Posted to commits@ranger.apache.org by pr...@apache.org on 2020/12/04 15:51:24 UTC
[ranger] 03/03: RANGER-3033: hive authorior should impl
getRoleGrantInfoForPrincipal() interface
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 4195eab099682024827fd88f4d2d3a93ce1f250d
Author: rujia1019 <82...@163.com>
AuthorDate: Tue Oct 13 16:01:32 2020 +0800
RANGER-3033: hive authorior should impl getRoleGrantInfoForPrincipal() interface
Signed-off-by: pradeep <pr...@apache.org>
---
.../hive/authorizer/RangerHiveAuthorizer.java | 48 ++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index b909e30..5e64e34 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -2351,6 +2351,54 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
+ @Override
+ public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHiveAuthorizer.getRoleGrantInfoForPrincipal ==> principal: " + principal);
+ }
+ boolean result = false;
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+
+ if(ugi == null) {
+ throw new HiveAccessControlException("Permission denied: user information not available");
+ }
+
+ List<HiveRoleGrant> ret = new ArrayList<>();
+ String currentUserName = ugi.getShortUserName();
+ List<String> userNames = Arrays.asList(currentUserName);
+
+ try {
+ List<String> roleStringList = hivePlugin.getUserRoles(principal.getName(), auditHandler);
+
+ for (String roleName : roleStringList) {
+ RangerRole role = hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
+ HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
+ hiveRoleGrant.setGrantOption(true);
+ hiveRoleGrant.setGrantor(role.getCreatedBy());
+ hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
+ hiveRoleGrant.setGrantTime((int) (role.getUpdateTime().getTime()/1000));
+ hiveRoleGrant.setRoleName(roleName);
+ ret.add(hiveRoleGrant);
+ }
+ result = true;
+ } catch (Exception e) {
+ LOG.error("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error", e);
+ throw new HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error: " + e.getMessage(), e);
+ } finally {
+ RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, null, result);
+ auditHandler.processResult(accessResult);
+ auditHandler.flushAudit();
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() Result: " + ret);
+ }
+
+ return ret;
+ }
+
private HivePrivilegeObjectType getPluginPrivilegeObjType(
org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
switch (objectType) {
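Review bot: The lookup `hivePlugin.getUserRoles(principal.getName(), auditHandler)` is keyed on the caller-supplied principal, and nothing visible in this hunk checks that the current user (`ugi`) may see another principal's roles, or that `principal` is non-null and of type USER rather than ROLE or GROUP. Unless `getUserRoles`/`getRole` enforce this themselves (not visible here), any authenticated session can list role membership for arbitrary names; a guard before the `try` such as `if (principal == null || principal.getType() != HivePrincipal.HivePrincipalType.USER) throw new HiveAuthzPluginException("unsupported principal: " + principal);`, together with an explicit self-or-role-admin check, would make the policy explicit. The audit event built in `finally` carries a `null` resource and only `currentUserName`, so the trail does not record whose roles were queried; the target principal should be included in the event. `setGrantOption(true)` reports the admin option on every grant regardless of how the role was assigned, which overstates privilege in `SHOW ROLE GRANT` output. `role` and `role.getUpdateTime()` are also dereferenced without null checks, so a role that no longer exists surfaces as a wrapped NullPointerException rather than a clear error.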