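/**
 * Fails the operation when at least one privilege check was denied.
 *
 * <p>The denial descriptions are reported in sorted order so the message is stable for a given
 * set of denials.
 *
 * @param hivePrincipal principal named in the error message
 * @param hiveOpType operation named in the error message
 * @param deniedMessages one entry per denied privilege; an empty list means nothing was denied
 * @throws HiveAccessControlException if {@code deniedMessages} is not empty
 */
public static void assertNoDeniedPermissions(HivePrincipal hivePrincipal,
    HiveOperationType hiveOpType, List<String> deniedMessages) throws HiveAccessControlException {
  if (deniedMessages.isEmpty()) {
    return;
  }
  // Sort a private copy: sorting the caller's list in place would mutate its argument and, for an
  // unmodifiable list, raise UnsupportedOperationException instead of the access-control error.
  List<String> sortedDenials = new java.util.ArrayList<String>(deniedMessages);
  Collections.sort(sortedDenials);
  String errorMessage = "Permission denied: " + hivePrincipal
      + " does not have following privileges for operation " + hiveOpType + " " + sortedDenials;
  throw new HiveAccessControlException(errorMessage);
}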
/**
 * Passes a list of objects through the session's V2 authorizer and returns what it lets through.
 *
 * <p>The authorization context carries the user IP address and the forwarded addresses taken from
 * the current session. Both failure paths rethrow, so an authorizer error aborts the listing
 * instead of returning the unfiltered input.
 *
 * @param listObjs candidate objects for a list command
 * @return the objects returned by {@code filterListCmdObjects}
 * @throws MetaException if the authorizer raises a plugin or access-control exception
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState session = SessionState.get();

  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(session.getUserIpAddress());
  contextBuilder.setForwardedAddresses(session.getForwardedAddresses());

  try {
    return session.getAuthorizerV2().filterListCmdObjects(listObjs, contextBuilder.build());
  } catch (HiveAuthzPluginException pluginFailure) {
    LOG.error("Authorization error", pluginFailure);
    // Only the message text is carried into the MetaException; the stack trace stays in the log.
    throw new MetaException(pluginFailure.getMessage());
  } catch (HiveAccessControlException denied) {
    // A filter call is not expected to deny access: the implementation should simply filter
    // everything out, and a checkPrivileges call has already authorized the action itself.
    LOG.error("AccessControlException", denied);
    throw new MetaException(denied.getMessage());
  }
}
/**
 * Filters the given objects through the V2 authorizer of the current session.
 *
 * <p>The user IP address and forwarded addresses of the session are handed to the authorizer in
 * the authorization context. The method fails closed: every caught authorizer exception is
 * logged and converted to a {@link MetaException}, never to an unfiltered result.
 *
 * @param listObjs objects a list command is about to return
 * @return whatever {@code filterListCmdObjects} returns for those objects
 * @throws MetaException wrapping the message of a plugin or access-control exception
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState currentSession = SessionState.get();

  HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  ctx.setUserIpAddress(currentSession.getUserIpAddress());
  ctx.setForwardedAddresses(currentSession.getForwardedAddresses());

  try {
    return currentSession.getAuthorizerV2().filterListCmdObjects(listObjs, ctx.build());
  } catch (HiveAuthzPluginException ex) {
    LOG.error("Authorization error", ex);
    throw new MetaException(ex.getMessage());
  } catch (HiveAccessControlException ex) {
    // Not really expected here: a filter implementation should have filtered everything out,
    // and checkPrivileges would already have been called to authorize this action.
    LOG.error("AccessControlException", ex);
    throw new MetaException(ex.getMessage());
  }
}
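/**
 * Throws if any privilege required for an operation was denied.
 *
 * @param hivePrincipal principal whose request is being checked; appears in the message
 * @param hiveOpType operation being attempted; appears in the message
 * @param deniedMessages descriptions of the denied privileges; empty when all were granted
 * @throws HiveAccessControlException listing the denials in sorted order, if there are any
 */
public static void assertNoDeniedPermissions(HivePrincipal hivePrincipal,
    HiveOperationType hiveOpType, List<String> deniedMessages) throws HiveAccessControlException {
  if (deniedMessages.isEmpty()) {
    return;
  }
  // Work on a copy so the caller's list is left untouched. An in-place sort of an unmodifiable
  // list would fail with UnsupportedOperationException and hide the real denial from the caller.
  List<String> ordered = new java.util.ArrayList<String>(deniedMessages);
  Collections.sort(ordered);
  throw new HiveAccessControlException("Permission denied: " + hivePrincipal
      + " does not have following privileges for operation " + hiveOpType + " " + ordered);
}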
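/**
 * Filters the given objects through the V2 authorizer of the current session.
 *
 * <p>Only the session's user IP address is placed into the authorization context. Any authorizer
 * exception is logged with its stack trace and rethrown as a {@link MetaException}, so a failure
 * never yields the unfiltered list.
 *
 * @param listObjs objects a list command is about to return
 * @return the objects returned by {@code filterListCmdObjects}
 * @throws MetaException carrying the message of a plugin or access-control exception
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState ss = SessionState.get();
  HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
  authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
  try {
    return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build());
  } catch (HiveAuthzPluginException e) {
    // Log with a message and the throwable: passing only the exception object records its
    // toString() and loses the stack trace needed to diagnose an authorization failure.
    LOG.error("Authorization error", e);
    throw new MetaException(e.getMessage());
  } catch (HiveAccessControlException e) {
    // authorization error is not really expected in a filter call
    // the impl should have just filtered out everything. A checkPrivileges call
    // would have already been made to authorize this action
    LOG.error("AccessControlException", e);
    throw new MetaException(e.getMessage());
  }
}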
// Refuse the request with an access-control error that names the current user and the role
// they are reported not to belong to. The enclosing method is outside this excerpt.
throw new HiveAccessControlException(currentUserName +" doesn't belong to role " +roleName);
/**
 * Hook entry point that rejects any query whose properties report the use of a script
 * (the transform clause named in the error message).
 *
 * @param hookContext context giving access to the query plan being checked
 * @throws Exception a {@link HiveAccessControlException} when the query uses a script
 */
@Override
public void run(HookContext hookContext) throws Exception {
  QueryProperties queryProps = hookContext.getQueryPlan().getQueryProperties();
  // Missing query properties are treated as a DDL query, which is let through unchecked.
  boolean usesTransform = queryProps != null && queryProps.usesScript();
  if (usesTransform) {
    throw new HiveAccessControlException("Query with transform clause is disallowed in"
        + " current configuration.");
  }
}
} // closes the enclosing class, whose header is outside this excerpt
// Deny with an access-control error: the message states that the current user does not belong
// to the named role. The surrounding membership check is not visible in this excerpt.
throw new HiveAccessControlException(currentUserName +" doesn't belong to role " +roleName);
/**
 * Blocks queries that use a script, reported to the user as a disallowed transform clause.
 *
 * @param hookContext hook context from which the query plan and its properties are read
 * @throws Exception a {@link HiveAccessControlException} if the query uses a script
 */
@Override
public void run(HookContext hookContext) throws Exception {
  QueryProperties props = hookContext.getQueryPlan().getQueryProperties();
  if (props == null) {
    // Treated as a DDL query: there is nothing to inspect, so the hook lets it pass.
    return;
  }
  if (!props.usesScript()) {
    return;
  }
  throw new HiveAccessControlException("Query with transform clause is disallowed in"
      + " current configuration.");
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Verifies that the current user may look at the privileges of {@code principal}.
 *
 * <p>A user principal is accepted only when its name equals the current user name; a role
 * principal only when the current user belongs to that role. No admin check is made here.
 * NOTE(review): presumably the caller skips this method for admin users; confirm.
 *
 * @param principal the user or role whose privileges were requested
 * @throws HiveAccessControlException if the request targets another user or a foreign role
 * @throws HiveAuthzPluginException declared for the role-membership lookup
 */
private void ensureShowGrantAllowed(HivePrincipal principal)
    throws HiveAccessControlException, HiveAuthzPluginException {
  switch (principal.getType()) {
    case USER:
      // Users may inspect their own privileges only.
      if (principal.getName().equals(currentUserName)) {
        return;
      }
      throw new HiveAccessControlException("User : " + currentUserName
          + " is not allowed check privileges of another user : " + principal.getName() + ". "
          + ADMIN_ONLY_MSG);
    case ROLE:
      // Roles may be inspected only by their members.
      if (userBelongsToRole(principal.getName())) {
        return;
      }
      throw new HiveAccessControlException("User : " + currentUserName
          + " is not allowed check privileges of a role it does not belong to : "
          + principal.getName() + ". " + ADMIN_ONLY_MSG);
    default:
      throw new AssertionError("Unexpected principal type " + principal.getType());
  }
}
/**
 * Returns the grants of the principals in a role.
 *
 * <p>The call is allowed for an admin user, or for a user holding the admin option on the role;
 * everyone else is refused before the metastore is contacted.
 *
 * @param roleName role whose principals are requested
 * @return the role grants obtained from the metastore client
 * @throws HiveAccessControlException if the current user is neither admin nor role admin
 * @throws HiveAuthzPluginException if the metastore lookup fails for any reason
 */
@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // Short-circuit keeps the admin-option lookup from running for admin users.
  boolean permitted = isUserAdmin() || doesUserHasAdminOption(Arrays.asList(roleName));
  if (!permitted) {
    throw new HiveAccessControlException("Current user : " + currentUserName
        + " is not allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, "
        + HAS_ADMIN_PRIV_MSG);
  }

  try {
    return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
  } catch (Exception lookupFailure) {
    throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles",
        lookupFailure);
  }
}
/**
 * Lists the names of all roles known to the metastore.
 *
 * <p>Restricted to admin users; the check runs before the metastore is contacted.
 *
 * @return role names returned by the metastore client
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException if the metastore call fails for any reason
 */
@Override
public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
  boolean callerIsAdmin = isUserAdmin();
  if (!callerIsAdmin) {
    throw new HiveAccessControlException("Current user : " + currentUserName
        + " is not allowed to list roles. " + ADMIN_ONLY_MSG);
  }

  try {
    return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
  } catch (Exception listFailure) {
    throw SQLAuthorizationUtils.getPluginException("Error listing all roles", listFailure);
  }
}
/**
 * Looks up which principals have been granted the given role.
 *
 * <p>Access is limited to admin users and to users with the admin option on this role. The
 * authorization decision is made first, so a refused caller never reaches the metastore.
 *
 * @param roleName name of the role to inspect
 * @return grants for the role as returned by {@code getHiveRoleGrants}
 * @throws HiveAccessControlException if the caller has neither admin role nor admin option
 * @throws HiveAuthzPluginException wrapping any exception from the metastore lookup
 */
@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
    throws HiveAuthzPluginException, HiveAccessControlException {
  if (!isUserAdmin()) {
    // Non-admins need the admin option on this specific role.
    if (!doesUserHasAdminOption(Arrays.asList(roleName))) {
      String refusal = "Current user : " + currentUserName
          + " is not allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, "
          + HAS_ADMIN_PRIV_MSG;
      throw new HiveAccessControlException(refusal);
    }
  }

  try {
    return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
  } catch (Exception ex) {
    throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", ex);
  }
}
/**
 * Drops an existing role through the metastore client.
 *
 * <p>Only admin users may drop roles. The role name is passed to the metastore as given.
 * NOTE(review): no reserved-name check is visible here; presumably the metastore refuses to
 * drop built-in roles. Confirm.
 *
 * @param roleName name of the role to drop
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException if the metastore call fails for any reason
 */
@Override
public void dropRole(String roleName)
    throws HiveAuthzPluginException, HiveAccessControlException {
  boolean callerIsAdmin = isUserAdmin();
  if (!callerIsAdmin) {
    throw new HiveAccessControlException("Current user : " + currentUserName
        + " is not allowed to drop role. " + ADMIN_ONLY_MSG);
  }

  try {
    metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
  } catch (Exception dropFailure) {
    throw SQLAuthorizationUtils.getPluginException("Error dropping role", dropFailure);
  }
}
// Deny the request: the text held in errMsg becomes the access-control error message.
// NOTE(review): errMsg is built outside this excerpt; confirm that it names only objects the
// requester is already allowed to know about.
throw new HiveAccessControlException(errMsg.toString());
/**
 * Enforces the self-service rule for viewing privileges: a caller may ask about their own user
 * principal or about a role they belong to, and nothing else.
 *
 * <p>This method performs no admin check of its own.
 * NOTE(review): the admin bypass presumably lives in the caller; verify.
 *
 * @param principal principal whose privileges the current user asked for
 * @throws HiveAccessControlException if the principal is another user or a role the current
 *     user does not belong to
 * @throws HiveAuthzPluginException declared for the role-membership lookup
 */
private void ensureShowGrantAllowed(HivePrincipal principal)
    throws HiveAccessControlException, HiveAuthzPluginException {
  switch (principal.getType()) {
    case USER: {
      boolean askingAboutSelf = principal.getName().equals(currentUserName);
      if (!askingAboutSelf) {
        String refusal = "User : " + currentUserName
            + " is not allowed check privileges of another user : " + principal.getName()
            + ". " + ADMIN_ONLY_MSG;
        throw new HiveAccessControlException(refusal);
      }
      break;
    }
    case ROLE: {
      boolean isMember = userBelongsToRole(principal.getName());
      if (!isMember) {
        String refusal = "User : " + currentUserName
            + " is not allowed check privileges of a role it does not belong to : "
            + principal.getName() + ". " + ADMIN_ONLY_MSG;
        throw new HiveAccessControlException(refusal);
      }
      break;
    }
    default:
      // Any other principal type is a programming error rather than a denied request.
      throw new AssertionError("Unexpected principal type " + principal.getType());
  }
}
/**
 * Removes a role, after checking that the caller is an admin user.
 *
 * @param roleName role to remove; forwarded unchanged to the metastore client
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException wrapping any exception raised by the metastore call
 */
@Override
public void dropRole(String roleName)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // Authorization comes first so a refused caller never reaches the metastore.
  if (isUserAdmin()) {
    try {
      metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
    } catch (Exception ex) {
      throw SQLAuthorizationUtils.getPluginException("Error dropping role", ex);
    }
    return;
  }
  throw new HiveAccessControlException("Current user : " + currentUserName
      + " is not allowed to drop role. " + ADMIN_ONLY_MSG);
}
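/**
 * Creates a new role through the metastore client.
 *
 * <p>Only admin users may create roles, and the trimmed, upper-cased name must not be one of
 * {@code RESERVED_ROLE_NAMES}.
 *
 * @param roleName name of the role to create
 * @param adminGrantor principal recorded as the grantor, or {@code null} for none
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException if the name is reserved or the metastore call fails
 */
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // only user belonging to admin role can create new roles.
  if (!isUserAdmin()) {
    throw new HiveAccessControlException("Current user : " + currentUserName + " is not"
        + " allowed to add roles. " + ADMIN_ONLY_MSG);
  }
  // Upper-case with a fixed locale. Under the JVM default locale the mapping can differ (in a
  // Turkish locale "i" becomes a dotted capital I), so a reserved name containing that letter
  // would fail to match and slip past this check.
  String normalizedName = roleName.trim().toUpperCase(java.util.Locale.ROOT);
  if (RESERVED_ROLE_NAMES.contains(normalizedName)) {
    throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: "
        + RESERVED_ROLE_NAMES);
  }
  try {
    String grantorName = adminGrantor == null ? null : adminGrantor.getName();
    metastoreClientFactory.getHiveMetastoreClient().create_role(
        new Role(roleName, 0, grantorName));
  } catch (TException e) {
    throw SQLAuthorizationUtils.getPluginException("Error create role", e);
  }
}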
/**
 * Returns every role name held by the metastore, for admin users only.
 *
 * @return the list produced by the metastore client's {@code listRoleNames}
 * @throws HiveAccessControlException if the current user is not an admin
 * @throws HiveAuthzPluginException wrapping any exception raised by the metastore call
 */
@Override
public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
  // Authorization comes first so a refused caller never reaches the metastore.
  if (isUserAdmin()) {
    try {
      return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
    } catch (Exception ex) {
      throw SQLAuthorizationUtils.getPluginException("Error listing all roles", ex);
    }
  }
  String refusal = "Current user : " + currentUserName + " is not allowed to list roles. "
      + ADMIN_ONLY_MSG;
  throw new HiveAccessControlException(refusal);
}
// Raise the access-control failure, using the contents of errMsg as its message.
// NOTE(review): how errMsg is assembled is not visible here; check that user-supplied names
// placed in it cannot make the message misleading when it is logged or shown.
throw new HiveAccessControlException(errMsg.toString());