Posted to commits@ranger.apache.org by rm...@apache.org on 2021/10/12 20:52:39 UTC

[ranger] branch ranger-2.2 updated (c1c22d9 -> c3cc47d)

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a change to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from c1c22d9  RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 2
     add 8fbee8b  RANGER-3467:Revert RANGER-3368 Ranger HiveAuthorizer improvements to handle uncharted hive commands
     new c3cc47d  RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../hive/authorizer/RangerHiveAuditHandler.java    |  25 --
 .../hive/authorizer/RangerHiveAuthorizer.java      | 251 ++++-----------------
 2 files changed, 40 insertions(+), 236 deletions(-)

[ranger] 01/01: RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands

Posted by rm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit c3cc47da40f0f7504a3ed6ba7ecc363bc3afb248
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Tue Oct 12 11:55:30 2021 -0700

    RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dd758e9..2be4424 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -905,6 +905,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					//
 					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
 					requests.add(request);
+				} else if (hiveOpType.equals(HiveOperationType.ALTERTABLE_OWNER)) {
+					RangerHiveAccessRequest request = buildRequestForAlterTableSetOwnerFromCommandString(user, groups, roles, hiveOpType.name(), context, sessionContext);
+					if (request != null) {
+						requests.add(request);
+					} else {
+						throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+								user, hiveOpType.name()));
+					}
 				} else {
 					if (LOG.isDebugEnabled()) {
 						LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
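Review bot: The exception thrown in the new `else` branch reports that the user "does not have privilege", but the only way `buildRequestForAlterTableSetOwnerFromCommandString` yields null is that the database or table name could not be recovered from the command string, so the message misattributes the cause and will mislead anyone triaging a denied ALTER TABLE ... SET OWNER from the audit trail. Failing closed here is the right choice, since this branch runs when Hive supplied no input objects (per the debug message on the following line), but the wording should say so: `String.format("Permission denied: unable to determine the target table for [%s] command issued by user [%s]", hiveOpType.name(), user)`. The enclosing checkPrivileges method starts and ends outside this hunk.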
@@ -3079,6 +3087,28 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		}
 		return ret;
 	}
+
+	private RangerHiveAccessRequest buildRequestForAlterTableSetOwnerFromCommandString(String                  user,
+																					   Set<String>             userGroups,
+																					   Set<String>             userRoles,
+																					   String                  hiveOpTypeName,
+																					   HiveAuthzContext        context,
+																					   HiveAuthzSessionContext sessionContext) {
+		RangerHiveResource      resource  = null;
+		RangerHiveAccessRequest request   = null;
+		HiveObj hiveObj  = new HiveObj();
+		hiveObj.fetchHiveObjForAlterTable(context);
+		String dbName    = hiveObj.getDatabaseName();
+		String tableName = hiveObj.getTableName();
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Database: " + dbName + " Table: " + tableName);
+		}
+		if (dbName != null && tableName != null) {
+			resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+			request  = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.ALTER, context, sessionContext);
+		}
+		return request;
+	}
 }
 
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
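Review bot: `buildRequestForAlterTableSetOwnerFromCommandString` has no Javadoc, and its contract is exactly what a reviewer of the authorizer needs: the table being authorized is reconstructed from `context.getCommandString()` through `HiveObj.fetchHiveObjForAlterTable` rather than from Hive's input object list, and the method returns null whenever either the database or the table name cannot be determined. I would add a Javadoc stating those two points, with `@return the ALTER request for the resolved table, or null if the database or table could not be determined from the command string`, and a `@param` line for each argument. Because the resource is derived from command text, the access decision is only as reliable as that parse; a sentence pointing maintainers to `HiveObj.fetchHiveObjForAlterTable` for the parsing assumptions would make that dependency explicit. The debug line `LOG.debug("Database: " + dbName + " Table: " + tableName);` would be easier to find in logs with the method name as a prefix, matching the `RangerHiveAuthorizer.checkPrivileges:` style used elsewhere in the file.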
@@ -3088,6 +3118,8 @@ class HiveObj {
 	String databaseName;
 	String tableName;
 
+	HiveObj() {}
+
 	HiveObj(HiveAuthzContext context) {
 	 fetchHiveObj(context);
 	}
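Review bot: The added no-arg `HiveObj()` constructor leaves `databaseName` and `tableName` null until a fetch method is invoked, whereas the existing `HiveObj(HiveAuthzContext)` constructor populates them eagerly; that asymmetry is undocumented and easy to misuse. A one-line comment on the new constructor, such as `// fields remain null until fetchHiveObjForAlterTable(context) is called`, would make the intended two-step use explicit.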
@@ -3120,6 +3152,29 @@ class HiveObj {
 		}
 	}
 
+	public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
+		// cmd passed: Alter Table <database.tableName or tableName> set owner user|role  <user_or_role>
+		if (context != null) {
+			String cmdString = context.getCommandString();
+			if (cmdString != null) {
+				String[] cmd = cmdString.trim().split("\\s+");
+				if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
+					tableName = cmd[2];
+					if (tableName.contains(".")) {
+						String[] result = splitDBName(tableName);
+						databaseName = result[0];
+						tableName = result[1];
+					} else {
+						SessionState sessionState = SessionState.get();
+						if (sessionState != null) {
+							databaseName = sessionState.getCurrentDatabase();
+						}
+					}
+				}
+			}
+		}
+	}
+
 	private String[] splitDBName(String dbName) {
 		String[] ret = null;
 		ret = dbName.split("\\.");