Posted to commits@sentry.apache.org by gq...@apache.org on 2015/09/08 01:53:08 UTC

incubator-sentry git commit: SENTRY-861: Add SentryHivePrivilegeObject to enhance hive authorization for Server and URI type (Guoquan Shen, Reviewed by: Dapeng Sun)

Repository: incubator-sentry
Updated Branches:
  refs/heads/hive_plugin_v2 9c3cc49b4 -> 5c2677553


SENTRY-861: Add SentryHivePrivilegeObject to enhance hive authorization for Server and URI type (Guoquan Shen, Reviewed by: Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/5c267755
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/5c267755
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/5c267755

Branch: refs/heads/hive_plugin_v2
Commit: 5c267755311c75c1d28ac037686b66f3f5ba5022
Parents: 9c3cc49
Author: Guoquan Shen <gu...@intel.com>
Authored: Tue Sep 8 07:24:43 2015 +0800
Committer: Guoquan Shen <gu...@intel.com>
Committed: Tue Sep 8 07:24:43 2015 +0800

----------------------------------------------------------------------
 .../hive/v2/SentryHivePrivilegeObject.java      | 32 ++++++++++++++++++++
 .../v2/authorizer/SentryHiveAuthorizer.java     | 29 +++++++++++++++++-
 .../ql/exec/SentryHivePrivilegeObjectDesc.java  |  4 +++
 3 files changed, 64 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
new file mode 100644
index 0000000..009cea1
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/SentryHivePrivilegeObject.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.sentry.binding.hive.v2;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+public class SentryHivePrivilegeObject extends HivePrivilegeObject {
+
+  boolean isServer = false;
+
+  boolean isUri = false;
+
+  String objectName = "";
+
+  public SentryHivePrivilegeObject(HivePrivilegeObjectType type, String objectName) {
+    super(type, null, objectName);
+  }
+
+}
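Review bot: The fields `isServer`, `isUri` and `objectName` in SentryHivePrivilegeObject are package-private, mutable and never assigned by the constructor, so they keep their defaults whatever type is passed in. An object built with type GLOBAL still reads `isServer == false`, and `objectName` is `""` while the real name passed to `super(type, null, objectName)` lives only in the parent. Any later authorization check that reads these fields instead of the parent's type and name would decide on stale values. Either drop the three fields until something needs them, or make them `private final` and set them in the constructor, e.g. `this.isServer = type == HivePrivilegeObjectType.GLOBAL;`. A class-level Javadoc stating why the second `super` argument is null (presumably the database name) would also help.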

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
index 1388121..4aa6948 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
@@ -17,6 +17,7 @@ package org.apache.sentry.binding.hive.v2.authorizer;
 import java.util.List;
 
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
 import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
@@ -31,7 +32,9 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.sentry.binding.hive.v2.SentryHivePrivilegeObject;
 
 /**
  * Convenience implementation of HiveAuthorizer. You can customize the behavior by passing different
@@ -162,7 +165,31 @@ public abstract class SentryHiveAuthorizer implements HiveAuthorizer {
   @Override
   public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
       throws HiveException {
-    return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc);
+    SentryHivePrivilegeObjectDesc sPrivSubjectDesc = null;
+    if (privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
+      sPrivSubjectDesc = (SentryHivePrivilegeObjectDesc) privSubjectDesc;
+    }
+    if (sPrivSubjectDesc != null && sPrivSubjectDesc.isSentryPrivObjectDesc()) {
+      HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
+      return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
+    } else {
+      return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc);
+    }
+  }
+
+  protected static HivePrivilegeObjectType getPrivObjectType(
+      SentryHivePrivilegeObjectDesc privSubjectDesc) {
+    if (privSubjectDesc.getObject() == null) {
+      return null;
+    }
+    if (privSubjectDesc.getServer()) {
+      return HivePrivilegeObjectType.GLOBAL;
+    } else if (privSubjectDesc.getUri()) {
+      return HivePrivilegeObjectType.LOCAL_URI;
+    } else {
+      return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
+          : HivePrivilegeObjectType.DATABASE;
+    }
   }
 
 }
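Review bot: `getPrivObjectType` returns null when `getObject()` is null, and `getHivePrivilegeObject` passes that straight into `new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject())`, so a server or URI descriptor without an object name yields a privilege object whose type is null. Code that later switches on the type could then throw a NullPointerException or take an unintended branch. Since the method already declares HiveException, it can fail closed with `if (objectType == null) { throw new HiveException("Privilege object name is missing"); }`. Every URI is also mapped to `LOCAL_URI` although the same enum has `DFS_URI`; if Sentry URIs can name HDFS paths, that mapping needs a comment or a scheme check. The table/database branch of `getPrivObjectType` is not reachable from this caller, because `isSentryPrivObjectDesc()` is true only for server or URI.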

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c267755/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
index 18cdde2..8929357 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java
@@ -47,4 +47,8 @@ public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc {
     this.isServer = isServer;
   }
 
+  public boolean isSentryPrivObjectDesc() {
+    return isServer || isUri;
+  }
+
 }
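Review bot: The name `isSentryPrivObjectDesc()` reads like a type test, but every instance of this class is a Sentry descriptor; the method actually reports whether the target is a server or a URI. SentryHiveAuthorizer uses the result to decide whether to bypass `AuthorizationUtils.getHivePrivilegeObject`, so the contract should be written down, e.g. `/** Returns true when this descriptor targets a server or URI, which SentryHiveAuthorizer maps itself instead of delegating to AuthorizationUtils. */`. The setter shown as context above the new method starts outside the hunk.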