/**
 * Authorizes renaming a column of {@code tableName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name, {@code RENAME_COLUMN}) is evaluated first and
 * reported through {@code denyRenameColumn}. The parent check is then always invoked.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param tableName table whose column is being renamed
 */
@Override
public void checkCanRenameColumn(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    // NOTE(review): presumably getObjectName() is the unqualified name, so same-named tables
    // in other schemas would match the same rule - confirm.
    final String user = identity.getUser();
    final String objectName = tableName.getObjectName();
    final boolean denied = shouldDenyPrivilege(user, objectName, RENAME_COLUMN);
    if (denied) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denyRenameColumn(tableName.toString());
    }

    super.checkCanRenameColumn(transactionId, identity, tableName);
}
/**
 * Authorizes setting the system session property {@code propertyName} for {@code identity}.
 *
 * <p>A deny rule for (user, property name, {@code SET_SESSION}) is evaluated first. The
 * parent check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param identity caller whose user name is matched against the deny rules
 * @param propertyName system session property being set
 */
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName)
{
    final String user = identity.getUser();
    if (shouldDenyPrivilege(user, propertyName, SET_SESSION)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denySetSystemSessionProperty(propertyName);
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetSystemSessionProperty(identity, propertyName);
}
/**
 * Authorizes setting the catalog session property {@code catalogName.propertyName} for
 * {@code identity}.
 *
 * <p>The deny-rule key is {@code catalogName + "." + propertyName} with privilege
 * {@code SET_SESSION}. The parent check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param catalogName catalog that owns the property
 * @param propertyName catalog session property being set
 */
@Override
public void checkCanSetCatalogSessionProperty(
        TransactionId transactionId,
        Identity identity,
        String catalogName,
        String propertyName)
{
    final String user = identity.getUser();
    final String qualifiedProperty = catalogName + "." + propertyName;
    if (shouldDenyPrivilege(user, qualifiedProperty, SET_SESSION)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denySetCatalogSessionProperty(catalogName, propertyName);
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSetCatalogSessionProperty(transactionId, identity, catalogName, propertyName);
}
/**
 * Authorizes a SELECT from {@code viewName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name, {@code SELECT_VIEW}) is evaluated first. The parent
 * check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param viewName view being read
 */
@Override
public void checkCanSelectFromView(TransactionId transactionId, Identity identity, QualifiedObjectName viewName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    final String user = identity.getUser();
    final String objectName = viewName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, SELECT_VIEW)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denySelectView(viewName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanSelectFromView(transactionId, identity, viewName);
}
/**
 * Authorizes a DELETE against {@code tableName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name, {@code DELETE_TABLE}) is evaluated first. The parent
 * check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param tableName table rows are deleted from
 */
@Override
public void checkCanDeleteFromTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    final String user = identity.getUser();
    final String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, DELETE_TABLE)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denyDeleteTable(tableName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDeleteFromTable(transactionId, identity, tableName);
}
/**
 * Authorizes an INSERT into {@code tableName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name, {@code INSERT_TABLE}) is evaluated first. The parent
 * check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param tableName table rows are inserted into
 */
@Override
public void checkCanInsertIntoTable(TransactionId transactionId, Identity identity, QualifiedObjectName tableName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    final String user = identity.getUser();
    final String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, INSERT_TABLE)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denyInsertTable(tableName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanInsertIntoTable(transactionId, identity, tableName);
}
/**
 * Authorizes dropping {@code schemaName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, schema name, {@code DROP_SCHEMA}) is evaluated first. The parent
 * check is consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param schemaName catalog-qualified schema being dropped
 */
@Override
public void checkCanDropSchema(TransactionId transactionId, Identity identity, CatalogSchemaName schemaName)
{
    // The rule lookup uses getSchemaName() only, while the denial message uses the full toString().
    final String user = identity.getUser();
    final String schema = schemaName.getSchemaName();
    if (shouldDenyPrivilege(user, schema, DROP_SCHEMA)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denyDropSchema(schemaName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanDropSchema(transactionId, identity, schemaName);
}
/**
 * Authorizes creating a view that selects from {@code tableName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name, {@code CREATE_VIEW_WITH_SELECT_TABLE}) is evaluated
 * first. A match is reported through {@code denySelectTable}, so the denial is reported as a
 * select denial on the table. The parent check is consulted only when {@code denyPrivileges}
 * is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param tableName table the new view would read
 */
@Override
public void checkCanCreateViewWithSelectFromTable(
        TransactionId transactionId,
        Identity identity,
        QualifiedObjectName tableName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    final String user = identity.getUser();
    final String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, CREATE_VIEW_WITH_SELECT_TABLE)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denySelectTable(tableName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanCreateViewWithSelectFromTable(transactionId, identity, tableName);
}
/**
 * Reports whether the user behind {@code identity} holds every one of
 * {@code requiredPrivileges} on {@code tableName}.
 *
 * <p>Tables in the schema named {@code INFORMATION_SCHEMA_NAME} are always permitted and the
 * metastore is not consulted for them. For any other table the privileges returned by
 * {@code metastore.getTablePrivileges} must contain all required privileges.
 *
 * @param identity caller whose user name is looked up in the metastore
 * @param tableName table the privileges apply to
 * @param requiredPrivileges privileges that must all be granted; with none given the result
 *     is {@code true} for any table
 * @return {@code true} if access is permitted
 */
private boolean checkTablePermission(Identity identity, SchemaTableName tableName, HivePrivilege... requiredPrivileges)
{
    final String schema = tableName.getSchemaName();

    // Unconditional allow: no privilege lookup happens for the information schema.
    if (INFORMATION_SCHEMA_NAME.equals(schema)) {
        return true;
    }

    final Set<HivePrivilege> granted = metastore.getTablePrivileges(
            identity.getUser(),
            schema,
            tableName.getTableName());
    final Set<HivePrivilege> required = ImmutableSet.copyOf(requiredPrivileges);
    return granted.containsAll(required);
}
/**
 * Authorizes renaming {@code tableName} to {@code newTableName} on behalf of {@code identity}.
 *
 * <p>A deny rule for (user, object name of the existing table, {@code RENAME_TABLE}) is
 * evaluated first. The new name takes no part in the rule lookup. The parent check is
 * consulted only when {@code denyPrivileges} is empty.
 *
 * @param transactionId transaction the check runs in, forwarded to the parent check
 * @param identity caller whose user name is matched against the deny rules
 * @param tableName table being renamed
 * @param newTableName requested new name, used in the denial message and the parent check
 */
@Override
public void checkCanRenameTable(
        TransactionId transactionId,
        Identity identity,
        QualifiedObjectName tableName,
        QualifiedObjectName newTableName)
{
    // The rule lookup uses getObjectName(), while the denial message uses the full toString().
    final String user = identity.getUser();
    final String objectName = tableName.getObjectName();
    if (shouldDenyPrivilege(user, objectName, RENAME_TABLE)) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denyRenameTable(tableName.toString(), newTableName.toString());
    }

    // NOTE(review): once any deny rule is registered, a request that matches no rule returns
    // here without the parent check - confirm that is intended wherever this class is used.
    if (!denyPrivileges.isEmpty()) {
        return;
    }
    super.checkCanRenameTable(transactionId, identity, tableName, newTableName);
}
/**
 * Authorizes dropping {@code tableName}: drops must be enabled through {@code allowDropTable},
 * the table must exist, and the session user must equal the table owner.
 *
 * @param transaction connector transaction, cast to {@code HiveTransactionHandle} to obtain
 *     the metastore
 * @param identity caller whose user name is compared with the table owner
 * @param tableName table being dropped
 */
@Override
public void checkCanDropTable(ConnectorTransactionHandle transaction, Identity identity, SchemaTableName tableName)
{
    if (!allowDropTable) {
        denyDropTable(tableName.toString());
    }

    final HiveTransactionHandle hiveTransaction = (HiveTransactionHandle) transaction;
    final Optional<Table> target = metastoreProvider
            .apply(hiveTransaction)
            .getTable(tableName.getSchemaName(), tableName.getTableName());

    // NOTE(review): the distinct "Table not found" message lets a caller who may not drop the
    // table tell an existing table from a missing one - confirm that is acceptable.
    if (!target.isPresent()) {
        denyDropTable(tableName.toString(), "Table not found");
    }

    // target.get() below relies on denyDropTable not returning (presumably it throws an
    // access-denied exception - confirm). If it did return, get() would still fail closed.
    final String sessionUser = identity.getUser();
    final String owner = target.get().getOwner();
    if (!sessionUser.equals(owner)) {
        denyDropTable(tableName.toString(), "Owner of the table is different from session user");
    }
}
/**
 * Reports whether the user behind {@code identity} holds every one of
 * {@code requiredPrivileges} on the database {@code schemaName}.
 *
 * @param identity caller whose user name is looked up in the metastore
 * @param schemaName database the privileges apply to
 * @param requiredPrivileges privileges that must all be granted; with none given the result
 *     is {@code true}
 * @return {@code true} if the privileges returned by {@code metastore.getDatabasePrivileges}
 *     contain all required privileges
 */
private boolean checkDatabasePermission(Identity identity, String schemaName, HivePrivilege... requiredPrivileges)
{
    final Set<HivePrivilege> granted = metastore.getDatabasePrivileges(identity.getUser(), schemaName);
    final Set<HivePrivilege> required = ImmutableSet.copyOf(requiredPrivileges);
    return granted.containsAll(required);
}
/**
 * Authorizes setting a catalog session property: only users whose metastore roles include
 * {@code ADMIN_ROLE_NAME} pass the check.
 *
 * @param identity caller whose roles are read from the metastore
 * @param propertyName property being set, used only in the denial message together with
 *     {@code connectorId}
 */
@Override
public void checkCanSetCatalogSessionProperty(Identity identity, String propertyName)
{
    final boolean isAdmin = metastore.getRoles(identity.getUser()).contains(ADMIN_ROLE_NAME);
    if (!isAdmin) {
        // Presumably throws an access-denied exception; the helper is not visible here.
        denySetCatalogSessionProperty(connectorId, propertyName);
    }
}