@Override
 public List<HivePrivilegeObject> filterListCmdObjects(
     List<HivePrivilegeObject> listObjs, HiveAuthzContext context) {
   if (listObjs != null && listObjs.size() >= 1) {
     HivePrivilegeObjectType pType = listObjs.get(0).getType();
     HiveAuthzBinding hiveAuthzBinding = null;
     try {
       switch (pType) {
         case DATABASE:
           hiveAuthzBinding = getAuthzBinding();
           listObjs = filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
           break;
         case TABLE_OR_VIEW:
           hiveAuthzBinding = getAuthzBinding();
           listObjs = filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
           break;
       }
     } catch (Exception e) {
       LOG.debug(e.getMessage(), e);
     } finally {
       if (hiveAuthzBinding != null) {
         hiveAuthzBinding.close();
       }
     }
   }
   return listObjs;
 }
Exemplo n.º 2
0
  /** Setup authentication and authorization plugins for this session. */
  private void setupAuth() {

    if (authenticator != null) {
      // auth has been initialized
      return;
    }

    try {
      authenticator =
          HiveUtils.getAuthenticator(conf, HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER);
      authenticator.setSessionState(this);

      String clsStr = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
      authorizer = HiveUtils.getAuthorizeProviderManager(conf, clsStr, authenticator, true);

      if (authorizer == null) {
        // if it was null, the new authorization plugin must be specified in
        // config
        HiveAuthorizerFactory authorizerFactory =
            HiveUtils.getAuthorizerFactory(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);

        HiveAuthzSessionContext.Builder authzContextBuilder = new HiveAuthzSessionContext.Builder();
        authzContextBuilder.setClientType(
            isHiveServerQuery() ? CLIENT_TYPE.HIVESERVER2 : CLIENT_TYPE.HIVECLI);
        authzContextBuilder.setSessionString(getSessionId());

        authorizerV2 =
            authorizerFactory.createHiveAuthorizer(
                new HiveMetastoreClientFactoryImpl(),
                conf,
                authenticator,
                authzContextBuilder.build());

        authorizerV2.applyAuthorizationConfigPolicy(conf);
      }
      // create the create table grants with new config
      createTableGrants = CreateTableAutomaticGrant.create(conf);

    } catch (HiveException e) {
      throw new RuntimeException(e);
    }

    if (LOG.isDebugEnabled()) {
      Object authorizationClass = getActiveAuthorizer();
      LOG.debug("Session is using authorization class " + authorizationClass.getClass());
    }
    return;
  }
  /**
   * Check if current user has privileges to perform given operation type hiveOpType on the given
   * input and output objects
   *
   * @param hiveOpType
   * @param inputHObjs
   * @param outputHObjs
   * @param context
   * @throws SentryAccessControlException
   */
  @Override
  public void checkPrivileges(
      HiveOperationType hiveOpType,
      List<HivePrivilegeObject> inputHObjs,
      List<HivePrivilegeObject> outputHObjs,
      HiveAuthzContext context)
      throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
      String msg =
          "Checking privileges for operation "
              + hiveOpType
              + " by user "
              + authenticator.getUserName()
              + " on "
              + " input objects "
              + inputHObjs
              + " and output objects "
              + outputHObjs
              + ". Context Info: "
              + context;
      LOG.debug(msg);
    }

    HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name());
    HiveAuthzPrivileges stmtAuthPrivileges = null;
    if (HiveOperation.DESCTABLE.equals(hiveOp)
        && !(context.getCommandString().contains("EXTENDED")
            || context.getCommandString().contains("FORMATTED"))) {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
    } else {
      stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(hiveOp);
    }

    HiveAuthzBinding hiveAuthzBinding = null;
    try {
      hiveAuthzBinding = getAuthzBinding();
      if (stmtAuthPrivileges == null) {
        // We don't handle authorizing this statement
        return;
      }

      List<List<DBModelAuthorizable>> inputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), inputHObjs);
      List<List<DBModelAuthorizable>> outputHierarchyList =
          SentryAuthorizerUtil.convert2SentryPrivilegeList(
              hiveAuthzBinding.getAuthServer(), outputHObjs);

      // Workaround for metadata queries
      addExtendHierarchy(
          hiveOp,
          stmtAuthPrivileges,
          inputHierarchyList,
          outputHierarchyList,
          context.getCommandString(),
          hiveAuthzBinding);

      hiveAuthzBinding.authorize(
          hiveOp,
          stmtAuthPrivileges,
          new Subject(authenticator.getUserName()),
          inputHierarchyList,
          outputHierarchyList);
    } catch (AuthorizationException e) {
      Database db = null;
      Table tab = null;
      AccessURI udfURI = null;
      AccessURI partitionURI = null;
      if (outputHObjs != null) {
        for (HivePrivilegeObject obj : outputHObjs) {
          switch (obj.getType()) {
            case DATABASE:
              db = new Database(obj.getObjectName());
              break;
            case TABLE_OR_VIEW:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
              break;
            case PARTITION:
              db = new Database(obj.getDbname());
              tab = new Table(obj.getObjectName());
            case LOCAL_URI:
            case DFS_URI:
          }
        }
      }
      String permsRequired = "";
      SentryOnFailureHookContext hookCtx =
          new SentryOnFailureHookContextImpl(
              context.getCommandString(),
              null,
              null,
              hiveOp,
              db,
              tab,
              udfURI,
              partitionURI,
              authenticator.getUserName(),
              context.getIpAddress(),
              e,
              authzConf);
      SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
      for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
        permsRequired += perm + ";";
      }
      SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
      String msg =
          HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE
              + "\n Required privileges for this query: "
              + permsRequired;
      throw new HiveAccessControlException(msg, e);
    } catch (Exception e) {
      throw new HiveAuthzPluginException(e.getClass() + ": " + e.getMessage(), e);
    } finally {
      if (hiveAuthzBinding != null) {
        hiveAuthzBinding.close();
      }
    }

    if ("true"
        .equalsIgnoreCase(
            SessionState.get().getConf().get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
      throw new HiveAccessControlException(
          HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR
              + " Mock query compilation aborted. Set "
              + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
              + " to 'false' for normal query processing");
    }
  }