/**
 * Reports whether {@code identity} holds the Hive admin role in the metastore.
 *
 * @param transaction the connector transaction; cast to {@link HiveTransactionHandle} to look up the metastore
 * @param identity the user being checked
 * @return {@code true} when the user's metastore roles include {@code ADMIN_ROLE_NAME}
 */
private boolean isAdmin(ConnectorTransactionHandle transaction, Identity identity)
{
    HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    SemiTransactionalHiveMetastore hiveMetastore = metastoreProvider.apply(hiveTransaction);
    String user = identity.getUser();
    // Role membership is taken from the metastore view bound to this transaction.
    return hiveMetastore.getRoles(user).contains(ADMIN_ROLE_NAME);
}
}
/**
 * Evaluates the catalog rules for {@code identity} against {@code catalogName}.
 *
 * Rules are consulted in list order and the first rule that returns a decision wins;
 * a user matched by no rule is denied.
 *
 * @param identity the user whose catalog access is being checked
 * @param catalogName the catalog being accessed
 * @return the first rule decision, or {@code false} when no rule matches
 */
private boolean canAccessCatalog(Identity identity, String catalogName)
{
    String user = identity.getUser();
    return catalogRules.stream()
            .map(rule -> rule.match(user, catalogName))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .findFirst()
            // Default-deny: no matching rule means no access.
            .orElse(false);
}
/**
 * Checks that {@code identity} holds every privilege in {@code requiredPrivileges} on schema {@code schemaName}.
 *
 * @param transaction the connector transaction; cast to {@link HiveTransactionHandle} to look up the metastore
 * @param identity the user being checked
 * @param schemaName the Hive database (schema) the privileges apply to
 * @param requiredPrivileges privileges that must all be granted; an empty list always passes
 * @return {@code true} when the granted privilege set covers all required privileges
 */
private boolean checkDatabasePermission(ConnectorTransactionHandle transaction, Identity identity, String schemaName, HivePrivilege... requiredPrivileges)
{
    HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    SemiTransactionalHiveMetastore hiveMetastore = metastoreProvider.apply(hiveTransaction);
    String user = identity.getUser();
    Set<HivePrivilege> granted = hiveMetastore.getDatabasePrivileges(user, schemaName)
            .stream()
            .map(HivePrivilegeInfo::getHivePrivilege)
            .collect(Collectors.toSet());
    // Only the privilege kind is compared; grant-option flags on the grants are ignored here.
    Set<HivePrivilege> required = ImmutableSet.copyOf(requiredPrivileges);
    return granted.containsAll(required);
}
/**
 * Evaluates the schema rules to decide whether {@code identity} owns schema {@code schemaName}.
 *
 * Rules are consulted in list order and the first rule that returns a decision wins;
 * a user matched by no rule is not an owner.
 *
 * @param identity the user being checked
 * @param schemaName the schema in question
 * @return the first rule decision, or {@code false} when no rule matches
 */
private boolean isDatabaseOwner(Identity identity, String schemaName)
{
    String user = identity.getUser();
    return schemaRules.stream()
            .map(rule -> rule.match(user, schemaName))
            .filter(Optional::isPresent)
            .map(Optional::get)
            .findFirst()
            // Default-deny: ownership must be granted explicitly by a rule.
            .orElse(false);
}
/**
 * Checks that {@code identity} holds every privilege in {@code requiredPrivileges} on {@code tableName}.
 *
 * Tables in {@code INFORMATION_SCHEMA_NAME} short-circuit to {@code true} for any requested
 * privilege set, without consulting the metastore.
 *
 * @param transaction the connector transaction; cast to {@link HiveTransactionHandle} to look up the metastore
 * @param identity the user being checked
 * @param tableName the schema-qualified table
 * @param requiredPrivileges privileges that must all be granted; an empty list always passes
 * @return {@code true} when the granted privilege set covers all required privileges
 */
private boolean checkTablePermission(ConnectorTransactionHandle transaction, Identity identity, SchemaTableName tableName, HivePrivilege... requiredPrivileges)
{
    String schema = tableName.getSchemaName();
    String table = tableName.getTableName();
    // information_schema is exempt from metastore privilege checks, whatever is required.
    if (INFORMATION_SCHEMA_NAME.equals(schema)) {
        return true;
    }
    HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    SemiTransactionalHiveMetastore hiveMetastore = metastoreProvider.apply(hiveTransaction);
    Set<HivePrivilege> granted = hiveMetastore.getTablePrivileges(identity.getUser(), schema, table)
            .stream()
            .map(HivePrivilegeInfo::getHivePrivilege)
            .collect(Collectors.toSet());
    // Only the privilege kind is compared; grant-option flags on the grants are ignored here.
    Set<HivePrivilege> required = ImmutableSet.copyOf(requiredPrivileges);
    return granted.containsAll(required);
}
/**
 * Applies any configured test denial for {@code SET_SESSION} on {@code propertyName}, then
 * delegates to the real access control only when no denials are configured at all.
 *
 * @param identity the user setting the property
 * @param propertyName the system session property being set
 */
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denySetSystemSessionProperty is expected to throw.
    if (shouldDenyPrivilege(user, propertyName, SET_SESSION)) {
        denySetSystemSessionProperty(propertyName);
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetSystemSessionProperty(identity, propertyName);
}
/**
 * Reports whether {@code identity} holds {@code privilege} on {@code tableName} with the grant option.
 *
 * @param transaction the connector transaction; cast to {@link HiveTransactionHandle} to look up the metastore
 * @param identity the user being checked
 * @param privilege the Presto privilege, mapped to its Hive equivalent
 * @param tableName the schema-qualified table
 * @return {@code true} when a grant of that privilege with grant option exists for the user
 */
private boolean getGrantOptionForPrivilege(ConnectorTransactionHandle transaction, Identity identity, Privilege privilege, SchemaTableName tableName)
{
    HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    SemiTransactionalHiveMetastore hiveMetastore = metastoreProvider.apply(hiveTransaction);
    String schema = tableName.getSchemaName();
    String table = tableName.getTableName();
    // Matches only a grant that carries the grant option (second constructor argument is true).
    HivePrivilegeInfo wanted = new HivePrivilegeInfo(toHivePrivilege(privilege), true);
    return hiveMetastore.getTablePrivileges(identity.getUser(), schema, table).contains(wanted);
}
/**
 * Opens the file system for {@code path} as the user carried by {@code context}.
 *
 * @param context the HDFS context supplying the identity the file system is opened as
 * @param path the path whose file system is wanted
 * @return the file system returned by the user/path/configuration overload
 * @throws IOException if the underlying overload fails
 */
public FileSystem getFileSystem(HdfsContext context, Path path)
        throws IOException
{
    // The file system is opened as the context's identity, not the JVM user.
    String user = context.getIdentity().getUser();
    return getFileSystem(user, path, getConfiguration(context, path));
}
/**
 * Applies any configured test denial for {@code CREATE_SCHEMA} on the schema, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user creating the schema
 * @param schemaName the catalog-qualified schema
 */
@Override
public void checkCanCreateSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyCreateSchema is expected to throw.
    if (shouldDenyPrivilege(user, schemaName.getSchemaName(), CREATE_SCHEMA)) {
        denyCreateSchema(schemaName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateSchema(transactionId, identity, schemaName);
}
/**
 * Applies any configured test denial for {@code DROP_TABLE} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user dropping the table
 * @param tableName the fully qualified table
 */
@Override
public void checkCanDropTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyDropTable is expected to throw.
    if (shouldDenyPrivilege(user, tableName.getObjectName(), DROP_TABLE)) {
        denyDropTable(tableName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropTable(transactionId, identity, tableName);
}
/**
 * Applies any configured test denial for {@code DELETE_TABLE} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user deleting from the table
 * @param tableName the fully qualified table
 */
@Override
public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyDeleteTable is expected to throw.
    if (shouldDenyPrivilege(user, tableName.getObjectName(), DELETE_TABLE)) {
        denyDeleteTable(tableName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDeleteFromTable(transactionId, identity, tableName);
}
/**
 * Applies any configured test denial for {@code DROP_VIEW} on the view, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user dropping the view
 * @param viewName the fully qualified view
 */
@Override
public void checkCanDropView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyDropView is expected to throw.
    if (shouldDenyPrivilege(user, viewName.getObjectName(), DROP_VIEW)) {
        denyDropView(viewName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropView(transactionId, identity, viewName);
}
/**
 * Applies any configured test denial for {@code DROP_SCHEMA} on the schema, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user dropping the schema
 * @param schemaName the catalog-qualified schema
 */
@Override
public void checkCanDropSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyDropSchema is expected to throw.
    if (shouldDenyPrivilege(user, schemaName.getSchemaName(), DROP_SCHEMA)) {
        denyDropSchema(schemaName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropSchema(transactionId, identity, schemaName);
}
/**
 * Applies any configured test denial for {@code CREATE_TABLE} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user creating the table
 * @param tableName the fully qualified table
 */
@Override
public void checkCanCreateTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyCreateTable is expected to throw.
    if (shouldDenyPrivilege(user, tableName.getObjectName(), CREATE_TABLE)) {
        denyCreateTable(tableName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateTable(transactionId, identity, tableName);
}
/**
 * Applies any configured test denial for {@code CREATE_VIEW_WITH_SELECT_COLUMNS} on the table,
 * then delegates to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user creating the view
 * @param tableName the fully qualified table the view selects from
 * @param columnNames the columns selected; only forwarded to the delegate, not used by the denial check
 */
@Override
public void checkCanCreateViewWithSelectFromColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, Set<String> columnNames)
{
    String user = identity.getUser();
    // Injected denial is keyed on the table name only; denyCreateViewWithSelect is expected to throw.
    if (shouldDenyPrivilege(user, tableName.getObjectName(), CREATE_VIEW_WITH_SELECT_COLUMNS)) {
        denyCreateViewWithSelect(tableName.toString(), identity);
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateViewWithSelectFromColumns(transactionId, identity, tableName, columnNames);
}
/**
 * Applies any configured test denial for {@code CREATE_VIEW} on the view, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user creating the view
 * @param viewName the fully qualified view
 */
@Override
public void checkCanCreateView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyCreateView is expected to throw.
    if (shouldDenyPrivilege(user, viewName.getObjectName(), CREATE_VIEW)) {
        denyCreateView(viewName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateView(transactionId, identity, viewName);
}
/**
 * Applies any configured test denial for {@code RENAME_TABLE} on the source table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * @param transactionId the current transaction
 * @param identity the user renaming the table
 * @param tableName the fully qualified source table; the denial check is keyed on this name only
 * @param newTableName the fully qualified target name
 */
@Override
public void checkCanRenameTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName, QualifiedObjectName newTableName)
{
    String user = identity.getUser();
    // Injected denial is evaluated first; denyRenameTable is expected to throw.
    if (shouldDenyPrivilege(user, tableName.getObjectName(), RENAME_TABLE)) {
        denyRenameTable(tableName.toString(), newTableName.toString());
    }
    // Once any denial is configured, the delegate is bypassed entirely.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanRenameTable(transactionId, identity, tableName, newTableName);
}
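/**
 * Applies any configured test denial for {@code ADD_COLUMN} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * Previously the delegate ran unconditionally here, unlike the other overrides in this class
 * (create/drop/rename table, views, schemas), which skip it once {@code denyPrivileges} is
 * non-empty; the guard is added so every check follows the same rule.
 *
 * @param transactionId the current transaction
 * @param identity the user adding the column
 * @param tableName the fully qualified table
 */
@Override
public void checkCanAddColumns(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // Injected denial is evaluated first; denyAddColumn is expected to throw.
    if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), ADD_COLUMN)) {
        denyAddColumn(tableName.toString());
    }
    // Consistent with the sibling overrides: the delegate is bypassed once any denial is configured.
    if (denyPrivileges.isEmpty()) {
        super.checkCanAddColumns(transactionId, identity, tableName);
    }
}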
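/**
 * Applies any configured test denial for {@code DROP_COLUMN} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * Previously the delegate ran unconditionally here, unlike the other overrides in this class
 * (create/drop/rename table, views, schemas), which skip it once {@code denyPrivileges} is
 * non-empty; the guard is added so every check follows the same rule.
 *
 * @param transactionId the current transaction
 * @param identity the user dropping the column
 * @param tableName the fully qualified table
 */
@Override
public void checkCanDropColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // Injected denial is evaluated first; denyDropColumn is expected to throw.
    if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), DROP_COLUMN)) {
        denyDropColumn(tableName.toString());
    }
    // Consistent with the sibling overrides: the delegate is bypassed once any denial is configured.
    if (denyPrivileges.isEmpty()) {
        super.checkCanDropColumn(transactionId, identity, tableName);
    }
}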
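/**
 * Applies any configured test denial for {@code RENAME_COLUMN} on the table, then delegates
 * to the real access control only when no denials are configured at all.
 *
 * Previously the delegate ran unconditionally here, unlike the other overrides in this class
 * (create/drop/rename table, views, schemas), which skip it once {@code denyPrivileges} is
 * non-empty; the guard is added so every check follows the same rule.
 *
 * @param transactionId the current transaction
 * @param identity the user renaming the column
 * @param tableName the fully qualified table
 */
@Override
public void checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // Injected denial is evaluated first; denyRenameColumn is expected to throw.
    if (shouldDenyPrivilege(identity.getUser(), tableName.getObjectName(), RENAME_COLUMN)) {
        denyRenameColumn(tableName.toString());
    }
    // Consistent with the sibling overrides: the delegate is bypassed once any denial is configured.
    if (denyPrivileges.isEmpty()) {
        super.checkCanRenameColumn(transactionId, identity, tableName);
    }
}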