/**
 * Check the caller's required input/output privileges against the GLOBAL privilege set
 * granted to the current authenticator's user and groups.
 *
 * @param inputRequiredPriv  privileges required on the inputs
 * @param inputCheck         per-privilege result slots for the inputs
 * @param outputRequiredPriv privileges required on the outputs
 * @param outputCheck        per-privilege result slots for the outputs
 * @return whatever {@code authorizePrivileges} reports for the global privilege set
 * @throws HiveException if the privilege set cannot be fetched
 */
protected boolean authorizeUserPriv(Privilege[] inputRequiredPriv, boolean[] inputCheck,
    Privilege[] outputRequiredPriv, boolean[] outputCheck) throws HiveException {
  String user = this.getAuthenticator().getUserName();
  // Scope is GLOBAL, so every object coordinate (db, table, partition, column) is null;
  // the principal is the session user plus the groups the authenticator reports.
  PrincipalPrivilegeSet globalPrivs = hive_db.get_privilege_set(
      HiveObjectType.GLOBAL, null, null, null, null,
      user, this.getAuthenticator().getGroupNames());
  return authorizePrivileges(globalPrivs,
      inputRequiredPriv, inputCheck, outputRequiredPriv, outputCheck);
}
/**
 * Authorize access to a database by checking file-system permissions on its location.
 * <p>
 * A DROP requirement has no read/write file-system equivalent, so it is split out and
 * checked as delete permission on the database directory for the current user; the
 * remaining read/write requirements are checked against the path as usual.
 *
 * @param db                the database being accessed
 * @param readRequiredPriv  privileges required for reading
 * @param writeRequiredPriv privileges required for writing
 * @throws HiveException          on failure to resolve the location or permissions
 * @throws AuthorizationException if the user lacks a required permission
 */
@Override
public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
    throws HiveException, AuthorizationException {
  Path dbPath = getDbLocation(db);
  DropPrivilegeExtractor extractor =
      new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv);
  Privilege[] remainingRead = extractor.getReadReqPriv();
  Privilege[] remainingWrite = extractor.getWriteReqPriv();
  // DROP maps to "may delete the directory", checked separately from read/write.
  if (extractor.hasDropPrivilege()) {
    checkDeletePermission(dbPath, getConf(), authenticator.getUserName());
  }
  authorize(dbPath, remainingRead, remainingWrite);
}
/**
 * Filter hook for SHOW-style list commands.
 * <p>
 * This implementation performs no filtering: the list it receives is returned unchanged,
 * and only a debug trace of the candidates, the requesting user and the context is logged.
 * NOTE(review): because nothing is removed here, list commands expose every object name
 * the metastore returns regardless of the caller's grants; confirm that is intended for
 * this authorizer.
 *
 * @param listObjs the objects a list command would show
 * @param context  the authorization context of the command
 * @return {@code listObjs}, unmodified
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Obtained following objects in filterListCmdObjects " + listObjs
        + " for user " + authenticator.getUserName()
        + ". Context Info: " + context);
  }
  return listObjs;
}
/**
 * Check that the current user holds the privileges an operation requires on its input and
 * output objects.
 * <p>
 * Denials from both sides are gathered into one list before any exception is raised, so a
 * single failure reports every missing privilege rather than just the first one found
 * (presumably {@code assertNoDeniedPermissions} throws when the list is non-empty).
 *
 * @param hiveOpType  the operation being authorized
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context     the authorization context
 * @throws HiveAuthzPluginException   on an internal authorization error
 * @throws HiveAccessControlException if any required privilege is missing
 */
@Override
public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
    List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
    throws HiveAuthzPluginException, HiveAccessControlException {
  String user = authenticator.getUserName();
  List<String> denied = new ArrayList<>();
  checkPrivileges(hiveOpType, inputHObjs, user, Operation2Privilege.IOType.INPUT, denied);
  checkPrivileges(hiveOpType, outputHObjs, user, Operation2Privilege.IOType.OUTPUT, denied);
  HivePrincipal principal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
  SQLAuthorizationUtils.assertNoDeniedPermissions(principal, hiveOpType, denied);
}
/**
 * Test helper: configure the given whitelist parameter from a set of regexes, apply the
 * SQL-standard authorization config policy, and verify which parameters remain settable.
 *
 * @param paramRegexes   regex fragments joined with "|" into the whitelist value
 * @param settableParams parameters expected to still be settable afterwards
 * @param whiteListParam the configuration variable that holds the whitelist
 * @throws HiveAuthzPluginException if applying the policy fails
 */
private void verifySettability(List<String> paramRegexes, List<String> settableParams,
    ConfVars whiteListParam) throws HiveAuthzPluginException {
  HiveConf conf = newAuthEnabledConf();
  // The whitelist is one alternation regex built from the individual patterns.
  String whitelistRegex = Joiner.on("|").join(paramRegexes);
  conf.setVar(whiteListParam, whitelistRegex);
  SQLStdHiveAccessController controller = new SQLStdHiveAccessController(
      null, conf, new HadoopDefaultAuthenticator(), getHS2SessionCtx());
  controller.applyAuthorizationConfigPolicy(conf);
  verifyParamSettability(settableParams, conf);
}
/**
 * Test factory: remember the user name the authenticator reports and return an authorizer
 * backed by a Mockito mock access controller (so no real policy is enforced).
 *
 * @param metastoreClientFactory unused here
 * @param conf                   unused here
 * @param authenticator          source of the user name that is recorded
 * @param ctx                    unused here
 * @return an authorizer wrapping a mock access controller and no access validator
 */
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
    HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
  // Captured so tests can assert which user name reached the factory.
  username = authenticator.getUserName();
  HiveAccessController mockController = Mockito.mock(HiveAccessController.class);
  return new HiveAuthorizerImpl(mockController, null);
}
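/**
 * (Re-)initialize {@code currentUserName} and {@code currentRoles} when the session user changes.
 * <p>
 * The authenticator is consulted on every call rather than once at construction so that .q
 * tests can switch the user within a session; roles are fetched from the metastore again
 * only when the reported user name differs from the cached one.
 *
 * @throws HiveAuthzPluginException if the roles cannot be read from the metastore
 */
private void initUserRoles() throws HiveAuthzPluginException {
  String newUserName = authenticator.getUserName();
  // Compare by value, not by reference: the original "==" treated two distinct String
  // instances holding the same name as a user change and re-fetched roles needlessly.
  // A null name counts as unchanged only when the cached name is null as well.
  boolean unchanged = (currentUserName == null)
      ? newUserName == null
      : currentUserName.equals(newUserName);
  if (unchanged) {
    return;
  }
  this.currentUserName = newUserName;
  this.currentRoles = getRolesFromMS();
  LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
}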
/**
 * Group names of the current session's authenticator.
 *
 * @return the authenticator's group names, or {@code null} when there is no current
 *         SessionState or it has no authenticator (callers must handle null)
 */
private List<String> getGroupNames() {
  SessionState session = SessionState.get();
  if (session == null || session.getAuthenticator() == null) {
    return null;
  }
  return session.getAuthenticator().getGroupNames();
}
/**
 * Adopt the metastore handler's configuration as this object's own.
 *
 * @param handler the metastore handler whose configuration is used
 */
@Override
public void setMetaStoreHandler(IHMSHandler handler) {
  // Only the configuration is taken; the handler itself is not retained here.
  setConf(handler.getConf());
}
/**
 * Authorize a database operation via file-system permissions on the database location.
 * DROP is handled as delete permission on the directory (checked first, for the current
 * user); the remaining read/write requirements go through the path-based check.
 *
 * @param db                the target database
 * @param readRequiredPriv  required read privileges
 * @param writeRequiredPriv required write privileges
 * @throws HiveException          if the location or permissions cannot be resolved
 * @throws AuthorizationException if a required permission is missing
 */
@Override
public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
    throws HiveException, AuthorizationException {
  Path location = getDbLocation(db);
  // Separate the DROP requirement from the read/write ones.
  DropPrivilegeExtractor dropExtractor =
      new DropPrivilegeExtractor(readRequiredPriv, writeRequiredPriv);
  readRequiredPriv = dropExtractor.getReadReqPriv();
  writeRequiredPriv = dropExtractor.getWriteReqPriv();
  boolean needsDrop = dropExtractor.hasDropPrivilege();
  if (needsDrop) {
    checkDeletePermission(location, getConf(), authenticator.getUserName());
  }
  authorize(location, readRequiredPriv, writeRequiredPriv);
}
/**
 * Evaluate the required input/output privileges against the user-level (GLOBAL) grants of
 * the authenticated user and the groups the authenticator reports.
 *
 * @param inputRequiredPriv  privileges required on inputs
 * @param inputCheck         result slots for the input privileges
 * @param outputRequiredPriv privileges required on outputs
 * @param outputCheck        result slots for the output privileges
 * @return the result of {@code authorizePrivileges} over the global privilege set
 * @throws HiveException if the metastore lookup fails
 */
protected boolean authorizeUserPriv(Privilege[] inputRequiredPriv, boolean[] inputCheck,
    Privilege[] outputRequiredPriv, boolean[] outputCheck) throws HiveException {
  // GLOBAL scope: no db/table/partition/column coordinates, hence the four nulls.
  PrincipalPrivilegeSet userLevelPrivs = hive_db.get_privilege_set(HiveObjectType.GLOBAL,
      null, null, null, null,
      this.getAuthenticator().getUserName(),
      this.getAuthenticator().getGroupNames());
  boolean allowed = authorizePrivileges(userLevelPrivs,
      inputRequiredPriv, inputCheck, outputRequiredPriv, outputCheck);
  return allowed;
}
/**
 * Pass-through filter for list commands: returns the input list as-is.
 * <p>
 * Nothing is removed, so every candidate object is visible to the caller irrespective of
 * grants; only a debug trace of the list, the user and the context is written.
 *
 * @param listObjs candidate objects for a list command
 * @param context  the command's authorization context
 * @return the same {@code listObjs} instance
 */
@Override
public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
    HiveAuthzContext context) {
  boolean traceEnabled = LOG.isDebugEnabled();
  if (traceEnabled) {
    String user = authenticator.getUserName();
    LOG.debug("Obtained following objects in filterListCmdObjects " + listObjs
        + " for user " + user + ". Context Info: " + context);
  }
  return listObjs;
}
/**
 * Look up the group names from the current session's authenticator.
 *
 * @return group names, or {@code null} if there is no SessionState or no authenticator
 */
private List<String> getGroupNames() {
  SessionState current = SessionState.get();
  if (current != null) {
    if (current.getAuthenticator() != null) {
      return current.getAuthenticator().getGroupNames();
    }
  }
  // No session or no authenticator: nothing to report.
  return null;
}
/**
 * Take over the configuration of the given metastore handler.
 *
 * @param handler the metastore handler supplying the configuration
 */
@Override
public void setMetaStoreHandler(HMSHandler handler) {
  // Only the handler's configuration is needed; the handler reference is not stored.
  setConf(handler.getConf());
}
/**
 * Pick the user name to resolve groups for: the authenticator's user name when an
 * authenticator is present and reports a non-null name, otherwise the SessionState's
 * own user name.
 * <p>
 * This should be removed when authenticator and the 2-username mess is cleaned up.
 *
 * @param ss the session to read from
 * @return the chosen user name (may be null if both sources are null)
 */
private String getUserNameForGroups(SessionState ss) {
  String fromAuthenticator = null;
  if (ss.getAuthenticator() != null) {
    fromAuthenticator = ss.getAuthenticator().getUserName();
  }
  return fromAuthenticator != null ? fromAuthenticator : ss.getUserName();
}
/**
 * Group names from the current SessionState's authenticator.
 *
 * @return the group names, or {@code null} when there is no current SessionState or its
 *         authenticator is null (callers must handle null)
 */
public static List<String> getGroupsFromAuthenticator() {
  SessionState session = SessionState.get();
  if (session == null) {
    return null;
  }
  if (session.getAuthenticator() == null) {
    return null;
  }
  return session.getAuthenticator().getGroupNames();
}
/**
 * User name from the current SessionState's authenticator.
 *
 * @return the user name, or {@code null} when there is no current SessionState object or
 *         its authenticator is null
 */
public static String getUserFromAuthenticator() {
  SessionState session = SessionState.get();
  if (session == null || session.getAuthenticator() == null) {
    return null;
  }
  return session.getAuthenticator().getUserName();
}
/**
 * Embedded HS2 starts a session without a user name; the authenticator must then report
 * null group names instead of throwing an NPE.
 *
 * @throws Exception on any setup failure
 */
@Test
public void testSessionNullUser() throws Exception {
  // Explicit null user name, as in the embedded HS2 case.
  SessionState session = new SessionState(getAuthV2HiveConf(), null);
  setupDataNucleusFreeHive(session.getConf());
  SessionState.start(session);
  assertNull("getGroupNames when userName == null",
      session.getAuthenticator().getGroupNames());
}
/**
 * Resolve the user name via the current SessionState's authenticator.
 *
 * @return the authenticator's user name; {@code null} if there is no current SessionState
 *         or it has no authenticator
 */
public static String getUserFromAuthenticator() {
  SessionState current = SessionState.get();
  boolean haveAuthenticator = current != null && current.getAuthenticator() != null;
  return haveAuthenticator ? current.getAuthenticator().getUserName() : null;
}
/**
 * When the SessionState is created without a user name, the authorization factory must
 * still receive the user name the authenticator provides.
 *
 * @throws Exception on any setup failure
 */
@Test
public void testSessionDefaultUser() throws Exception {
  SessionState session = new SessionState(getAuthV2HiveConf());
  setupDataNucleusFreeHive(session.getConf());
  SessionState.start(session);
  String expected = session.getAuthenticator().getUserName();
  // The factory records the user name it was handed; it must match the authenticator's.
  Assert.assertEquals("check username", expected,
      HiveAuthorizerStoringUserNameFactory.username);
}