private List<RolePrincipalGrant> getRoleGrants(String principalName, PrincipalType principalType) throws MetaException, TException, HiveAuthzPluginException { GetRoleGrantsForPrincipalRequest req = new GetRoleGrantsForPrincipalRequest(principalName, principalType); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); GetRoleGrantsForPrincipalResponse resp = metastoreClient.get_role_grants_for_principal(req); return resp.getPrincipalGrants(); }
private List<RolePrincipalGrant> getRoleGrants(String principalName, PrincipalType principalType) throws MetaException, TException, HiveAuthzPluginException { GetRoleGrantsForPrincipalRequest req = new GetRoleGrantsForPrincipalRequest(principalName, principalType); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); GetRoleGrantsForPrincipalResponse resp = metastoreClient.get_role_grants_for_principal(req); return resp.getPrincipalGrants(); }
@Override public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } try { return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e); } }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } String userName = authenticator.getUserName(); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<String>(); checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); }
@Override public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to list roles. " + ADMIN_ONLY_MSG); } try { return metastoreClientFactory.getHiveMetastoreClient().listRoleNames(); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error listing all roles", e); } }
@Override public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } try { return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e); } }
@Override public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can drop existing role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to drop role. " + ADMIN_ONLY_MSG); } try { metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error dropping role", e); } }
@Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can create new roles. if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to add roles. " + ADMIN_ONLY_MSG); } if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) { throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " + RESERVED_ROLE_NAMES); } try { String grantorName = adminGrantor == null ? null : adminGrantor.getName(); metastoreClientFactory.getHiveMetastoreClient().create_role( new Role(roleName, 0, grantorName)); } catch (TException e) { throw SQLAuthorizationUtils.getPluginException("Error create role", e); } }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } String userName = authenticator.getUserName(); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<String>(); checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); }
@Override public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can drop existing role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to drop role. " + ADMIN_ONLY_MSG); } try { metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error dropping role", e); } }
@Override public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to list roles. " + ADMIN_ONLY_MSG); } try { return metastoreClientFactory.getHiveMetastoreClient().listRoleNames(); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error listing all roles", e); } }
@Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can create new roles. if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to add roles. " + ADMIN_ONLY_MSG); } if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) { throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " + RESERVED_ROLE_NAMES); } try { String grantorName = adminGrantor == null ? null : adminGrantor.getName(); metastoreClientFactory.getHiveMetastoreClient().create_role( new Role(roleName, 0, grantorName)); } catch (TException e) { throw SQLAuthorizationUtils.getPluginException("Error create role", e); } }
@Override public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the revoke, and get the set of privileges to be revoked List<HiveObjectPrivilege> revokePrivs = RevokePrivAuthUtils .authorizeAndGetRevokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName()); try { // unfortunately, the metastore api revokes all privileges that match on // principal, privilege object type it does not filter on the grator // username. // So this will revoke privileges that are granted by other users.This is // not SQL compliant behavior. Need to change/add a metastore api // that has desired behavior. metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e); } }
@Override public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the revoke, and get the set of privileges to be revoked List<HiveObjectPrivilege> revokePrivs = RevokePrivAuthUtils .authorizeAndGetRevokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName()); try { // unfortunately, the metastore api revokes all privileges that match on // principal, privilege object type it does not filter on the grator // username. // So this will revoke privileges that are granted by other users.This is // not SQL compliant behavior. Need to change/add a metastore api // that has desired behavior. metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e); } }
@Override public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); try { metastoreClient.grant_privileges(privBag); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e); } }
@Override public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); try { metastoreClient.grant_privileges(privBag); } catch (Exception e) { throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e); } }
@Override public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); mClient.revoke_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption); } catch (Exception e) { String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role " + roleName; throw SQLAuthorizationUtils.getPluginException(msg, e); } } } }
@Override public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); mClient.revoke_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption); } catch (Exception e) { String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role " + roleName; throw SQLAuthorizationUtils.getPluginException(msg, e); } } } }
@Override public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); mClient.grant_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantorPrinc.getName(), AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()), grantOption); } catch (MetaException e) { throw SQLAuthorizationUtils.getPluginException("Error granting role", e); } catch (Exception e) { String msg = "Error granting roles for " + hivePrincipal.getName() + " to role " + roleName; throw SQLAuthorizationUtils.getPluginException(msg, e); } } } }
@Override public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); mClient.grant_role(roleName, hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantorPrinc.getName(), AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()), grantOption); } catch (MetaException e) { throw SQLAuthorizationUtils.getPluginException("Error granting role", e); } catch (Exception e) { String msg = "Error granting roles for " + hivePrincipal.getName() + " to role " + roleName; throw SQLAuthorizationUtils.getPluginException(msg, e); } } } }