private List<HivePrivilegeObject> filterShowTables(
List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
Subject subject = new Subject(userName);
HiveAuthzPrivileges tableMetaDataPrivilege =
new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
.addInputObjectPriviledge(
AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
.setOperationScope(HiveOperationScope.TABLE)
.setOperationType(
org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
.build();
for (HivePrivilegeObject obj : listObjs) {
// if user has privileges on table, add to filtered list, else discard
Table table = new Table(obj.getObjectName());
Database database;
database = new Database(obj.getDbname());
List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
List<DBModelAuthorizable> externalAuthorizableHierarchy =
new ArrayList<DBModelAuthorizable>();
externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
externalAuthorizableHierarchy.add(database);
externalAuthorizableHierarchy.add(table);
externalAuthorizableHierarchy.add(Column.ALL);
inputHierarchy.add(externalAuthorizableHierarchy);
try {
hiveAuthzBinding.authorize(
HiveOperation.SHOWTABLES,
tableMetaDataPrivilege,
subject,
inputHierarchy,
outputHierarchy);
filteredResult.add(obj);
} catch (AuthorizationException e) {
// squash the exception, user doesn't have privileges, so the table is
// not added to
// filtered list.
}
}
return filteredResult;
}
private List<HivePrivilegeObject> filterShowDatabases(
List<HivePrivilegeObject> listObjs, String userName, HiveAuthzBinding hiveAuthzBinding) {
List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
Subject subject = new Subject(userName);
HiveAuthzPrivileges anyPrivilege =
new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
.addInputObjectPriviledge(
AuthorizableType.Column,
EnumSet.of(
DBModelAction.SELECT,
DBModelAction.INSERT,
DBModelAction.ALTER,
DBModelAction.CREATE,
DBModelAction.DROP,
DBModelAction.INDEX,
DBModelAction.LOCK))
.setOperationScope(HiveOperationScope.CONNECT)
.setOperationType(
org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.QUERY)
.build();
for (HivePrivilegeObject obj : listObjs) {
// if user has privileges on database, add to filtered list, else discard
Database database = null;
// if default is not restricted, continue
if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(obj.getObjectName())
&& "false"
.equalsIgnoreCase(
hiveAuthzBinding
.getAuthzConf()
.get(
HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(),
"false"))) {
filteredResult.add(obj);
continue;
}
database = new Database(obj.getObjectName());
List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
List<DBModelAuthorizable> externalAuthorizableHierarchy =
new ArrayList<DBModelAuthorizable>();
externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
externalAuthorizableHierarchy.add(database);
externalAuthorizableHierarchy.add(Table.ALL);
externalAuthorizableHierarchy.add(Column.ALL);
inputHierarchy.add(externalAuthorizableHierarchy);
try {
hiveAuthzBinding.authorize(
HiveOperation.SHOWDATABASES, anyPrivilege, subject, inputHierarchy, outputHierarchy);
filteredResult.add(obj);
} catch (AuthorizationException e) {
// squash the exception, user doesn't have privileges, so the table is
// not added to
// filtered list.
}
}
return filteredResult;
}
/**
* Check if current user has privileges to perform given operation type hiveOpType on the given
* input and output objects
*
* @param hiveOpType
* @param inputHObjs
* @param outputHObjs
* @param context
* @throws SentryAccessControlException
*/
@Override
public void checkPrivileges(
HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
HiveAuthzContext context)
throws HiveAuthzPluginException, HiveAccessControlException {
if (LOG.isDebugEnabled()) {
String msg =
"Checking privileges for operation "
+ hiveOpType
+ " by user "
+ authenticator.getUserName()
+ " on "
+ " input objects "
+ inputHObjs
+ " and output objects "
+ outputHObjs
+ ". Context Info: "
+ context;
LOG.debug(msg);
}
HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name());
HiveAuthzPrivileges stmtAuthPrivileges = null;
if (HiveOperation.DESCTABLE.equals(hiveOp)
&& !(context.getCommandString().contains("EXTENDED")
|| context.getCommandString().contains("FORMATTED"))) {
stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
} else {
stmtAuthPrivileges = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(hiveOp);
}
HiveAuthzBinding hiveAuthzBinding = null;
try {
hiveAuthzBinding = getAuthzBinding();
if (stmtAuthPrivileges == null) {
// We don't handle authorizing this statement
return;
}
List<List<DBModelAuthorizable>> inputHierarchyList =
SentryAuthorizerUtil.convert2SentryPrivilegeList(
hiveAuthzBinding.getAuthServer(), inputHObjs);
List<List<DBModelAuthorizable>> outputHierarchyList =
SentryAuthorizerUtil.convert2SentryPrivilegeList(
hiveAuthzBinding.getAuthServer(), outputHObjs);
// Workaround for metadata queries
addExtendHierarchy(
hiveOp,
stmtAuthPrivileges,
inputHierarchyList,
outputHierarchyList,
context.getCommandString(),
hiveAuthzBinding);
hiveAuthzBinding.authorize(
hiveOp,
stmtAuthPrivileges,
new Subject(authenticator.getUserName()),
inputHierarchyList,
outputHierarchyList);
} catch (AuthorizationException e) {
Database db = null;
Table tab = null;
AccessURI udfURI = null;
AccessURI partitionURI = null;
if (outputHObjs != null) {
for (HivePrivilegeObject obj : outputHObjs) {
switch (obj.getType()) {
case DATABASE:
db = new Database(obj.getObjectName());
break;
case TABLE_OR_VIEW:
db = new Database(obj.getDbname());
tab = new Table(obj.getObjectName());
break;
case PARTITION:
db = new Database(obj.getDbname());
tab = new Table(obj.getObjectName());
case LOCAL_URI:
case DFS_URI:
}
}
}
String permsRequired = "";
SentryOnFailureHookContext hookCtx =
new SentryOnFailureHookContextImpl(
context.getCommandString(),
null,
null,
hiveOp,
db,
tab,
udfURI,
partitionURI,
authenticator.getUserName(),
context.getIpAddress(),
e,
authzConf);
SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
permsRequired += perm + ";";
}
SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
String msg =
HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE
+ "\n Required privileges for this query: "
+ permsRequired;
throw new HiveAccessControlException(msg, e);
} catch (Exception e) {
throw new HiveAuthzPluginException(e.getClass() + ": " + e.getMessage(), e);
} finally {
if (hiveAuthzBinding != null) {
hiveAuthzBinding.close();
}
}
if ("true"
.equalsIgnoreCase(
SessionState.get().getConf().get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
throw new HiveAccessControlException(
HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR
+ " Mock query compilation aborted. Set "
+ HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
+ " to 'false' for normal query processing");
}
}
