Example #1
0
  public RangerHiveAccessRequest(
      RangerHiveResource resource,
      String user,
      Set<String> userGroups,
      String hiveOpTypeName,
      HiveAccessType accessType,
      HiveAuthzContext context,
      HiveAuthzSessionContext sessionContext) {
    this.setResource(resource);
    this.setUser(user);
    this.setUserGroups(userGroups);
    this.setAccessTime(new Date());
    this.setAction(hiveOpTypeName);
    this.setHiveAccessType(accessType);

    if (context != null) {
      this.setRequestData(context.getCommandString());
      this.setForwardedAddresses(context.getForwardedAddresses());
      this.setRemoteIPAddress(context.getIpAddress());
    }

    if (sessionContext != null) {
      this.setClientType(
          sessionContext.getClientType() == null
              ? null
              : sessionContext.getClientType().toString());
      this.setSessionId(sessionContext.getSessionString());
    }
  }
Example #2
0
  /**
   * Check if current user has privileges to perform given operation type hiveOpType on the given
   * input and output objects
   *
   * @param hiveOpType
   * @param inputHObjs
   * @param outputHObjs
   * @param context
   * @throws SentryAccessControlException
   */
  @Override
  public void checkPrivileges(
      HiveOperationType hiveOpType,
      List<HivePrivilegeObject> inputHObjs,
      List<HivePrivilegeObject> outputHObjs,
      HiveAuthzContext context)
      throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
      String msg =
          "Checking privileges for operation "
              + hiveOpType
              + " by user "
              + authenticator.getUserName()
              + " on "
              + " input objects "
              + inputHObjs
              + " and output objects "
              + outputHObjs
              + ". Context Info: "
              + context;
      LOG.debug(msg);
    }

    HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name());
    HiveAuthzPrivileges stmtAuthPrivileges = null;
    if (HiveOperation.DESCTABLE.equals(hiveOp)
        && !(context.getCommandString().contains("EXTENDED")
            || context.getCommandString().contains("FORMATTED"))) {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
    } else {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(hiveOp);
    }

    HiveAuthzBinding hiveAuthzBinding = null;
    try {
      hiveAuthzBinding = getAuthzBinding();
      if (stmtAuthPrivileges == null) {
        // We don't handle authorizing this statement
        return;
      }

      List<List<DBModelAuthorizable>> inputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), inputHObjs);
      List<List<DBModelAuthorizable>> outputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), outputHObjs);

      // Workaround for metadata queries
      addExtendHierarchy(
          hiveOp,
          stmtAuthPrivileges,
          inputHierarchyList,
          outputHierarchyList,
          context.getCommandString(),
          hiveAuthzBinding);

      hiveAuthzBinding.authorize(
          hiveOp,
          stmtAuthPrivileges,
          new Subject(authenticator.getUserName()),
          inputHierarchyList,
          outputHierarchyList);
    } catch (AuthorizationException e) {
      Database db = null;
      Table tab = null;
      AccessURI udfURI = null;
      AccessURI partitionURI = null;
      if (outputHObjs != null) {
        for (HivePrivilegeObject obj : outputHObjs) {
          switch (obj.getType()) {
            case DATABASE:
              db = new Database(obj.getObjectName());
              break;
            case TABLE_OR_VIEW:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
              break;
            case PARTITION:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
            case LOCAL_URI:
            case DFS_URI:
          }
        }
      }
      String permsRequired = "";
      SentryOnFailureHookContext hookCtx =
          new SentryOnFailureHookContextImpl(
              context.getCommandString(),
              null,
              null,
              hiveOp,
              db,
              tab,
              udfURI,
              partitionURI,
              authenticator.getUserName(),
              context.getIpAddress(),
              e,
              authzConf);
      SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
      for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
        permsRequired += perm + ";";
      }
      SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
      String msg =
          HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE
              + "\n Required privileges for this query: "
              + permsRequired;
      throw new HiveAccessControlException(msg, e);
    } catch (Exception e) {
      throw new HiveAuthzPluginException(e.getClass() + ": " + e.getMessage(), e);
    } finally {
      if (hiveAuthzBinding != null) {
        hiveAuthzBinding.close();
      }
    }

    if ("true"
        .equalsIgnoreCase(
            SessionState.get().getConf().get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
      throw new HiveAccessControlException(
          HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR
              + " Mock query compilation aborted. Set "
              + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
              + " to 'false' for normal query processing");
    }
  }