public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException { return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type)); }
public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException { return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type)); }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { String userName = authenticator.getUserName(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<>(); checkPrivileges(hiveOpType, inputHObjs, userName, Operation2Privilege.IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, userName, Operation2Privilege.IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipal.HivePrincipalType.USER), hiveOpType, deniedMessages); }
private static void checkRequiredPrivileges( RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, IMetaStoreClient metastoreClient, String userName, List<String> curRoles, boolean isAdmin, HiveOperationType opType) throws HiveAuthzPluginException, HiveAccessControlException { // keep track of the principals on which privileges have been checked for // this object // get privileges for this user and its roles on this object RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore( metastoreClient, userName, hivePrivObject, curRoles, isAdmin); // check if required privileges is subset of available privileges List<String> deniedMessages = new ArrayList<String>(); Collection<SQLPrivTypeGrant> missingPrivs = reqPrivileges.findMissingPrivs(availPrivs); SQLAuthorizationUtils.addMissingPrivMsg(missingPrivs, hivePrivObject, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), opType, deniedMessages); }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } String userName = authenticator.getUserName(); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<String>(); checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); }
private static void checkRequiredPrivileges( RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, IMetaStoreClient metastoreClient, String userName, List<String> curRoles, boolean isAdmin, HiveOperationType opType) throws HiveAuthzPluginException, HiveAccessControlException { // keep track of the principals on which privileges have been checked for // this object // get privileges for this user and its roles on this object RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore( metastoreClient, userName, hivePrivObject, curRoles, isAdmin); // check if required privileges is subset of available privileges List<String> deniedMessages = new ArrayList<String>(); Collection<SQLPrivTypeGrant> missingPrivs = reqPrivileges.findMissingPrivs(availPrivs); SQLAuthorizationUtils.addMissingPrivMsg(missingPrivs, hivePrivObject, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), opType, deniedMessages); }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } String userName = authenticator.getUserName(); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<String>(); checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); }
/** * Validate the principal type, and convert role name to lower case * @param hPrincipal * @return validated principal * @throws HiveAuthzPluginException */ public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal) throws HiveAuthzPluginException { if (hPrincipal == null || hPrincipal.getType() == null) { // null principal return hPrincipal; } switch (hPrincipal.getType()) { case USER: return hPrincipal; case ROLE: // lower case role names, for case insensitive behavior return new HivePrincipal(hPrincipal.getName().toLowerCase(), hPrincipal.getType()); default: throw new HiveAuthzPluginException("Invalid principal type in principal " + hPrincipal); } }
/** * Validate the principal type, and convert role name to lower case * @param hPrincipal * @return validated principal * @throws HiveAuthzPluginException */ public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal) throws HiveAuthzPluginException { if (hPrincipal == null || hPrincipal.getType() == null) { // null principal return hPrincipal; } switch (hPrincipal.getType()) { case USER: return hPrincipal; case ROLE: // lower case role names, for case insensitive behavior return new HivePrincipal(hPrincipal.getName().toLowerCase(), hPrincipal.getType()); default: throw new HiveAuthzPluginException("Invalid principal type in principal " + hPrincipal); } }
private int grantOrRevokePrivileges(Hive db, List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(db); //Convert to object types used by the authorization plugin interface List<HivePrincipal> hivePrincipals = AuthorizationUtils.getHivePrincipals( principals, getAuthorizationTranslator(authorizer)); List<HivePrivilege> hivePrivileges = AuthorizationUtils.getHivePrivileges( privileges, getAuthorizationTranslator(authorizer)); HivePrivilegeObject hivePrivObject = getAuthorizationTranslator(authorizer) .getHivePrivilegeObject(privSubjectDesc); HivePrincipal grantorPrincipal = new HivePrincipal( grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); }else { authorizer.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); } //no exception thrown, so looks good return 0; }
private int grantOrRevokePrivileges(Hive db, List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(db); //Convert to object types used by the authorization plugin interface List<HivePrincipal> hivePrincipals = AuthorizationUtils.getHivePrincipals( principals, getAuthorizationTranslator(authorizer)); List<HivePrivilege> hivePrivileges = AuthorizationUtils.getHivePrivileges( privileges, getAuthorizationTranslator(authorizer)); HivePrivilegeObject hivePrivObject = getAuthorizationTranslator(authorizer) .getHivePrivilegeObject(privSubjectDesc); HivePrincipal grantorPrincipal = new HivePrincipal( grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); }else { authorizer.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); } //no exception thrown, so looks good return 0; }
private int grantOrRevokeRole(Hive db, GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(db); //convert to the types needed for plugin api HivePrincipal grantorPrinc = null; if(grantOrRevokeRoleDDL.getGrantor() != null){ grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } List<HivePrincipal> principals = AuthorizationUtils.getHivePrincipals( grantOrRevokeRoleDDL.getPrincipalDesc(), getAuthorizationTranslator(authorizer)); List<String> roles = grantOrRevokeRoleDDL.getRoles(); boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); if (grantOrRevokeRoleDDL.getGrant()) { authorizer.grantRole(principals, roles, grantOption, grantorPrinc); } else { authorizer.revokeRole(principals, roles, grantOption, grantorPrinc); } return 0; }
private int grantOrRevokeRole(Hive db, GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(db); //convert to the types needed for plugin api HivePrincipal grantorPrinc = null; if(grantOrRevokeRoleDDL.getGrantor() != null){ grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } List<HivePrincipal> principals = AuthorizationUtils.getHivePrincipals( grantOrRevokeRoleDDL.getPrincipalDesc(), getAuthorizationTranslator(authorizer)); List<String> roles = grantOrRevokeRoleDDL.getRoles(); boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); if (grantOrRevokeRoleDDL.getGrant()) { authorizer.grantRole(principals, roles, grantOption, grantorPrinc); } else { authorizer.revokeRole(principals, roles, grantOption, grantorPrinc); } return 0; }
HivePrincipal resPrincipal = new HivePrincipal(msObjPriv.getPrincipalName(), AuthorizationUtils.getHivePrincipalType(msObjPriv.getPrincipalType())); HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(), AuthorizationUtils.getHivePrincipalType(msGrantInfo.getGrantorType()));
HivePrincipal resPrincipal = new HivePrincipal(msObjPriv.getPrincipalName(), AuthorizationUtils.getHivePrincipalType(msObjPriv.getPrincipalType())); HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(), AuthorizationUtils.getHivePrincipalType(msGrantInfo.getGrantorType()));
public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException { return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type)); }
private static void checkRequiredPrivileges( RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, IMetaStoreClient metastoreClient, String userName, List<String> curRoles, boolean isAdmin, HiveOperationType opType) throws HiveAuthzPluginException, HiveAccessControlException { // keep track of the principals on which privileges have been checked for // this object // get privileges for this user and its roles on this object RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore( metastoreClient, userName, hivePrivObject, curRoles, isAdmin); // check if required privileges is subset of available privileges List<String> deniedMessages = new ArrayList<String>(); Collection<SQLPrivTypeGrant> missingPrivs = reqPrivileges.findMissingPrivs(availPrivs); SQLAuthorizationUtils.addMissingPrivMsg(missingPrivs, hivePrivObject, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), opType, deniedMessages); }
@Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } String userName = authenticator.getUserName(); IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // check privileges on input and output objects List<String> deniedMessages = new ArrayList<String>(); checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); }
private int grantOrRevokePrivileges(List<PrincipalDesc> principals, List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(); //Convert to object types used by the authorization plugin interface List<HivePrincipal> hivePrincipals = AuthorizationUtils.getHivePrincipals(principals); List<HivePrivilege> hivePrivileges = AuthorizationUtils.getHivePrivileges(privileges); HivePrivilegeObject hivePrivObject = AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc); HivePrincipal grantorPrincipal = new HivePrincipal( grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); }else { authorizer.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); } //no exception thrown, so looks good return 0; }
private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(); //convert to the types needed for plugin api HivePrincipal grantorPrinc = null; if(grantOrRevokeRoleDDL.getGrantor() != null){ grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } List<HivePrincipal> principals = AuthorizationUtils.getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); List<String> roles = grantOrRevokeRoleDDL.getRoles(); boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); if (grantOrRevokeRoleDDL.getGrant()) { authorizer.grantRole(principals, roles, grantOption, grantorPrinc); } else { authorizer.revokeRole(principals, roles, grantOption, grantorPrinc); } return 0; }