@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  // This authorizer does not filter list-command results: the input list is handed back
  // unchanged, so every enumerated object remains visible to the calling user. The only
  // effect of this method is a DEBUG trace.
  if (LOG.isDebugEnabled()) {
    // NOTE(review): the context object is written to the log verbatim; whatever it carries
    // (presumably the command text) ends up in DEBUG output.
    String trace = "Obtained following objects in filterListCmdObjects " + listObjs
        + " for user " + authenticator.getUserName() + ". Context Info: " + context;
    LOG.debug(trace);
  }
  return listObjs;
}
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  // Pass-through implementation: no object is removed from the result of a list command.
  // Callers relying on this hook for row/object-level visibility get no filtering here.
  if (!LOG.isDebugEnabled()) {
    return listObjs;
  }
  // DEBUG-only trace; the context (presumably including the command) is logged as-is.
  String user = authenticator.getUserName();
  LOG.debug("Obtained following objects in filterListCmdObjects " + listObjs + " for user "
      + user + ". Context Info: " + context);
  return listObjs;
}
/**
 * (Re-)initialize the cached user name and role list when the authenticated user changes.
 *
 * The authenticator is injected (so .q-file tests can switch users inside one session),
 * which means the user reported by it may differ from the one whose roles were cached.
 * Roles are re-read from the metastore only when the name actually changes; a null-safe
 * comparison is used so a null user name never throws here.
 *
 * @throws HiveAuthzPluginException if the roles cannot be fetched from the metastore
 */
private void initUserRoles() throws HiveAuthzPluginException {
  final String user = authenticator.getUserName();
  if (!Objects.equals(user, currentUserName)) {
    currentUserName = user;
    currentRoles = getRolesFromMS();
    LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
  }
}
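/**
 * (Re-)initialize the cached user name and role list when the authenticated user changes.
 *
 * The authenticator is injected (so .q-file tests can switch users inside one session),
 * so the user it reports may differ from the one whose roles are cached; the roles are
 * re-read from the metastore whenever the name changes.
 *
 * Fix: the previous implementation compared the two names with {@code ==}, i.e. by
 * reference. Two distinct String instances holding the same user name therefore looked
 * "different" and forced a needless metastore round-trip on every call; the comparison is
 * now by value and null-safe (null == null is still treated as "unchanged", as before).
 *
 * @throws HiveAuthzPluginException if the roles cannot be fetched from the metastore
 */
private void initUserRoles() throws HiveAuthzPluginException {
  String newUserName = authenticator.getUserName();
  if (java.util.Objects.equals(currentUserName, newUserName)) {
    // same user as last time: keep the cached currentUserName / currentRoles
    return;
  }
  this.currentUserName = newUserName;
  this.currentRoles = getRolesFromMS();
  LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}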
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // The user being authorized is always the one the authenticator reports, never one
  // supplied by the caller.
  final String userName = authenticator.getUserName();
  if (LOG.isDebugEnabled()) {
    // DEBUG-only trace; the context (presumably including the command text) is logged as-is.
    LOG.debug("Checking privileges for operation " + hiveOpType + " by user " + userName
        + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs
        + ". Context Info: " + context);
  }
  IMetaStoreClient msClient = metastoreClientFactory.getHiveMetastoreClient();
  // Denials for inputs and outputs are accumulated rather than thrown one at a time, then
  // raised together below (assertNoDeniedPermissions presumably throws
  // HiveAccessControlException when the list is non-empty — declared above).
  List<String> denied = new ArrayList<String>();
  checkPrivileges(hiveOpType, inputHObjs, msClient, userName, IOType.INPUT, denied);
  checkPrivileges(hiveOpType, outputHObjs, msClient, userName, IOType.OUTPUT, denied);
  HivePrincipal principal = new HivePrincipal(userName, HivePrincipalType.USER);
  SQLAuthorizationUtils.assertNoDeniedPermissions(principal, hiveOpType, denied);
}
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  // Identity comes from the authenticator only; the caller cannot choose whom to check.
  String user = authenticator.getUserName();
  HivePrincipal principal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);

  // Collect every denial on inputs and outputs first, then fail once with all of them
  // (assertNoDeniedPermissions presumably raises HiveAccessControlException when the
  // list is non-empty — that exception is declared above).
  List<String> denied = new ArrayList<>();
  checkPrivileges(hiveOpType, inputHObjs, user, Operation2Privilege.IOType.INPUT, denied);
  checkPrivileges(hiveOpType, outputHObjs, user, Operation2Privilege.IOType.OUTPUT, denied);
  SQLAuthorizationUtils.assertNoDeniedPermissions(principal, hiveOpType, denied);
}
/**
 * Pick the user name used for group resolution.
 *
 * The authenticated identity wins; the session-level user name is only a fallback when the
 * session has no authenticator or the authenticator reports no user name (null).
 * This should be removed when authenticator and the 2-username mess is cleaned up.
 */
private String getUserNameForGroups(SessionState ss) {
  String authenticated = null;
  if (ss.getAuthenticator() != null) {
    authenticated = ss.getAuthenticator().getUserName();
  }
  return authenticated != null ? authenticated : ss.getUserName();
}
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
  // Test hook: remember the name the authenticator reports so the test can assert on it.
  username = authenticator.getUserName();
  // The access controller is a Mockito mock and the second constructor argument is null,
  // so the returned authorizer enforces nothing — suitable for tests only.
  return new HiveAuthorizerImpl(Mockito.mock(HiveAccessController.class), null);
}
/**
 * Cancel an operation if the caller is allowed to.
 *
 * Admins may cancel any operation; any other caller may only cancel operations owned by
 * their own session, where ownership is decided by comparing the operation's session user
 * name with the authenticated user name of the current SessionState.
 * NOTE(review): a null SessionState (or null authenticator / null owner name) would throw
 * NullPointerException here rather than return false — confirm callers guarantee these.
 *
 * @return true if the operation was cancelled, false if the caller was not allowed to
 */
private boolean cancelOperation(Operation operation, boolean isAdmin, String errMsg)
    throws HiveSQLException {
  if (!isAdmin) {
    String owner = operation.getParentSession().getUserName();
    String caller = SessionState.get().getAuthenticator().getUserName();
    if (!owner.equals(caller)) {
      return false;
    }
  }
  operationManager.cancelOperation(operation.getHandle(), errMsg);
  return true;
}
/**
 * Look up the user name reported by the current session's authenticator.
 *
 * @return the authenticator's user name, or null when there is no current SessionState
 *         or the session has no authenticator
 */
public static String getUserFromAuthenticator() {
  SessionState session = SessionState.get();
  if (session == null || session.getAuthenticator() == null) {
    return null;
  }
  return session.getAuthenticator().getUserName();
}
/**
 * Authorize the required privileges against the user's GLOBAL (user-level) privilege set.
 *
 * The privilege set is read for the authenticator's user name and group names; the four
 * null arguments are the object-scoping fields, which are unused for GLOBAL objects.
 *
 * @return whatever authorizePrivileges decides for the fetched set; inputCheck/outputCheck
 *         are passed through to it
 * @throws HiveException if the metastore lookup fails
 */
protected boolean authorizeUserPriv(Privilege[] inputRequiredPriv, boolean[] inputCheck,
    Privilege[] outputRequiredPriv, boolean[] outputCheck) throws HiveException {
  String user = this.getAuthenticator().getUserName();
  PrincipalPrivilegeSet globalPrivs = hive_db.get_privilege_set(HiveObjectType.GLOBAL,
      null, null, null, null, user, this.getAuthenticator().getGroupNames());
  return authorizePrivileges(globalPrivs, inputRequiredPriv, inputCheck,
      outputRequiredPriv, outputCheck);
}
/**
 * Return the user name from the current SessionState's authenticator.
 *
 * @return the authenticated user name; null if there is no current SessionState or it
 *         has no authenticator
 */
public static String getUserFromAuthenticator() {
  SessionState current = SessionState.get();
  boolean hasAuthenticator = current != null && current.getAuthenticator() != null;
  return hasAuthenticator ? current.getAuthenticator().getUserName() : null;
}
/**
 * Check the required privileges against the user's GLOBAL privilege set.
 *
 * Fetches the GLOBAL (no db/table/partition/column — hence the four nulls) privilege set
 * for the authenticator's user and groups, then delegates to authorizePrivileges.
 *
 * @throws HiveException if the metastore lookup fails
 */
protected boolean authorizeUserPriv(Privilege[] inputRequiredPriv, boolean[] inputCheck,
    Privilege[] outputRequiredPriv, boolean[] outputCheck) throws HiveException {
  PrincipalPrivilegeSet privSet = hive_db.get_privilege_set(
      HiveObjectType.GLOBAL,
      null, null, null, null,
      getAuthenticator().getUserName(),
      getAuthenticator().getGroupNames());
  return authorizePrivileges(privSet, inputRequiredPriv, inputCheck, outputRequiredPriv,
      outputCheck);
}
/**
 * The auth-related entities JSON must carry the authenticator's user name as CURRENT_USER,
 * the operation type, and empty INPUTS/OUTPUTS for a plain EXPLAIN.
 */
@Test
public void testCollectAuthRelatedEntitiesJsonShouldMatch() throws Exception {
  QueryState queryState = mock(QueryState.class);
  when(queryState.getHiveOperation()).thenReturn(HiveOperation.EXPLAIN);
  uut.queryState = queryState;

  SessionState.start(new HiveConf(ExplainTask.class));
  // The user reported in the output must come from the session authenticator.
  HiveAuthenticationProvider authenticator = mock(HiveAuthenticationProvider.class);
  when(authenticator.getUserName()).thenReturn("test-user");
  SessionState.get().setAuthenticator(authenticator);
  SessionState.get().setAuthorizer(mock(HiveAuthorizationProvider.class));

  ExplainWork work = mockExplainWork();
  JsonNode actual = objectMapper.readTree(uut.collectAuthRelatedEntities(null, work).toString());
  String expectedJson = "{\"CURRENT_USER\":\"test-user\","
      + "\"OPERATION\":\"EXPLAIN\",\"INPUTS\":[],\"OUTPUTS\":[]}";
  assertEquals(objectMapper.readTree(expectedJson), actual);
}
@Override
public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilege> privileges = expandAndValidatePrivileges(hivePrivileges);
  IMetaStoreClient msClient = metastoreClientFactory.getHiveMetastoreClient();

  // Authorize the revoke as the authenticated user (not grantorPrincipal, which is unused
  // here) and obtain the concrete set of privileges to revoke.
  List<HiveObjectPrivilege> toRevoke = RevokePrivAuthUtils.authorizeAndGetRevokePrivileges(
      hivePrincipals, privileges, hivePrivObject, grantOption, msClient,
      authenticator.getUserName());

  // CAVEAT: the metastore revoke API matches on principal and privilege object type only;
  // it does not filter on the grantor. Privileges granted by *other* users that match are
  // revoked as well, which is not SQL-standard behavior. A metastore API with the desired
  // semantics is needed to fix this.
  try {
    msClient.revoke_privileges(new PrivilegeBag(toRevoke), grantOption);
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e);
  }
}
@Override
public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
    throws HiveException, AuthorizationException {
  Path dbPath = getDbLocation(db);

  // Drop privileges are handled separately from read/write: split them out first.
  DropPrivilegeExtractor extractor =
      new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv);
  if (extractor.hasDropPrivilege()) {
    // A drop requires delete permission on the database location for the authenticated user.
    checkDeletePermission(dbPath, getConf(), authenticator.getUserName());
  }
  // Remaining (non-drop) read/write requirements are checked against the path.
  authorize(dbPath, extractor.getReadReqPriv(), extractor.getWriteReqPriv());
}
@Override
public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
    throws HiveException, AuthorizationException {
  // Separate any drop requirement from the plain read/write requirements.
  DropPrivilegeExtractor dropExtractor =
      new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv);
  Privilege[] reads = dropExtractor.getReadReqPriv();
  Privilege[] writes = dropExtractor.getWriteReqPriv();

  Path location = getDbLocation(db);
  // Drops are authorized as a delete-permission check on the db location for the
  // authenticator's user; everything else goes through the path-based authorize.
  if (dropExtractor.hasDropPrivilege()) {
    checkDeletePermission(location, getConf(), authenticator.getUserName());
  }
  authorize(location, reads, writes);
}
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  List<HivePrivilege> privileges = expandAndValidatePrivileges(hivePrivileges);
  IMetaStoreClient msClient = metastoreClientFactory.getHiveMetastoreClient();

  // Authorize the grant for the authenticated user, taking the user's current roles and
  // admin status into account; this must throw before anything is written.
  GrantPrivAuthUtils.authorize(hivePrincipals, privileges, hivePrivObject, grantOption,
      msClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());

  // Persist the grant; grantorPrincipal is recorded in the privilege bag.
  PrivilegeBag bag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, privileges,
      hivePrivObject, grantorPrincipal, grantOption);
  try {
    msClient.grant_privileges(bag);
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
  }
}
@Override
public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
    HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
    throws HiveAuthzPluginException, HiveAccessControlException {
  hivePrivileges = expandAndValidatePrivileges(hivePrivileges);
  IMetaStoreClient client = metastoreClientFactory.getHiveMetastoreClient();
  String grantingUser = authenticator.getUserName();

  // Step 1: authorization of the grant itself (authenticated user, its roles, admin flag).
  GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption,
      client, grantingUser, getCurrentRoleNames(), isUserAdmin());

  // Step 2: write the grant to the metastore, wrapping any failure as a plugin exception.
  try {
    client.grant_privileges(SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals,
        hivePrivileges, hivePrivObject, grantorPrincipal, grantOption));
  } catch (Exception e) {
    throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
  }
}
/**
 * The authorization factory must receive the user name supplied by the authenticator when
 * the SessionState is created without an explicit user name.
 *
 * @throws Exception on setup failure
 */
@Test
public void testSessionDefaultUser() throws Exception {
  SessionState session = new SessionState(getAuthV2HiveConf());
  setupDataNucleusFreeHive(session.getConf());
  SessionState.start(session);

  String expected = session.getAuthenticator().getUserName();
  Assert.assertEquals("check username", expected, HiveAuthorizerStoringUserNameFactory.username);
}