccessType.NONE;
+ private HiveObjectType mObjectType = HiveObjectType.NONE;
+ private String mDatabase = null;
+ private String mTable = null;
+ private String mView = null;
+ private String mPartition = null;
+ private String mIndex = null;
+ private List<String> mColumns = null;
+ private String mFunction = null;
+ private String mUri = null;
+ private String mDeniedObjectName = null;
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName) {
+ this(operType, context, accessType, dbName, null, HiveObjectType.DATABASE, dbName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName) {
+ this(operType, context, accessType, dbName, tblName, HiveObjectType.TABLE, tblName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, HiveObjectType objType, String objName) {
+ this(operType, context, accessType, dbName, null, objType, objName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, HiveObjectType objType, String objName) {
+ this(operType, context, accessType, null, null, objType, objName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblOrViewName, List<String> columns) {
+ mOperType = operType;
+ mContext = context;
+ mAccessType = accessType;
+ mObjectType = HiveObjectType.COLUMN;
+ mDatabase = dbName;
+ mTable = tblOrViewName;
+ mView = tblOrViewName;
+ mColumns = columns;
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName, HiveObjectType objType, String objName) {
+ mOperType = operType;
+ mContext = context;
+ mAccessType = accessType;
+ mObjectType = objType;
+ mDatabase = dbName;
+ mTable = tblName;
+ mView = tblName;
+
+ if(objName != null && ! objName.trim().isEmpty()) {
+ switch(objType) {
+ case DATABASE:
+ mDatabase = objName;
+ break;
+
+ case TABLE:
+ mTable = objName;
+ break;
+
+ case VIEW:
+ mView = objName;
+ break;
+
+ case PARTITION:
+ mPartition = objName;
+ break;
+
+ case INDEX:
+ mIndex = objName;
+ break;
+
+ case COLUMN:
+ mColumns = new ArrayList<String>();
+ mColumns.add(objName);
+ break;
+
+ case FUNCTION:
+ mFunction = objName;
+ break;
+
+ case URI:
+ mUri = objName;
+ break;
+
+ case NONE:
+ break;
+ }
+ }
+ }
+
+ public String getOperType() {
+ return mOperType;
+ }
+
+ public RangerHiveAccessContext getContext() {
+ return mContext;
+ }
+
+ public HiveAccessType getAccessType() {
+ return mAccessType;
+ }
+
+ public HiveObjectType getObjectType() {
+ return mObjectType;
+ }
+
+ public String getDatabase() {
+ return mDatabase;
+ }
+
+ public String getTable() {
+ return mTable;
+ }
+
+ public String getView() {
+ return mView;
+ }
+
+ public String getPartition() {
+ return mPartition;
+ }
+
+ public String getIndex() {
+ return mIndex;
+ }
+
+ public List<String> getColumns() {
+ return mColumns;
+ }
+
+ public String getFunction() {
+ return mFunction;
+ }
+
+ public String getUri() {
+ return mUri;
+ }
+
+ public void setDeinedObjectName(String deniedObjectName) {
+ mDeniedObjectName = deniedObjectName;
+ }
+
+ public String getDeinedObjectName() {
+ return mDeniedObjectName;
+ }
+
+ public String getObjectName() {
+ String objName = null;
+
+ if(this.mObjectType == HiveObjectType.URI) {
+ objName = mUri;
+ } else {
+ String tblName = null;
+ String colName = null;
+
+ if(! StringUtil.isEmpty(mTable))
+ tblName = mTable;
+ else if(! StringUtil.isEmpty(mView))
+ tblName = mView;
+ else if(! StringUtil.isEmpty(mFunction))
+ tblName = mFunction;
+
+ if(! StringUtil.isEmpty(mColumns))
+ colName = StringUtil.toString(mColumns);
+ else if(! StringUtil.isEmpty(mIndex))
+ colName = mIndex;
+
+ objName = getObjectName(mDatabase, tblName, colName);
+ }
+
+ return objName;
+ }
+
+ public static String getObjectName(String dbName, String tblName, String colName) {
+ String objName = StringUtil.isEmpty(dbName) ? "" : dbName;
+
+ if(!StringUtil.isEmpty(tblName)) {
+ objName += ("/" + tblName);
+
+ if(!StringUtil.isEmpty(colName)) {
+ objName += ("/" + colName);
+ }
+ }
+
+ return objName;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ boolean ret = false;
+
+ if(obj != null && obj instanceof RangerHiveObjectAccessInfo) {
+ RangerHiveObjectAccessInfo that = (RangerHiveObjectAccessInfo)obj;
+
+ ret = StringUtil.equalsIgnoreCase(mOperType, that.mOperType)
+ && mAccessType == that.mAccessType
+ && mObjectType == that.mObjectType
+ && StringUtil.equalsIgnoreCase(mDatabase, that.mDatabase)
+ && StringUtil.equalsIgnoreCase(mTable, that.mTable)
+ && StringUtil.equalsIgnoreCase(mView, that.mView)
+ && StringUtil.equalsIgnoreCase(mPartition, that.mPartition)
+ && StringUtil.equalsIgnoreCase(mIndex, that.mIndex)
+ && StringUtil.equalsIgnoreCase(mColumns, that.mColumns)
+ ;
+ }
+
+ return ret;
+ }
+}
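Review bot: equals() is overridden without hashCode(), so instances that compare equal can hash differently and any HashMap or HashSet keyed on this class breaks the equals/hashCode contract; add an `@Override public int hashCode()` over the same fields, using the lower-cased form of each string field so it stays consistent with the equalsIgnoreCase comparisons. equals() also omits mFunction and mUri, so two URI accesses to different paths compare equal, which looks unintended for an access-decision value object, though whether anything relies on that is not visible here. getColumns() returns the caller-supplied list as-is (the six-argument constructor stores `columns` without copying), so a caller can alter the column set after the object was built; `mColumns = columns == null ? null : new ArrayList<String>(columns);` in the constructor and an unmodifiable view from the getter would close that. The accessor pair setDeinedObjectName/getDeinedObjectName is misspelled ("Deined"); fixing it now, while the package rename already touches every caller, is cheap.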