Posted to commits@sentry.apache.org by sd...@apache.org on 2015/09/02 03:45:23 UTC
incubator-sentry git commit: SENTRY-504: Sentry Hive authorizer
interfaces for authorization V2 (Dapeng Sun, Reviewed by Colin Ma)
Repository: incubator-sentry
Updated Branches:
refs/heads/hive_plugin_v2 03ad8bd1e -> 9c3cc49b4
SENTRY-504: Sentry Hive authorizer interfaces for authorization V2 (Dapeng Sun, Reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9c3cc49b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9c3cc49b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9c3cc49b
Branch: refs/heads/hive_plugin_v2
Commit: 9c3cc49b45e940f9f7525ed957a925e2712f58ae
Parents: 03ad8bd
Author: Sun Dapeng <sd...@apache.org>
Authored: Mon Aug 31 16:26:23 2015 +0800
Committer: Sun Dapeng <sd...@apache.org>
Committed: Mon Aug 31 16:27:22 2015 +0800
----------------------------------------------------------------------
.../authorizer/SentryHiveAccessController.java | 201 +++++++++++++++++++
.../SentryHiveAuthorizationValidator.java | 58 ++++++
.../v2/authorizer/SentryHiveAuthorizer.java | 168 ++++++++++++++++
3 files changed, 427 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
new file mode 100644
index 0000000..80b21be
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
@@ -0,0 +1,201 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.hive.v2.authorizer;
+
+import java.util.List;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+
+/**
+ * Abstract class to do access control commands, e.g. grant/revoke privileges, grant/revoke role,
+ * create/drop role.
+ */
+public abstract class SentryHiveAccessController implements HiveAccessController {
+
+ /**
+ * Hive statement: Grant privilege GRANT priv_type [, priv_type ] ... ON table_or_view_name TO
+ * principal_specification [, principal_specification] ... [WITH GRANT OPTION];
+ *
+ * principal_specification : USER user | ROLE role
+ *
+ * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
+ *
+ * @param hivePrincipals
+ * @param hivePrivileges
+ * @param hivePrivObject
+ * @param grantorPrincipal
+ * @param grantOption
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void grantPrivileges(List<HivePrincipal> hivePrincipals,
+ List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Revoke privilege REVOKE priv_type [, priv_type ] ... ON table_or_view_name FROM
+ * principal_specification [, principal_specification] ... ;
+ *
+ * principal_specification : USER user | ROLE role
+ *
+ * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
+ *
+ * @param hivePrincipals
+ * @param hivePrivileges
+ * @param hivePrivObject
+ * @param grantorPrincipal
+ * @param grantOption
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void revokePrivileges(List<HivePrincipal> hivePrincipals,
+ List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Create role CREATE ROLE role_name;
+ *
+ * @param roleName
+ * @param adminGrantor
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void createRole(String roleName, HivePrincipal adminGrantor)
+ throws HiveAuthzPluginException, HiveAccessControlException;
+
+ /**
+ * Hive statement: Drop role DROP ROLE role_name;
+ *
+ * @param roleName
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void dropRole(String roleName) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Grant role GRANT role_name [, role_name] ... TO principal_specification [,
+ * principal_specification] ... [ WITH ADMIN OPTION ];
+ *
+ * principal_specification : USER user | ROLE role
+ *
+ * @param hivePrincipals
+ * @param roles
+ * @param grantOption
+ * @param grantorPrinc
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+
+ /**
+ * Hive statement: Revoke role REVOKE [ADMIN OPTION FOR] role_name [, role_name] ... FROM
+ * principal_specification [, principal_specification] ... ;
+ *
+ * principal_specification : USER user | ROLE role
+ *
+ * @param hivePrincipals
+ * @param roles
+ * @param grantOption
+ * @param grantorPrinc
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Show roles SHOW ROLES;
+ *
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract List<String> getAllRoles() throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Show grant SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name);
+ *
+ * @param principal
+ * @param privObj
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
+ HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException;
+
+ /**
+ * Hive statement: Set role SET ROLE (role_name|ALL);
+ *
+ * @param roleName
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void setCurrentRole(String roleName) throws HiveAuthzPluginException,
+ HiveAccessControlException;
+
+ /**
+ * Hive statement: Show current roles SHOW CURRENT ROLES;
+ *
+ * @throws HiveAuthzPluginException
+ */
+ @Override
+ public abstract List<String> getCurrentRoleNames() throws HiveAuthzPluginException;
+
+ /**
+ * Hive statement: Set role privileges SHOW PRINCIPALS role_name;
+ *
+ * @param roleName
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
+ throws HiveAuthzPluginException, HiveAccessControlException;
+
+ /**
+ * Hive statement: Set role grant SHOW ROLE GRANT (USER|ROLE) principal_name;
+ *
+ * @param principal
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+ throws HiveAuthzPluginException, HiveAccessControlException;
+
+ /**
+ * Apply configuration files for authorization V2
+ *
+ * @param hiveConf
+ * @throws HiveAuthzPluginException
+ */
+ @Override
+ public abstract void applyAuthorizationConfigPolicy(HiveConf hiveConf)
+ throws HiveAuthzPluginException;
+
+}
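Review bot: The Javadoc on every method in this file folds two exceptions into one tag, `@throws HiveAuthzPluginException, HiveAccessControlException`, which javadoc renders as a single (nonexistent) type; each exception needs its own `@throws` line, and the `@param` tags are all empty. For the privilege-sensitive entry points the contract worth writing down is the one an implementer can get wrong: on `grantPrivileges` and `grantRole` I would add `@param grantOption whether the grantee may further delegate; implementations must verify the acting principal holds the privilege/role with grant (admin) option before honoring this` — the hunk only declares the signatures, so whether Hive or the implementation is expected to enforce that is not visible here and should be stated explicitly. The comment on `getPrincipalGrantInfoForRole` reads "Set role privileges" but the statement it documents is `SHOW PRINCIPALS role_name`; likewise `getRoleGrantInfoForPrincipal` documents `SHOW ROLE GRANT`, not "Set role grant". Since the class only re-declares `HiveAccessController`'s methods as abstract, a one-line class comment saying it exists as the documentation/extension point for Sentry and adds no behavior would make the redundancy intentional rather than surprising.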
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
new file mode 100644
index 0000000..3242f09
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.hive.v2.authorizer;
+
+import java.util.List;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+/**
+ * This class used to do authorization validate. Check if current user has privileges to do the
+ * operation and filter the select results.
+ */
+public abstract class SentryHiveAuthorizationValidator implements HiveAuthorizationValidator {
+
+ /**
+ * Check if current user has privileges to perform given operation type hiveOpType on the given
+ * input and output objects.
+ *
+ * @param hiveOpType
+ * @param inputHObjs
+ * @param outputHObjs
+ * @param context
+ * @throws HiveAuthzPluginException, HiveAccessControlException
+ */
+ @Override
+ public abstract void checkPrivileges(HiveOperationType hiveOpType,
+ List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs,
+ HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException;
+
+
+ /**
+ * Filter the select results according current user's permission. remove the object which current
+ * user do not have any privilege on it.
+ *
+ * @param listObjs
+ * @param context
+ */
+ @Override
+ public abstract List<HivePrivilegeObject> filterListCmdObjects(
+ List<HivePrivilegeObject> listObjs, HiveAuthzContext context);
+}
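Review bot: `filterListCmdObjects` is declared without a `throws` clause here, while the delegating method in `SentryHiveAuthorizer` in this same commit declares `HiveAuthzPluginException, HiveAccessControlException`; an implementation that hits a backend error while filtering therefore has no checked way to report it and is tempted to return `listObjs` unfiltered, which would leak object names the caller is not entitled to see. I would either declare `throws HiveAuthzPluginException, HiveAccessControlException` on this abstract method to match, or state the fail-closed rule in its Javadoc: `On any error, return an empty list rather than the unfiltered input.` The Javadoc wording is also off: this method filters the objects returned by metadata listing commands (e.g. SHOW TABLES/DATABASES), not "select results", and the class comment repeats the same phrase. The `@throws HiveAuthzPluginException, HiveAccessControlException` tag on `checkPrivileges` should be split into two tags so javadoc resolves both types.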
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
new file mode 100644
index 0000000..1388121
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
@@ -0,0 +1,168 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.hive.v2.authorizer;
+
+import java.util.List;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
+import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+
+/**
+ * Convenience implementation of HiveAuthorizer. You can customize the behavior by passing different
+ * implementations of {@link SentryHiveAccessController} and
+ * {@link SentryHiveAuthorizationValidator} to constructor.
+ */
+public abstract class SentryHiveAuthorizer implements HiveAuthorizer {
+
+ private SentryHiveAccessController accessController;
+ private SentryHiveAuthorizationValidator authValidator;
+
+ public SentryHiveAuthorizer(SentryHiveAccessController accessController,
+ SentryHiveAuthorizationValidator authValidator) {
+ this.accessController = accessController;
+ this.authValidator = authValidator;
+ }
+
+ @Override
+ public void grantPrivileges(List<HivePrincipal> hivePrincipals,
+ List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+ grantorPrincipal, grantOption);
+ }
+
+ @Override
+ public void revokePrivileges(List<HivePrincipal> hivePrincipals,
+ List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+ grantorPrincipal, grantOption);
+ }
+
+ @Override
+ public void createRole(String roleName, HivePrincipal adminGrantor)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ accessController.createRole(roleName, adminGrantor);
+ }
+
+ @Override
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ accessController.dropRole(roleName);
+ }
+
+ @Override
+ public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
+ }
+
+ @Override
+ public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
+ }
+
+ @Override
+ public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
+ List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
+ }
+
+ @Override
+ public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
+ return accessController.getAllRoles();
+ }
+
+ @Override
+ public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ return accessController.showPrivileges(principal, privObj);
+ }
+
+ @Override
+ public VERSION getVersion() {
+ return VERSION.V1;
+ }
+
+ @Override
+ public void setCurrentRole(String roleName) throws HiveAccessControlException,
+ HiveAuthzPluginException {
+ accessController.setCurrentRole(roleName);
+ }
+
+ @Override
+ public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
+ return accessController.getCurrentRoleNames();
+ }
+
+ @Override
+ public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ return accessController.getPrincipalGrantInfoForRole(roleName);
+ }
+
+ @Override
+ public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ return accessController.getRoleGrantInfoForPrincipal(principal);
+ }
+
+ @Override
+ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
+ accessController.applyAuthorizationConfigPolicy(hiveConf);
+ }
+
+ @Override
+ public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
+ HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
+ return authValidator.filterListCmdObjects(listObjs, context);
+ }
+
+ @Override
+ public List<HivePrincipal> getHivePrincipals(List<PrincipalDesc> principals) throws HiveException {
+ return AuthorizationUtils.getHivePrincipals(principals);
+ }
+
+ @Override
+ public List<HivePrivilege> getHivePrivileges(List<PrivilegeDesc> privileges) {
+ return AuthorizationUtils.getHivePrivileges(privileges);
+ }
+
+ @Override
+ public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
+ throws HiveException {
+ return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc);
+ }
+
+}
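Review bot: The constructor stores `accessController` and `authValidator` without a null check and the fields are not `final`, so a misconfigured authorizer is only detected when Hive first calls `checkPrivileges` and gets a NullPointerException from the delegation. An authorization plugin should fail at construction instead: `private final SentryHiveAccessController accessController;`, `this.accessController = Objects.requireNonNull(accessController, "accessController");` and the same for `authValidator` (with `import java.util.Objects;`). `filterListCmdObjects` here declares checked exceptions that the delegate's abstract signature in `SentryHiveAuthorizationValidator` does not, so the two should be reconciled. `getVersion()` returning `VERSION.V1` is presumably intentional for the Hive authorizer API in use, but a one-line comment saying so would stop it being mistaken for a leftover from the v1 binding.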