Posted to commits@ranger.apache.org by rm...@apache.org on 2019/03/27 07:09:13 UTC
[ranger] branch master updated: RANGER-2367:Hive show grants when
Ranger is authorizer should show permission details from Ranger
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new acbaa5c RANGER-2367:Hive show grants when Ranger is authorizer should show permission details from Ranger
acbaa5c is described below
commit acbaa5c8800917a682ae756b16939c57cfbae948
Author: rmani <rm...@hortonworks.com>
AuthorDate: Wed Mar 20 17:54:39 2019 -0700
RANGER-2367:Hive show grants when Ranger is authorizer should show permission details from Ranger
Signed-off-by: rmani <rm...@hortonworks.com>
---
.../policyengine/RangerPolicyEngineImpl.java | 6 +-
.../plugin/policyengine/RangerResourceACLs.java | 34 +-
.../hive/authorizer/RangerHiveAuthorizer.java | 353 ++++++++++++++++-----
.../services/hive/HIVERangerAuthorizerTest.java | 2 +-
.../RangerSampleProjectProvider.java | 2 +-
5 files changed, 312 insertions(+), 85 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5e68363..9fe0531 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -628,7 +628,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
- ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult);
+ RangerPolicy policy = evaluator.getPolicy();
+ ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -644,7 +645,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
- ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult);
+ RangerPolicy policy = evaluator.getPolicy();
+ ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy);
}
}
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
index adee37e..eafbde2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
@@ -20,6 +20,8 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+
import org.codehaus.jackson.annotate.JsonAutoDetect;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.map.annotate.JsonSerialize;
@@ -38,7 +40,6 @@ import static org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.ACC
public class RangerResourceACLs {
final private Map<String, Map<String, AccessResult>> userACLs = new HashMap<>();
final private Map<String, Map<String, AccessResult>> groupACLs = new HashMap<>();
-
public RangerResourceACLs() {
}
@@ -84,7 +85,7 @@ public class RangerResourceACLs {
finalizeAcls(groupACLs);
}
- public void setUserAccessInfo(String userName, String accessType, Integer access) {
+ public void setUserAccessInfo(String userName, String accessType, Integer access, RangerPolicy policy) {
Map<String, AccessResult> userAccessInfo = userACLs.get(userName);
if (userAccessInfo == null) {
@@ -96,15 +97,16 @@ public class RangerResourceACLs {
AccessResult accessResult = userAccessInfo.get(accessType);
if (accessResult == null) {
- accessResult = new AccessResult(access);
+ accessResult = new AccessResult(access, policy);
userAccessInfo.put(accessType, accessResult);
} else {
accessResult.setResult(access);
+ accessResult.setPolicy(policy);
}
}
- public void setGroupAccessInfo(String groupName, String accessType, Integer access) {
+ public void setGroupAccessInfo(String groupName, String accessType, Integer access, RangerPolicy policy) {
Map<String, AccessResult> groupAccessInfo = groupACLs.get(groupName);
if (groupAccessInfo == null) {
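Review bot: At L79-80 `setPolicy(policy)` runs unconditionally after `setResult(access)`, so the last evaluator to touch an access type always wins the policy reference even when the result it contributed was not kept; if setResult is a no-op once `isFinal` is set (its body is outside this hunk), a final deny can end up attributed to a later allow policy. Tie the two together, e.g. record the policy only when the result was actually taken: `if (accessResult.getResult() == access) { accessResult.setPolicy(policy); }`, or move the assignment into setResult next to the result it describes. The group variant in the next hunk (L94-95) has the same shape. Even without isFinal, the stored policy is presumably "the last evaluator that matched", which the new show-grant output will present as "the" grant; a one-line comment on setUserAccessInfo stating that would save the next reader a trip through the engine.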
@@ -116,11 +118,12 @@ public class RangerResourceACLs {
AccessResult accessResult = groupAccessInfo.get(accessType);
if (accessResult == null) {
- accessResult = new AccessResult(access);
+ accessResult = new AccessResult(access, policy);
groupAccessInfo.put(accessType, accessResult);
} else {
accessResult.setResult(access);
+ accessResult.setPolicy(policy);
}
}
@@ -135,6 +138,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission : entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("},");
+ sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
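Review bot: `permission.getValue().getPolicy().getId()` at L102 throws NullPointerException whenever the policy is null, and null is a supported value here: the no-arg `AccessResult()` passes `null` (L122) and `setUserAccessInfo` propagates whatever the engine hands it. A toString that throws also poisons every debug log line that prints the ACLs. Null-guard it: `RangerPolicy p = permission.getValue().getPolicy();` then `sb.append("{RangerPolicyID=").append(p == null ? null : p.getId()).append("},");`. The group loop in the next hunk (L110) needs the same guard.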
@@ -145,6 +149,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission : entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, ");
+ sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
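Review bot: The label written at L110, `{RangerPolicy ID=`, differs from the user loop's `{RangerPolicyID=` at L102, and the two loops also disagree on the separator (`"}, "` vs `"},"`); anyone grepping logs for the policy id will match only one of them. Use one spelling, e.g. `sb.append("{RangerPolicyID=")`, in both places. As in the user loop, `getPolicy()` can be null here, so the same null check applies before `.getId()`.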
@@ -179,19 +184,20 @@ public class RangerResourceACLs {
public static class AccessResult {
private int result;
private boolean isFinal;
-
+ private RangerPolicy policy;
public AccessResult() {
- this(-1);
+ this(-1, null);
}
- public AccessResult(int result) {
- this(result, false);
+ public AccessResult(int result, RangerPolicy policy) {
+ this(result, false, policy);
}
- public AccessResult(int result, boolean isFinal) {
+ public AccessResult(int result, boolean isFinal, RangerPolicy policy) {
setIsFinal(isFinal);
setResult(result);
+ setPolicy(policy);
}
public int getResult() { return result; }
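Review bot: The public constructor `AccessResult(int result)` is removed (L124) rather than kept as an overload, so any caller outside this diff that used it no longer compiles; keep it delegating: `public AccessResult(int result) { this(result, null); }`. The new field also changes what this class carries over the wire: RangerResourceACLs is Jackson-annotated (L55-57), so if it is ever serialized each AccessResult now embeds the entire RangerPolicy — items for every principal, conditions, masks — not just the id that toString prints; consider `@JsonIgnore` on `getPolicy()` or storing only the id and name if nothing downstream needs the full object. The `equals()` override begins in the next hunk and its body is outside view, so whether `policy` now participates in equality cannot be told from here; whichever way it goes should be deliberate and commented.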
@@ -210,6 +216,14 @@ public class RangerResourceACLs {
public void setIsFinal(boolean isFinal) { this.isFinal = isFinal; }
+ public RangerPolicy getPolicy() {
+ return policy;
+ }
+
+ public void setPolicy(RangerPolicy policy){
+ this.policy = policy;
+ }
+
@Override
public boolean equals(Object other) {
if (other == null)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 0f3bee5..be82639 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -38,11 +39,7 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.metastore.IMetaStoreClient;
-import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
-import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
@@ -59,6 +56,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
@@ -67,7 +65,12 @@ import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -86,8 +89,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
private static final String HIVE_CONF_VAR_QUERY_STRING = "hive.query.string";
+ private static final String DEFAULT_RANGER_POLICY_GRANTOR = "ranger";
+
private static volatile RangerHivePlugin hivePlugin = null;
+ private static RangerAuthContext authContext;
+
public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
HiveConf hiveConf,
HiveAuthenticationProvider hiveAuthenticator,
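Review bot: `private static RangerAuthContext authContext` (L198) is plain shared state — not volatile, not final — that showPrivileges reassigns on every call (L275) and getRangerResourceACLs reads back (L483); two concurrent SHOW GRANT sessions in HiveServer2 can swap each other's context mid-evaluation, and a thread can observe a stale or null reference. Make it a local in showPrivileges and pass it to getRangerResourceACLs, or simply call `hivePlugin.createRangerAuthContext()` inside getRangerResourceACLs and drop the field. `DEFAULT_RANGER_POLICY_GRANTOR = "ranger"` is later presented as a USER principal in the grant output (L457); a comment such as `// synthetic grantor: Ranger policies carry no per-grant grantor, so all grants are attributed to "ranger"` would stop readers looking for a real account.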
@@ -771,7 +778,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
- RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
+ private RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
RangerHiveResource resource = null;
HivePrivilegeObjectType objectType = privilegeObject.getType();
@@ -1475,82 +1482,37 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
- HivePrivilegeObject privObj) throws HiveAuthzPluginException {
- try {
+ HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+ List<HivePrivilegeInfo> ret;
- LOG.debug("RangerHiveAuthorizer.showPrivileges()");
- IMetaStoreClient mClient = getMetastoreClientFactory()
- .getHiveMetastoreClient();
- List<HivePrivilegeInfo> resPrivInfos = new ArrayList<HivePrivilegeInfo>();
- String principalName = null;
- PrincipalType principalType = null;
- if (principal != null) {
- principalName = principal.getName();
- principalType = AuthorizationUtils
- .getThriftPrincipalType(principal.getType());
- }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==> principal: " + principal+ "HivePrivilegeObject : " + privObj.getObjectName());
+ }
- List<HiveObjectPrivilege> msObjPrivs = mClient.list_privileges(
- principalName, principalType,
- this.getThriftHiveObjectRef(privObj));
- if (msObjPrivs != null) {
- for (HiveObjectPrivilege msObjPriv : msObjPrivs) {
- HiveObjectRef msObjRef = msObjPriv.getHiveObject();
- org.apache.hadoop.hive.metastore.api.HiveObjectType objectType = msObjRef
- .getObjectType();
- if (!isSupportedObjectType(objectType)) {
- continue;
- }
- HivePrincipal resPrincipal = new HivePrincipal(
- msObjPriv.getPrincipalName(),
- AuthorizationUtils.getHivePrincipalType(msObjPriv
- .getPrincipalType()));
-
- PrivilegeGrantInfo msGrantInfo = msObjPriv.getGrantInfo();
- HivePrivilege resPrivilege = new HivePrivilege(
- msGrantInfo.getPrivilege(), null);
-
- HivePrivilegeObject resPrivObj = new HivePrivilegeObject(
- getPluginPrivilegeObjType(objectType),
- msObjRef.getDbName(), msObjRef.getObjectName(),
- msObjRef.getPartValues(), msObjRef.getColumnName());
-
- HivePrincipal grantorPrincipal = new HivePrincipal(
- msGrantInfo.getGrantor(),
- AuthorizationUtils.getHivePrincipalType(msGrantInfo
- .getGrantorType()));
-
- HivePrivilegeInfo resPrivInfo = new HivePrivilegeInfo(
- resPrincipal, resPrivilege, resPrivObj,
- grantorPrincipal, msGrantInfo.isGrantOption(),
- msGrantInfo.getCreateTime());
- resPrivInfos.add(resPrivInfo);
- }
+ if ( hivePlugin == null) {
+ new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");
+ }
- } else {
- throw new HiveAccessControlException(
- "RangerHiveAuthorizer.showPrivileges():User has to specify"
- + " a user name or role in the show grant. ");
+ try {
+ authContext = hivePlugin.createRangerAuthContext();
+ HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
+
+ if (msObjRef.getObjectName() == null) {
+ throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
}
- return resPrivInfos;
+
+ ret = getHivePrivilegeInfos(principal, privObj);
} catch (Exception e) {
- LOG.error("RangerHiveAuthorizer.showPrivileges: showPrivileges returned by showPrivileges is null");
- throw new HiveAuthzPluginException("hive showPrivileges" + ": "
- + e.getMessage(), e);
+ LOG.error("RangerHiveAuthorizer.showPrivileges() error", e);
+ throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " + e.getMessage(), e);
}
- }
- private boolean isSupportedObjectType(
- org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
- switch (objectType) {
- case DATABASE:
- case TABLE:
- return true;
- default:
- return false;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.showPrivileges() Result: " + ret);
}
+ return ret;
}
private HivePrivilegeObjectType getPluginPrivilegeObjType(
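Review bot: The exception at L268 is constructed but never thrown — `new HiveAuthzPluginException(...)` with no `throw` — so a null plugin falls straight into `hivePlugin.createRangerAuthContext()` at L275 and surfaces as an NPE; change it to `throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");`. A `SHOW GRANT USER x` with no object is the other null path: `privObj.getObjectName()` in the debug line at L229 dereferences it first, and if `getThriftHiveObjectRef(null)` returns null (as Hive's helper appears to) the intended message at L279 is never reached because `msObjRef.getObjectName()` throws; guard with `if (privObj == null || msObjRef == null || msObjRef.getObjectName() == null)` and move the object name out of the L229 log. Separately, nothing here checks who is asking: with `principal == null` the callee (L373-L407) enumerates every user's and group's Ranger permissions on the resource, so unless `checkPrivileges` already gates SHOW_GRANT for non-admins, that branch should be limited to admins or to the session user. The old metastore-backed code at least only returned what the metastore had stored for the requested principal.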
@@ -1640,6 +1602,255 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return ret;
}
+ private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+ List<HivePrivilegeInfo> ret = new ArrayList<>();
+ HivePrivilegeObject.HivePrivilegeObjectType objectType = null;
+ Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = null;
+ Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = null;
+
+ String dbName = null;
+ String objectName = null;
+ String columnName = null;
+ List<String> partValues = null;
+
+ try {
+ HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);
+
+ if (msObjRef != null) {
+ HivePrivilegeObject hivePrivilegeObject = null;
+
+ if (msObjRef.getObjectName() != null) {
+ // when resource is specified in the show grants, acl will be for that resource / user / groups
+ objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
+ dbName = msObjRef.getDbName();
+ objectName = msObjRef.getObjectName();
+ columnName = (msObjRef.getColumnName() == null) ? new String() : msObjRef.getColumnName();
+ partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();
+ hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);
+
+ RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(hivePrivilegeObject);
+
+ if (rangerResourceACLs != null) {
+ Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
+ Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
+ userPermissions = convertRangerACLsToHiveACLs(userRangerACLs);
+ groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
+
+ if (principal != null) {
+ String user = principal.getName();
+ Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);
+ if (userACLs != null) {
+ Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
+ for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
+ RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
+ if (policy != null) {
+ String aclname = getPermission(userACL, userAccessResult, policy);
+ HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
+ ret.add(privilegeInfo);
+ }
+ }
+ }
+
+ Set<String> groups = getPrincipalGroup(user);
+ for(String group : groups) {
+ Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
+ if (groupACLs != null) {
+ Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
+ for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
+ RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
+ if (policy != null) {
+ String aclname = getPermission(groupACL, groupAccessResult, policy);
+ HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
+ ret.add(privilegeInfo);
+ }
+ }
+ }
+ }
+ } else {
+ // Request is for all the ACLs on a resource
+ for (String user : userRangerACLs.keySet()) {
+ HivePrincipal hivePrincipal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
+ Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);
+
+ if (userACLs != null) {
+ Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
+ for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
+ RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
+ if (policy != null) {
+ String aclname = getPermission(userACL, userAccessResult, policy);
+ HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
+ ret.add(privilegeInfo);
+ }
+ }
+ }
+ }
+
+ for (String group : groupRangerACLs.keySet()) {
+ HivePrincipal hivePrincipal = new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP);
+ Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
+ if (groupACLs != null) {
+ Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
+ for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
+ RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
+ if (policy != null) {
+ String aclname = getPermission(groupACL, groupAccessResult, policy);
+ HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
+ ret.add(privilegeInfo);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException("hive showPrivileges" + ": " + e.getMessage(), e);
+ }
+ return ret;
+ }
+
+ private RangerPolicy getRangerPolicy(Map<String, RangerResourceACLs.AccessResult> accessResults, String rangerACL){
+ RangerPolicy ret = null;
+ if (MapUtils.isNotEmpty(accessResults)) {
+ RangerResourceACLs.AccessResult accessResult = accessResults.get(rangerACL.toLowerCase());
+ if (accessResult != null) {
+ ret = accessResult.getPolicy();
+ }
+ }
+ return ret;
+ }
+
+ private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
+ HivePrivilegeObject.HivePrivilegeObjectType objectType,
+ String dbName,
+ String objectName,
+ String columnName,
+ List<String> partValues,
+ String aclName,
+ RangerPolicy policy) {
+ HivePrivilegeInfo ret = null;
+ int creationDate = 0;
+ boolean delegateAdmin = false;
+
+ for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess> policyItemAccesses = policyItem.getAccesses();
+ List<String> users = policyItem.getUsers();
+ List<String> groups = policyItem.getGroups();
+ List<String> accessTypes = new ArrayList<>();
+
+ for (RangerPolicy.RangerPolicyItemAccess policyItemAccess : policyItemAccesses) {
+ accessTypes.add(policyItemAccess.getType());
+ }
+
+ if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName())
+ || groups.contains(hivePrincipal.getName()))) {
+ creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000);
+ delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
+ }
+ }
+
+ HivePrincipal grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
+ HivePrivilegeObject privilegeObject = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
+ HivePrivilege privilege = new HivePrivilege(aclName, null);
+ ret = new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
+
+ return ret;
+ }
+
+ private Set<String> getPrincipalGroup(String user) {
+ Set<String> groups = null;
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
+ groups = Sets.newHashSet(ugi.getGroupNames());
+ return groups;
+ }
+
+ private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject) {
+
+ RangerResourceACLs ret = null;
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
+ }
+
+ RangerHiveResource hiveResource = createHiveResource(hiveObject);
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null);
+
+ ret = authContext.getResourceACLs(request);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "], Computed ACLS:[" + ret + "]");
+ }
+
+ return ret;
+ }
+
+ private Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> convertRangerACLsToHiveACLs(Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs) {
+
+ Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> ret = new HashMap<>();
+
+ if (MapUtils.isNotEmpty(rangerACLs)) {
+ Set<String> hivePrivileges = new HashSet<>();
+ for (HiveResourceACLs.Privilege privilege : HiveResourceACLs.Privilege.values()) {
+ hivePrivileges.add(privilege.name().toLowerCase());
+ }
+
+ for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : rangerACLs.entrySet()) {
+
+ Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> permissions = new HashMap<>();
+ ret.put(entry.getKey(), permissions);
+
+ for (Map.Entry<String, RangerResourceACLs.AccessResult> permission : entry.getValue().entrySet()) {
+
+ if (hivePrivileges.contains(permission.getKey())) {
+ HiveResourceACLs.Privilege privilege = HiveResourceACLs.Privilege.valueOf(StringUtils.upperCase(permission.getKey()));
+ HiveResourceACLs.AccessResult accessResult;
+ int rangerResultValue = permission.getValue().getResult();
+
+ if (rangerResultValue == RangerPolicyEvaluator.ACCESS_ALLOWED) {
+ accessResult = HiveResourceACLs.AccessResult.ALLOWED;
+ } else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_DENIED) {
+ accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED;
+ } else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
+ accessResult = HiveResourceACLs.AccessResult.CONDITIONAL_ALLOWED;
+ } else {
+ // Should not get here
+ accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED;
+ }
+ permissions.put(privilege, accessResult);
+ }
+ }
+ }
+ }
+ return ret;
+ }
+
+ private String getPermission(HiveResourceACLs.Privilege acl, Map<String, RangerResourceACLs.AccessResult> accessResultMap, RangerPolicy policy ) {
+ String aclname = acl.name();
+ int aclResult = checkACLIsAllowed(acl, accessResultMap);
+ if (aclResult > RangerPolicyEvaluator.ACCESS_DENIED) {
+ // Other than denied ACLs are considered
+ if (policy != null) {
+ if (aclResult == RangerPolicyEvaluator.ACCESS_UNDETERMINED) {
+ aclname = aclname + " " + "(ACCESS_UNDETERMINED)";
+ } else if (aclResult == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
+ aclname = aclname + " " + "(ACCESS_CONDITIONAL)";
+ }
+ }
+ }
+ return aclname;
+ }
+
+ private int checkACLIsAllowed(HiveResourceACLs.Privilege acl, Map<String, RangerResourceACLs.AccessResult> accessResultMap ) {
+ int result = -1;
+ String aclName = acl.name().toLowerCase();
+ RangerResourceACLs.AccessResult accessResult = accessResultMap.get(aclName);
+ if (accessResult != null) {
+ result = accessResult.getResult();
+ }
+ return result;
+ }
+
private String toString(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
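Review bot: A Ranger deny is reported as a grant: the loops at L348, L363, L381 and L397 iterate every privilege in the converted map, which still contains NOT_ALLOWED entries (L517, L522), and getPermission only annotates results above ACCESS_DENIED, so a user explicitly denied SELECT appears in SHOW GRANT with a plain `SELECT` privilege, attributed to the deny policy. Either skip those entries in the four loops or label them; the smallest change is at the top of getPermission after `checkACLIsAllowed`: `if (aclResult == RangerPolicyEvaluator.ACCESS_DENIED) { return aclname + " (ACCESS_DENIED)"; }`. createHivePrivilegeInfo scans only `getPolicyItems()` (L440), so for deny or exception items `creationDate` stays 0 and `delegateAdmin` false — worth a comment there once denies are labelled. getPrincipalGroup (L465-470) resolves groups through Hadoop's UserGroupInformation on the HiveServer2 host, which need not match the user/group store the Ranger policy was evaluated against; at minimum document that, and consider intersecting with `groupRangerACLs.keySet()` so only groups Ranger actually knows are consulted. If ACCESS_UNDETERMINED is the same -1 that checkACLIsAllowed returns when a key is missing, the `(ACCESS_UNDETERMINED)` branch at L538 is unreachable under `aclResult > RangerPolicyEvaluator.ACCESS_DENIED` — please confirm the constant values.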
diff --git a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index af60479..b04e8bc 100644
--- a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++ b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -940,7 +940,7 @@ public class HIVERangerAuthorizerTest {
String initialUrl = "jdbc:hive2://localhost:" + port;
Connection connection = DriverManager.getConnection(initialUrl, "admin", "admin");
Statement statement = connection.createStatement();
- Assert.assertTrue(statement.execute("show grant user admin"));
+ Assert.assertTrue(statement.execute("show grant user admin on table words"));
statement.close();
connection.close();
}
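Review bot: The assertion was narrowed rather than the regression covered: `show grant user admin` with no object no longer works under the new showPrivileges (null object name path), and the test simply stops exercising that form. Keep the original statement as a negative case — wrap `statement.execute("show grant user admin")` in a try/catch that expects `SQLException` and asserts the message mentions "only supports SHOW PRIVILEGES for Hive resources" — alongside the new `on table words` case. `assertTrue(statement.execute(...))` only proves a ResultSet came back; read it and assert at least one row names `admin` on `words`, otherwise an empty ACL listing passes and the feature this commit adds is untested.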
diff --git a/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java b/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
index df6da7c..be17e83 100644
--- a/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
+++ b/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
@@ -83,7 +83,7 @@ public class RangerSampleProjectProvider extends RangerAbstractContextEnricher {
LOG.debug("==> RangerSampleProjectProvider.enrich(" + request + ")");
}
- if(request != null && userProjectMap != null) {
+ if(request != null && userProjectMap != null && request.getUser() != null) {
Map<String, Object> context = request.getContext();
String project = userProjectMap.getProperty(request.getUser());