Posted to commits@ranger.apache.org by rm...@apache.org on 2021/10/12 00:31:09 UTC
[ranger] 01/01: RANGER-3467:Revert RANGER-3368 Ranger
HiveAuthorizer improvements to handle uncharted hive commands
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch range-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 8fbee8b6d081cd603c704cf977fa79504686ee18
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Wed Oct 6 22:26:25 2021 -0700
RANGER-3467: Revert RANGER-3368 Ranger HiveAuthorizer improvements to handle uncharted hive commands
Signed-off-by: Ramesh Mani <rm...@apache.org>
---
.../hive/authorizer/RangerHiveAuditHandler.java | 25 ---
.../hive/authorizer/RangerHiveAuthorizer.java | 228 +--------------------
2 files changed, 1 insertion(+), 252 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 730c855..a3d575c 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -237,31 +237,6 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
addAuthzAuditEvent(auditEvent);
}
- public void logAuditEvent(String userName, String resourceName, String resourceType, String command, boolean accessGranted,
- int repositoryType, String repositoryName, String clusterName, String accessType, String ipAddress) {
- AuthzAuditEvent auditEvent = new AuthzAuditEvent();
-
- auditEvent.setAclEnforcer(moduleName);
- auditEvent.setResourcePath(resourceName);
- auditEvent.setResourceType(resourceType);
- auditEvent.setAccessType(accessType);
- auditEvent.setAction(accessType);
- auditEvent.setUser(userName);
- auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
- auditEvent.setEventTime(new Date());
- auditEvent.setRepositoryType(repositoryType);
- auditEvent.setRepositoryName(repositoryName);
- auditEvent.setRequestData(command);
- auditEvent.setPolicyId(-1L);
- auditEvent.setClusterName(clusterName);
- auditEvent.setClientIP(ipAddress);
-
- if(LOG.isDebugEnabled()){
- LOG.debug("Logging " + accessType + " event " + auditEvent);
- }
- addAuthzAuditEvent(auditEvent);
- }
-
public void flushAudit() {
if(auditEvents == null) {
return;
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 9dfbc9b..dd758e9 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -966,8 +966,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
if(accessType == HiveAccessType.NONE) {
continue;
- } else if(accessType == HiveAccessType.UNKNOWN){
- handleUnKnownAccessTypeCommands(hiveOpType, inputHObjs, outputHObjs, user, auditHandler, context);
}
if(!existsByResourceAndAccessType(requests, resource, accessType)) {
@@ -995,19 +993,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
}
- if (CollectionUtils.isEmpty(inputHObjs) && CollectionUtils.isEmpty(outputHObjs) && !IsCommandInExceptionList(hiveOpType)) {
- if (hiveOpType.equals(HiveOperationType.DROPDATABASE) || hiveOpType.equals(HiveOperationType.DROPTABLE)) {
- //Handle Drop If exists statements where both inputHObjs and outputHObjs will be empty and request has to created out of commandString.
- RangerHiveAccessRequest request = buildRequestForDropIfExistsCommands(hiveOpType, user, groups, roles, hiveOpType.name(), context, sessionContext);
- if (request != null) {
- requests.add(request);
- }
- } else {
- String commandString = context == null ? "" : context.getCommandString();
- throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
- }
- }
-
buildRequestContextWithAllAccessedResources(requests);
for(RangerHiveAccessRequest request : requests) {
@@ -1914,8 +1899,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
case SHOW_ROLE_PRINCIPALS:
case SHOW_TRANSACTIONS:
break;
- default:
- accessType = HiveAccessType.UNKNOWN;
}
break;
}
@@ -2218,79 +2201,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
user, hiveOpType.name()));
}
- private void handleUnKnownAccessTypeCommands(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- String user,
- RangerHiveAuditHandler auditHandler,
- HiveAuthzContext context)
- throws HiveAccessControlException {
-
- String commandString = context.getCommandString();
- String resourceName = null;
- String resourceType = null;
-
- if (inputHObjs != null) {
- for(HivePrivilegeObject hiveObj : inputHObjs) {
- resourceName = getResourceName(hiveObj);
- if(StringUtils.isNotEmpty(resourceName)) {
- resourceType = getResourceType(hiveObj);
- break;
- }
- }
- }
-
- if (StringUtils.isEmpty(resourceName) && outputHObjs != null) {
- for(HivePrivilegeObject hiveObj : outputHObjs) {
- resourceName = getResourceName(hiveObj);
- if(StringUtils.isNotEmpty(resourceName)) {
- resourceType = getResourceType(hiveObj);
- break;
- }
- }
-
- }
-
- int serviceType = -1;
- String serviceName = null;
- String clusterName = null;
-
- if(hivePlugin != null) {
- serviceType = hivePlugin.getServiceDefId();
- serviceName = hivePlugin.getServiceName();
- clusterName = hivePlugin.getClusterName();
- }
-
- String commandType = (commandString != null) ? commandString.substring(0, commandString.indexOf(' ')): "";
- String ipAddress = context.getIpAddress();
- auditHandler.logAuditEvent(user, resourceName, resourceType, commandString, false, serviceType, serviceName, clusterName, commandType, ipAddress);
-
- throw new HiveAccessControlException(String.format("Unknown operation! Permission denied: user [%s] does not have privilege for [%s] command",
- user, hiveOpType.name()));
- }
-
- private String getResourceName(HivePrivilegeObject hivePrivilegeObject) {
- RangerHiveResource resource = createHiveResource(hivePrivilegeObject);
- return resource != null ? resource.getAsString() : null;
- }
-
- private String getResourceType(HivePrivilegeObject hivePrivilegeObject) {
- String ret = StringUtils.EMPTY;
- HivePrivilegeObjectType resourceType = hivePrivilegeObject.getType();
- switch (resourceType) {
- case DATABASE:
- ret = "@database";
- break;
- case TABLE_OR_VIEW:
- ret = "@table";
- break;
- case COLUMN:
- ret = "@column";
- break;
- }
- return ret;
- }
-
private boolean existsByResourceAndAccessType(Collection<RangerHiveAccessRequest> requests, RangerHiveResource resource, HiveAccessType accessType) {
boolean ret = false;
@@ -2476,42 +2386,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
}
- private boolean IsCommandInExceptionList(HiveOperationType hiveOpType) {
- boolean ret = false;
- switch (hiveOpType) {
- case CREATEMACRO:
- case CREATEROLE:
- case DESCFUNCTION:
- case DELETE:
- case DFS:
- case DROPMACRO:
- case DROPROLE:
- case EXPLAIN:
- case GRANT_ROLE:
- case REVOKE_ROLE:
- case RESET:
- case SET:
- case SHOWDATABASES:
- case SHOWCONF:
- case SHOWFUNCTIONS:
- case SHOWLOCKS:
- case SHOW_COMPACTIONS:
- case SHOW_GRANT:
- case SHOW_ROLES:
- case SHOW_ROLE_GRANT:
- case SHOW_ROLE_PRINCIPALS:
- case SHOW_TRANSACTIONS:
- case RELOADFUNCTION:
- case REPLDUMP:
- case REPLLOAD:
- case REPLSTATUS:
- case ADD:
- ret = true;
- break;
- }
- return ret;
- }
-
private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {
RangerRequestedResources requestedResources = new RangerRequestedResources();
@@ -2557,72 +2431,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
return requestedResources;
}
- private RangerHiveAccessRequest buildRequestForDropIfExistsCommands(HiveOperationType hiveOpType,
- String user,
- Set<String> userGroups,
- Set<String> userRoles,
- String hiveOpTypeName,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
- RangerHiveAccessRequest request = null;
-
- switch (hiveOpType) {
- case DROPDATABASE:
- request = buildRequestForDropDatabaseIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
- break;
-
- case DROPTABLE:
- request = buildRequestForDropTableIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
- break;
- }
-
- return request;
- }
-
- private RangerHiveAccessRequest buildRequestForDropDatabaseIfExistsCommands(String user,
- Set<String> userGroups,
- Set<String> userRoles,
- String hiveOpTypeName,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
- RangerHiveResource resource = null;
- RangerHiveAccessRequest request = null;
- HiveObj hiveObj = new HiveObj();
- hiveObj.fetchHiveObjForDropDatabase(context);
- String dbName = hiveObj.getDatabaseName();
- if (LOG.isDebugEnabled()) {
- LOG.debug("Database: " + dbName);
- }
- if (dbName != null) {
- resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
- request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
- }
- return request;
- }
-
-
- private RangerHiveAccessRequest buildRequestForDropTableIfExistsCommands(String user,
- Set<String> userGroups,
- Set<String> userRoles,
- String hiveOpTypeName,
- HiveAuthzContext context,
- HiveAuthzSessionContext sessionContext) {
- RangerHiveResource resource = null;
- RangerHiveAccessRequest request = null;
- HiveObj hiveObj = new HiveObj();
- hiveObj.fetchHiveObjForDropTable(context);
- String dbName = hiveObj.getDatabaseName();
- String tableName = hiveObj.getTableName();
- if (LOG.isDebugEnabled()) {
- LOG.debug("Database: " + dbName + " Table: " + tableName);
- }
- if (dbName != null && tableName != null) {
- resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
- request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
- }
- return request;
- }
-
private boolean isBlockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, RangerHiveAccessRequest request) {
boolean ret = false;
RangerHiveResource resource = (RangerHiveResource)request.getResource();
@@ -3274,14 +3082,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
}
enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
-enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, READ, WRITE, ALL, REPLADMIN, SERVICEADMIN, TEMPUDFADMIN, UNKNOWN };
+enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, READ, WRITE, ALL, REPLADMIN, SERVICEADMIN, TEMPUDFADMIN };
class HiveObj {
String databaseName;
String tableName;
- HiveObj() {}
-
HiveObj(HiveAuthzContext context) {
fetchHiveObj(context);
}
@@ -3314,38 +3120,6 @@ class HiveObj {
}
}
- public void fetchHiveObjForDropDatabase(HiveAuthzContext context) {
- // cmd passed: drop database if exists <db>
- if (context != null) {
- String cmdString = context.getCommandString();
- if (cmdString != null) {
- String[] cmd = cmdString.trim().split("\\s+");
- if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
- databaseName = cmd[4];
- }
- }
- }
- }
-
- public void fetchHiveObjForDropTable(HiveAuthzContext context) {
- // cmd passed: drop table if exists <db.table> or drop database if exists <table>
- if (context != null) {
- String cmdString = context.getCommandString();
- if (cmdString != null) {
- String[] cmd = cmdString.trim().split("\\s+");
- if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
- tableName = cmd[4];
- if (tableName.contains(".")) {
- String[] result = splitDBName(tableName);
- databaseName = result[0];
- tableName = result[1];
- }
- }
- }
- }
- }
-
-
private String[] splitDBName(String dbName) {
String[] ret = null;
ret = dbName.split("\\.");