public RangerHiveAccessRequest( RangerHiveResource resource, String user, Set<String> userGroups, HiveOperationType hiveOpType, HiveAccessType accessType, HiveAuthzContext context, HiveAuthzSessionContext sessionContext) { this(resource, user, userGroups, hiveOpType.name(), accessType, context, sessionContext); }
/** * Check if current user has privileges to perform given operation type hiveOpType on the given * input and output objects * * @param hiveOpType * @param inputHObjs * @param outputHObjs * @param context * @throws SentryAccessControlException */ @Override public void checkPrivileges( HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { String msg = "Checking privileges for operation " + hiveOpType + " by user " + authenticator.getUserName() + " on " + " input objects " + inputHObjs + " and output objects " + outputHObjs + ". Context Info: " + context; LOG.debug(msg); } HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name()); HiveAuthzPrivileges stmtAuthPrivileges = null; if (HiveOperation.DESCTABLE.equals(hiveOp) && !(context.getCommandString().contains("EXTENDED") || context.getCommandString().contains("FORMATTED"))) { stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS); } else { stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(hiveOp); } HiveAuthzBinding hiveAuthzBinding = null; try { hiveAuthzBinding = getAuthzBinding(); if (stmtAuthPrivileges == null) { // We don't handle authorizing this statement return; } List<List<DBModelAuthorizable>> inputHierarchyList = SentryAuthorizerUtil.convert2SentryPrivilegeList( hiveAuthzBinding.getAuthServer(), inputHObjs); List<List<DBModelAuthorizable>> outputHierarchyList = SentryAuthorizerUtil.convert2SentryPrivilegeList( hiveAuthzBinding.getAuthServer(), outputHObjs); // Workaround for metadata queries addExtendHierarchy( hiveOp, stmtAuthPrivileges, inputHierarchyList, outputHierarchyList, context.getCommandString(), hiveAuthzBinding); hiveAuthzBinding.authorize( hiveOp, stmtAuthPrivileges, new Subject(authenticator.getUserName()), inputHierarchyList, outputHierarchyList); } catch (AuthorizationException e) { Database db = null; Table tab = null; AccessURI udfURI = null; AccessURI partitionURI = null; if (outputHObjs != null) { for (HivePrivilegeObject obj : outputHObjs) { switch (obj.getType()) { case DATABASE: db = new Database(obj.getObjectName()); break; case TABLE_OR_VIEW: db = new Database(obj.getDbname()); tab = new Table(obj.getObjectName()); break; case PARTITION: db = new Database(obj.getDbname()); tab = new Table(obj.getObjectName()); case LOCAL_URI: case DFS_URI: } } } String permsRequired = ""; SentryOnFailureHookContext hookCtx = new SentryOnFailureHookContextImpl( context.getCommandString(), null, null, hiveOp, db, tab, udfURI, partitionURI, authenticator.getUserName(), context.getIpAddress(), e, authzConf); SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf); for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) { permsRequired += perm + ";"; } SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired); String msg = HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE + "\n Required privileges for this query: " + permsRequired; throw new HiveAccessControlException(msg, e); } catch (Exception e) { throw new HiveAuthzPluginException(e.getClass() + ": " + e.getMessage(), e); } finally { if (hiveAuthzBinding != null) { hiveAuthzBinding.close(); } } if ("true" .equalsIgnoreCase( SessionState.get().getConf().get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) { throw new HiveAccessControlException( HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR + " Mock query compilation aborted. Set " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION + " to 'false' for normal query processing"); } }