diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
index 9fe2a06..496327f 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
@@ -57,4 +57,5 @@ void revokeRole(List hivePrincipals, List roles, boolean List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthorizationPluginException;
+ boolean isUserAdmin(HivePrincipal principal) throws HiveAuthorizationPluginException;
 }
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
index 5a16a4a..0f73406 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
@@ -151,10 +151,8 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp throws HiveAuthorizationPluginException;
+ boolean isUserAdmin(HivePrincipal principal) throws HiveAuthorizationPluginException;
 //other functions to be added
- //showUsersInRole(rolename)
- //isSuperuser(username)
-
-
 }
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
index 44dd161..ce4ef87 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
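Review bot: `isUserAdmin` is added to the public `HiveAuthorizer` plugin interface without Javadoc, and because every later admin gate in this change keys off it, the contract needs to be spelled out for other implementations. The Javadoc should state that the answer must come from the authoritative role store rather than a cached or client-supplied value, that a failure to determine membership must be reported by throwing `HiveAuthorizationPluginException` rather than returning false silently, and what is expected when the principal is not of type USER (the name says "User" but the parameter is a general `HivePrincipal`, and `HivePrincipalType` evidently has more than one value). It is also worth documenting that the method takes an arbitrary principal, so any holder of the authorizer can ask whether any other user is an admin; if that is not intended, say so here so implementations can restrict it.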
@@ -104,6 +104,11 @@ public VERSION getVersion() {
 return VERSION.V1;
 }
+ @Override
+ public boolean isUserAdmin(HivePrincipal principal) throws HiveAuthorizationPluginException {
+ return accessController.isUserAdmin(principal);
+ }
+ // other access control functions
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index 7425150..2a00dd1 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
@@ -35,12 +35,12 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
- /** * Implements functionality of access control statements for sql standard based authorization */
@@ -48,11 +48,12 @@ public class SQLStdHiveAccessController implements HiveAccessController {
 private HiveMetastoreClientFactory metastoreClientFactory;
-
+ private String currentUserName;
 SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, String hiveCurrentUser){
 this.metastoreClientFactory = metastoreClientFactory;
+ this.currentUserName = hiveCurrentUser;
 }
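Review bot: `currentUserName` becomes the single input to every admin decision in this controller, yet it is a plain mutable field and the constructor stores `hiveCurrentUser` without checking it; a null user would later be wrapped in `new HivePrincipal(null, USER)` and handed to the metastore, whose behaviour for a null name is not visible here. Declare it `private final String currentUserName;` so nothing in the class can re-point the identity after construction, and fail fast in the constructor with `if (hiveCurrentUser == null) { throw new IllegalArgumentException("hiveCurrentUser must not be null"); }` (whether a null user can reach this constructor depends on the caller, which is outside this diff). A one-line comment on the field, `// identity every admin-only check in this class is evaluated against`, would tell the next maintainer why it must not be reassigned. The `conf` parameter is still unused after this change, which may be intentional.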
@@ -143,6 +144,11 @@ public void revokePrivileges(List hivePrincipals, @Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthorizationPluginException {
+ // only user belonging to admin role can create new roles.
+ if(!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))){
+ throw new HiveAuthorizationPluginException("Current user : " + currentUserName+ " is not" + + " allowed to add roles. Only users belonging to admin role can add new roles.");
+ }
 try {
 String grantorName = adminGrantor == null ? null : adminGrantor.getName();
 metastoreClientFactory.getHiveMetastoreClient()
@@ -154,6 +160,11 @@ public void createRole(String roleName, HivePrincipal adminGrantor) @Override public void dropRole(String roleName) throws HiveAuthorizationPluginException {
+ // only user belonging to admin role can drop existing role
+ if(!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))){
+ throw new HiveAuthorizationPluginException("Current user : " + currentUserName+ " is not" + + " allowed to drop role. Only users belonging to admin role can drop roles.");
+ }
 try {
 metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
 } catch (Exception e) {
@@ -163,7 +174,7 @@ public void dropRole(String roleName) throws HiveAuthorizationPluginException {
 @Override public List getRoles(HivePrincipal hivePrincipal) throws HiveAuthorizationPluginException {
- try {
+ try {
 List roles = metastoreClientFactory.getHiveMetastoreClient().list_roles( hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()));
 List roleNames = new ArrayList(roles.size());
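Review bot: The new gate decides who may call `createRole`, but the grantor recorded for the new role is still whatever the caller passed in `adminGrantor` (`String grantorName = adminGrantor == null ? null : adminGrantor.getName();` in the unchanged context lines), so the audit trail of who created a role is caller-controlled rather than derived from the identity that was just authorized. Unless a caller-chosen grantor is a deliberate feature, record the checked identity instead, e.g. `String grantorName = currentUserName;`, or at least reject an `adminGrantor` whose name differs from `currentUserName`. Note also that this check runs in the plugin on the HiveServer2 side; it only protects role creation if the metastore's `create_role` is not directly reachable by the same users, which this diff cannot show. The body of `createRole` continues past the end of the hunk.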
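Review bot: The admin gate added to `dropRole` is a verbatim copy of the one in `createRole` (and a third copy appears in `getAllRoles` later in this diff), differing only in the message text and in `if(` versus `if (` spacing; three hand-copied authorization checks are the kind of code that drifts when one of them is later edited. Extract a single private helper that performs the check and throws, and call it as the first statement of each guarded method so the gate cannot be accidentally reordered after the metastore call. Each call still costs one `list_roles` round trip to the metastore per DDL statement, which is probably acceptable for role DDL but worth a comment. The body of `dropRole` continues past the end of the hunk.

```java
  /** Throws unless the session user holds the admin role; {@code action} names the refused operation in the message. */
  private void ensureCurrentUserIsAdmin(String action) throws HiveAuthorizationPluginException {
    if (!isUserAdmin(new HivePrincipal(currentUserName, HivePrincipalType.USER))) {
      throw new HiveAuthorizationPluginException("Current user : " + currentUserName
          + " is not allowed to " + action + ". Only users belonging to admin role can " + action + ".");
    }
  }

  @Override
  public void dropRole(String roleName) throws HiveAuthorizationPluginException {
    ensureCurrentUserIsAdmin("drop roles");
    // … unchanged: drop_role call and error wrapping …
```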
@@ -227,14 +238,18 @@ public void revokeRole(List hivePrincipals, List roleName @Override public List getAllRoles() throws HiveAuthorizationPluginException {
- try {
- return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
- } catch (Exception e) {
+ // only user belonging to admin role can list role
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))){
+ throw new HiveAuthorizationPluginException("Current user : " + currentUserName+ " is not" + + " allowed to list roles. Only users belonging to admin role can list roles.");
+ }
+ try {
+ return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
+ } catch (Exception e) {
 throw new HiveAuthorizationPluginException("Error listing all roles", e);
 }
 }
- @Override public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthorizationPluginException {
@@ -304,4 +319,20 @@ private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType) }
 }
+ @Override
+ public boolean isUserAdmin(HivePrincipal principal) throws HiveAuthorizationPluginException {
+ List roles;
+ try {
+ roles = this.metastoreClientFactory.getHiveMetastoreClient().list_roles(principal.getName(), + AuthorizationUtils.getThriftPrincipalType(principal.getType()));
+ } catch (Exception e) {
+ throw new HiveAuthorizationPluginException(e);
+ }
+ for (Role role : roles){
+ if(role.getRoleName().equals("ADMIN")){
+ return true;
+ }
+ }
+ return false;
+ }
 }
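Review bot: Restricting `getAllRoles` to admins is undercut by the neighbouring methods this commit leaves open: `getRoles(hivePrincipal)` (unchanged earlier in this diff) still returns the role list of any principal with no check, and the new public `isUserAdmin(principal)` answers for any principal, so a non-admin can still discover which users are admins by querying them one at a time. If the intent is that role membership is admin-only information, `getRoles` needs the same gate with an exception for a user asking about themselves, for example `if (!hivePrincipal.getName().equals(currentUserName) && !isUserAdmin(new HivePrincipal(currentUserName, HivePrincipalType.USER))) { throw new HiveAuthorizationPluginException(...); }`, unless that check is made by the caller before reaching this class, which is not visible here. The comment `// only user belonging to admin role can list role` would read better as `// listing all role names is admin-only; listing a principal's own roles is handled by getRoles`.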
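Review bot: `isUserAdmin` decides admin membership by `role.getRoleName().equals("ADMIN")`, a hard-coded, case-sensitive literal in the one place where a mismatch silently locks every user out of role DDL (the check fails closed, which is the right direction, but a lock-out is still an outage). Hoist the name into a shared constant, `private static final String ADMIN_ROLE_NAME = "ADMIN";`, and confirm it matches exactly how the metastore names its built-in admin role, including case; if the metastore normalises role names to lower case this comparison never succeeds. Two further caveats belong in a method comment: the result is only as complete as `list_roles` — if that call reports direct grants only, a user who holds the admin role through a role-to-role grant is reported as non-admin; and a null `principal` dereferences outside the `try`, so the caller gets a bare `NullPointerException` instead of a `HiveAuthorizationPluginException`. Catching `Exception` and rethrowing as `HiveAuthorizationPluginException(e)` keeps the cause, which is good, but a message such as `"Error listing roles for " + principal.getName()` would make the failure diagnosable.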