Posted to commits@sentry.apache.org by gq...@apache.org on 2015/09/08 01:53:08 UTC
incubator-sentry git commit: SENTRY-861: Add
SentryHivePrivilegeObject to enhance hive authorization for Server and URI
type (Guoquan Shen, Reviewed by: Dapeng Sun)
Repository: incubator-sentry
Updated Branches:
refs/heads/hive_plugin_v2 9c3cc49b4 -> 5c2677553
SENTRY-861: Add SentryHivePrivilegeObject to enhance hive authorization for Server and URI type (Guoquan Shen, Reviewed by: Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/5c267755
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/5c267755
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/5c267755
Branch: refs/heads/hive_plugin_v2
Commit: 5c267755311c75c1d28ac037686b66f3f5ba5022
Parents: 9c3cc49
Author: Guoquan Shen <gu...@intel.com>
Authored: Tue Sep 8 07:24:43 2015 +0800
Committer: Guoquan Shen <gu...@intel.com>
Committed: Tue Sep 8 07:24:43 2015 +0800
----------------------------------------------------------------------
.../hive/v2/SentryHivePrivilegeObject.java | 32 ++++++++++++++++++++
.../v2/authorizer/SentryHiveAuthorizer.java | 29 +++++++++++++++++-
.../ql/exec/SentryHivePrivilegeObjectDesc.java | 4 +++
3 files changed, 64 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
new file mode 100644
index 0000000..009cea1
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.sentry.binding.hive.v2;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+public class SentryHivePrivilegeObject extends HivePrivilegeObject {
+
+ boolean isServer = false;
+
+ boolean isUri = false;
+
+ String objectName = "";
+
+ public SentryHivePrivilegeObject(HivePrivilegeObjectType type, String objectName) {
+ super(type, null, objectName);
+ }
+
+}
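Review bot: The fields `isServer`, `isUri` and `objectName` are package-private, mutable and never assigned by the constructor, so every instance carries `false`/`""` whatever descriptor it was built from. The `objectName` field is also a second copy of the name passed to `super(type, null, objectName)` and stays empty. Because this class represents Server and URI objects in authorization checks, either drop the fields and rely on the type and name held by HivePrivilegeObject, or make them `private final` and set them in the constructor. A class Javadoc saying that the dbname argument is deliberately `null` for these object types would also help.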
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
index 1388121..4aa6948 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
@@ -17,6 +17,7 @@ package org.apache.sentry.binding.hive.v2.authorizer;
import java.util.List;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
@@ -31,7 +32,9 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.sentry.binding.hive.v2.SentryHivePrivilegeObject;
/**
* Convenience implementation of HiveAuthorizer. You can customize the behavior by passing different
@@ -162,7 +165,31 @@ public abstract class SentryHiveAuthorizer implements HiveAuthorizer {
@Override
public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
throws HiveException {
- return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc);
+ SentryHivePrivilegeObjectDesc sPrivSubjectDesc = null;
+ if (privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
+ sPrivSubjectDesc = (SentryHivePrivilegeObjectDesc) privSubjectDesc;
+ }
+ if (sPrivSubjectDesc != null && sPrivSubjectDesc.isSentryPrivObjectDesc()) {
+ HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
+ return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
+ } else {
+ return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc);
+ }
+ }
+
+ protected static HivePrivilegeObjectType getPrivObjectType(
+ SentryHivePrivilegeObjectDesc privSubjectDesc) {
+ if (privSubjectDesc.getObject() == null) {
+ return null;
+ }
+ if (privSubjectDesc.getServer()) {
+ return HivePrivilegeObjectType.GLOBAL;
+ } else if (privSubjectDesc.getUri()) {
+ return HivePrivilegeObjectType.LOCAL_URI;
+ } else {
+ return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
+ : HivePrivilegeObjectType.DATABASE;
+ }
}
}
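Review bot: `getPrivObjectType` returns `null` when `getObject()` is null, and `getHivePrivilegeObject` then builds a `SentryHivePrivilegeObject` with a null type and null name instead of rejecting the request. For an authorization object it is safer to fail closed, and the method already declares `throws HiveException`, so `if (objectType == null) { throw new HiveException("Privilege object name is required for server or URI grants"); }` before the `return new SentryHivePrivilegeObject(...)` line would do. The TABLE_OR_VIEW/DATABASE branch looks unreachable from this caller, since `isSentryPrivObjectDesc()` is true only for server or URI descriptors. Every URI is typed `LOCAL_URI`, which may be worth confirming for non-local paths, where `DFS_URI` seems the closer match.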
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
index 18cdde2..8929357 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
@@ -47,4 +47,8 @@ public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc {
this.isServer = isServer;
}
+ public boolean isSentryPrivObjectDesc() {
+ return isServer || isUri;
+ }
+
}
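Review bot: `isSentryPrivObjectDesc()` reads as "is this a Sentry descriptor", but it returns true only when `isServer || isUri`. SentryHiveAuthorizer uses it to choose between the Sentry path and `AuthorizationUtils.getHivePrivilegeObject`, so the name hides the contract that decides which path runs. A Javadoc such as `/** Returns true only when this descriptor targets a server or a URI. */` would make that explicit, as would a name like `isServerOrUri` if renaming is acceptable. The enclosing class begins outside the hunk, so the declarations of `isServer` and `isUri` are not visible here.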