Posted to commits@hive.apache.org by th...@apache.org on 2018/03/01 01:08:22 UTC
hive git commit: HIVE-18777 : Add Authorization interface to support
information_schema integration with external authorization (Thejas Nair,
reviewed by Daniel Dai)
Repository: hive
Updated Branches:
refs/heads/master f99c89388 -> bd6d91f11
HIVE-18777 : Add Authorization interface to support information_schema integration with external authorization (Thejas Nair, reviewed by Daniel Dai)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/bd6d91f1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/bd6d91f1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/bd6d91f1
Branch: refs/heads/master
Commit: bd6d91f11d7d3323dce37344eea9d722f8945e6a
Parents: f99c893
Author: Thejas M Nair <th...@hortonworks.com>
Authored: Wed Feb 28 17:08:16 2018 -0800
Committer: Thejas M Nair <th...@hortonworks.com>
Committed: Wed Feb 28 17:08:16 2018 -0800
----------------------------------------------------------------------
.../plugin/AbstractHiveAuthorizer.java | 13 ++++-
.../authorization/plugin/HiveAuthorizer.java | 10 ++--
.../plugin/HivePolicyChangeListener.java | 35 ++++++++++++++
.../plugin/HivePolicyProvider.java | 36 ++++++++++++++
.../authorization/plugin/HiveResourceACLs.java | 50 ++++++++++++++++++++
5 files changed, 140 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
index 4441934..a925c5a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
@@ -17,7 +17,6 @@
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin;
-
/**
* Abstract class that extends HiveAuthorizer. This will help to shield
* Hive authorization implementations from some of the changes to HiveAuthorizer
@@ -38,4 +37,16 @@ public abstract class AbstractHiveAuthorizer implements HiveAuthorizer {
return null;
}
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer#
+ * getHivePolicyProvider()
+ */
+ @Override
+ public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
+ return null;
+ }
+
}
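Review bot: The default `getHivePolicyProvider()` returns `null` without saying what that means, so each caller has to guess that it stands for "this plugin does not expose policy information". The comment above it is only a `(non-Javadoc)` pointer, and the interface Javadoc in HiveAuthorizer.java promises a `HivePolicyProvider instance (expected to be a singleton)` with no mention of null. I would add `// null: this authorizer does not expose its policies; callers must null-check and must not read this as "no restrictions"` above the return, and extend the interface tag to `@return HivePolicyProvider instance (expected to be a singleton), or null if the plugin does not provide policy information`. The class body starts outside the hunk.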
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
index 9783c56..a4079b8 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
@@ -263,7 +263,7 @@ public interface HiveAuthorizer {
*
* @throws SemanticException
*/
- public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context,
+ List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context,
List<HivePrivilegeObject> privObjs) throws SemanticException;
/**
@@ -273,7 +273,11 @@ public interface HiveAuthorizer {
* @return
* @throws SemanticException
*/
- public boolean needTransform();
+ boolean needTransform();
+ /**
+ * @return HivePolicyProvider instance (expected to be a singleton)
+ * @throws HiveAuthzPluginException
+ */
+ HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException;
}
-
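Review bot: The new abstract `getHivePolicyProvider()` on the `HiveAuthorizer` interface is a breaking change for any authorization plugin that implements the interface directly rather than extending `AbstractHiveAuthorizer`. A plugin built against the old interface would presumably fail with `AbstractMethodError` when this method is called. The Javadoc should at least say `Plugins should extend AbstractHiveAuthorizer, which supplies a default implementation of this method`; if the build targets Java 8 or later (not visible here), declaring it `default` would avoid the break. The `@throws HiveAuthzPluginException` tag also gives no condition under which it is thrown. The interface body starts outside the hunk.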
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
new file mode 100644
index 0000000..577f609
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.List;
+
+/**
+ * This would be implemented by a class that needs to be notified when there is
+ * a policy change.
+ */
+public interface HivePolicyChangeListener {
+ /**
+ * @param hpo
+ * List of Objects whose privileges have changed. If undetermined,
+ * null can be returned (implies that it should be treated as if all object
+ * policies might have changed).
+ */
+ void notifyPolicyChange(List<HivePrivilegeObject> hpo);
+
+}
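Review bot: The `@param hpo` text says null "can be returned", but `hpo` is an argument, so it should read `null can be passed`. Because null stands for "every object's policy may have changed", the Javadoc should make the listener's duty explicit, for example `A null list means all object policies may have changed; implementations must invalidate all cached policy data`. A listener that ignores the null case would keep presenting stale grants after a revoke. The contract also leaves open whether an empty list is a no-op and which thread invokes the callback.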
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
new file mode 100644
index 0000000..a9d1bd5
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins.
+ */
+public interface HivePolicyProvider {
+ /**
+ * @param hiveObject
+ * @return representation of user/group to permissions mapping.
+ */
+ HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+ /**
+ * @param listener
+ */
+ void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}
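Review bot: `getResourceACLs` does not define its result for an object the plugin has no policy for or does not recognise, so a consumer cannot tell "no one has access" from "unknown" and may hit a null dereference. I would pin it in the Javadoc, e.g. `@return user/group to permissions mapping for hiveObject; never null, with empty maps when no policy applies` (the exact choice is the author's, but it should be stated). Both `@param` tags are empty and should describe the argument, e.g. `@param hiveObject object whose policies are requested` and `@param listener callback invoked when policies change`. `registerHivePolicyChangeListener` also does not say whether several listeners may be registered or whether registration is thread-safe, and there is no matching way to unregister.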
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 0000000..53e221f
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.Map;
+
+/**
+ * Captures authorization policy information on a {@link HivePrivilegeObject}.
+ */
+public interface HiveResourceACLs {
+ /**
+ * Privilege types.
+ */
+ enum Privilege {
+ SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+ };
+
+ /**
+ * Privilege access result.
+ */
+ enum AccessResult {
+ ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+ };
+
+ /**
+ * @return Returns mapping of user name to privilege-access result pairs
+ */
+ Map<String, Map<Privilege, AccessResult>> getUserPermissions();
+
+ /**
+ * @return Returns mapping of group name to privilege-access result pairs
+ */
+ Map<String, Map<Privilege, AccessResult>> getGroupPermissions();
+
+}
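Review bot: `AccessResult.CONDITIONAL_ALLOWED` is undocumented, and a consumer that maps it to "allowed" would report more access than the policy grants. Each constant should carry a one-line Javadoc, e.g. `/** Access depends on a condition the plugin evaluates per request; must not be treated as ALLOWED. */` (wording to be confirmed by the author, since the condition is not defined in this commit). The interface should also state what a missing user, group or `Privilege` key means (safest reading: not allowed) and how a user entry combines with a group entry when they disagree. The two getters should say whether the returned maps may be null and whether callers may modify them. The `;` after each enum body is redundant.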