Posted to commits@ranger.apache.org by ma...@apache.org on 2016/04/08 20:18:50 UTC
incubator-ranger git commit: RANGER-917: fix to resolve build break
due to Hive authorizer interface updates
Repository: incubator-ranger
Updated Branches:
refs/heads/master 6a8e3ae92 -> 3a363c530
RANGER-917: fix to resolve build break due to Hive authorizer interface updates
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3a363c53
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3a363c53
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3a363c53
Branch: refs/heads/master
Commit: 3a363c53037453efcd2e4c51324f92daf9a291b7
Parents: 6a8e3ae
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Fri Apr 8 10:48:54 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Apr 8 10:48:54 2016 -0700
----------------------------------------------------------------------
.../authorizer/RangerHiveAccessRequest.java | 26 ++++---
.../hive/authorizer/RangerHiveAuthorizer.java | 71 ++++++++++++--------
2 files changed, 58 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3a363c53/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index c43af8e..5d5d462 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -22,9 +22,10 @@ package org.apache.ranger.authorization.hive.authorizer;
import java.util.Date;
import java.util.Set;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -42,8 +43,9 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
Set<String> userGroups,
String hiveOpTypeName,
HiveAccessType accessType,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
+ QueryContext context,
+ HiveAuthzSessionContext sessionContext,
+ HiveAuthenticationProvider hiveAuthenticator) {
this.setResource(resource);
this.setUser(user);
this.setUserGroups(userGroups);
@@ -51,10 +53,13 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
this.setAction(hiveOpTypeName);
if(context != null) {
- this.setClientIPAddress(context.getIpAddress());
this.setRequestData(context.getCommandString());
}
-
+
+ if(hiveAuthenticator != null) {
+ this.setClientIPAddress(hiveAuthenticator.getUserIpAddress());
+ }
+
if(sessionContext != null) {
this.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
this.setSessionId(sessionContext.getSessionString());
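Review bot: When `hiveAuthenticator` is null, the request now leaves this constructor with no client IP set, and nothing records that. The address used to come from `context`; it now comes only from `hiveAuthenticator.getUserIpAddress()`, so a caller passing a null authenticator produces a request whose client IP is unset, which presumably shows up as a blank address in audit records and in any IP-based policy evaluation. I would add a comment above the new block such as `// client IP comes from the authenticator only; a null authenticator leaves it unset`, and document the new parameter as nullable. The constructor starts before this hunk and continues after it.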
@@ -76,13 +81,14 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
Set<String> userGroups,
HiveOperationType hiveOpType,
HiveAccessType accessType,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
- this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext);
+ QueryContext context,
+ HiveAuthzSessionContext sessionContext,
+ HiveAuthenticationProvider hiveAuthenticator) {
+ this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext, hiveAuthenticator);
}
- public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
- this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext);
+ public RangerHiveAccessRequest(RangerHiveResource resource, String user, Set<String> groups, QueryContext context, HiveAuthzSessionContext sessionContext, HiveAuthenticationProvider hiveAuthenticator) {
+ this(resource, user, groups, "METADATA OPERATION", HiveAccessType.USE, context, sessionContext, hiveAuthenticator);
}
public HiveAccessType getHiveAccessType() {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3a363c53/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 8988650..abd1081 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -40,7 +40,6 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
@@ -50,6 +49,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
@@ -211,7 +211,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
public void checkPrivileges(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context)
+ QueryContext context)
throws HiveAuthzPluginException, HiveAccessControlException {
UserGroupInformation ugi = getCurrentUserGroupInfo();
@@ -223,11 +223,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
try {
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
+ HiveAuthenticationProvider authenticator = getHiveAuthenticator();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
if(LOG.isDebugEnabled()) {
- LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
+ LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext, authenticator));
}
if(hiveOpType == HiveOperationType.DFS) {
@@ -264,7 +265,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, authenticator);
requests.add(request);
}
@@ -273,7 +274,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext, authenticator);
requests.add(request);
} else {
if (LOG.isDebugEnabled()) {
@@ -308,7 +309,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType, accessType, context, sessionContext, authenticator);
requests.add(request);
}
@@ -385,7 +386,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
// Commented out to avoid build errors until this interface is stable in Hive Branch
// @Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> objs,
- HiveAuthzContext context)
+ QueryContext context)
throws HiveAuthzPluginException, HiveAccessControlException {
if (LOG.isDebugEnabled()) {
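Review bot: `filterListCmdObjects` keeps its `@Override` commented out even though this commit changes its parameter to `QueryContext` to follow the updated Hive interface. Without the annotation the compiler cannot detect a signature mismatch, and a mismatch would presumably leave Hive calling an inherited implementation instead of this filter, so listed objects would no longer be checked against policy. If the interface now declares this method with `QueryContext`, restore `@Override` and drop the "Commented out to avoid build errors" comment; otherwise reword that comment to state what it is waiting for. The method body continues outside the hunk.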
@@ -413,6 +414,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
// get user/group info
UserGroupInformation ugi = getCurrentUserGroupInfo(); // we know this can't be null since we checked it above!
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
+ HiveAuthenticationProvider authenticator = getHiveAuthenticator();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
if (LOG.isDebugEnabled()) {
@@ -430,8 +432,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
String dbName = privilegeObject.getDbname();
List<String> columns = privilegeObject.getColumns();
List<String> partitionKeys = privilegeObject.getPartKeys();
- String commandString = context.getCommandString();
- String ipAddress = context.getIpAddress();
+ String commandString = context == null ? null : context.getCommandString();
+ String ipAddress = authenticator == null ? null : authenticator.getUserIpAddress();
final String format = "filterListCmdObjects: actionType[%s], objectType[%s], objectName[%s], dbName[%s], columns[%s], partitionKeys[%s]; context: commandString[%s], ipAddress[%s]";
LOG.debug(String.format(format, actionType, objectType, objectName, dbName, columns, partitionKeys, commandString, ipAddress));
@@ -441,7 +443,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if (resource == null) {
LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
} else {
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, context, sessionContext, authenticator);
RangerAccessResult result = hivePlugin.isAccessAllowed(request);
if (result == null) {
LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
@@ -469,6 +471,25 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
@Override
+ public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext queryContext, List<HivePrivilegeObject> list) throws SemanticException {
+ List<HivePrivilegeObject> ret = list;
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", " + list + ")");
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", " + list + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public boolean needTransform() {
+ return true; // TODO: derive from the policies
+ }
+
public String getRowFilterExpression(String databaseName, String tableOrViewName) throws SemanticException {
UserGroupInformation ugi = getCurrentUserGroupInfo();
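Review bot: The new `applyRowFilterAndColumnMasking` returns `list` unchanged, so no row-filter or column-masking policy is applied on this path, while `needTransform()` still answers `true`. In the same commit `getRowFilterExpression` (the `@Override` kept as context here now binds to the new method) and `getCellValueTransformer` (hunk at -509) lose their `@Override`, which suggests Hive no longer reaches them through the interface. If so, the results of `evalRowFilterPolicies` and `evalDataMaskPolicies` are not enforced until the stub is filled in. The stub should say so explicitly, e.g. `// TODO: not implemented - objects are returned unmodified; row-filter and data-mask policies are NOT applied here`. The two debug statements can also share one `LOG.isDebugEnabled()` check, since nothing runs between them.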
@@ -485,13 +506,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
try {
- HiveAuthzContext context = null; // TODO: this should be provided as an argument to this method
+ QueryContext context = null; // TODO: this should be provided as an argument to this method
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
+ HiveAuthenticationProvider authenticator = getHiveAuthenticator();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
HiveObjectType objectType = HiveObjectType.TABLE;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, authenticator);
RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
@@ -509,7 +531,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
- @Override
public String getCellValueTransformer(String databaseName, String tableOrViewName, String columnName) throws SemanticException {
UserGroupInformation ugi = getCurrentUserGroupInfo();
@@ -526,13 +547,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
try {
- HiveAuthzContext context = null; // TODO: this should be provided as an argument to this method
+ QueryContext context = null; // TODO: this should be provided as an argument to this method
HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
+ HiveAuthenticationProvider authenticator = getHiveAuthenticator();
String user = ugi.getShortUserName();
Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
HiveObjectType objectType = HiveObjectType.COLUMN;
RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
- RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext, authenticator);
RangerDataMaskResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
@@ -581,16 +603,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
- @Override
- public boolean needTransform() {
- return true; // TODO: derive from the policies
- }
-
- @Override
- public boolean needTransform(String databaseName, String tableOrViewName) {
- return true; // TODO: derive from the policies
- }
-
RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
RangerHiveResource resource = null;
@@ -908,7 +920,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private void handleDfsCommand(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context,
+ QueryContext context,
HiveAuthzSessionContext sessionContext,
String user,
Set<String> groups,
@@ -1100,8 +1112,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private String toString(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
+ QueryContext context,
+ HiveAuthzSessionContext sessionContext,
+ HiveAuthenticationProvider authenticator) {
StringBuilder sb = new StringBuilder();
sb.append("'checkPrivileges':{");
@@ -1118,7 +1131,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
sb.append(", 'context':{");
sb.append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType());
sb.append(", 'commandString':").append(context == null ? null : context.getCommandString());
- sb.append(", 'ipAddress':").append(context == null ? null : context.getIpAddress());
+ sb.append(", 'ipAddress':").append(authenticator == null ? null : authenticator.getUserIpAddress());
sb.append(", 'sessionString':").append(sessionContext == null ? null : sessionContext.getSessionString());
sb.append("}");