/**
 * Creates the session context from the values currently held by this builder.
 *
 * @return a new {@code HiveAuthzSessionContext} constructed from this builder
 */
public HiveAuthzSessionContext build() {
  final HiveAuthzSessionContext sessionContext = new HiveAuthzSessionContext(this);
  return sessionContext;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Copy constructor: seeds this builder with the session string and the client type of an
 * existing context, so a caller can change one field and build a modified copy.
 *
 * @param other context to copy from; a {@code null} argument fails with a
 *     {@code NullPointerException} on the first getter call
 */
public Builder(HiveAuthzSessionContext other) {
  sessionString = other.getSessionString();
  clientType = other.getClientType();
}
/**
 * Applies the configuration policy of this access controller to a session configuration.
 *
 * <p>The table-owner grant list is written for every client type. The remaining settings are
 * applied only when the session's client type is HiveServer2 and authorization is enabled in
 * {@code hiveConf}: {@link DisallowTransformHook} is appended to the pre-execution hooks and
 * {@code SettableConfigUpdater.setHiveConfWhiteList} is invoked.
 *
 * @param hiveConf configuration that is modified in place
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
  // Common to Hive CLI and HiveServer2: the owner of a table gets all privileges on it. This is
  // also set for the CLI so that the owner has the same permissions through HiveServer2.
  // The call replaces whatever value the configuration held before.
  hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");

  // No authorization-related restrictions are added for the Hive CLI.
  final boolean isHiveServer2 = sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2;
  if (!isHiveServer2 || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    return;
  }

  // Transform queries are disallowed by registering DisallowTransformHook as a pre-exec hook.
  // The hook is appended without checking whether it is already listed, so applying the policy
  // twice to the same configuration lists it twice.
  final String configuredHooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
  final String transformGuard = DisallowTransformHook.class.getName();
  final String hooks =
      configuredHooks.isEmpty() ? transformGuard : configuredHooks + "," + transformGuard;
  LOG.debug("Configuring hooks : " + hooks);
  hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);

  // NOTE(review): the hook only protects the session while PREEXECHOOKS cannot be reset by the
  // user; presumably the whitelist installed here is what prevents that - confirm.
  SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
}
/**
 * Applies the HiveServer2 configuration policy, following
 * {@code SQLStdHiveAccessController.applyAuthorizationConfigPolicy()}.
 *
 * <p>Nothing is changed unless the session's client type is HiveServer2 and authorization is
 * enabled in {@code hiveConf}. In that case {@link DisallowTransformHook} is appended to the
 * pre-execution hooks, {@code SettableConfigUpdater.setHiveConfWhiteList} is invoked, and the
 * built-in UDF blacklist is extended with {@code in_file} if it still holds the exact value
 * {@code reflect,reflect2,java_method}.
 *
 * @param hiveConf configuration that is modified in place
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
  final boolean isHiveServer2 =
      sessionCtx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2;
  if (!isHiveServer2 || !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    return;
  }

  // Transform queries are disallowed by registering DisallowTransformHook as a pre-exec hook.
  // The hook is appended without checking whether it is already listed.
  final String configuredHooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim();
  final String transformGuard = DisallowTransformHook.class.getName();
  final String hooks =
      configuredHooks.isEmpty() ? transformGuard : configuredHooks + "," + transformGuard;
  LOG.debug("Configuring hooks : " + hooks);
  hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks);

  // NOTE(review): the hook only protects the session while PREEXECHOOKS cannot be reset by the
  // user; presumably the whitelist installed here is what prevents that - confirm.
  SettableConfigUpdater.setHiveConfWhiteList(hiveConf);

  // in_file is added only on an exact match (after trimming) with the three-entry list below.
  // Any other value - reordered entries, spaces between entries, or a list edited by an
  // administrator - is left as it is, so in_file is NOT added to it by this method.
  final String udfBlackList =
      hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
  final boolean holdsExpectedList =
      udfBlackList != null && udfBlackList.trim().equals("reflect,reflect2,java_method");
  if (holdsExpectedList) {
    hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST,
        "reflect,reflect2,java_method,in_file");
  }
}
/**
 * Copy constructor: seeds this builder with the session string and the client type of an
 * existing context, so a caller can change one field and build a modified copy.
 *
 * @param other context to copy from; a {@code null} argument fails with a
 *     {@code NullPointerException} on the first getter call
 */
public Builder(HiveAuthzSessionContext other) {
  sessionString = other.getSessionString();
  clientType = other.getClientType();
}
/**
 * Applies the configuration policy of this access controller to a session configuration.
 *
 * <p>The table-owner grant list is written for every client type. The remaining settings are
 * applied only when the session's client type is HiveServer2 and authorization is enabled in
 * {@code hiveConf}: {@link DisallowTransformHook} is appended to the pre-execution hooks and
 * {@code SettableConfigUpdater.setHiveConfWhiteList} is invoked.
 *
 * @param hiveConf configuration that is modified in place
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
  // Common to Hive CLI and HiveServer2: the owner of a table gets all privileges on it. This is
  // also set for the CLI so that the owner has the same permissions through HiveServer2.
  // The call replaces whatever value the configuration held before.
  hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");

  // No authorization-related restrictions are added for the Hive CLI.
  final boolean isHiveServer2 = sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2;
  if (!isHiveServer2 || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    return;
  }

  // Transform queries are disallowed by registering DisallowTransformHook as a pre-exec hook.
  // The hook is appended without checking whether it is already listed, so applying the policy
  // twice to the same configuration lists it twice.
  final String configuredHooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
  final String transformGuard = DisallowTransformHook.class.getName();
  final String hooks =
      configuredHooks.isEmpty() ? transformGuard : configuredHooks + "," + transformGuard;
  LOG.debug("Configuring hooks : " + hooks);
  hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);

  // NOTE(review): the hook only protects the session while PREEXECHOOKS cannot be reset by the
  // user; presumably the whitelist installed here is what prevents that - confirm.
  SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
}
/**
 * Creates the session context from the values currently held by this builder.
 *
 * @return a new {@code HiveAuthzSessionContext} constructed from this builder
 */
public HiveAuthzSessionContext build() {
  final HiveAuthzSessionContext sessionContext = new HiveAuthzSessionContext(this);
  return sessionContext;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Copy constructor: seeds this builder with the session string and the client type of an
 * existing context, so a caller can change one field and build a modified copy.
 *
 * @param other context to copy from; a {@code null} argument fails with a
 *     {@code NullPointerException} on the first getter call
 */
public Builder(HiveAuthzSessionContext other) {
  sessionString = other.getSessionString();
  clientType = other.getClientType();
}
/**
 * Adjusts the session context according to a test-only configuration flag, to aid in testing
 * SQL standard authorization.
 *
 * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the context reports the
 * Hive CLI as client type, a copy of the context with client type HiveServer2 is returned.
 * In every other case the given context is returned unchanged.
 *
 * @param ctx session context as created for the current client
 * @param conf configuration that carries the test flag
 * @return {@code ctx} itself, or a copy whose client type is HiveServer2
 */
static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
  if (!conf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)) {
    return ctx;
  }
  if (ctx.getClientType() != HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {
    return ctx;
  }
  // The input context is left untouched; the HS2 variant is built from a copy.
  // NOTE(review): the client type reported by the session is overridden by a configuration
  // value here - confirm that this flag cannot be set outside of test runs.
  HiveAuthzSessionContext.Builder hs2Builder = new HiveAuthzSessionContext.Builder(ctx);
  hs2Builder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2);
  return hs2Builder.build();
}
/**
 * Creates the session context from the values currently held by this builder.
 *
 * @return a new {@code HiveAuthzSessionContext} constructed from this builder
 */
public HiveAuthzSessionContext build() {
  final HiveAuthzSessionContext sessionContext = new HiveAuthzSessionContext(this);
  return sessionContext;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Adjusts the session context according to a test-only configuration flag, to aid in testing
 * SQL standard authorization.
 *
 * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the context reports the
 * Hive CLI as client type, a copy of the context with client type HiveServer2 is returned.
 * In every other case the given context is returned unchanged.
 *
 * @param ctx session context as created for the current client
 * @param conf configuration that carries the test flag
 * @return {@code ctx} itself, or a copy whose client type is HiveServer2
 */
static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
  if (!conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)) {
    return ctx;
  }
  if (ctx.getClientType() != CLIENT_TYPE.HIVECLI) {
    return ctx;
  }
  // The input context is left untouched; the HS2 variant is built from a copy.
  // NOTE(review): the client type reported by the session is overridden by a configuration
  // value here - confirm that this flag cannot be set outside of test runs.
  HiveAuthzSessionContext.Builder hs2Builder = new HiveAuthzSessionContext.Builder(ctx);
  hs2Builder.setClientType(CLIENT_TYPE.HIVESERVER2);
  return hs2Builder.build();
}
/**
 * Adjusts the session context according to a test-only configuration flag, to aid in testing
 * SQL standard authorization.
 *
 * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the context reports the
 * Hive CLI as client type, a copy of the context with client type HiveServer2 is returned.
 * In every other case the given context is returned unchanged.
 *
 * @param ctx session context as created for the current client
 * @param conf configuration that carries the test flag
 * @return {@code ctx} itself, or a copy whose client type is HiveServer2
 */
static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
  if (!conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)) {
    return ctx;
  }
  if (ctx.getClientType() != CLIENT_TYPE.HIVECLI) {
    return ctx;
  }
  // The input context is left untouched; the HS2 variant is built from a copy.
  // NOTE(review): the client type reported by the session is overridden by a configuration
  // value here - confirm that this flag cannot be set outside of test runs.
  HiveAuthzSessionContext.Builder hs2Builder = new HiveAuthzSessionContext.Builder(ctx);
  hs2Builder.setClientType(CLIENT_TYPE.HIVESERVER2);
  return hs2Builder.build();
}
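/**
 * Rejects a configuration that enables authorization while the session comes from the Hive CLI.
 *
 * <p>The check reads the client type from the {@code ctx} field and the
 * {@code HIVE_AUTHORIZATION_ENABLED} flag from {@code conf}; it changes neither.
 *
 * @param conf configuration to inspect
 * @throws HiveAuthzPluginException if the client type is HIVECLI and authorization is enabled
 */
private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException {
  // NOTE(review): presumably the CLI is rejected because checks made inside a CLI process
  // cannot be enforced on its user; the message points to storage based authorization in the
  // metastore instead - confirm.
  if (ctx.getClientType() == CLIENT_TYPE.HIVECLI
      && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    // Message fix: the first two fragments used to run together ("hive cliInstead") and
    // "recommended" was misspelled. Output files that match the old text need a refresh.
    throw new HiveAuthzPluginException(
        "SQL standards based authorization should not be enabled from hive cli. "
            + "Instead the use of storage based authorization in hive metastore is recommended. Set "
            + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname
            + "=false to disable authz within cli");
  }
}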
/**
 * Applies the configuration policy of this access controller to a session configuration.
 *
 * <p>The table-owner grant list is written for every client type. The remaining settings are
 * applied only when the session's client type is HiveServer2 and authorization is enabled in
 * {@code hiveConf}: {@link DisallowTransformHook} is appended to the pre-execution hooks and
 * {@code SettableConfigUpdater.setHiveConfWhiteList} is invoked.
 *
 * @param hiveConf configuration that is modified in place
 * @throws HiveAuthzPluginException declared by the overridden method
 */
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
  // Common to Hive CLI and HiveServer2: the owner of a table gets all privileges on it. This is
  // also set for the CLI so that the owner has the same permissions through HiveServer2.
  // The call replaces whatever value the configuration held before.
  hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");

  // No authorization-related restrictions are added for the Hive CLI.
  final boolean isHiveServer2 = sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2;
  if (!isHiveServer2 || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
    return;
  }

  // Transform queries are disallowed by registering DisallowTransformHook as a pre-exec hook.
  // The hook is appended without checking whether it is already listed, so applying the policy
  // twice to the same configuration lists it twice.
  final String configuredHooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
  final String transformGuard = DisallowTransformHook.class.getName();
  final String hooks =
      configuredHooks.isEmpty() ? transformGuard : configuredHooks + "," + transformGuard;
  LOG.debug("Configuring hooks : " + hooks);
  hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);

  // NOTE(review): the hook only protects the session while PREEXECHOOKS cannot be reset by the
  // user; presumably the whitelist installed here is what prevents that - confirm.
  SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
}
/**
 * Adjusts the session context according to a test-only configuration flag, to aid in testing
 * SQL standard authorization.
 *
 * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the context reports the
 * Hive CLI as client type, a copy of the context with client type HiveServer2 is returned.
 * In every other case the given context is returned unchanged.
 *
 * @param ctx session context as created for the current client
 * @param conf configuration that carries the test flag
 * @return {@code ctx} itself, or a copy whose client type is HiveServer2
 */
static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
  if (!conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)) {
    return ctx;
  }
  if (ctx.getClientType() != CLIENT_TYPE.HIVECLI) {
    return ctx;
  }
  // The input context is left untouched; the HS2 variant is built from a copy.
  // NOTE(review): the client type reported by the session is overridden by a configuration
  // value here - confirm that this flag cannot be set outside of test runs.
  HiveAuthzSessionContext.Builder hs2Builder = new HiveAuthzSessionContext.Builder(ctx);
  hs2Builder.setClientType(CLIENT_TYPE.HIVESERVER2);
  return hs2Builder.build();
}