commit 27e73f2a45aa3e5a158c14fb0693567158cef0d7 Author: Thejas Nair Date: Wed Dec 16 18:36:52 2015 -0800 introduce HiveAuthorizationTranslator interface for isolating authorization impls from hive internal classes diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index 1a9469a..bb0755c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java @@ -19,6 +19,7 @@ package org.apache.hadoop.hive.ql.exec; import com.google.common.collect.Iterables; + import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.mapreduce.MRJobConfig; @@ -153,6 +154,8 @@ import org.apache.hadoop.hive.ql.plan.UnlockTableDesc; import org.apache.hadoop.hive.ql.plan.api.StageType; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; @@ -237,6 +240,7 @@ private static String INTERMEDIATE_EXTRACTED_DIR_SUFFIX; private MetaDataFormatter formatter; + private final HiveAuthorizationTranslator defaultAuthorizationTranslator = new DefaultHiveAuthorizationTranslator(); @Override public boolean requireLock() { 
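Review bot: `defaultAuthorizationTranslator` is added as a per-instance field in the @@ -237 hunk, yet the `DefaultHiveAuthorizationTranslator` this commit introduces has no fields and only delegates to static `AuthorizationUtils` methods, so `private static final HiveAuthorizationTranslator DEFAULT_AUTHORIZATION_TRANSLATOR = new DefaultHiveAuthorizationTranslator();` would carry the same meaning without one allocation per DDLTask. If DDLTask instances are serialized as part of the plan (DDLTask extends Task, which I believe is Serializable — confirm), a non-transient instance field of a non-Serializable type is also a serialization hazard that the static form avoids. The body of requireLock continues outside the hunk.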
@@ -661,8 +665,8 @@ private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } - List principals = - authorizer.getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); + List principals = getAuthorizationTranslator(authorizer).getHivePrincipals( + grantOrRevokeRoleDDL.getPrincipalDesc()); List roles = grantOrRevokeRoleDDL.getRoles(); boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); @@ -674,13 +678,19 @@ private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) return 0; } + private HiveAuthorizationTranslator getAuthorizationTranslator(HiveAuthorizer authorizer) { + if(authorizer.getHiveAuthorizationTranslator() == null) { + return defaultAuthorizationTranslator ; + } + } + private int showGrants(ShowGrantDesc showGrantDesc) throws HiveException { HiveAuthorizer authorizer = getSessionAuthorizer(); try { List privInfos = authorizer.showPrivileges( AuthorizationUtils.getHivePrincipal(showGrantDesc.getPrincipalDesc()), - authorizer.getHivePrivilegeObject(showGrantDesc.getHiveObj())); + getAuthorizationTranslator(authorizer).getHivePrivilegeObject(showGrantDesc.getHiveObj())); boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); writeToFile(writeGrantInfo(privInfos, testMode), showGrantDesc.getResFile()); } catch (IOException e) { 
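Review bot: `getAuthorizationTranslator` in the @@ -674 hunk returns only on the null branch; when `authorizer.getHiveAuthorizationTranslator()` is non-null the method falls off the end without a `return`, which does not compile, and the call it makes is declared `throws HiveException` in the new HiveAuthorizer interface while this helper declares nothing. Fetch the plugin translator once and return it, i.e. signature `private HiveAuthorizationTranslator getAuthorizationTranslator(HiveAuthorizer authorizer) throws HiveException {` with body `HiveAuthorizationTranslator translator = authorizer.getHiveAuthorizationTranslator();` and `return translator == null ? defaultAuthorizationTranslator : translator;` (this also drops the stray space in `defaultAuthorizationTranslator ;`). showGrants already declares HiveException, but grantOrRevokeRole (@@ -661 hunk) and grantOrRevokePrivileges have their signatures outside these hunks, so check that each either declares or handles it. A short Javadoc would help here too, e.g. `/** Returns the authorizer's own translator when it provides one, otherwise the default translation. */`, since this is the point where a plugin is allowed to override how DDL descriptors are mapped to the privilege objects being granted or revoked.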
@@ -697,9 +707,12 @@ private int grantOrRevokePrivileges(List principals, HiveAuthorizer authorizer = getSessionAuthorizer(); //Convert to object types used by the authorization plugin interface - List hivePrincipals = authorizer.getHivePrincipals(principals); - List hivePrivileges = authorizer.getHivePrivileges(privileges); - HivePrivilegeObject hivePrivObject = authorizer.getHivePrivilegeObject(privSubjectDesc); + List hivePrincipals = getAuthorizationTranslator(authorizer).getHivePrincipals( + principals); + List hivePrivileges = getAuthorizationTranslator(authorizer).getHivePrivileges( + privileges); + HivePrivilegeObject hivePrivObject = getAuthorizationTranslator(authorizer) + .getHivePrivilegeObject(privSubjectDesc); HivePrincipal grantorPrincipal = new HivePrincipal( grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationTranslator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationTranslator.java new file mode 100644 index 0000000..56b157d --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/DefaultHiveAuthorizationTranslator.java 
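Review bot: `getAuthorizationTranslator(authorizer)` is invoked three times in a row in grantOrRevokePrivileges, so the plugin's `getHiveAuthorizationTranslator()` is re-evaluated for each conversion and a plugin that returns different objects across calls would see inconsistent translation of principals, privileges and the target object within one statement. Resolve it once, `HiveAuthorizationTranslator translator = getAuthorizationTranslator(authorizer);`, and use `translator.getHivePrincipals(principals)`, `translator.getHivePrivileges(privileges)` and `translator.getHivePrivilegeObject(privSubjectDesc)` below it. The signature of grantOrRevokePrivileges starts before the hunk.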
@@ -0,0 +1,50 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.util.List; + +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; + + +/** + * Default implementation of HiveAuthorizationTranslator + */ +public class DefaultHiveAuthorizationTranslator implements HiveAuthorizationTranslator { + + public List getHivePrincipals(List principals) + throws HiveException { + return AuthorizationUtils.getHivePrincipals(principals); + } + + public List getHivePrivileges(List privileges) { + return AuthorizationUtils.getHivePrivileges(privileges); + } + + public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) + throws 
HiveException { + return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc); + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java index 325fba7..b482942 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java @@ -69,4 +69,5 @@ void revokeRole(List hivePrincipals, List roles, boolean HiveAccessControlException; void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException; + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationTranslator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationTranslator.java new file mode 100644 index 0000000..34f50dd --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationTranslator.java 
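Review bot: The three implementing methods of `DefaultHiveAuthorizationTranslator` lack `@Override`, so a later signature drift in `HiveAuthorizationTranslator` would leave an unintended overload behind instead of a compile error; add `@Override` above each of `getHivePrincipals`, `getHivePrivileges` and `getHivePrivilegeObject`. The class Javadoc could also state what "default" means here, e.g. `Translates Hive DDL descriptors into plugin-API objects by delegating to {@link AuthorizationUtils}; used whenever a {@link HiveAuthorizer} returns null from getHiveAuthorizationTranslator().` With no state and no constructor arguments the class could be declared `final`, matching its role as the fixed fallback.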
@@ -0,0 +1,48 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import java.util.List; + +import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; + +/** + * This interface has functions that provide the ability to customize the translation + * from Hive internal representations of Authorization objects to the public API objects + * This is an interface that is not meant for general use, it is targeted to some + * specific use cases of Apache Sentry (incubating). + * The API uses several classes that are considered internal to Hive, and it is + * subject to change across releases. 
+ */ +@LimitedPrivate(value = { "Apache Sentry (incubating)" }) +@Evolving +public interface HiveAuthorizationTranslator { + + public List getHivePrincipals(List principals) + throws HiveException; + + public List getHivePrivileges(List privileges); + + public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) + throws HiveException; +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 512772b..b1c7da9 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -23,9 +23,6 @@ import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.metadata.HiveException; -import org.apache.hadoop.hive.ql.plan.PrincipalDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; /** 
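Review bot: The `public` modifier on the three methods of the `HiveAuthorizationTranslator` interface is redundant on interface members and is inconsistent with this same commit, which removes `public` from `applyAuthorizationConfigPolicy` in HiveAuthorizer; drop it here too. The type-level Javadoc explains the audience but none of the methods are documented, and as these are the hooks through which a plugin can change which objects a GRANT/REVOKE is applied to, each deserves a one-line contract, e.g. `/** Translates the principals named in a DDL statement into the plugin-API principals the authorizer grants to or revokes from. */` on `getHivePrincipals`, with matching lines for `getHivePrivileges` and `getHivePrivilegeObject`, and a note on whether a null result is permitted.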
@@ -212,14 +209,17 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp * @param hiveConf * @throws HiveAuthzPluginException */ - public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException; + void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException; - public List getHivePrincipals(List principals) - throws HiveException; - - public List getHivePrivileges(List privileges); + /** + * Get a {@link HiveAuthorizationTranslator} implementation. See + * {@link HiveAuthorizationTranslator} for details. Return null if no + * customization is needed. Most implementations are expected to return null. + * + * @return + * @throws HiveException + */ + HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveException; - public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) - throws HiveException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index 76a80e0..74f02ef 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java @@ -23,10 +23,6 @@ import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.metadata.HiveException; -import org.apache.hadoop.hive.ql.plan.PrincipalDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; -import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; /** * Convenience implementation of HiveAuthorizer. 
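Review bot: The Javadoc for `getHiveAuthorizationTranslator` leaves its `@return` and `@throws` tags empty, which renders as blank entries and loses the one contract detail that matters (null means "use the default"). Replace them with `@return the translator to use for this authorizer, or null to use Hive's default translation` and `@throws HiveException if the translator cannot be created`, the latter hedged to whatever the implementations actually raise. It is also worth stating in the description that the translator, when non-null, replaces the default mapping for all grant/revoke and show-grant paths, so callers know the scope of the customization.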
@@ -141,19 +137,11 @@ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPl } @Override - public List getHivePrincipals( - List principals) throws HiveException { - return AuthorizationUtils.getHivePrincipals(principals); + public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveException { + // no customization of this API is done for most Authorization + // implementations. + // it is meant to be used for special cases in Apache Sentry (incubating) + return null; } - @Override - public List getHivePrivileges(List privileges) { - return AuthorizationUtils.getHivePrivileges(privileges); - } - - @Override - public HivePrivilegeObject getHivePrivilegeObject( - PrivilegeObjectDesc privSubjectDesc) throws HiveException { - return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc); - } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index c387800..005fb67 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java @@ -37,9 +37,6 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.Table; -import org.apache.hadoop.hive.ql.plan.PrincipalDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; -import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope; import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController; 
@@ -383,19 +380,10 @@ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { } @Override - public List getHivePrincipals( - List principals) throws HiveException { - return AuthorizationUtils.getHivePrincipals(principals); + public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveException { + // custom translator is not needed, so return null + return null; } - @Override - public List getHivePrivileges(List privileges) { - return AuthorizationUtils.getHivePrivileges(privileges); - } - @Override - public HivePrivilegeObject getHivePrivilegeObject( - PrivilegeObjectDesc privSubjectDesc) throws HiveException { - return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc); - } }