Posted to commits@ranger.apache.org by sp...@apache.org on 2020/11/14 01:54:09 UTC
[ranger] branch master updated: RANGER-3058: [ranger-hive] create
table fails when ViewDFS(client side HDFS mounting fs) mount points are
targeting to Ozone/S3 FS.
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6e8873b RANGER-3058: [ranger-hive] create table fails when ViewDFS(client side HDFS mounting fs) mount points are targeting to Ozone/S3 FS.
6e8873b is described below
commit 6e8873b03b8dad9e498af69e1cff73ea1889cda6
Author: Uma Maheswara Rao G <um...@cloudera.com>
AuthorDate: Thu Nov 12 11:12:34 2020 -0800
RANGER-3058: [ranger-hive] create table fails when ViewDFS(client side HDFS mounting fs) mount points are targeting to Ozone/S3 FS.
Signed-off-by: Sailaja Polavarapu <sp...@cloudera.com>
---
.../hive/authorizer/RangerHiveAuthorizer.java | 117 +++++++++++++++++----
1 file changed, 99 insertions(+), 18 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 1bec50b..b909e30 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -19,6 +19,7 @@
package org.apache.ranger.authorization.hive.authorizer;
+import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
@@ -808,17 +809,46 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
continue;
}
- String path = hiveObj.getObjectName();
+ String pathStr = hiveObj.getObjectName();
HiveObjectType hiveObjType = resource.getObjectType();
- if(hiveObjType == HiveObjectType.URI && isPathInFSScheme(path)) {
- FsAction permission = getURIAccessType(hiveOpType);
+ if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(pathStr)) {
- if(!isURIAccessAllowed(user, permission, path, getHiveConf())) {
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
- }
+ FsAction permission = getURIAccessType(hiveOpType);
+ Path path = new Path(pathStr);
+ FileSystem fs = null;
- continue;
+ try {
+ fs = FileSystem.get(path.toUri(), getHiveConf());
+ } catch (IOException e) {
+ LOG.error("Error getting permissions for " + path, e);
+ throw new HiveAccessControlException(
+ String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user,
+ permission.name(), path),
+ e);
+ }
+
+ boolean shouldCheckAccess = true;
+
+ if (isMountedFs(fs)) {
+ Path resolvedPath = resolvePath(path, fs);
+ if (resolvedPath != null) {
+ // we know the resolved path scheme. Let's check the resolved path
+ // scheme is part of hivePlugin.getFSScheme.
+ shouldCheckAccess = isPathInFSScheme(resolvedPath.toUri().toString());
+ }
+ }
+
+ if (shouldCheckAccess) {
+ if (!isURIAccessAllowed(user, permission, path, fs)) {
+ throw new HiveAccessControlException(
+ String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user,
+ permission.name(), path));
+ }
+ continue;
+ }
+ // This means we got resolved path scheme is not part of
+ // hivePlugin.getFSScheme
}
HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, true);
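Review bot: The mount-resolution block added here (the `FileSystem.get` try/catch through the `shouldCheckAccess` branch) is repeated verbatim in the next hunk, the `getAccessType(hiveObj, hiveOpType, hiveObjType, false)` loop at L79-L127, so the two authorization paths will drift the first time one of them is patched; extract it into a private helper, e.g. `private boolean shouldCheckURIAccess(Path path, FileSystem fs)` returning the `shouldCheckAccess` value, and call it from both loops. Separately, when `resolvePath` returns null (it maps every IOException to null in the last hunk) the code silently keeps `shouldCheckAccess = true` and runs the permission check against the mounted filesystem object, so a failed resolution is indistinguishable in the logs from a plain non-mount path; a `LOG.debug("Could not resolve mounted path " + path + "; falling back to URI permission check")` in the `resolvedPath == null` case would keep the decision traceable for audit. The enclosing method starts and ends outside the hunk.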
@@ -869,17 +899,46 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
continue;
}
- String path = hiveObj.getObjectName();
+ String pathStr = hiveObj.getObjectName();
HiveObjectType hiveObjType = resource.getObjectType();
- if(hiveObjType == HiveObjectType.URI && isPathInFSScheme(path)) {
- FsAction permission = getURIAccessType(hiveOpType);
+ if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(pathStr)) {
- if(!isURIAccessAllowed(user, permission, path, getHiveConf())) {
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
- }
+ FsAction permission = getURIAccessType(hiveOpType);
+ Path path = new Path(pathStr);
+ FileSystem fs = null;
- continue;
+ try {
+ fs = FileSystem.get(path.toUri(), getHiveConf());
+ } catch (IOException e) {
+ LOG.error("Error getting permissions for " + path, e);
+ throw new HiveAccessControlException(
+ String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user,
+ permission.name(), path),
+ e);
+ }
+
+ boolean shouldCheckAccess = true;
+
+ if (isMountedFs(fs)) {
+ Path resolvedPath = resolvePath(path, fs);
+ if (resolvedPath != null) {
+ // we know the resolved path scheme. Let's check the resolved path
+ // scheme is part of hivePlugin.getFSScheme.
+ shouldCheckAccess = isPathInFSScheme(resolvedPath.toUri().toString());
+ }
+ }
+
+ if (shouldCheckAccess) {
+ if (!isURIAccessAllowed(user, permission, path, fs)) {
+ throw new HiveAccessControlException(
+ String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user,
+ permission.name(), path));
+ }
+ continue;
+ }
+ // This means we got resolved path scheme is not part of
+ // hivePlugin.getFSScheme
}
HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, false);
@@ -2007,15 +2066,13 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
- private boolean isURIAccessAllowed(String userName, FsAction action, String uri, HiveConf conf) {
+ private boolean isURIAccessAllowed(String userName, FsAction action, Path filePath, FileSystem fs) {
boolean ret = false;
if(action == FsAction.NONE) {
ret = true;
} else {
try {
- Path filePath = new Path(uri);
- FileSystem fs = FileSystem.get(filePath.toUri(), conf);
FileStatus[] filestat = fs.globStatus(filePath);
if(filestat != null && filestat.length > 0) {
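Review bot: The new `isURIAccessAllowed` signature takes a caller-supplied `FileSystem` but carries no Javadoc stating the precondition that `fs` must be the filesystem obtained for `filePath`'s URI; a null or mismatched `fs` would only surface through `fs.globStatus` failing inside the `catch(Exception)` below, where it is logged as a permissions error and denied. Add above the method: `/** Checks {@code action} for {@code userName} on {@code filePath} using the caller-supplied {@code fs}, which must be the filesystem for {@code filePath}'s URI; {@code FsAction.NONE} is always allowed and any failure yields {@code false}. */`. Both callers in the earlier hunks obtain `fs` from `FileSystem.get(path.toUri(), getHiveConf())` and throw before reaching this method when that fails, so the precondition currently holds. The method body continues past the hunk.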
@@ -2039,7 +2096,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
} catch(Exception excp) {
ret = false;
- LOG.error("Error getting permissions for " + uri, excp);
+ LOG.error("Error getting permissions for " + filePath, excp);
}
}
@@ -2062,6 +2119,30 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
+ /**
+ * Resolves the path to actual target fs path. In the mount based file systems
+ * like ViewHDFS, the resolved target path could be the path of other mounted
+ * target fs path. Returns null if file does not exist or any other IOException.
+ */
+ private Path resolvePath(Path path, FileSystem fs) {
+ try {
+ return fs.resolvePath(path);
+ } catch (IOException e) {
+ return null;
+ }
+ }
+
+ /**
+ * Returns true if the given fs supports mount functionality. In general we can
+ * have child file systems only in the case of mount fs like ViewFileSystem,
+ * ViewFsOverloadScheme or ViewDistributedFileSystem. Returns false if the
+ * getChildFileSystems API returns null.
+ */
+ private boolean isMountedFs(FileSystem fs) {
+ return fs.getChildFileSystems() != null;
+ }
+
+
private void handleDfsCommand(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,