Index: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
===================================================================
--- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (revision 1050266)
+++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (working copy)
@@ -325,6 +325,13 @@
SEMANTIC_ANALYZER_HOOK("hive.semantic.analyzer.hook",null),
+ HIVE_AUTHORIZATION_ENABLED("hive.security.authorization.enabled", false),
+ HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager", null),
+ HIVE_AUTHENTICATOR_MANAGER("hive.security.authenticator.manager", null),
+
+ HIVE_AUTHORIZATION_TABLE_USER_GRANTS("hive.security.authorization.createtable.user.grants", null),
+ HIVE_AUTHORIZATION_TABLE_GROUP_GRANTS("hive.security.authorization.createtable.group.grants", null),
+ HIVE_AUTHORIZATION_TABLE_ROLE_GRANTS("hive.security.authorization.createtable.role.grants", null),
// Print column names in output
HIVE_CLI_PRINT_HEADER("hive.cli.print.header", false),
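Review bot: HIVE_AUTHORIZATION_MANAGER and HIVE_AUTHENTICATOR_MANAGER default to null here (L8, L9) while conf/hive-default.xml in the same patch gives them org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider and org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator (L28, L36), so the two sources of defaults disagree; if hive-default.xml is ever absent from the classpath the enum default presumably wins and no provider class is configured. Carrying the same class names as the enum defaults, e.g. `HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager", "org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider"),`, keeps the two in step. The three createtable.*.grants entries (L11-L13) carry no comment on the value format that the xml describes; a comment such as `// "user1,user2:priv1;user3:priv2" — grants applied automatically on CREATE TABLE` would save readers a trip to hive-default.xml.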
Index: conf/hive-default.xml
===================================================================
--- conf/hive-default.xml (revision 1050266)
+++ conf/hive-default.xml (working copy)
@@ -834,6 +834,57 @@
+ hive.security.authorization.enabled
+ false
+ enable or disable the hive client authorization
+
+
+
+ hive.security.authorization.manager
+ org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider
+ the hive client authorization manager class name.
+ The user defined authorization class should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider.
+
+
+
+
+ hive.security.authenticator.manager
+ org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator
+ hive client authenticator manager class name.
+ The user defined authenticator should implement interface org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
+
+
+
+ hive.security.authorization.createtable.user.grants
+
+ the privileges automatically granted to some users whenever a table gets created.
+ An example like "userX,userY:select;userZ:create" will grant select privilege to userX and userY,
+ and grant create privilege to userZ whenever a new table created.
+
+
+
+ hive.security.authorization.createtable.group.grants
+
+ the privileges automatically granted to some groups whenever a table gets created.
+ An example like "groupX,groupY:select;groupZ:create" will grant select privilege to groupX and groupY,
+ and grant create privilege to groupZ whenever a new table created.
+
+
+
+ hive.security.authorization.createtable.role.grants
+
+ the privileges automatically granted to some roles whenever a table gets created.
+ An example like "roleX,roleY:select;roleZ:create" will grant select privilege to roleX and roleY,
+ and grant create privilege to roleZ whenever a new table created.
+
+
+
+ hive.variable.substitute
+ true
+ This enables substitution using syntax like ${var} ${system:var} and ${env:var}.
+
+
+
hive.error.on.empty.partition
false
Whether to throw an excpetion if dynamic partition insert generates empty results.
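Review bot: The hive.variable.substitute property (L66-L70) is unrelated to the authorization feature the rest of this patch introduces and has no counterpart in the HiveConf hunk, so it looks like an unintended working-copy change; it should be dropped from this patch or submitted separately. The three createtable grant descriptions (L44-L46, L52-L54, L60-L62) give the value format only by example; stating the grammar once, e.g. `principal[,principal]:privilege[;principal:privilege...]`, before the example would make it unambiguous which separator joins principals and which joins entries.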
Index: metastore/if/hive_metastore.thrift
===================================================================
--- metastore/if/hive_metastore.thrift (revision 1050266)
+++ metastore/if/hive_metastore.thrift (working copy)
@@ -29,12 +29,66 @@
4: optional list fields // if the name is one of the user defined types
}
+enum HiveObjectType {
+ GLOBAL = 1,
+ DATABASE = 2,
+ TABLE = 3,
+ PARTITION = 4,
+ COLUMN = 5,
+}
+
+enum PrincipalType {
+ USER = 1,
+ ROLE = 2,
+ GROUP = 3,
+}
+
+struct HiveObjectRef{
+ 1: HiveObjectType objectType,
+ 2: string dbName,
+ 3: string objectName,
+ 4: list partValues,
+ 5: string columnName,
+}
+
+struct PrivilegeGrantInfo {
+ 1: string privilege,
+ 2: i32 createTime,
+ 3: string grantor,
+ 4: PrincipalType grantorType,
+ 5: bool grantOption,
+}
+
+struct HiveObjectPrivilege {
+ 1: HiveObjectRef hiveObject,
+ 2: string principalName,
+ 3: PrincipalType principalType,
+ 4: PrivilegeGrantInfo grantInfo,
+}
+
+struct PrivilegeBag {
+ 1: list privileges,
+}
+
+struct PrincipalPrivilegeSet {
+ 1: map> userPrivileges, // user name -> privilege grant info
+ 2: map> groupPrivileges, // group name -> privilege grant info
+ 3: map> rolePrivileges, //role name -> privilege grant info
+}
+
+struct Role {
+ 1: string roleName,
+ 2: i32 createTime,
+ 3: string ownerName,
+}
+
// namespace for tables
struct Database {
1: string name,
2: string description,
3: string locationUri,
- 4: map parameters // properties associated with the database
+ 4: map parameters, // properties associated with the database
+ 5: optional PrincipalPrivilegeSet privileges
}
// This object holds the information needed by SerDes
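Review bot: HiveObjectRef (L96-L102) does not document which of its fields apply to which objectType; from the server code in this patch, partValues is read only for PARTITION and COLUMN refs, columnName only for COLUMN, and a GLOBAL ref leaves every other field unset (L884). Per-field comments would pin this down, e.g. `4: list<string> partValues, // PARTITION and COLUMN refs only` and `5: string columnName, // COLUMN refs only`, with a note on dbName/objectName that they are unused for GLOBAL. PrivilegeGrantInfo (L104-L110) would likewise benefit from a comment that grantor/grantorType name the principal who issued the grant and are stored as supplied by the client. Minor style: `struct HiveObjectRef{` (L96) lacks the space before the brace that the other structs use.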
@@ -77,7 +131,8 @@
9: map parameters, // to store comments or any other user level parameters
10: string viewOriginalText, // original view text, null for non-view
11: string viewExpandedText, // expanded view text, null for non-view
- 12: string tableType // table type enum, e.g. EXTERNAL_TABLE
+ 12: string tableType, // table type enum, e.g. EXTERNAL_TABLE
+ 13: optional PrincipalPrivilegeSet privileges,
}
struct Partition {
@@ -87,7 +142,8 @@
4: i32 createTime,
5: i32 lastAccessTime,
6: StorageDescriptor sd,
- 7: map parameters
+ 7: map parameters,
+ 8: optional PrincipalPrivilegeSet privileges
}
struct Index {
@@ -110,7 +166,6 @@
2: map properties
}
-
exception MetaException {
1: string message
}
@@ -209,6 +264,10 @@
throws(1:NoSuchObjectException o1, 2:MetaException o2)
Partition get_partition(1:string db_name, 2:string tbl_name, 3:list part_vals)
throws(1:MetaException o1, 2:NoSuchObjectException o2)
+
+ Partition get_partition_with_auth(1:string db_name, 2:string tbl_name, 3:list part_vals,
+ 4: string user_name, 5: list group_names) throws(1:MetaException o1, 2:NoSuchObjectException o2)
+
Partition get_partition_by_name(1:string db_name 2:string tbl_name, 3:string part_name)
throws(1:MetaException o1, 2:NoSuchObjectException o2)
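Review bot: user_name and group_names on get_partition_with_auth (L175-L176) are plain caller-supplied parameters; nothing in the IDL ties them to the identity behind the connection, and the server implementation in this patch passes them straight to the store (HiveMetaStore.java L280-L281). That is fine if the intent is that the client decides whose privileges to attach to the result, but the method name suggests an access check, so a comment would prevent misreading: `// user_name/group_names name the principal whose privileges are returned in Partition.privileges; the metastore does not verify them against the caller`. The same applies to get_partitions_with_auth (L184-L185) and get_partitions_ps_with_auth (L193-L194).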
@@ -216,6 +275,9 @@
// If max parts is given then it will return only that many.
list get_partitions(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1)
throws(1:NoSuchObjectException o1, 2:MetaException o2)
+ list get_partitions_with_auth(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1,
+ 4: string user_name, 5: list group_names) throws(1:NoSuchObjectException o1, 2:MetaException o2)
+
list get_partition_names(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1)
throws(1:MetaException o2)
@@ -228,6 +290,9 @@
list get_partitions_ps(1:string db_name 2:string tbl_name
3:list part_vals, 4:i16 max_parts=-1)
throws(1:MetaException o1)
+ list get_partitions_ps_with_auth(1:string db_name, 2:string tbl_name, 3:list part_vals, 4:i16 max_parts=-1,
+ 5: string user_name, 6: list group_names) throws(1:NoSuchObjectException o1, 2:MetaException o2)
+
list get_partition_names_ps(1:string db_name,
2:string tbl_name, 3:list part_vals, 4:i16 max_parts=-1)
throws(1:MetaException o1)
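Review bot: get_partitions_ps_with_auth (L193-L194) declares `throws(1:NoSuchObjectException o1, 2:MetaException o2)` while the get_partitions_ps it generalises declares only MetaException (L192), and the Java handler added for it in this patch (HiveMetaStore.java L347-L350) declares only MetaException and TException, so the NoSuchObjectException slot is never populated; clients catching it are coding against a case that cannot occur. Either drop it from the IDL or, if a missing table should be reported, make the handler raise it. The exception ordering also differs from get_partitions_ps (o1/o2 swapped), which is harmless on the wire but confusing to read.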
@@ -272,6 +337,24 @@
throws(1:NoSuchObjectException o1, 2:MetaException o2)
list get_index_names(1:string db_name, 2:string tbl_name, 3:i16 max_indexes=-1)
throws(1:MetaException o2)
+
+ //authorization privileges
+
+ bool create_role(1:Role role) throws(1:MetaException o1)
+ bool drop_role(1:string role_name) throws(1:MetaException o1)
+ bool grant_role(1:string role_name, 2:string principal_name, 3:PrincipalType principal_type,
+ 4:string grantor, 5:PrincipalType grantorType, 6:bool grant_option) throws(1:MetaException o1)
+ bool revoke_role(1:string role_name, 2:string principal_name, 3:PrincipalType principal_type)
+ throws(1:MetaException o1)
+ list list_roles(1:string principal_name, 2:PrincipalType principal_type) throws(1:MetaException o1)
+
+ PrincipalPrivilegeSet get_privilege_set(1:HiveObjectRef hiveObject, 2:string user_name,
+ 3: list group_names) throws(1:MetaException o1)
+ list list_privileges(1:string principal_name, 2:PrincipalType principal_type,
+ 3: HiveObjectRef hiveObject) throws(1:MetaException o1)
+
+ bool grant_privileges(1:PrivilegeBag privileges) throws(1:MetaException o1)
+ bool revoke_privileges(1:PrivilegeBag privileges) throws(1:MetaException o1)
}
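Review bot: None of create_role, drop_role, grant_role, revoke_role, grant_privileges or revoke_privileges (L206-L220) carries the caller's identity, and the grantor recorded with a grant — grantor/grantorType on grant_role (L209) and inside PrivilegeGrantInfo for grant_privileges (L104-L110, L219) — is whatever the client sends; the server handlers in this patch persist it as received (HiveMetaStore.java L500, L593). I take it the enforcement point is the client-side authorization provider that hive-default.xml describes as "hive client authorization", in which case that trust boundary belongs in this IDL so operators know that any process with network access to the metastore can call these methods directly. A comment above the block, e.g. `// Authorization of these calls is expected at the Hive client layer; the metastore stores grantor information as supplied and performs no check of its own`, states the assumption and makes the security model reviewable. Also consider listing the RawStore methods that back these calls so that the audit trail (who granted what, when) can be documented in one place.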
// * Note about the DDL_TIME: When creating or altering a table or a partition,
Index: metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (revision 1050266)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (working copy)
@@ -41,6 +41,9 @@
import org.apache.hadoop.hive.metastore.api.Constants;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.IndexAlreadyExistsException;
import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
@@ -48,12 +51,23 @@
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore;
import org.apache.hadoop.hive.metastore.api.Type;
import org.apache.hadoop.hive.metastore.api.UnknownDBException;
import org.apache.hadoop.hive.metastore.api.UnknownTableException;
import org.apache.hadoop.hive.metastore.hooks.JDOConnectionURLHook;
+import org.apache.hadoop.hive.metastore.model.MColumnPrivilege;
+import org.apache.hadoop.hive.metastore.model.MDBPrivilege;
+import org.apache.hadoop.hive.metastore.model.MRole;
+import org.apache.hadoop.hive.metastore.model.MTablePartitionPrivilege;
+import org.apache.hadoop.hive.metastore.model.MGlobalPrivilege;
+import org.apache.hadoop.hive.metastore.model.MRoleMap;
import org.apache.hadoop.hive.serde2.Deserializer;
import org.apache.hadoop.hive.serde2.SerDeException;
import org.apache.hadoop.hive.serde2.SerDeUtils;
@@ -1315,6 +1329,35 @@
}
return ret;
}
+
+ @Override
+ public Partition get_partition_with_auth(final String db_name,
+ final String tbl_name, final List part_vals,
+ final String user_name, final List group_names)
+ throws MetaException, NoSuchObjectException, TException {
+ incrementCounter("get_partition_with_auth");
+ logStartPartitionFunction("get_partition_with_auth", db_name, tbl_name,
+ part_vals);
+
+ Partition ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Partition run(RawStore ms) throws Exception {
+ return ms.getPartitionWithAuth(db_name, tbl_name, part_vals,
+ user_name, group_names);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (NoSuchObjectException e) {
+ throw e;
+ } catch (Exception e) {
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+ return ret;
+ }
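Review bot: The fallback `catch (Exception e) { assert (e instanceof RuntimeException); throw (RuntimeException) e; }` at L288-L291 (and again at L321-L324 in get_partitions_with_auth) turns any checked exception escaping the Command into a ClassCastException once assertions are disabled, which is the normal production setting; it copies the pattern of the neighbouring get_partition, but the new copies could use the safer form the privilege handlers later in this patch use, `throw new RuntimeException(e);`, which keeps the original as the cause. A Javadoc line saying that user_name and group_names are passed through to the store to populate Partition.privileges and that this handler itself performs no access check would also help, since the method name suggests otherwise.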
public List get_partitions(final String db_name, final String tbl_name,
final short max_parts) throws NoSuchObjectException, MetaException {
@@ -1340,6 +1383,35 @@
return ret;
}
+
+ @Override
+ public List get_partitions_with_auth(final String dbName,
+ final String tblName, final short maxParts, final String userName,
+ final List groupNames) throws NoSuchObjectException,
+ MetaException, TException {
+ incrementCounter("get_partitions_with_auth");
+ logStartTableFunction("get_partitions_with_auth", dbName, tblName);
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ return ms.getPartitionsWithAuth(dbName, tblName, maxParts,
+ userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (NoSuchObjectException e) {
+ throw e;
+ } catch (Exception e) {
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+ return ret;
+
+ }
public List get_partition_names(final String db_name, final String tbl_name,
final short max_parts) throws MetaException {
@@ -1777,10 +1849,24 @@
@Override
public List get_partitions_ps(final String db_name,
- final String tbl_name, final List part_vals, final short max_parts)
- throws MetaException, TException {
+ final String tbl_name, final List part_vals,
+ final short max_parts) throws MetaException, TException {
incrementCounter("get_partitions_ps");
- logStartPartitionFunction("get_partitions_ps", db_name, tbl_name, part_vals);
+ logStartPartitionFunction("get_partitions_ps", db_name, tbl_name,
+ part_vals);
+
+ return this.get_partitions_ps_with_auth(db_name, tbl_name, part_vals,
+ max_parts, null, null);
+ }
+
+ @Override
+ public List get_partitions_ps_with_auth(final String db_name,
+ final String tbl_name, final List part_vals,
+ final short max_parts, final String userName,
+ final List groupNames) throws MetaException, TException {
+ incrementCounter("get_partitions_ps");
+ logStartPartitionFunction("get_partitions_ps", db_name, tbl_name,
+ part_vals);
List parts = null;
List matchingParts = new ArrayList();
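Review bot: get_partitions_ps_with_auth increments the counter and logs under the name "get_partitions_ps" (L351-L353), so a direct get_partitions_ps call is now counted twice (L337, then L351 via the delegation at L342) and get_partitions_ps_with_auth never appears under its own name in the metrics. Change L351-L353 to `incrementCounter("get_partitions_ps_with_auth");` and `logStartPartitionFunction("get_partitions_ps_with_auth", db_name, tbl_name, part_vals);`, keeping the existing lines in get_partitions_ps. Both methods continue past the end of this hunk, so I have not checked how userName/groupNames are used further down.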
@@ -2134,8 +2220,553 @@
return ret;
}
- }
+ @Override
+ public PrincipalPrivilegeSet get_privilege_set(HiveObjectRef hiveObject,
+ String userName, List groupNames) throws MetaException,
+ TException {
+ if (hiveObject.getObjectType() == HiveObjectType.COLUMN) {
+ String partName = getPartName(hiveObject);
+ return this.get_column_privilege_set(hiveObject.getDbName(), hiveObject
+ .getObjectName(), partName, hiveObject.getColumnName(), userName,
+ groupNames);
+ } else if (hiveObject.getObjectType() == HiveObjectType.PARTITION) {
+ String partName = getPartName(hiveObject);
+ return this.get_partition_privilege_set(hiveObject.getDbName(),
+ hiveObject.getObjectName(), partName, userName, groupNames);
+ } else if (hiveObject.getObjectType() == HiveObjectType.DATABASE) {
+ return this.get_db_privilege_set(hiveObject.getDbName(), userName,
+ groupNames);
+ } else if (hiveObject.getObjectType() == HiveObjectType.TABLE) {
+ return this.get_table_privilege_set(hiveObject.getDbName(), hiveObject
+ .getObjectName(), userName, groupNames);
+ }
+ return null;
+ }
+
+ private String getPartName(HiveObjectRef hiveObject) throws MetaException {
+ String partName = null;
+ List partValue = hiveObject.getPartValues();
+ if (partValue != null && partValue.size() > 0) {
+ try {
+ Table table = get_table(hiveObject.getDbName(), hiveObject
+ .getObjectName());
+ partName = Warehouse
+ .makePartName(table.getPartitionKeys(), partValue);
+ } catch (NoSuchObjectException e) {
+ throw new RuntimeException(e);
+ }
+ }
+ return partName;
+ }
+
+ public PrincipalPrivilegeSet get_column_privilege_set(final String dbName,
+ final String tableName, final String partName, final String columnName,
+ final String userName, final List groupNames) throws MetaException,
+ TException {
+ incrementCounter("get_column_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getColumnPrivilegeSet(dbName, tableName, partName, columnName, userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public PrincipalPrivilegeSet get_db_privilege_set(final String dbName,
+ final String userName, final List groupNames) throws MetaException,
+ TException {
+ incrementCounter("get_db_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getDBPrivilegeSet(dbName, userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public PrincipalPrivilegeSet get_partition_privilege_set(
+ final String dbName, final String tableName, final String partName,
+ final String userName, final List groupNames)
+ throws MetaException, TException {
+ incrementCounter("get_partition_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getPartitionPrivilegeSet(dbName, tableName, partName,
+ userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public PrincipalPrivilegeSet get_table_privilege_set(final String dbName,
+ final String tableName, final String userName,
+ final List groupNames) throws MetaException, TException {
+ incrementCounter("get_table_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getTablePrivilegeSet(dbName, tableName, userName,
+ groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean grant_role(final String roleName,
+ final String userName, final PrincipalType principalType,
+ final String grantor, final PrincipalType grantorType, final boolean grantOption)
+ throws MetaException, TException {
+ incrementCounter("add_role_member");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ Role role = ms.getRole(roleName);
+ return ms.grantRole(role, userName, principalType, grantor, grantorType, grantOption);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_roles(final String principalName,
+ final PrincipalType principalType) throws MetaException, TException {
+ incrementCounter("list_roles");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List result = new ArrayList();
+ List roleMap = ms.listRoles(principalName,principalType);
+ if (roleMap!=null) {
+ for (MRoleMap role : roleMap) {
+ MRole r = role.getRole();
+ result.add(new Role(r.getRoleName(), r
+ .getCreateTime(), r.getOwnerName()));
+ }
+ }
+ return result;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean create_role(final Role role)
+ throws MetaException, TException {
+ incrementCounter("create_role");
+
+ Boolean ret = null;
+ try {
+
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.addRole(role.getRoleName(), role.getOwnerName());
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean drop_role(final String roleName)
+ throws MetaException, TException {
+ incrementCounter("drop_role");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.removeRole(roleName);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean grant_privileges(final PrivilegeBag privileges) throws MetaException,
+ TException {
+ incrementCounter("grant_privileges");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.grantPrivileges(privileges);
+ }
+ });
+ } catch (MetaException e) {
+ e.printStackTrace();
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean revoke_role(final String roleName, final String userName,
+ final PrincipalType principalType) throws MetaException, TException {
+ incrementCounter("remove_role_member");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ Role mRole = ms.getRole(roleName);
+ return ms.revokeRole(mRole, userName, principalType);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean revoke_privileges(final PrivilegeBag privileges)
+ throws MetaException, TException {
+ incrementCounter("revoke_privileges");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.revokePrivileges(privileges);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public PrincipalPrivilegeSet get_user_privilege_set(final String userName,
+ final List groupNames) throws MetaException, TException {
+ incrementCounter("get_user_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getUserPrivilegeSet(userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public PrincipalType getPrincipalType (String principalType) {
+ return PrincipalType.valueOf(principalType);
+ }
+
+ @Override
+ public List list_privileges(String principalName,
+ PrincipalType principalType, HiveObjectRef hiveObject)
+ throws MetaException, TException {
+ if (hiveObject.getObjectType() == HiveObjectType.GLOBAL) {
+ return this.list_global_privileges(principalName, principalType);
+ } else if (hiveObject.getObjectType() == HiveObjectType.DATABASE) {
+ return this.list_db_privileges(principalName, principalType, hiveObject
+ .getDbName());
+ } else if (hiveObject.getObjectType() == HiveObjectType.TABLE) {
+ return this.list_table_privileges(principalName, principalType,
+ hiveObject.getDbName(), hiveObject.getObjectName());
+ } else if (hiveObject.getObjectType() == HiveObjectType.PARTITION) {
+ return this.list_partition_privileges(principalName, principalType,
+ hiveObject.getDbName(), hiveObject.getObjectName(), hiveObject
+ .getPartValues());
+ } else if (hiveObject.getObjectType() == HiveObjectType.COLUMN) {
+ return this.list_column_privileges(principalName, principalType,
+ hiveObject.getDbName(), hiveObject.getObjectName(), hiveObject
+ .getPartValues(), hiveObject.getColumnName());
+ }
+ return null;
+ }
+
+ public List list_column_privileges(
+ final String principalName, final PrincipalType principalType,
+ final String dbName, final String tableName, final List partValues,
+ final String columnName) throws MetaException, TException {
+ incrementCounter("list_security_column_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ String partName = null;
+ if (partValues != null && partValues.size()>0) {
+ Table tbl = get_table(dbName, tableName);
+ partName = Warehouse.makePartName(tbl.getPartitionKeys(), partValues);
+ }
+ List mCols = ms.listMSecurityTabOrPartColumnGrant(principalName,
+ principalType, dbName, tableName, partName, columnName);
+ Partition part = null;
+ if (partName != null) {
+ part = get_partition_by_name(dbName, tableName, partName);
+ }
+
+ if (mCols.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mCols.size(); i++) {
+ MColumnPrivilege sCol = mCols.get(i);
+ HiveObjectRef objectRef = new HiveObjectRef(
+ HiveObjectType.COLUMN, dbName, tableName,
+ part == null ? null : part.getValues(), sCol
+ .getColumnName());
+ HiveObjectPrivilege secObj = new HiveObjectPrivilege(objectRef,
+ sCol.getPrincipalName(), principalType,
+ new PrivilegeGrantInfo(sCol.getPrivilege(), sCol
+ .getCreateTime(), sCol.getGrantor(), PrincipalType
+ .valueOf(sCol.getGrantorType()), sCol.getGrantOption()));
+ result.add(secObj);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_db_privileges(final String principalName,
+ final PrincipalType principalType, final String dbName)
+ throws MetaException, TException {
+ incrementCounter("list_security_db_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mDbs = ms.listMSecurityPrincipalDBGrant(
+ principalName, principalType, dbName);
+ if (mDbs.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mDbs.size(); i++) {
+ MDBPrivilege sDB = mDbs.get(i);
+ HiveObjectRef objectRef = new HiveObjectRef(
+ HiveObjectType.DATABASE, dbName, null, null, null);
+ HiveObjectPrivilege secObj = new HiveObjectPrivilege(objectRef,
+ sDB.getPrincipalName(), principalType,
+ new PrivilegeGrantInfo(sDB.getPrivilege(), sDB
+ .getCreateTime(), sDB.getGrantor(), PrincipalType
+ .valueOf(sDB.getGrantorType()), sDB.getGrantOption()));
+ result.add(secObj);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_partition_privileges(
+ final String principalName, final PrincipalType principalType,
+ final String dbName, final String tableName, final List partValues)
+ throws MetaException, TException {
+ incrementCounter("list_security_partition_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ Table tbl = get_table(dbName, tableName);
+ String partName = Warehouse.makePartName(tbl.getPartitionKeys(), partValues);
+ List mParts = ms
+ .listMSecurityPrincipalPartitionGrant(principalName, principalType, dbName, tableName, partName);
+ if (mParts.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mParts.size(); i++) {
+ MTablePartitionPrivilege sPart = mParts.get(i);
+ HiveObjectRef objectRef = new HiveObjectRef(
+ HiveObjectType.PARTITION, dbName, tableName, partValues,
+ null);
+ HiveObjectPrivilege secObj = new HiveObjectPrivilege(objectRef,
+ sPart.getPrincipalName(), principalType,
+ new PrivilegeGrantInfo(sPart.getPrivilege(), sPart
+ .getCreateTime(), sPart.getGrantor(), PrincipalType
+ .valueOf(sPart.getGrantorType()), sPart
+ .getGrantOption()));
+
+ result.add(secObj);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_table_privileges(
+ final String principalName, final PrincipalType principalType,
+ final String dbName, final String tableName) throws MetaException,
+ TException {
+ incrementCounter("list_security_table_grant");
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mTbls = ms
+ .listMSecurityPrincipalTableGrant(principalName, principalType, dbName, tableName);
+ if (mTbls.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mTbls.size(); i++) {
+ MTablePartitionPrivilege sTbl = mTbls.get(i);
+ HiveObjectRef objectRef = new HiveObjectRef(
+ HiveObjectType.TABLE, dbName, tableName, null,null);
+ HiveObjectPrivilege secObj = new HiveObjectPrivilege(objectRef,
+ sTbl.getPrincipalName(), principalType,
+ new PrivilegeGrantInfo(sTbl.getPrivilege(), sTbl.getCreateTime(), sTbl
+ .getGrantor(), PrincipalType.valueOf(sTbl
+ .getGrantorType()), sTbl.getGrantOption()));
+ result.add(secObj);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_global_privileges(
+ final String principalName, final PrincipalType principalType)
+ throws MetaException, TException {
+ incrementCounter("list_security_user_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mUsers = ms.listMSecurityPrincipalUserGrant(
+ principalName, principalType);
+ if (mUsers.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mUsers.size(); i++) {
+ MGlobalPrivilege sUsr = mUsers.get(i);
+ HiveObjectRef objectRef = new HiveObjectRef(
+ HiveObjectType.GLOBAL, null, null, null, null);
+ HiveObjectPrivilege secUser = new HiveObjectPrivilege(
+ objectRef, sUsr.getPrincipalName(), principalType,
+ new PrivilegeGrantInfo(sUsr.getPrivilege(), sUsr
+ .getCreateTime(), sUsr.getGrantor(), PrincipalType
+ .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption()));
+ result.add(secUser);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+ }
+
/**
* @param args
*/
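Review bot: The list_* helpers return null when the store has no matching grants (L736, L774, L818, L856, L894), and get_privilege_set returns null for a GLOBAL ref (L380) even though get_user_privilege_set exists at L648; as far as I recall, an unset list or struct result in Thrift's generated Java surfaces to the client as a missing-result TApplicationException rather than an empty answer, so a principal with no grants would get an error instead of an empty list. Returning `new ArrayList<HiveObjectPrivilege>()` in those branches, and dispatching GLOBAL to get_user_privilege_set (or documenting why GLOBAL is deliberately excluded), would fix that. Separately, grant_privileges calls `e.printStackTrace()` at L597 instead of rethrowing like its siblings or using the class logger, and grant_role/revoke_role increment counters named "add_role_member"/"remove_role_member" (L492, L608) rather than their own method names, unlike every other handler here. getPartName wraps a NoSuchObjectException in RuntimeException at L393 although it already declares MetaException, so a missing table becomes an opaque server error rather than a reportable client error. The enclosing HMSHandler class starts before this hunk and closes at L904.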
Index: metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (revision 1050266)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (working copy)
@@ -35,12 +35,19 @@
import org.apache.hadoop.hive.metastore.api.ConfigValSecurityException;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore;
import org.apache.hadoop.hive.metastore.api.Type;
@@ -542,6 +549,23 @@
return deepCopyPartitions(
client.get_partitions_ps(db_name, tbl_name, part_vals, max_parts));
}
+
+ @Override
+ public List listPartitionsWithAuthInfo(String db_name,
+ String tbl_name, short max_parts, String user_name, List group_names)
+ throws NoSuchObjectException, MetaException, TException {
+ return deepCopyPartitions(
+ client.get_partitions_with_auth(db_name, tbl_name, max_parts, user_name, group_names));
+ }
+
+ @Override
+ public List listPartitionsWithAuthInfo(String db_name,
+ String tbl_name, List part_vals, short max_parts,
+ String user_name, List group_names) throws NoSuchObjectException,
+ MetaException, TException {
+ return deepCopyPartitions(client.get_partitions_ps_with_auth(db_name,
+ tbl_name, part_vals, max_parts, user_name, group_names));
+ }
/**
* Get list of partitions matching specified filter
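Review bot: The two listPartitionsWithAuthInfo overloads (L938-L953) have no Javadoc while the surrounding client methods do (L954-L955); since user_name and group_names are forwarded verbatim to the server, the doc should say what they select rather than imply an access check. Something like `Returns partitions of the table with {@code privileges} populated for the given user and groups; the names are passed to the metastore as supplied and are not checked against the caller.`, with @param entries for user_name and group_names, would be enough.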
@@ -591,6 +615,14 @@
List part_vals) throws NoSuchObjectException, MetaException, TException {
return deepCopy(client.get_partition(db_name, tbl_name, part_vals));
}
+
+ @Override
+ public Partition getPartitionWithAuthInfo(String db_name, String tbl_name,
+ List part_vals, String user_name, List group_names)
+ throws MetaException, UnknownTableException, NoSuchObjectException,
+ TException {
+ return deepCopy(client.get_partition_with_auth(db_name, tbl_name, part_vals, user_name, group_names));
+ }
/**
* @param name
@@ -832,12 +864,30 @@
*/
private Partition deepCopy(Partition partition) {
Partition copy = null;
+ if (partition.getPrivileges()!= null) {
+ setEmptyGrantList(partition
+ .getPrivileges().getUserPrivileges());
+ setEmptyGrantList(partition
+ .getPrivileges().getGroupPrivileges());
+ setEmptyGrantList(partition
+ .getPrivileges().getRolePrivileges());
+ }
if (partition != null) {
copy = new Partition(partition);
}
return copy;
}
+ private void setEmptyGrantList(Map> map) {
+ if (map != null) {
+ for (Map.Entry> element : map.entrySet()) {
+ if (element.getValue() == null) {
+ element.setValue(new ArrayList(0));
+ }
+ }
+ }
+ }
+
private Database deepCopy(Database database) {
Database copy = null;
if (database != null) {
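Review bot: The new privileges block at the top of deepCopy(Partition) dereferences `partition` before the existing `if (partition != null)` guard, so a null argument now throws NullPointerException where the method previously returned null; add `if (partition == null) { return null; }` ahead of `partition.getPrivileges()`, or move the block inside the null check. The normalisation also writes into the argument's own privilege maps rather than into `copy`, so the caller's Partition is modified by a method named deepCopy — presumably so the Thrift copy constructor never sees a null grant list, but that deserves a comment such as `// replace null grant lists in place so the copy constructor can clone them`. Minor style: `getPrivileges()!= null` should read `getPrivileges() != null`, and setEmptyGrantList needs a blank line before it like the surrounding methods.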
@@ -918,4 +968,61 @@
return client.drop_index_by_name(dbName, tblName, name, deleteData);
}
+ @Override
+ public boolean grant_role(String roleName, String userName,
+ PrincipalType principalType, String grantor, PrincipalType grantorType,
+ boolean grantOption) throws MetaException, TException {
+ return client.grant_role(roleName, userName, principalType, grantor,
+ grantorType, grantOption);
+ }
+
+ @Override
+ public boolean create_role(Role role)
+ throws MetaException, TException {
+ return client.create_role(role);
+ }
+
+ @Override
+ public boolean drop_role(String roleName) throws MetaException, TException {
+ return client.drop_role(roleName);
+ }
+
+ @Override
+ public List list_roles(String principalName,
+ PrincipalType principalType) throws MetaException, TException {
+ return client.list_roles(principalName, principalType);
+ }
+
+ @Override
+ public boolean grant_privileges(PrivilegeBag privileges)
+ throws MetaException, TException {
+ return client.grant_privileges(privileges);
+ }
+
+ @Override
+ public boolean revoke_role(String roleName, String userName,
+ PrincipalType principalType) throws MetaException, TException {
+ return client.revoke_role(roleName, userName, principalType);
+ }
+
+ @Override
+ public boolean revoke_privileges(PrivilegeBag privileges) throws MetaException,
+ TException {
+ return client.revoke_privileges(privileges);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_privilege_set(HiveObjectRef hiveObject,
+ String userName, List groupNames) throws MetaException,
+ TException {
+ return client.get_privilege_set(hiveObject, userName, groupNames);
+ }
+
+ @Override
+ public List list_privileges(String principalName,
+ PrincipalType principalType, HiveObjectRef hiveObject)
+ throws MetaException, TException {
+ return client.list_privileges(principalName, principalType, hiveObject);
+ }
+
}
Index: metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (revision 1050266)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (working copy)
@@ -25,12 +25,18 @@
import org.apache.hadoop.hive.metastore.api.ConfigValSecurityException;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.UnknownDBException;
import org.apache.hadoop.hive.metastore.api.UnknownTableException;
@@ -263,6 +269,23 @@
public Partition getPartition(String dbName, String tblName,
String name) throws MetaException, UnknownTableException, NoSuchObjectException, TException;
+
+ /**
+ * @param dbName
+ * @param tableName
+ * @param pvals
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws MetaException
+ * @throws UnknownTableException
+ * @throws NoSuchObjectException
+ * @throws TException
+ */
+ public Partition getPartitionWithAuthInfo(String dbName, String tableName,
+ List pvals, String userName, List groupNames)
+ throws MetaException, UnknownTableException, NoSuchObjectException, TException;
+
/**
* @param tbl_name
* @param db_name
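Review bot: The Javadoc on getPartitionWithAuthInfo has an empty `@return` and says nothing about what `userName` and `groupNames` are; the HiveMetaStoreClient implementation in this patch forwards them verbatim to the metastore, so the doc should make clear that any privilege information on the returned Partition is presumably resolved for the principal the caller names, not for the calling process itself. Suggested tags: `@param userName the principal whose privileges are to be resolved`, `@param groupNames the groups of that principal`, and `@return the partition, with its privileges populated for the given user and groups`. The same empty `@return` and undocumented user/group parameters appear on both listPartitionsWithAuthInfo declarations in the next hunk.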
@@ -285,6 +308,33 @@
List part_vals, short max_parts) throws MetaException, TException;
/**
+ * @param dbName
+ * @param tableName
+ * @param s
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws NoSuchObjectException
+ */
+ public List listPartitionsWithAuthInfo(String dbName,
+ String tableName, short s, String userName, List groupNames)
+ throws MetaException, TException, NoSuchObjectException;
+
+ /**
+ * @param dbName
+ * @param tableName
+ * @param partialPvals
+ * @param s
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws NoSuchObjectException
+ */
+ public List listPartitionsWithAuthInfo(String dbName,
+ String tableName, List partialPvals, short s, String userName,
+ List groupNames) throws MetaException, TException, NoSuchObjectException;
+
+ /**
* @param tbl
* @throws AlreadyExistsException
* @throws InvalidObjectException
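Review bot: Both listPartitionsWithAuthInfo declarations name the partition limit `s`, while the existing listPartitions overload immediately above uses `max_parts` and the HiveMetaStoreClient implementation in this patch also calls it `max_parts`; rename the interface parameter and its tag to `short max_parts` with `@param max_parts maximum number of partitions to return`. `@param partialPvals` likewise has no description, and the `@throws` list documents only NoSuchObjectException although the signatures also declare MetaException and TException.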
@@ -478,4 +528,110 @@
public boolean dropIndex(String db_name, String tbl_name,
String name, boolean deleteData) throws NoSuchObjectException,
MetaException, TException;
+
+ /**
+ * @param Role
+ * role object
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean create_role(Role role)
+ throws MetaException, TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean drop_role(String role_name) throws MetaException, TException;
+
+ /**
+ *
+ * @param role_name
+ * @param user_name
+ * @param principalType
+ * @param grantor
+ * @param grantorType
+ * @param grantOption
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean grant_role(String role_name, String user_name,
+ PrincipalType principalType, String grantor, PrincipalType grantorType,
+ boolean grantOption) throws MetaException, TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param user_name
+ * user name
+ * @param principalType
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean revoke_role(String role_name, String user_name,
+ PrincipalType principalType) throws MetaException, TException;
+
+ /**
+ *
+ * @param principalName
+ * @param principalType
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_roles(String principalName, PrincipalType principalType)
+ throws MetaException, TException;
+
+ /**
+ * @param hiveObject
+ * @param user_name
+ * @param group_names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_privilege_set(HiveObjectRef hiveObject,
+ String user_name, List group_names) throws MetaException,
+ TException;
+
+ /**
+ * @param principal_name
+ * @param principal_type
+ * @param hiveObject
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_privileges(String principal_name,
+ PrincipalType principal_type, HiveObjectRef hiveObject)
+ throws MetaException, TException;
+
+ /**
+ * @param privileges
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean grant_privileges(PrivilegeBag privileges)
+ throws MetaException, TException;
+
+ /**
+ * @param privileges
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean revoke_privileges(PrivilegeBag privileges)
+ throws MetaException, TException;
+
}
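Review bot: The Javadoc tags on the new role and privilege methods do not match their signatures: create_role documents `@param Role` while the parameter is `role`, and drop_role and revoke_role both carry a `@param db_name` tag for a parameter that does not exist, while every `@return` is left empty. The stale tags should be removed and each `@return` should say what the boolean signals, e.g. `@return true if the role was created`. As a point of style, these methods use snake_case (`grant_role`, `list_privileges`) whereas the interface's existing methods and the other additions in this patch are camelCase (`listPartitionsWithAuthInfo`, `dropIndex`); since HiveMetaStoreClient must mirror these names, the interface is the place to settle that before the API is published.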
Index: metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (revision 1050266)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (working copy)
@@ -21,11 +21,13 @@
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
-import java.util.Properties;
+import java.util.Set;
import java.util.Map.Entry;
+import java.util.Properties;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
@@ -44,15 +46,24 @@
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Order;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.SerDeInfo;
import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
import org.apache.hadoop.hive.metastore.api.Table;
@@ -62,6 +73,12 @@
import org.apache.hadoop.hive.metastore.model.MIndex;
import org.apache.hadoop.hive.metastore.model.MOrder;
import org.apache.hadoop.hive.metastore.model.MPartition;
+import org.apache.hadoop.hive.metastore.model.MColumnPrivilege;
+import org.apache.hadoop.hive.metastore.model.MDBPrivilege;
+import org.apache.hadoop.hive.metastore.model.MRole;
+import org.apache.hadoop.hive.metastore.model.MTablePartitionPrivilege;
+import org.apache.hadoop.hive.metastore.model.MGlobalPrivilege;
+import org.apache.hadoop.hive.metastore.model.MRoleMap;
import org.apache.hadoop.hive.metastore.model.MSerDeInfo;
import org.apache.hadoop.hive.metastore.model.MStorageDescriptor;
import org.apache.hadoop.hive.metastore.model.MTable;
@@ -527,6 +544,21 @@
openTransaction();
MTable mtbl = convertToMTable(tbl);
pm.makePersistent(mtbl);
+ PrincipalPrivilegeSet principalPrivs = tbl.getPrivileges();
+ List