@VisibleForTesting protected static boolean impliesURI(String privilege, String request) { return PathUtils.impliesURI(privilege, request); }
public static String parseDFSURI(String warehouseDir, String uri) throws URISyntaxException { return parseURI(warehouseDir, uri, false); }
/** * URI is a a special case. For URI's, /a implies /a/b. * Therefore the test is "/a/b".startsWith("/a"); */ public static boolean impliesURI(URI privilegeURI, URI requestURI) throws URISyntaxException { if (privilegeURI.getPath() == null || requestURI.getPath() == null) { return false; } // ensure that either both schemes are null or equal if (privilegeURI.getScheme() == null && requestURI.getScheme() != null) { return false; } if (privilegeURI.getScheme() != null && !privilegeURI.getScheme().equals(requestURI.getScheme())) { return false; } // request path does not contain relative parts /a/../b && // request path starts with privilege path && // authorities (nullable) are equal String requestPath = ensureEndsWithSeparator(requestURI.getPath()).replace("//", "/"); String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath()).replace("//", "/"); if (requestURI.getPath().equals(requestURI.normalize().getPath()) && requestPath.startsWith(privilegePath) && Strings.nullToEmpty(privilegeURI.getAuthority()).equals( Strings.nullToEmpty(requestURI.getAuthority()))) { return true; } return false; }
HiveConf conf = SessionState.get().getConf(); String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE); URI scratchURI = new URI(PathUtils.parseDFSURI(warehouseDir, conf.getVar(HiveConf.ConfVars.SCRATCHDIR))); URI requestURI = new URI(PathUtils.parseDFSURI(warehouseDir, writeEntity.getLocation().getPath())); LOG.debug("scratchURI = " + scratchURI + ", requestURI = " + requestURI); if (PathUtils.impliesURI(scratchURI, requestURI)) { return true; URI localScratchURI = new URI(PathUtils.parseLocalURI(conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR))); URI localRequestURI = new URI(PathUtils.parseLocalURI(writeEntity.getLocation().getPath())); LOG.debug("localScratchURI = " + localScratchURI + ", localRequestURI = " + localRequestURI); if (PathUtils.impliesURI(localScratchURI, localRequestURI)) { return true;
public HierarcyBuilder addUriToOutput(Server server, String uriPath, String warehouseDirPath) throws MetaException { List<DBModelAuthorizable> uriHierarchy = new ArrayList<DBModelAuthorizable>(); addServerToOutput(server); uriHierarchy.add(server); try { uriHierarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDirPath, uriPath))); } catch (URISyntaxException e) { throw new MetaException("Error paring the URI " + e.getMessage()); } authHierarchy.add(uriHierarchy); return this; }
/** * Split path into components on the "/" character. * The path should not start with "/". * This is consumed by Thrift interface, so the return result should be * {@code List<String>} * * @param path input oath e.g. {@code foo/bar} * @return list of components, e.g. [foo, bar] */ private static List<String> splitPath(String path) { return Lists.newArrayList(PathUtils.splitPath(path)); }
private List<Authorizable> toAuthorizable(SentryHivePrivilegeObjectDesc privSubjectDesc) throws HiveException{ List<Authorizable> authorizableHeirarchy = new ArrayList<Authorizable>(); authorizableHeirarchy.add(new Server(server)); String dbName = null; if (privSubjectDesc.getTable()) { DatabaseTable dbTable = parseDBTable(privSubjectDesc.getObject()); dbName = dbTable.getDatabase(); String tableName = dbTable.getTable(); authorizableHeirarchy.add(new Table(tableName)); authorizableHeirarchy.add(new Database(dbName)); } else if (privSubjectDesc.getUri()) { String uriPath = privSubjectDesc.getObject(); String warehouseDir = conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE); try { authorizableHeirarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDir, uriPath))); } catch(URISyntaxException e) { throw new HiveException(e.getMessage()); } } else { dbName = privSubjectDesc.getObject(); authorizableHeirarchy.add(new Database(dbName)); } return authorizableHeirarchy; }
String[] pathComponents = PathUtils.splitPath(path); List<String> paths = new ArrayList<>(pathComponents.length); Collections.addAll(paths, pathComponents);
private boolean impliesResource(ImplyMethodType implyMethodType, String policyValue, String requestValue) { // wildcard support, "*", "+", "all"("+" and "all" are for backward compatibility) are represented as wildcard // if requestValue is wildcard, means privilege request is to match with any value of given resource if (SentryConstants.RESOURCE_WILDCARD_VALUE.equals(policyValue) || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(requestValue) || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equalsIgnoreCase(policyValue) || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equalsIgnoreCase(requestValue) || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(requestValue)) { return true; } // compare as the url if (ImplyMethodType.URL == implyMethodType) { return PathUtils.impliesURI(policyValue, requestValue); } else if (ImplyMethodType.STRING_CASE_SENSITIVE == implyMethodType) { // compare as the string case sensitive return policyValue.equals(requestValue); } // default: compare as the string case insensitive return policyValue.equalsIgnoreCase(requestValue); }
@VisibleForTesting protected static AccessURI parseURI(String uri, boolean isLocal) throws SemanticException { try { HiveConf conf = SessionState.get().getConf(); String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE); Path warehousePath = new Path(warehouseDir); if (warehousePath.isAbsoluteAndSchemeAuthorityNull()) { FileSystem fs = FileSystem.get(conf); warehouseDir = fs.makeQualified(warehousePath).toUri().toString(); } return new AccessURI(PathUtils.parseURI(warehouseDir, uri, isLocal)); } catch (Exception e) { throw new SemanticException("Error parsing URI " + uri + ": " + e.getMessage(), e); } }
String newLocationUri; try { oldLocationUri = PathUtils.parseDFSURI(warehouseDir, getSdLocation(context.getOldTable().getSd())); newLocationUri = PathUtils.parseDFSURI(warehouseDir, getSdLocation(context.getNewTable().getSd())); } catch (URISyntaxException e) {
public static boolean impliesURI(String privilege, String request) { try { URI privilegeURI = new URI(new StrSubstitutor(System.getProperties()).replace(privilege)); URI requestURI = new URI(request); if (privilegeURI.getScheme() == null || privilegeURI.getPath() == null) { LOGGER.warn("Privilege URI " + request + " is not valid. Either no scheme or no path."); return false; } if (requestURI.getScheme() == null || requestURI.getPath() == null) { LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path."); return false; } return PathUtils.impliesURI(privilegeURI, requestURI); } catch (URISyntaxException e) { LOGGER.warn("Request URI " + request + " is not a URI", e); return false; } }
private void authorizeCreateTable(PreCreateTableEvent context) throws InvalidOperationException, MetaException { HierarcyBuilder inputBuilder = new HierarcyBuilder(); inputBuilder.addDbToOutput(getAuthServer(), context.getTable().getDbName()); HierarcyBuilder outputBuilder = new HierarcyBuilder(); outputBuilder.addDbToOutput(getAuthServer(), context.getTable().getDbName()); if (!StringUtils.isEmpty(context.getTable().getSd().getLocation())) { String uriPath; try { uriPath = PathUtils.parseDFSURI(warehouseDir, getSdLocation(context.getTable().getSd())); } catch(URISyntaxException e) { throw new MetaException(e.getMessage()); } inputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir); } authorizeMetastoreAccess(HiveOperation.CREATETABLE, inputBuilder.build(), outputBuilder.build()); }
if (!PathUtils.impliesURI(URI, other.URI)) { return false;
String uriPath; try { uriPath = PathUtils.parseDFSURI(warehouseDir, mapiPart .getSd().getLocation()); } catch (URISyntaxException e) {
if (!PathUtils.impliesURI(URI, other.URI)) { return false;
uriPath = PathUtils.parseDFSURI(warehouseDir, partitionLocation); } catch (URISyntaxException e) { throw new MetaException(e.getMessage());
if (!PathUtils.impliesURI(privilege.getURI(), other.getURI())) { return false;