/**
 * Asks the session's V2 authorizer whether {@code command} may be run against the named
 * service. Returns normally only when {@code checkPrivileges} does not throw.
 *
 * <p>The command is submitted as the single input privilege object and the service name as
 * the single output privilege object.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param type operation type being authorized
 * @param command command tokens; joined with single spaces to form the context command string
 * @param serviceObject name carried by the SERVICE_NAME privilege object
 * @throws HiveAuthzPluginException propagated from the authorizer call
 * @throws HiveAccessControlException propagated from the authorizer call
 */
private static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command, String serviceObject)
    throws HiveAuthzPluginException, HiveAccessControlException {
  HivePrivilegeObject commandPrivilege = HivePrivilegeObject.createHivePrivilegeObject(command);
  HivePrivilegeObject servicePrivilege = new HivePrivilegeObject(
      HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME,
      null, serviceObject, null, null, null);

  // The context carries the full command text plus the caller's addresses.
  // NOTE(review): the command text is handed to the authorizer verbatim; if the plugin
  // writes it to an audit log, any secret typed into the command would be logged too - confirm.
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  String commandText = Joiner.on(' ').join(command);
  contextBuilder.setCommandString(commandText);
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  HiveAuthzContext authzContext = contextBuilder.build();

  ss.getAuthorizerV2().checkPrivileges(
      type,
      Collections.singletonList(commandPrivilege),
      Collections.singletonList(servicePrivilege),
      authzContext);
}
}
/**
 * Authorizes a command through the session's V2 authorizer. Returns normally only when
 * {@code checkPrivileges} does not throw.
 *
 * <p>The command is the only input privilege object; {@code null} is passed for the outputs.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param type operation type being authorized
 * @param command command tokens; joined with single spaces to form the context command string
 * @throws HiveAuthzPluginException propagated from the authorizer call
 * @throws HiveAccessControlException propagated from the authorizer call
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  HivePrivilegeObject commandPrivilege = HivePrivilegeObject.createHivePrivilegeObject(command);

  // NOTE(review): the command text reaches the authorizer verbatim; if the plugin audits
  // it, secrets embedded in the command would appear in that audit trail - confirm.
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  String commandText = Joiner.on(' ').join(command);
  contextBuilder.setCommandString(commandText);
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  HiveAuthzContext authzContext = contextBuilder.build();

  ss.getAuthorizerV2().checkPrivileges(
      type, Arrays.asList(commandPrivilege), null, authzContext);
}
/**
 * Runs {@code listObjs} through the current session authorizer's list filter and returns
 * whatever the authorizer hands back.
 *
 * <p>Fails closed: when the authorizer throws, the error is logged and rethrown as a
 * {@link MetaException}; the unfiltered list is never returned as a fallback. The context
 * built here carries the client addresses but no command string.
 *
 * @param listObjs candidate objects to filter
 * @return the list returned by {@code filterListCmdObjects}
 * @throws MetaException if the authorizer raises either of its two exception types
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(session.getUserIpAddress());
  contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
  try {
    HiveAuthzContext authzContext = contextBuilder.build();
    return session.getAuthorizerV2().filterListCmdObjects(listObjs, authzContext);
  } catch (HiveAuthzPluginException pluginFailure) {
    // Only the message travels in the MetaException; the stack trace stays in this log entry.
    LOG.error("Authorization error", pluginFailure);
    throw new MetaException(pluginFailure.getMessage());
  } catch (HiveAccessControlException accessDenied) {
    // An access-control failure is not expected from a filter call: the implementation
    // should simply have filtered everything out, and a checkPrivileges call would
    // already have authorized this action.
    LOG.error("AccessControlException", accessDenied);
    throw new MetaException(accessDenied.getMessage());
  }
}
/**
 * Checks privileges for a metadata read against the current session's V2 authorizer.
 *
 * <p>Only input objects are supplied; {@code null} is passed for the outputs. Either
 * authorizer exception is rethrown as a {@link HiveSQLException} with the same message and
 * the original exception as its cause, so the operation does not continue after a failure.
 *
 * @param opType operation type being authorized
 * @param inpObjs objects the operation reads
 * @param cmdString command text recorded in the authorization context
 * @throws HiveSQLException if the authorizer throws
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): forwarded addresses are presumably relayed from a proxy; an authorizer
  // should rely on them only when a trusted proxy sets them - confirm how the session
  // populates this value.
  contextBuilder.setUserIpAddress(session.getUserIpAddress());
  contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
  contextBuilder.setCommandString(cmdString);
  try {
    HiveAuthzContext authzContext = contextBuilder.build();
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, authzContext);
  } catch (HiveAuthzPluginException | HiveAccessControlException authzFailure) {
    throw new HiveSQLException(authzFailure.getMessage(), authzFailure);
  }
}
/**
 * Captures the session authorizer and an authorization context for the current query, and
 * switches masking on when it applies.
 *
 * <p>Masking is enabled only if an authorizer is present, {@code needTransform()} is true
 * and {@code skipTableMasking} is false; with no authorizer the mask stays disabled. Any
 * exception during setup is rethrown as a {@link SemanticException}.
 *
 * @param analyzer analyzer whose context supplies the command text
 * @param conf configuration stored on this instance and given to the translator
 * @param skipTableMasking when true, masking is left disabled
 * @throws SemanticException wrapping any exception raised during initialization
 */
public TableMask(SemanticAnalyzer analyzer, HiveConf conf, boolean skipTableMasking)
    throws SemanticException {
  try {
    SessionState session = SessionState.get();
    authorizer = session.getAuthorizerV2();
    this.conf = conf;

    String queryText = analyzer.ctx.getCmd();
    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(queryText);
    contextBuilder.setUserIpAddress(session.getUserIpAddress());
    contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
    queryContext = contextBuilder.build();

    boolean maskingApplies = authorizer != null && needTransform() && !skipTableMasking;
    if (maskingApplies) {
      enable = true;
      translator = new UnparseTranslator(conf);
      translator.enable();
    }
  } catch (Exception e) {
    // The warning itself carries no exception detail; the cause is preserved only
    // inside the SemanticException thrown below.
    LOG.warn("Failed to initialize masking policy");
    throw new SemanticException(e);
  }
}
/**
 * Filters {@code listObjs} with the current session authorizer and returns the authorizer's
 * result.
 *
 * <p>Fails closed: an authorizer exception is logged and converted to a
 * {@link MetaException} instead of falling back to the unfiltered list. The authorization
 * context holds the client addresses only; no command string is set.
 *
 * @param listObjs candidate objects to filter
 * @return the list returned by {@code filterListCmdObjects}
 * @throws MetaException if the authorizer raises either of its two exception types
 */
private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs)
    throws MetaException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  contextBuilder.setUserIpAddress(session.getUserIpAddress());
  contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
  try {
    HiveAuthzContext authzContext = contextBuilder.build();
    return session.getAuthorizerV2().filterListCmdObjects(listObjs, authzContext);
  } catch (HiveAuthzPluginException pluginFailure) {
    // The MetaException receives the message only; the full trace is in this log entry.
    LOG.error("Authorization error", pluginFailure);
    throw new MetaException(pluginFailure.getMessage());
  } catch (HiveAccessControlException accessDenied) {
    // Not really expected from a filter call: the implementation should have filtered
    // out everything instead, and an earlier checkPrivileges call would already have
    // authorized this action.
    LOG.error("AccessControlException", accessDenied);
    throw new MetaException(accessDenied.getMessage());
  }
}
/**
 * Stores the session authorizer and a per-query authorization context, then enables
 * masking when it applies.
 *
 * <p>Masking is turned on only when an authorizer exists, {@code needTransform()} is true
 * and {@code skipTableMasking} is false. Without an authorizer the mask remains disabled.
 * Any setup exception is rethrown wrapped in a {@link SemanticException}.
 *
 * @param analyzer analyzer whose context supplies the command text
 * @param conf configuration stored on this instance and given to the translator
 * @param skipTableMasking when true, masking is left disabled
 * @throws SemanticException wrapping any exception raised during initialization
 */
public TableMask(SemanticAnalyzer analyzer, HiveConf conf, boolean skipTableMasking)
    throws SemanticException {
  try {
    SessionState session = SessionState.get();
    authorizer = session.getAuthorizerV2();
    this.conf = conf;

    String queryText = analyzer.ctx.getCmd();
    HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
    contextBuilder.setCommandString(queryText);
    contextBuilder.setUserIpAddress(session.getUserIpAddress());
    contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
    queryContext = contextBuilder.build();

    boolean maskingApplies = authorizer != null && needTransform() && !skipTableMasking;
    if (maskingApplies) {
      enable = true;
      translator = new UnparseTranslator(conf);
      translator.enable();
    }
  } catch (Exception e) {
    // This warning logs no exception detail; the cause survives only as the wrapped
    // exception thrown on the next line.
    LOG.warn("Failed to initialize masking policy");
    throw new SemanticException(e);
  }
}
/**
 * Authorizes a command via the session's V2 authorizer; the call returns normally only
 * when {@code checkPrivileges} does not throw.
 *
 * <p>The command is wrapped as the sole input privilege object and {@code null} is passed
 * for the outputs.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param type operation type being authorized
 * @param command command tokens; joined with single spaces to form the context command string
 * @throws HiveAuthzPluginException propagated from the authorizer call
 * @throws HiveAccessControlException propagated from the authorizer call
 */
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
    List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
  HivePrivilegeObject commandPrivilege = HivePrivilegeObject.createHivePrivilegeObject(command);

  // NOTE(review): the joined command text is passed to the authorizer unchanged; if the
  // plugin records it for audit, secrets typed into the command would be recorded - confirm.
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  String commandText = Joiner.on(' ').join(command);
  contextBuilder.setCommandString(commandText);
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  HiveAuthzContext authzContext = contextBuilder.build();

  ss.getAuthorizerV2().checkPrivileges(
      type, Arrays.asList(commandPrivilege), null, authzContext);
}
/**
 * Converts the query's read and write entities to privilege objects and submits them to
 * the session's V2 authorizer in one {@code checkPrivileges} call.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param op operation being authorized; mapped with {@code getHiveOperationType}
 * @param inputs entities the query reads
 * @param outputs entities the query writes
 * @param command command text recorded in the authorization context
 * @param tab2cols column map used when converting the inputs
 * @param updateTab2Cols column map used when converting the outputs
 * @throws HiveException declared for the conversion and authorization calls
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op, Set<ReadEntity> inputs,
    Set<WriteEntity> outputs, String command, Map<String, List<String>> tab2cols,
    Map<String, List<String>> updateTab2Cols) throws HiveException {
  // Why two column maps: handing tab2cols to getHivePrivObjects for the outputs would trip
  // up insert/select statements, because the insert side would be given the columns that
  // belong to the select.
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): forwarded addresses are presumably relayed from a proxy; policies should
  // depend on them only when a trusted proxy sets them - confirm how the session fills this.
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  contextBuilder.setCommandString(command);

  HiveOperationType operationType = getHiveOperationType(op);
  List<HivePrivilegeObject> readPrivileges = getHivePrivObjects(inputs, tab2cols);
  List<HivePrivilegeObject> writePrivileges = getHivePrivObjects(outputs, updateTab2Cols);
  HiveAuthzContext authzContext = contextBuilder.build();

  ss.getAuthorizerV2().checkPrivileges(
      operationType, readPrivileges, writePrivileges, authzContext);
}
/**
 * Authorizes a metadata read with the current session's V2 authorizer.
 *
 * <p>Only inputs are checked ({@code null} is passed for the outputs). If the authorizer
 * throws either of its exception types, the failure is rethrown as a
 * {@link HiveSQLException} carrying the same message and the original exception as cause.
 *
 * @param opType operation type being authorized
 * @param inpObjs objects the operation reads
 * @param cmdString command text recorded in the authorization context
 * @throws HiveSQLException if the authorizer throws
 */
protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs,
    String cmdString) throws HiveSQLException {
  SessionState session = SessionState.get();
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): forwarded addresses are presumably proxy-relayed values; an authorizer
  // should depend on them only when a trusted proxy sets them - confirm where the session
  // obtains them.
  contextBuilder.setUserIpAddress(session.getUserIpAddress());
  contextBuilder.setForwardedAddresses(session.getForwardedAddresses());
  contextBuilder.setCommandString(cmdString);
  try {
    HiveAuthzContext authzContext = contextBuilder.build();
    session.getAuthorizerV2().checkPrivileges(opType, inpObjs, null, authzContext);
  } catch (HiveAuthzPluginException | HiveAccessControlException authzFailure) {
    throw new HiveSQLException(authzFailure.getMessage(), authzFailure);
  }
}
/**
 * Turns the query's read and write entities into privilege objects and passes them to the
 * session's V2 authorizer in a single {@code checkPrivileges} call.
 *
 * @param ss session supplying the authorizer and the client address information
 * @param op operation being authorized; mapped with {@code getHiveOperationType}
 * @param inputs entities the query reads
 * @param outputs entities the query writes
 * @param command command text recorded in the authorization context
 * @param tab2cols column map used when converting the inputs
 * @param updateTab2Cols column map used when converting the outputs
 * @throws HiveException declared for the conversion and authorization calls
 */
private static void doAuthorizationV2(SessionState ss, HiveOperation op,
    List<ReadEntity> inputs, List<WriteEntity> outputs, String command,
    Map<String, List<String>> tab2cols, Map<String, List<String>> updateTab2Cols)
    throws HiveException {
  // Why two column maps: if tab2cols were given to getHivePrivObjects for the outputs it
  // would trip up insert/select statements, since the insert would be handed the columns
  // of the select.
  HiveAuthzContext.Builder contextBuilder = new HiveAuthzContext.Builder();
  // NOTE(review): forwarded addresses are presumably relayed from a proxy; policies should
  // depend on them only when a trusted proxy sets them - confirm how the session fills this.
  contextBuilder.setUserIpAddress(ss.getUserIpAddress());
  contextBuilder.setForwardedAddresses(ss.getForwardedAddresses());
  contextBuilder.setCommandString(command);

  HiveOperationType operationType = getHiveOperationType(op);
  List<HivePrivilegeObject> readPrivileges = getHivePrivObjects(inputs, tab2cols);
  List<HivePrivilegeObject> writePrivileges = getHivePrivObjects(outputs, updateTab2Cols);
  HiveAuthzContext authzContext = contextBuilder.build();

  ss.getAuthorizerV2().checkPrivileges(
      operationType, readPrivileges, writePrivileges, authzContext);
}