/**
 * Hands the session configuration to the v2 authorizer so it can apply its security-related
 * configuration changes. Does nothing in v1 mode or when the applied marker is already set.
 *
 * <p>The marker is written only after {@code applyAuthorizationConfigPolicy} returns, so a
 * failed attempt leaves the conf unmarked.
 *
 * @throws HiveException declared by this method; the authorizer call is the likely source
 */
public void applyAuthorizationPolicy() throws HiveException {
  // The v1 authorization interface has no equivalent hook, so only v2 mode proceeds.
  if (isAuthorizationModeV2()) {
    final String appliedValue = Boolean.TRUE.toString();

    // NOTE(review): this guard trusts a value read back from conf. Confirm that
    // CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER cannot be set by session users, because a
    // pre-set marker makes this method skip the policy step.
    final boolean alreadyApplied =
        conf.get(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, "").equals(appliedValue);

    if (!alreadyApplied) {
      authorizerV2.applyAuthorizationConfigPolicy(conf);
      // Record that this conf has been processed so that later calls return early.
      conf.set(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, appliedValue);
    }
  }
}
/**
 * Initializes the authentication and authorization plugins for this session.
 *
 * <p>Returns immediately when {@code authenticator} is already set. Otherwise it creates the
 * authenticator, asks {@code HiveUtils.getAuthorizeProviderManager} for an authorizer, and, if
 * that returns {@code null}, builds a v2 authorizer from the configured factory and lets it
 * apply its configuration policy. The create-table grants are then built from the resulting conf.
 *
 * <p>A {@link HiveException} raised during setup is rethrown wrapped in a
 * {@link RuntimeException}.
 */
private void setupAuth() {
  final boolean alreadyInitialized = authenticator != null;
  if (alreadyInitialized) {
    return;
  }

  try {
    // NOTE(review): authenticator is assigned before the authorizer exists. If a later step
    // throws, the guard above will treat the session as initialized on the next call while
    // authorizer / authorizerV2 may still be unset. Confirm callers fail closed in that case.
    authenticator =
        HiveUtils.getAuthenticator(conf, HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);
    authenticator.setSessionState(this);

    final String authzManagerClass =
        HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
    authorizer =
        HiveUtils.getAuthorizeProviderManager(conf, authzManagerClass, authenticator, true);

    if (authorizer == null) {
      // No authorizer came back, so the configured class must be a v2 authorization
      // plugin; obtain it through its factory instead.
      final HiveAuthorizerFactory v2Factory =
          HiveUtils.getAuthorizerFactory(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);

      final HiveAuthzSessionContext.Builder sessionCtx = new HiveAuthzSessionContext.Builder();
      final CLIENT_TYPE clientType;
      if (isHiveServerQuery()) {
        clientType = CLIENT_TYPE.HIVESERVER2;
      } else {
        clientType = CLIENT_TYPE.HIVECLI;
      }
      sessionCtx.setClientType(clientType);
      sessionCtx.setSessionString(getSessionId());

      authorizerV2 =
          v2Factory.createHiveAuthorizer(
              new HiveMetastoreClientFactoryImpl(), conf, authenticator, sessionCtx.build());

      // NOTE(review): the policy is applied here without setting
      // CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, so a later applyAuthorizationPolicy() call will
      // apply it again. That repeats the policy step rather than skipping it; confirm the
      // repeat is intended.
      authorizerV2.applyAuthorizationConfigPolicy(conf);
    }

    // Build the automatic create-table grants from the conf as it stands after the step above.
    createTableGrants = CreateTableAutomaticGrant.create(conf);
  } catch (HiveException e) {
    throw new RuntimeException(e);
  }

  if (LOG.isDebugEnabled()) {
    LOG.debug("Session is using authorization class " + getActiveAuthorizer().getClass());
  }
}