/**
 * Reports whether the current session user passes the authorizer's KILL_QUERY check.
 *
 * <p>Fail-closed: when the session has no V2 authorizer, or when {@code checkPrivileges}
 * throws for any reason (denial and plugin failure are not distinguished), the answer is
 * {@code false}.
 *
 * @return {@code true} only if the privilege check completed without throwing
 */
private static boolean isAdmin() {
  if (SessionState.get().getAuthorizerV2() == null) {
    return false;
  }
  try {
    // Probe with empty input/output object lists; only the operation type matters here.
    SessionState.get().getAuthorizerV2().checkPrivileges(
        HiveOperationType.KILL_QUERY,
        new ArrayList<HivePrivilegeObject>(),
        new ArrayList<HivePrivilegeObject>(),
        new HiveAuthzContext.Builder().build());
    return true;
  } catch (Exception ignored) {
    // Any failure of the check, denial or otherwise, means "not an admin".
    return false;
  }
}
/**
 * Applies the V2 authorizer's configuration policy to the session conf exactly once.
 *
 * <p>The metastore filter hook is forced to {@link AuthorizationMetaStoreFilterHook}; a
 * different, non-default value configured by the user is overridden and a warning is
 * logged. The metastore client is then initialised against the updated conf, and a marker
 * is written so that a second call is a no-op.
 *
 * @throws HiveException if the metastore client cannot be initialised
 */
private void setAuthorizerV2Config() throws HiveException {
  final String applied = Boolean.TRUE.toString();
  if (applied.equals(sessionConf.get(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, ""))) {
    return; // already processed for this session conf
  }

  final String requiredHook = AuthorizationMetaStoreFilterHook.class.getName();
  final String configuredHook = sessionConf.getVar(ConfVars.METASTORE_FILTER_HOOK);
  boolean isDefault = ConfVars.METASTORE_FILTER_HOOK.getDefaultValue().equals(configuredHook);
  boolean isRequired = requiredHook.equals(configuredHook);
  if (!(isDefault || isRequired)) {
    LOG.warn(ConfVars.METASTORE_FILTER_HOOK.varname
        + " will be ignored, since hive.security.authorization.manager"
        + " is set to instance of HiveAuthorizerFactory.");
  }
  sessionConf.setVar(ConfVars.METASTORE_FILTER_HOOK, requiredHook);

  authorizerV2.applyAuthorizationConfigPolicy(sessionConf);

  // Push the updated conf into the Hive thread-local and initialise the metastore client.
  try {
    Hive.get(sessionConf).getMSC();
  } catch (Exception e) {
    // Catch-all: exec-time dependencies on session state could otherwise surface as a
    // ClassNotFoundException.
    throw new HiveException(e.getMessage(), e);
  }

  // Mark this conf as processed.
  sessionConf.set(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, applied);
}
authorizer.createRole(roleDDLDesc.getName(), null); break; case DROP_ROLE: authorizer.dropRole(roleDDLDesc.getName()); break; case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roles = authorizer.getRoleGrantInfoForPrincipal( AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: List<String> allRoles = authorizer.getAllRoles(); writeListToFileAfterSort(allRoles, roleDDLDesc.getResFile()); break; case SHOW_CURRENT_ROLE: List<String> roleNames = authorizer.getCurrentRoleNames(); writeListToFileAfterSort(roleNames, roleDDLDesc.getResFile()); break; case SET_ROLE: authorizer.setCurrentRole(roleDDLDesc.getName()); break; case SHOW_ROLE_PRINCIPALS: testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName()); writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile()); break;
/**
 * Narrows {@code listObjs} to the objects the session's V2 authorizer lets the current
 * user see.
 *
 * @param listObjs candidate objects from a metadata listing
 * @return the list returned by {@code filterListCmdObjects}
 * @throws MetaException if the authorizer plugin fails, or (unexpectedly for a filter
 *     call) denies access; the original exception is logged and its message carried over
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setUserIpAddress(session.getUserIpAddress());
  context.setForwardedAddresses(session.getForwardedAddresses());
  try {
    return session.getAuthorizerV2().filterListCmdObjects(listObjs, context.build());
  } catch (HiveAuthzPluginException pluginFailure) {
    LOG.error("Authorization error", pluginFailure);
    throw new MetaException(pluginFailure.getMessage());
  } catch (HiveAccessControlException denied) {
    // A filter call is expected to drop disallowed objects rather than deny; the action
    // itself was already authorized by an earlier checkPrivileges call.
    LOG.error("AccessControlException", denied);
    throw new MetaException(denied.getMessage());
  }
}
/**
 * Filters a metadata listing through the session's V2 authorizer.
 *
 * @param listObjs candidate privilege objects
 * @return whatever {@code filterListCmdObjects} returns for the current user
 * @throws MetaException on a plugin failure, or on an access-control error (which a
 *     filter call is not expected to raise); both are logged before being rethrown
 *     with the original message
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState current = SessionState.get();
  HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
  builder.setForwardedAddresses(current.getForwardedAddresses());
  builder.setUserIpAddress(current.getUserIpAddress());
  HiveAuthzContext context = builder.build();
  try {
    return current.getAuthorizerV2().filterListCmdObjects(listObjs, context);
  } catch (HiveAuthzPluginException e) {
    LOG.error("Authorization error", e);
    throw new MetaException(e.getMessage());
  } catch (HiveAccessControlException e) {
    // The implementation should have filtered everything out instead of denying;
    // checkPrivileges already authorized this action earlier.
    LOG.error("AccessControlException", e);
    throw new MetaException(e.getMessage());
  }
}
/**
 * Authorizes {@code command} against {@code serviceObject} through the session's V2
 * authorizer, throwing if the check fails.
 *
 * @param ss session supplying the authorizer, client IP and forwarded addresses
 * @param type the Hive operation being attempted
 * @param command command tokens; also joined with spaces as the audit command string
 * @param serviceObject service name used as the single output object of the check
 * @throws HiveAuthzPluginException if the authorizer plugin fails
 * @throws HiveAccessControlException if the user lacks the privilege
 */
private static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command, String serviceObject)
    throws HiveAuthzPluginException, HiveAccessControlException {
  HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setCommandString(Joiner.on(' ').join(command));
  context.setUserIpAddress(ss.getUserIpAddress());
  context.setForwardedAddresses(ss.getForwardedAddresses());

  List<HivePrivilegeObject> inputs =
      Collections.singletonList(HivePrivilegeObject.createHivePrivilegeObject(command));
  List<HivePrivilegeObject> outputs = Collections.singletonList(new HivePrivilegeObject(
      HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, serviceObject,
      null, null, null));

  ss.getAuthorizerV2().checkPrivileges(type, inputs, outputs, context.build());
}
}
authorizer.createRole(roleDDLDesc.getName(), null); break; case DROP_ROLE: authorizer.dropRole(roleDDLDesc.getName()); break; case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roles = authorizer.getRoleGrantInfoForPrincipal( AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: List<String> allRoles = authorizer.getAllRoles(); writeListToFileAfterSort(allRoles, roleDDLDesc.getResFile()); break; case SHOW_CURRENT_ROLE: List<String> roleNames = authorizer.getCurrentRoleNames(); writeListToFileAfterSort(roleNames, roleDDLDesc.getResFile()); break; case SET_ROLE: authorizer.setCurrentRole(roleDDLDesc.getName()); break; case SHOW_ROLE_PRINCIPALS: testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName()); writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile()); break;
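/**
 * Applies the V2 authorizer's configuration policy to the session conf exactly once.
 *
 * <p>The metastore filter hook is forced to {@link AuthorizationMetaStoreFilterHook}. If the
 * user configured a different, non-default hook, a warning names the overridden property.
 * The metastore client is then initialised against the updated conf and a marker is set so
 * repeated calls are no-ops.
 *
 * @throws HiveException if the metastore client cannot be initialised
 */
private void setAuthorizerV2Config() throws HiveException {
  // avoid processing the same config multiple times, check marker
  if (sessionConf.get(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, "").equals(Boolean.TRUE.toString())) {
    return;
  }

  // Read the property through getVar: ConfVars.name() is the enum constant's identifier,
  // not the configuration key, so get(name()) never sees the user's configured value and
  // the warning below would fire on every call.
  String metastoreHook = sessionConf.getVar(ConfVars.METASTORE_FILTER_HOOK);
  String requiredHook = AuthorizationMetaStoreFilterHook.class.getName();
  if (!ConfVars.METASTORE_FILTER_HOOK.getDefaultValue().equals(metastoreHook)
      && !requiredHook.equals(metastoreHook)) {
    // varname is the property key users recognise in the log.
    LOG.warn(ConfVars.METASTORE_FILTER_HOOK.varname
        + " will be ignored, since hive.security.authorization.manager"
        + " is set to instance of HiveAuthorizerFactory.");
  }
  sessionConf.setVar(ConfVars.METASTORE_FILTER_HOOK, requiredHook);

  authorizerV2.applyAuthorizationConfigPolicy(sessionConf);

  // update config in Hive thread local as well and init the metastore client
  try {
    Hive.get(sessionConf).getMSC();
  } catch (Exception e) {
    // catch-all due to some exec time dependencies on session state
    // that would cause ClassNotFoundException otherwise
    throw new HiveException(e.getMessage(), e);
  }

  // set a marker that this conf has been processed.
  sessionConf.set(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, Boolean.TRUE.toString());
}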
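/**
 * Narrows {@code listObjs} to the objects the session's V2 authorizer lets the current
 * user see.
 *
 * @param listObjs candidate objects from a metadata listing
 * @return the list returned by {@code filterListCmdObjects}
 * @throws MetaException if the authorizer plugin fails, or (unexpectedly for a filter
 *     call) denies access; the original exception is logged with its stack trace and its
 *     message carried over
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState ss = SessionState.get();
  HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
  authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
  try {
    return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build());
  } catch (HiveAuthzPluginException e) {
    // Pass the exception as the throwable argument: LOG.error(e) alone logs only
    // e.toString() and drops the stack trace needed to diagnose a plugin failure.
    LOG.error("Authorization error", e);
    throw new MetaException(e.getMessage());
  } catch (HiveAccessControlException e) {
    // authorization error is not really expected in a filter call
    // the impl should have just filtered out everything. A checkPrivileges call
    // would have already been made to authorize this action
    LOG.error("AccessControlException", e);
    throw new MetaException(e.getMessage());
  }
}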
/**
 * Runs a V2 privilege check for {@code hiveOpType} on the given objects.
 *
 * <p>The client IP is not known in this context and is recorded as "Not available".
 *
 * @param hiveOpType operation being attempted
 * @param toRead input privilege objects
 * @param toWrite output privilege objects
 * @param cmd command string recorded in the authorization context
 * @throws HiveAccessControlException if the authorizer denies the operation
 * @throws DrillRuntimeException if the authorizer fails for any other reason
 */
private void authorize(final HiveOperationType hiveOpType,
    final List<HivePrivilegeObject> toRead, final List<HivePrivilegeObject> toWrite,
    final String cmd) throws HiveAccessControlException {
  try {
    final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(cmd);
    contextBuilder.setUserIpAddress("Not available");
    authorizerV2.checkPrivileges(hiveOpType, toRead, toWrite, contextBuilder.build());
  } catch (final HiveAccessControlException denied) {
    throw denied; // denial is part of the caller's contract; pass it through untouched
  } catch (final Exception failure) {
    throw new DrillRuntimeException(
        "Failed to use the Hive authorization components: " + failure.getMessage(), failure);
  }
}
}
authorizer.createRole(roleDDLDesc.getName(), null); break; case DROP_ROLE: authorizer.dropRole(roleDDLDesc.getName()); break; case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roles = authorizer.getRoleGrantInfoForPrincipal( AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: List<String> allRoles = authorizer.getAllRoles(); writeListToFileAfterSort(allRoles, roleDDLDesc.getResFile()); break; case SHOW_CURRENT_ROLE: List<String> roleNames = authorizer.getCurrentRoleNames(); writeListToFileAfterSort(roleNames, roleDDLDesc.getResFile()); break; case SET_ROLE: authorizer.setCurrentRole(roleDDLDesc.getName()); break; case SHOW_ROLE_PRINCIPALS: testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List<HiveRoleGrant> roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName()); writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile()); break;
hiveConf, authenticator, authzContextBuilder.build()); authorizerV2.applyAuthorizationConfigPolicy(hiveConfCopy); } catch (final HiveException e) { throw new DrillRuntimeException("Failed to initialize Hive authorization components: " + e.getMessage(), e);
/**
 * Authorizes a command through the session's V2 authorizer, throwing if the check fails.
 *
 * <p>The command is wrapped as the single input privilege object; no output objects are
 * passed. The space-joined command string and the session's client and forwarded
 * addresses are recorded in the authorization context.
 *
 * @param ss session supplying the authorizer and client addresses
 * @param type the Hive operation being attempted
 * @param command command tokens
 * @throws HiveAuthzPluginException if the authorizer plugin fails
 * @throws HiveAccessControlException if the user lacks the privilege
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setUserIpAddress(ss.getUserIpAddress());
  context.setForwardedAddresses(ss.getForwardedAddresses());
  context.setCommandString(Joiner.on(' ').join(command));

  List<HivePrivilegeObject> inputs =
      Arrays.asList(HivePrivilegeObject.createHivePrivilegeObject(command));
  ss.getAuthorizerV2().checkPrivileges(type, inputs, null, context.build());
}
/**
 * Applies the V2 authorizer's configuration policy to {@code conf} exactly once.
 *
 * <p>The metastore filter hook is set to the authorization filter hook, the policy is
 * applied, the metastore client is initialised against the updated conf, and a marker is
 * written so a later call returns immediately.
 *
 * @throws HiveException if the metastore client cannot be initialised
 */
private void setAuthorizerV2Config() throws HiveException {
  final String applied = Boolean.TRUE.toString();
  if (applied.equals(conf.get(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, ""))) {
    return; // already processed for this conf
  }

  conf.setVar(ConfVars.METASTORE_FILTER_HOOK,
      "org.apache.hadoop.hive.ql.security.authorization.plugin.AuthorizationMetaStoreFilterHook");
  authorizerV2.applyAuthorizationConfigPolicy(conf);

  // Push the updated conf into the Hive thread-local and initialise the metastore client.
  try {
    Hive.get(conf).getMSC();
  } catch (Exception e) {
    // Catch-all: exec-time dependencies on session state could otherwise surface as a
    // ClassNotFoundException.
    throw new HiveException(e.getMessage(), e);
  }

  // Mark this conf as processed.
  conf.set(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, applied);
}
/**
 * Checks that the session user may run {@code command} as operation {@code type}.
 *
 * <p>Builds an authorization context carrying the joined command string plus the
 * session's client IP and forwarded addresses, then calls the V2 authorizer with the
 * command as the only input object and no output objects.
 *
 * @param ss the current session
 * @param type the Hive operation being attempted
 * @param command command tokens
 * @throws HiveAuthzPluginException if the authorizer plugin fails
 * @throws HiveAccessControlException if the check denies the command
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  HivePrivilegeObject commandObject = HivePrivilegeObject.createHivePrivilegeObject(command);
  String commandString = Joiner.on(' ').join(command);

  HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
  builder.setCommandString(commandString);
  builder.setUserIpAddress(ss.getUserIpAddress());
  builder.setForwardedAddresses(ss.getForwardedAddresses());
  HiveAuthzContext context = builder.build();

  ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObject), null, context);
}
hiveConf, authenticator, authzContextBuilder.build()); authorizerV2.applyAuthorizationConfigPolicy(hiveConfCopy); } catch (final HiveException e) { throw new RuntimeException("Failed to initialize Hive authorization components: " + e.getMessage(), e);
/**
 * Authorizes a metadata read ({@code opType}) on {@code inpObjs} for the current session.
 *
 * @param opType metadata operation being attempted
 * @param inpObjs input privilege objects; no output objects are passed
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException wrapping a plugin failure or an access denial
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setCommandString(cmdString);
  context.setUserIpAddress(session.getUserIpAddress());
  context.setForwardedAddresses(session.getForwardedAddresses());
  try {
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, context.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException e) {
    throw new HiveSQLException(e.getMessage(), e);
  }
}
/**
 * Runs the V2 authorization check for a compiled query.
 *
 * <p>{@code tab2cols} supplies column lists for the inputs and {@code updateTab2Cols} for
 * the outputs. They are kept separate because an INSERT ... SELECT would otherwise hand the
 * SELECT's columns to the output-side privilege objects.
 *
 * @param ss session supplying the authorizer and client addresses
 * @param op the Hive operation, mapped to a {@link HiveOperationType}
 * @param inputs read entities of the query
 * @param outputs write entities of the query
 * @param command command string recorded in the authorization context
 * @param tab2cols table name to accessed columns, used for inputs
 * @param updateTab2Cols table name to updated columns, used for outputs
 * @throws HiveException if the authorizer fails or denies the operation
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    List<ReadEntity> inputs, List<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  HiveOperationType opType = getHiveOperationType(op);
  List<HivePrivilegeObject> readObjs = getHivePrivObjects(inputs, tab2cols);
  List<HivePrivilegeObject> writeObjs = getHivePrivObjects(outputs, updateTab2Cols);

  HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setCommandString(command);
  context.setUserIpAddress(ss.getUserIpAddress());
  context.setForwardedAddresses(ss.getForwardedAddresses());

  ss.getAuthorizerV2().checkPrivileges(opType, readObjs, writeObjs, context.build());
}
/**
 * Runs the V2 authorization check for a compiled query.
 *
 * <p>Input privilege objects are built from {@code inputs} with {@code tab2cols}; output
 * objects from {@code outputs} with {@code updateTab2Cols}. The two column maps stay
 * separate so that an INSERT ... SELECT does not pass the SELECT's columns to the output
 * side.
 *
 * @param ss session supplying the authorizer and client addresses
 * @param op the Hive operation, mapped to a {@link HiveOperationType}
 * @param inputs read entities of the query
 * @param outputs write entities of the query
 * @param command command string recorded in the authorization context
 * @param tab2cols table name to accessed columns, used for inputs
 * @param updateTab2Cols table name to updated columns, used for outputs
 * @throws HiveException if the authorizer fails or denies the operation
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
  builder.setForwardedAddresses(ss.getForwardedAddresses());
  builder.setUserIpAddress(ss.getUserIpAddress());
  builder.setCommandString(command);
  HiveAuthzContext context = builder.build();

  HiveOperationType opType = getHiveOperationType(op);
  List<HivePrivilegeObject> readObjs = getHivePrivObjects(inputs, tab2cols);
  List<HivePrivilegeObject> writeObjs = getHivePrivObjects(outputs, updateTab2Cols);

  ss.getAuthorizerV2().checkPrivileges(opType, readObjs, writeObjs, context);
}
/**
 * Runs a V2 privilege check for {@code hiveOpType} on the given objects.
 *
 * <p>The client IP is not known in this context and is recorded as "Not available".
 *
 * @param hiveOpType operation being attempted
 * @param toRead input privilege objects
 * @param toWrite output privilege objects
 * @param cmd command string recorded in the authorization context
 * @throws HiveAccessControlException if the authorizer denies the operation
 * @throws RuntimeException if the authorizer fails for any other reason; an unchecked
 *     cause is propagated as-is, a checked one is wrapped
 */
private void authorize(final HiveOperationType hiveOpType,
    final List<HivePrivilegeObject> toRead, final List<HivePrivilegeObject> toWrite,
    final String cmd) throws HiveAccessControlException {
  try {
    final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(cmd);
    contextBuilder.setUserIpAddress("Not available");
    authorizerV2.checkPrivileges(hiveOpType, toRead, toWrite, contextBuilder.build());
  } catch (final HiveAccessControlException denied) {
    throw denied; // denial is part of the caller's contract; pass it through untouched
  } catch (final Exception failure) {
    Throwables.propagateIfPossible(failure);
    throw new RuntimeException(
        "Failed to use the Hive authorization components: " + failure.getMessage(), failure);
  }
}
}