Posted to commits@ranger.apache.org by rm...@apache.org on 2021/10/12 20:52:39 UTC
[ranger] branch ranger-2.2 updated (c1c22d9 -> c3cc47d)
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a change to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git.
from c1c22d9 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
add 8fbee8b RANGER-3467:Revert RANGER-3368 Ranger HiveAuthorizer improvements to handle uncharted hive commands
new c3cc47d RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../hive/authorizer/RangerHiveAuditHandler.java | 25 --
.../hive/authorizer/RangerHiveAuthorizer.java | 251 ++++-----------------
2 files changed, 40 insertions(+), 236 deletions(-)
[ranger] 01/01: RANGER-3474:RangerHivePlugin enhancement to handle
new Hive commands
Posted by rm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit c3cc47da40f0f7504a3ed6ba7ecc363bc3afb248
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Tue Oct 12 11:55:30 2021 -0700
RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
---
.../hive/authorizer/RangerHiveAuthorizer.java | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dd758e9..2be4424 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -905,6 +905,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
//
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
requests.add(request);
+ } else if (hiveOpType.equals(HiveOperationType.ALTERTABLE_OWNER)) {
+ RangerHiveAccessRequest request = buildRequestForAlterTableSetOwnerFromCommandString(user, groups, roles, hiveOpType.name(), context, sessionContext);
+ if (request != null) {
+ requests.add(request);
+ } else {
+ throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+ user, hiveOpType.name()));
+ }
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
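Review bot: In the new ALTERTABLE_OWNER branch the HiveAccessControlException says the user "does not have privilege", but the only way `buildRequestForAlterTableSetOwnerFromCommandString` returns null is that the database or table could not be derived from the command string, so a parse failure is presented to the user and to anyone triaging later as a policy denial. Denying is the right fail-closed choice, but log the real cause before throwing, e.g. `LOG.warn("RangerHiveAuthorizer.checkPrivileges: unable to derive table resource for [" + hiveOpType.name() + "] from command string; denying access");`. As far as this hunk shows the exception is raised before any request in `requests` is evaluated, so this denial presumably never reaches the Ranger audit handler — worth confirming, since a refused ownership change is exactly the kind of event the audit trail should record. The enclosing `checkPrivileges` method starts and ends outside the hunk.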
@@ -3079,6 +3087,28 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
return ret;
}
+
+ private RangerHiveAccessRequest buildRequestForAlterTableSetOwnerFromCommandString(String user,
+ Set<String> userGroups,
+ Set<String> userRoles,
+ String hiveOpTypeName,
+ HiveAuthzContext context,
+ HiveAuthzSessionContext sessionContext) {
+ RangerHiveResource resource = null;
+ RangerHiveAccessRequest request = null;
+ HiveObj hiveObj = new HiveObj();
+ hiveObj.fetchHiveObjForAlterTable(context);
+ String dbName = hiveObj.getDatabaseName();
+ String tableName = hiveObj.getTableName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Database: " + dbName + " Table: " + tableName);
+ }
+ if (dbName != null && tableName != null) {
+ resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+ request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.ALTER, context, sessionContext);
+ }
+ return request;
+ }
}
enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
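Review bot: `buildRequestForAlterTableSetOwnerFromCommandString` has no Javadoc, and the reason it exists — deriving the protected resource from the SQL text instead of from Hive's input objects — is non-obvious and security-relevant. Suggest a header comment along the lines of `/** Builds the ALTER request for "ALTER TABLE ... SET OWNER", for which Hive supplies no input objects, by extracting db/table from the command text via HiveObj.fetchHiveObjForAlterTable(). Returns null when the table cannot be determined; callers must treat null as a denial. */`. The request is built with HiveAccessType.ALTER on the table; whether an ownership transfer should be gated by plain ALTER rather than a stronger privilege is a policy decision that deserves to be stated in that comment, since changing the owner can hand another principal owner-level rights in Hive. The debug line `"Database: " + dbName + " Table: " + tableName` would be easier to correlate with the audit log if it also carried the method name and `hiveOpTypeName`.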
@@ -3088,6 +3118,8 @@ class HiveObj {
String databaseName;
String tableName;
+ HiveObj() {}
+
HiveObj(HiveAuthzContext context) {
fetchHiveObj(context);
}
@@ -3120,6 +3152,29 @@ class HiveObj {
}
}
+ public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
+ // cmd passed: Alter Table <database.tableName or tableName> set owner user|role <user_or_role>
+ if (context != null) {
+ String cmdString = context.getCommandString();
+ if (cmdString != null) {
+ String[] cmd = cmdString.trim().split("\\s+");
+ if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
+ tableName = cmd[2];
+ if (tableName.contains(".")) {
+ String[] result = splitDBName(tableName);
+ databaseName = result[0];
+ tableName = result[1];
+ } else {
+ SessionState sessionState = SessionState.get();
+ if (sessionState != null) {
+ databaseName = sessionState.getCurrentDatabase();
+ }
+ }
+ }
+ }
+ }
+ }
+
private String[] splitDBName(String dbName) {
String[] ret = null;
ret = dbName.split("\\.");
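Review bot: `fetchHiveObjForAlterTable` takes the third whitespace-delimited token of the raw command string as the table identifier and passes any backticks through unchanged, so a quoted but legal form such as ``ALTER TABLE `db`.`tbl` SET OWNER USER bob`` yields database "`db`" and table "`tbl`" with the backticks included, which is unlikely to match a policy written for db/tbl; the caller then denies a user who does hold ALTER on that table. Stripping quotes before the dot split, `tableName = cmd[2].replace("`", "");`, covers this common case; identifiers containing whitespace, or comments between tokens, still cannot be recovered by tokenizing and should be named as a known limitation in the method comment rather than left implicit. Because the access decision here rests on re-parsing the SQL text rather than on objects resolved by Hive's own parser, any divergence between the two parsers is a correctness risk for an authorization decision, so the comment should also state that this path deliberately fails closed (null db or table leads to denial). `splitDBName` continues past the hunk; if it can return a single-element array for an input like `db.`, `result[1]` throws ArrayIndexOutOfBoundsException — presumably Hive rejects such syntax before authorization, but a length check before indexing would make that independent of the caller.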