/**
 * Passes a list of privilege objects through the session authorizer's list filter.
 *
 * <p>The authorization context carries the session's client IP address and its
 * forwarded-address list; no command string is set on it. Both authorizer exception
 * types end in a thrown {@link MetaException}, so a failing authorizer never results
 * in the unfiltered list being returned.
 *
 * @param listObjs objects to hand to the authorizer for filtering
 * @return the result of {@code filterListCmdObjects} for {@code listObjs}
 * @throws MetaException if the authorizer throws; only the original message is carried
 *     over, the full exception goes to the log
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  final SessionState session = SessionState.get();
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  ctx.setUserIpAddress(session.getUserIpAddress());
  ctx.setForwardedAddresses(session.getForwardedAddresses());
  try {
    return session.getAuthorizerV2().filterListCmdObjects(listObjs, ctx.build());
  } catch (HiveAuthzPluginException pluginFailure) {
    LOG.error("Authorization error", pluginFailure);
    throw new MetaException(pluginFailure.getMessage());
  } catch (HiveAccessControlException denied) {
    // A filter call is not expected to raise an access-control error: the
    // implementation should simply have filtered everything out, and a
    // checkPrivileges call would already have authorized this action.
    LOG.error("AccessControlException", denied);
    throw new MetaException(denied.getMessage());
  }
}
/**
 * Authorizes a command through the session's authorizer; an exception is thrown if
 * the check fails.
 *
 * <p>The command string placed in the authorization context is rebuilt by joining the
 * tokens of {@code command} with single spaces, so it is a reconstruction of the
 * command rather than the text as originally entered.
 *
 * @param ss session supplying the authorizer, the client IP address and the
 *     forwarded addresses
 * @param type operation type to check
 * @param command command tokens; also used to create the privilege object that is
 *     passed as the only input object
 * @throws HiveAuthzPluginException propagated from the authorizer
 * @throws HiveAccessControlException propagated from the authorizer
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  final HivePrivilegeObject target = HivePrivilegeObject.createHivePrivilegeObject(command);
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  final String joinedCommand = Joiner.on(' ').join(command);
  ctx.setCommandString(joinedCommand);
  ctx.setUserIpAddress(ss.getUserIpAddress());
  ctx.setForwardedAddresses(ss.getForwardedAddresses());
  // No output objects are supplied for a command check (third argument is null).
  ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(target), null, ctx.build());
}
/**
 * Authorizes a command through the session's authorizer; an exception is thrown if
 * the check fails.
 *
 * <p>The context's command string is the tokens of {@code command} joined with single
 * spaces. Only the session's client IP address is added to the context.
 *
 * @param ss session supplying the authorizer and the client IP address
 * @param type operation type to check
 * @param command command tokens; also used to create the single input privilege object
 * @throws HiveAuthzPluginException propagated from the authorizer
 * @throws HiveAccessControlException propagated from the authorizer
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  final HivePrivilegeObject target = HivePrivilegeObject.createHivePrivilegeObject(command);
  final HiveAuthzContext.Builder context = new HiveAuthzContext.Builder();
  context.setCommandString(Joiner.on(' ').join(command));
  // NOTE(review): no forwarded-address list is set on the context here; if clients
  // can connect through a proxy, confirm the authorizer does not need it.
  context.setUserIpAddress(ss.getUserIpAddress());
  ss.getAuthorizerV2().checkPrivileges(
      type,
      Arrays.asList(target),
      null, // no output objects for a command check
      context.build());
}
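/**
 * Passes a list of privilege objects through the session authorizer's list filter.
 *
 * <p>The authorization context carries only the session's client IP address. Both
 * authorizer exception types end in a thrown {@link MetaException}, so a failing
 * authorizer never results in the unfiltered list being returned.
 *
 * @param listObjs objects to hand to the authorizer for filtering
 * @return the result of {@code filterListCmdObjects} for {@code listObjs}
 * @throws MetaException if the authorizer throws; only the original message is carried
 *     over, the full exception (with stack trace) goes to the log
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState ss = SessionState.get();
  HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): no forwarded-address list is set on the context here; if clients
  // can connect through a proxy, confirm the authorizer does not need it.
  authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
  try {
    return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build());
  } catch (HiveAuthzPluginException e) {
    // Pass the exception as the throwable argument: a single-argument LOG.error(e)
    // treats it as the message, which loses the stack trace in the log record.
    LOG.error("Authorization error", e);
    throw new MetaException(e.getMessage());
  } catch (HiveAccessControlException e) {
    // authorization error is not really expected in a filter call
    // the impl should have just filtered out everything. A checkPrivileges call
    // would have already been made to authorize this action
    LOG.error("AccessControlException", e);
    throw new MetaException(e.getMessage());
  }
}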
/**
 * Runs a V2 privilege check for one operation over its read and write entities.
 *
 * <p>The authorization context carries the session's client IP address and the
 * command string.
 *
 * @param ss session supplying the authorizer and the client IP address
 * @param op operation being authorized; mapped through {@code getHiveOperationType}
 * @param inputs entities read by the operation
 * @param outputs entities written by the operation
 * @param command command string recorded in the authorization context
 * @param tab2cols column map used when converting {@code inputs}
 * @param updateTab2Cols column map used when converting {@code outputs}
 * @throws HiveException declared by this method; the body does not catch anything
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  // updateTab2Cols is kept separate from tab2cols on purpose: handing tab2cols to
  // getHivePrivObjects for the outputs would trip up insert/selects, because the
  // insert would then be given the columns of the select.
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  // NOTE(review): no forwarded-address list is set on the context here; if clients
  // can connect through a proxy, confirm the authorizer does not need it.
  ctx.setUserIpAddress(ss.getUserIpAddress());
  ctx.setCommandString(command);

  final HiveOperationType opType = getHiveOperationType(op);
  final List<HivePrivilegeObject> readObjs = getHivePrivObjects(inputs, tab2cols);
  final List<HivePrivilegeObject> writeObjs = getHivePrivObjects(outputs, updateTab2Cols);
  ss.getAuthorizerV2().checkPrivileges(opType, readObjs, writeObjs, ctx.build());
}
/**
 * Runs a privilege check for one operation against {@code authorizerV2}.
 *
 * @param hiveOpType operation type to check
 * @param toRead objects the operation reads
 * @param toWrite objects the operation writes
 * @param cmd command string recorded in the authorization context
 * @throws HiveAccessControlException rethrown unchanged when the authorizer raises it;
 *     any other exception is propagated as-is where {@code Throwables} allows it and
 *     is otherwise wrapped in a {@link RuntimeException}
 */
private void authorize(final HiveOperationType hiveOpType,
    final List<HivePrivilegeObject> toRead, final List<HivePrivilegeObject> toWrite,
    final String cmd) throws HiveAccessControlException {
  try {
    final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
    // NOTE(review): the context's IP field is filled with a fixed placeholder string,
    // not an address. An authorizer or audit log that reads this field gets no client
    // address from this path; confirm nothing downstream parses it as an IP.
    ctx.setUserIpAddress("Not available");
    ctx.setCommandString(cmd);
    authorizerV2.checkPrivileges(hiveOpType, toRead, toWrite, ctx.build());
  } catch (final HiveAccessControlException denied) {
    throw denied;
  } catch (final Exception failure) {
    Throwables.propagateIfPossible(failure);
    throw new RuntimeException(
        "Failed to use the Hive authorization components: " + failure.getMessage(), failure);
  }
}
// Closing brace of the enclosing class, whose header is not part of this excerpt.
}
/**
 * Checks privileges for a metadata read through the session's authorizer.
 *
 * <p>{@code inpObjs} is passed as the input objects and {@code null} as the third
 * (output objects) argument of {@code checkPrivileges}.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException wrapping either authorizer exception, with the same message
 *     and the original exception as cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState session = SessionState.get();
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  // NOTE(review): no forwarded-address list is set on the context here; if clients
  // can connect through a proxy, confirm the authorizer does not need it.
  ctx.setUserIpAddress(session.getUserIpAddress());
  ctx.setCommandString(cmdString);
  try {
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, ctx.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException authzFailure) {
    throw new HiveSQLException(authzFailure.getMessage(), authzFailure);
  }
}
/**
 * Authorizes a metadata "get" operation against the current session's authorizer.
 *
 * <p>The context holds the session's client IP address and the command string. The
 * check is made with {@code inpObjs} as inputs and {@code null} as the third (output
 * objects) argument.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException if the authorizer throws; the original exception is kept
 *     as the cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState currentSession = SessionState.get();
  final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): only the direct client IP goes into the context; forwarded
  // addresses are not set here. Confirm that is sufficient for proxied connections.
  contextBuilder.setUserIpAddress(currentSession.getUserIpAddress());
  contextBuilder.setCommandString(cmdString);
  try {
    currentSession.getAuthorizerV2()
        .checkPrivileges(opType, inpObjs, null, contextBuilder.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException cause) {
    throw new HiveSQLException(cause.getMessage(), cause);
  }
}
/**
 * Checks privileges for a metadata read through the session's authorizer.
 *
 * <p>{@code inpObjs} is passed as the input objects and {@code null} as the third
 * (output objects) argument of {@code checkPrivileges}.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException wrapping either authorizer exception, with the same message
 *     and the original exception as cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState session = SessionState.get();
  final HiveAuthzContext.Builder authzCtx = new HiveAuthzContext.Builder();
  // NOTE(review): no forwarded-address list is set on the context here; if clients
  // can connect through a proxy, confirm the authorizer does not need it.
  authzCtx.setUserIpAddress(session.getUserIpAddress());
  authzCtx.setCommandString(cmdString);
  try {
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, authzCtx.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException rejected) {
    throw new HiveSQLException(rejected.getMessage(), rejected);
  }
}
/**
 * Authorizes a metadata "get" operation against the current session's authorizer.
 *
 * <p>The context holds the session's client IP address and the command string. The
 * check is made with {@code inpObjs} as inputs and {@code null} as the third (output
 * objects) argument.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException if the authorizer throws; the original exception is kept
 *     as the cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState sessionState = SessionState.get();
  final HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
  // NOTE(review): only the direct client IP goes into the context; forwarded
  // addresses are not set here. Confirm that is sufficient for proxied connections.
  builder.setUserIpAddress(sessionState.getUserIpAddress());
  builder.setCommandString(cmdString);
  try {
    sessionState.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, builder.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException authzError) {
    throw new HiveSQLException(authzError.getMessage(), authzError);
  }
}
/**
 * Checks privileges for a metadata read through the session's authorizer.
 *
 * <p>The authorization context carries the session's client IP address, its
 * forwarded-address list and the command string. {@code inpObjs} is passed as the
 * input objects and {@code null} as the third (output objects) argument.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException wrapping either authorizer exception, with the same message
 *     and the original exception as cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState session = SessionState.get();
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  ctx.setUserIpAddress(session.getUserIpAddress());
  ctx.setForwardedAddresses(session.getForwardedAddresses());
  ctx.setCommandString(cmdString);
  try {
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, ctx.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException authzFailure) {
    throw new HiveSQLException(authzFailure.getMessage(), authzFailure);
  }
}
/**
 * Prepares table masking for one analysis run.
 *
 * <p>The query context is built from the analyzer's command string plus the session's
 * client IP address and forwarded addresses. {@code enable} is set to {@code true},
 * and the unparse translator created and enabled, only when an authorizer is present,
 * {@code needTransform()} returns true and {@code skipTableMasking} is false. In
 * particular, a session without an authorizer leaves this constructor without
 * switching masking on.
 *
 * @param analyzer analyzer whose context supplies the command string
 * @param conf configuration stored on this instance and given to the translator
 * @param skipTableMasking when true, masking is not switched on
 * @throws SemanticException wrapping any exception raised during initialization
 */
public TableMask(SemanticAnalyzer analyzer, HiveConf conf, boolean skipTableMasking)
    throws SemanticException {
  try {
    final SessionState session = SessionState.get();
    authorizer = session.getAuthorizerV2();
    this.conf = conf;

    final String command = analyzer.ctx.getCmd();
    final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
    ctx.setCommandString(command);
    ctx.setUserIpAddress(session.getUserIpAddress());
    ctx.setForwardedAddresses(session.getForwardedAddresses());
    queryContext = ctx.build();

    // Evaluation order matters: needTransform() is only consulted once an
    // authorizer is known to exist.
    final boolean maskingWanted = authorizer != null && needTransform() && !skipTableMasking;
    if (maskingWanted) {
      enable = true;
      translator = new UnparseTranslator(conf);
      translator.enable();
    }
  } catch (Exception initFailure) {
    // The log line carries no detail; the exception itself travels as the cause.
    LOG.warn("Failed to initialize masking policy");
    throw new SemanticException(initFailure);
  }
}
/**
 * Prepares table masking for one analysis run.
 *
 * <p>The query context is built from the analyzer's command string plus the session's
 * client IP address and forwarded addresses. Masking is switched on ({@code enable}
 * set, translator created and enabled) only if an authorizer is present,
 * {@code needTransform()} returns true and {@code skipTableMasking} is false; with no
 * authorizer the constructor returns without switching masking on.
 *
 * @param analyzer analyzer whose context supplies the command string
 * @param conf configuration stored on this instance and given to the translator
 * @param skipTableMasking when true, masking is not switched on
 * @throws SemanticException wrapping any exception raised during initialization
 */
public TableMask(SemanticAnalyzer analyzer, HiveConf conf, boolean skipTableMasking)
    throws SemanticException {
  try {
    final SessionState sessionState = SessionState.get();
    authorizer = sessionState.getAuthorizerV2();
    this.conf = conf;

    final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(analyzer.ctx.getCmd());
    contextBuilder.setUserIpAddress(sessionState.getUserIpAddress());
    contextBuilder.setForwardedAddresses(sessionState.getForwardedAddresses());
    queryContext = contextBuilder.build();

    // Same short-circuit order as a chained &&: needTransform() is not called when
    // there is no authorizer.
    if (authorizer == null || !needTransform() || skipTableMasking) {
      return;
    }
    enable = true;
    translator = new UnparseTranslator(conf);
    translator.enable();
  } catch (Exception initFailure) {
    // The log line carries no detail; the exception itself travels as the cause.
    LOG.warn("Failed to initialize masking policy");
    throw new SemanticException(initFailure);
  }
}
/**
 * Filters a list of privilege objects through the current session's authorizer.
 *
 * <p>The context passed to the authorizer holds the session's client IP address and
 * forwarded addresses. If the authorizer throws, this method throws as well instead
 * of falling back to the unfiltered list.
 *
 * @param listObjs objects to hand to the authorizer for filtering
 * @return the result of {@code filterListCmdObjects} for {@code listObjs}
 * @throws MetaException carrying the message of the authorizer's exception; the
 *     exception itself is logged, not attached
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  final SessionState currentSession = SessionState.get();
  final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(currentSession.getUserIpAddress());
  contextBuilder.setForwardedAddresses(currentSession.getForwardedAddresses());
  try {
    return currentSession.getAuthorizerV2()
        .filterListCmdObjects(listObjs, contextBuilder.build());
  } catch (HiveAuthzPluginException pluginError) {
    LOG.error("Authorization error", pluginError);
    throw new MetaException(pluginError.getMessage());
  } catch (HiveAccessControlException accessError) {
    // Not really expected from a filter call: the implementation should just have
    // filtered out everything, and a checkPrivileges call would already have been
    // made to authorize this action.
    LOG.error("AccessControlException", accessError);
    throw new MetaException(accessError.getMessage());
  }
}
/**
 * Runs a privilege check for one operation against {@code authorizerV2}.
 *
 * @param hiveOpType operation type to check
 * @param toRead objects the operation reads
 * @param toWrite objects the operation writes
 * @param cmd command string recorded in the authorization context
 * @throws HiveAccessControlException rethrown unchanged when the authorizer raises it;
 *     every other exception is wrapped in a {@code DrillRuntimeException}
 */
private void authorize(final HiveOperationType hiveOpType,
    final List<HivePrivilegeObject> toRead, final List<HivePrivilegeObject> toWrite,
    final String cmd) throws HiveAccessControlException {
  try {
    final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
    // NOTE(review): the context's IP field is filled with a fixed placeholder string,
    // not an address. An authorizer or audit log that reads this field gets no client
    // address from this path; confirm nothing downstream parses it as an IP.
    ctx.setUserIpAddress("Not available");
    ctx.setCommandString(cmd);
    authorizerV2.checkPrivileges(hiveOpType, toRead, toWrite, ctx.build());
  } catch (final HiveAccessControlException denied) {
    throw denied;
  } catch (final Exception failure) {
    throw new DrillRuntimeException(
        "Failed to use the Hive authorization components: " + failure.getMessage(), failure);
  }
}
// Closing brace of the enclosing class, whose header is not part of this excerpt.
}
/**
 * Runs a V2 privilege check for one operation over its read and write entities.
 *
 * <p>The authorization context carries the session's client IP address, its
 * forwarded-address list and the command string.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param op operation being authorized; mapped through {@code getHiveOperationType}
 * @param inputs entities read by the operation
 * @param outputs entities written by the operation
 * @param command command string recorded in the authorization context
 * @param tab2cols column map used when converting {@code inputs}
 * @param updateTab2Cols column map used when converting {@code outputs}
 * @throws HiveException declared by this method; the body does not catch anything
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    Set<ReadEntity> inputs, Set<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  // updateTab2Cols is kept separate from tab2cols on purpose: handing tab2cols to
  // getHivePrivObjects for the outputs would trip up insert/selects, because the
  // insert would then be given the columns of the select.
  final HiveAuthzContext.Builder ctx = new HiveAuthzContext.Builder();
  ctx.setUserIpAddress(ss.getUserIpAddress());
  ctx.setForwardedAddresses(ss.getForwardedAddresses());
  ctx.setCommandString(command);

  final HiveOperationType opType = getHiveOperationType(op);
  final List<HivePrivilegeObject> readObjs = getHivePrivObjects(inputs, tab2cols);
  final List<HivePrivilegeObject> writeObjs = getHivePrivObjects(outputs, updateTab2Cols);
  ss.getAuthorizerV2().checkPrivileges(opType, readObjs, writeObjs, ctx.build());
}
/**
 * Authorizes a command via the authorizer of the given session, throwing if the check
 * fails.
 *
 * <p>The command string stored in the authorization context is the tokens of
 * {@code command} joined with single spaces, i.e. a reconstruction rather than the
 * command text as entered. The context also carries the session's client IP address
 * and forwarded addresses.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param type operation type to check
 * @param command command tokens; also used to create the single input privilege object
 * @throws HiveAuthzPluginException propagated from the authorizer
 * @throws HiveAccessControlException propagated from the authorizer
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  final HivePrivilegeObject commandTarget =
      HivePrivilegeObject.createHivePrivilegeObject(command);
  final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  final String commandText = Joiner.on(' ').join(command);
  contextBuilder.setCommandString(commandText);
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  ss.getAuthorizerV2().checkPrivileges(
      type,
      Arrays.asList(commandTarget),
      null, // no output objects for a command check
      contextBuilder.build());
}
/**
 * Runs a V2 privilege check for one operation over its read and write entities.
 *
 * <p>The authorization context carries the session's client IP address, its
 * forwarded-address list and the command string.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param op operation being authorized; mapped through {@code getHiveOperationType}
 * @param inputs entities read by the operation
 * @param outputs entities written by the operation
 * @param command command string recorded in the authorization context
 * @param tab2cols column map used when converting {@code inputs}
 * @param updateTab2Cols column map used when converting {@code outputs}
 * @throws HiveException declared by this method; the body does not catch anything
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    List<ReadEntity> inputs, List<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  // Outputs get their own column map: reusing tab2cols for them would trip up
  // insert/selects, since the insert would be passed the columns from the select.
  final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  contextBuilder.setCommandString(command);

  final HiveOperationType operationType = getHiveOperationType(op);
  final List<HivePrivilegeObject> inputObjects = getHivePrivObjects(inputs, tab2cols);
  final List<HivePrivilegeObject> outputObjects = getHivePrivObjects(outputs, updateTab2Cols);
  ss.getAuthorizerV2()
      .checkPrivileges(operationType, inputObjects, outputObjects, contextBuilder.build());
}
/**
 * Authorizes a metadata "get" operation against the current session's authorizer.
 *
 * <p>The context holds the session's client IP address, its forwarded addresses and
 * the command string. The check is made with {@code inpObjs} as inputs and
 * {@code null} as the third (output objects) argument.
 *
 * @param opType operation type to check
 * @param inpObjs objects the metadata call reads
 * @param cmdString command string recorded in the authorization context
 * @throws HiveSQLException if the authorizer throws; the original exception is kept
 *     as the cause
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  final SessionState currentSession = SessionState.get();
  final HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(currentSession.getUserIpAddress());
  contextBuilder.setForwardedAddresses(currentSession.getForwardedAddresses());
  contextBuilder.setCommandString(cmdString);
  try {
    currentSession.getAuthorizerV2()
        .checkPrivileges(opType, inpObjs, null, contextBuilder.build());
  } catch (HiveAuthzPluginException | HiveAccessControlException cause) {
    throw new HiveSQLException(cause.getMessage(), cause);
  }
}
/**
 * Reports whether the current session passes a {@code KILL_QUERY} privilege check.
 *
 * <p>The check is made with empty input and output object lists and an authorization
 * context on which nothing has been set, so the authorizer receives no client IP
 * address or command string from this call. The method fails closed: it returns
 * {@code false} when the session has no V2 authorizer and when the check throws any
 * exception.
 *
 * @return {@code true} only if an authorizer exists and {@code checkPrivileges}
 *     completes without throwing
 */
private static boolean isAdmin() {
  final SessionState session = SessionState.get();
  if (session.getAuthorizerV2() == null) {
    return false;
  }
  try {
    session.getAuthorizerV2().checkPrivileges(
        HiveOperationType.KILL_QUERY,
        new ArrayList<HivePrivilegeObject>(),
        new ArrayList<HivePrivilegeObject>(),
        new HiveAuthzContext.Builder().build());
    return true;
  } catch (Exception ignored) {
    // Deliberately swallowed: every failure, whatever its type, is treated as
    // "not admin". Nothing is logged, so a denial and an authorizer malfunction
    // cannot be told apart from this method's result.
    return false;
  }
}