commit 415dcc3a808bef4a5dc8344880f7087a6b3c30d7 Author: Thejas Nair Date: Tue Jul 19 23:28:20 2016 -0700 HIVE-14284 diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java index 273ec36..f30b595 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java @@ -56,6 +56,7 @@ private static MiniHS2 miniHS2 = null; static HiveAuthorizer mockedAuthorizer; static HiveAuthenticationProvider authenticator; + static final String TABLE1_NAME = "TestHS2AuthzContextTab"; /** * This factory creates a mocked HiveAuthorizer class. @@ -83,6 +84,11 @@ public static void beforeTest() throws Exception { miniHS2 = new MiniHS2(conf); miniHS2.start(new HashMap()); + // create tables as user1 + Connection hs2Conn = getConnection("user1"); + Statement stmt = hs2Conn.createStatement(); + stmt.execute("create table " + TABLE1_NAME + "(i int) "); + stmt.close(); } @AfterClass 
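Review bot: In beforeTest the Connection opened as user1 is never closed, and if `stmt.execute` throws, neither the Statement nor the Connection is released; only the success path reaches `stmt.close()`. Both are AutoCloseable, so the added lines can become `try (Connection hs2Conn = getConnection("user1"); Statement stmt = hs2Conn.createStatement()) {` / `stmt.execute("create table " + TABLE1_NAME + "(i int) ");` / `}` (try-with-resources needs the test module to compile at Java 7 or later, which I assume it does). beforeTest opens before the hunk; only its tail is visible here.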
@@ -103,6 +109,34 @@ public void testAuthzContextContentsCmdProcessorCmd() throws Exception { verifyContextContents("dfs -ls /", "-ls /"); } + @Test + public void testGrantContextContents() throws Exception { + String cmd = "grant all on table " + TABLE1_NAME + " to user user2"; + verifyContextContents(cmd, cmd); + } + + + @Test + public void testRevokeContextContents() throws Exception { + String cmd = "revoke all on table " + TABLE1_NAME + " from user user2"; + verifyContextContents(cmd, cmd); + } + + @Test + public void testRolesMgmtContextContents() throws Exception { + verifyContextContents("create role newrole"); + verifyContextContents("grant role newrole to user user2 with admin option"); + verifyContextContents("show role grant user user2"); + verifyContextContents("show principals newrole"); + verifyContextContents("revoke role newrole from user user2"); + verifyContextContents("show roles"); + verifyContextContents("drop role newrole"); + } + + private void verifyContextContents(String cmd) throws HiveAuthzPluginException, HiveAccessControlException, Exception { + verifyContextContents(cmd, cmd); + } + private void verifyContextContents(final String cmd, String ctxCmd) throws Exception, HiveAuthzPluginException, HiveAccessControlException { Connection hs2Conn = getConnection("user1"); @@ -128,7 +162,7 @@ private void verifyContextContents(final String cmd, String ctxCmd) throws Excep } - private Connection getConnection(String userName) throws Exception { + private static Connection getConnection(String userName) throws Exception { return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar"); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index 2b8d6a7..ceb12f7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java 
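Review bot: The new one-argument `verifyContextContents(String cmd)` declares `throws HiveAuthzPluginException, HiveAccessControlException, Exception`, where the trailing `Exception` already covers the other two; `private void verifyContextContents(String cmd) throws Exception {` says the same thing and matches the test methods above it. There is also a doubled blank line between testGrantContextContents and testRevokeContextContents. The two-argument verifyContextContents it delegates to continues past the end of this hunk.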
@@ -199,6 +199,7 @@ import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; @@ -713,9 +714,9 @@ private int grantOrRevokeRole(Hive db, GrantRevokeRoleDDL grantOrRevokeRoleDDL) boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); if (grantOrRevokeRoleDDL.getGrant()) { - authorizer.grantRole(principals, roles, grantOption, grantorPrinc); + authorizer.grantRole(principals, roles, grantOption, grantorPrinc, getAuthzContext()); } else { - authorizer.revokeRole(principals, roles, grantOption, grantorPrinc); + authorizer.revokeRole(principals, roles, grantOption, grantorPrinc, getAuthzContext()); } return 0; } @@ -735,7 +736,8 @@ private int showGrants(Hive db, ShowGrantDesc showGrantDesc) throws HiveExceptio try { List privInfos = authorizer.showPrivileges( getAuthorizationTranslator(authorizer).getHivePrincipal(showGrantDesc.getPrincipalDesc()), - getAuthorizationTranslator(authorizer).getHivePrivilegeObject(showGrantDesc.getHiveObj())); + getAuthorizationTranslator(authorizer).getHivePrivilegeObject(showGrantDesc.getHiveObj()), + getAuthzContext()); boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); writeToFile(writeGrantInfo(privInfos, testMode), showGrantDesc.getResFile()); } catch (IOException e) { 
@@ -761,49 +763,58 @@ private int grantOrRevokePrivileges(Hive db, List principals, HivePrincipal grantorPrincipal = new HivePrincipal( grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); - if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, - grantorPrincipal, grantOption); + grantorPrincipal, grantOption, getAuthzContext()); }else { authorizer.revokePrivileges(hivePrincipals, hivePrivileges, - hivePrivObject, grantorPrincipal, grantOption); + hivePrivObject, grantorPrincipal, grantOption, getAuthzContext()); } //no exception thrown, so looks good return 0; } + private HiveAuthzContext getAuthzContext() { + SessionState ss = SessionState.get(); + HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder(); + authzContextBuilder.setUserIpAddress(ss.getUserIpAddress()); + authzContextBuilder.setForwardedAddresses(ss.getForwardedAddresses()); + authzContextBuilder.setCommandString(ss.getConf().getQueryString()); + return authzContextBuilder.build(); + } + private int roleDDL(Hive db, RoleDDLDesc roleDDLDesc) throws Exception { HiveAuthorizer authorizer = getSessionAuthorizer(db); RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation(); //call the appropriate hive authorizer function switch(operation){ case CREATE_ROLE: - authorizer.createRole(roleDDLDesc.getName(), null); + authorizer.createRole(roleDDLDesc.getName(), null, getAuthzContext()); break; case DROP_ROLE: - authorizer.dropRole(roleDDLDesc.getName()); + authorizer.dropRole(roleDDLDesc.getName(), getAuthzContext()); break; case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List roles = authorizer.getRoleGrantInfoForPrincipal( - AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); + AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), + roleDDLDesc.getPrincipalType()), getAuthzContext()); writeToFile(writeRolesGrantedInfo(roles, testMode), 
roleDDLDesc.getResFile()); break; case SHOW_ROLES: - List allRoles = authorizer.getAllRoles(); + List allRoles = authorizer.getAllRoles(getAuthzContext()); writeListToFileAfterSort(allRoles, roleDDLDesc.getResFile()); break; case SHOW_CURRENT_ROLE: - List roleNames = authorizer.getCurrentRoleNames(); + List roleNames = authorizer.getCurrentRoleNames(getAuthzContext()); writeListToFileAfterSort(roleNames, roleDDLDesc.getResFile()); break; case SET_ROLE: - authorizer.setCurrentRole(roleDDLDesc.getName()); + authorizer.setCurrentRole(roleDDLDesc.getName(), getAuthzContext()); break; case SHOW_ROLE_PRINCIPALS: testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName()); + List roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName(), getAuthzContext()); writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile()); break; default: diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java index 522ff3f..a13e840 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java @@ -17,6 +17,8 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin; +import java.util.List; + /** * Abstract class that extends HiveAuthorizer. This will help to shield 
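Review bot: The new private `getAuthzContext()` dereferences the result of `SessionState.get()` without a null check, so if a DDLTask ever runs without a session the failure surfaces as a NullPointerException inside context construction rather than as a clear error; if that path is possible, `if (ss == null) { throw new IllegalStateException("SessionState required to build HiveAuthzContext"); }` after the `SessionState.get()` line would localise it. The method also has no comment; a header such as `/** Builds the HiveAuthzContext (client IP, forwarded addresses, command string) handed to the authorizer for grant/revoke/role DDL. */` would tell plugin authors what the context carries, since the visible code is the only place it is populated. The roleDDL switch continues beyond the end of the hunk.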
@@ -38,4 +40,145 @@ public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveA return null; } + + public void grantPrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException{ + } + + @Override + public void grantPrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); + } + + public void revokePrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + @Override + public void revokePrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); + } + + public void createRole(String roleName, HivePrincipal adminGrantor) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + createRole(roleName, adminGrantor); + } + + public void dropRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + @Override + public void dropRole(String roleName, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + dropRole(roleName); + } + + public List 
getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException { + return null; + } + + public List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + return getPrincipalGrantInfoForRole(roleName); + } + + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) + throws HiveAuthzPluginException, HiveAccessControlException { + return null; + } + + + public List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + return getRoleGrantInfoForPrincipal(principal); + } + + public void grantRole(List hivePrincipals, List roles, boolean grantOption, + HivePrincipal grantorPrinc) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + public void grantRole(List hivePrincipals, List roles, boolean grantOption, + HivePrincipal grantorPrinc, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + grantRole(hivePrincipals, roles, grantOption, grantorPrinc); + } + + public void revokeRole(List hivePrincipals, List roles, boolean grantOption, + HivePrincipal grantorPrinc) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + public void revokeRole(List hivePrincipals, List roles, boolean grantOption, + HivePrincipal grantorPrinc, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + revokeRole(hivePrincipals, roles, grantOption, grantorPrinc); + } + + public void checkPrivileges(HiveOperationType hiveOpType, List inputsHObjs, + List outputHObjs) + throws HiveAuthzPluginException, HiveAccessControlException { + } + + public void checkPrivileges(HiveOperationType hiveOpType, List inputsHObjs, + List outputHObjs, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + checkPrivileges(hiveOpType, inputsHObjs, 
outputHObjs); + } + + public List getAllRoles() + throws HiveAuthzPluginException, HiveAccessControlException { + return null; + } + + + public List getAllRoles(HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + return getAllRoles(); + } + + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + throws HiveAuthzPluginException, HiveAccessControlException { + return null; + } + + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj, + HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + return showPrivileges(principal, privObj); + } + + public void setCurrentRole(String roleName) + throws HiveAccessControlException, HiveAuthzPluginException { + } + + public void setCurrentRole(String roleName, HiveAuthzContext hiveAuthzContext) + throws HiveAccessControlException, HiveAuthzPluginException { + setCurrentRole(roleName); + } + + public List getCurrentRoleNames() throws HiveAuthzPluginException { + return null; + } + + public List getCurrentRoleNames(HiveAuthzContext hiveAuthzContext) + throws HiveAuthzPluginException { + return getCurrentRoleNames(); + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java index 325fba7..4079ebd 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java 
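Review bot: The context-less default bodies added to AbstractHiveAuthorizer make privilege and role mutations fail open: a subclass that overrides neither overload of grantPrivileges, revokePrivileges, createRole, dropRole, grantRole, revokeRole or setCurrentRole silently reports success, and getAllRoles, showPrivileges, getCurrentRoleNames and the two grant-info lookups return null, which the DDLTask callers changed in this commit pass straight to writeListToFileAfterSort and writeToFile. Unless a no-op is the intended contract for every subclass, each mutating default should reject the call, for example `throw new HiveAuthzPluginException("grantPrivileges is not implemented by " + getClass().getName());` (already in the throws clause) or an UnsupportedOperationException, and the list-returning defaults should return an empty list rather than null. The new context-taking overloads are also inconsistently annotated: grantPrivileges, revokePrivileges, createRole and dropRole carry `@Override` while getPrincipalGrantInfoForRole, getRoleGrantInfoForPrincipal, grantRole, revokeRole, checkPrivileges, getAllRoles, showPrivileges, setCurrentRole and getCurrentRoleNames do not, although they implement the same interface methods. A class-level comment stating which overload a subclass is expected to implement, and that the context is dropped by the default delegation, would make the intended extension point explicit.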
@@ -31,42 +31,44 @@ public interface HiveAccessController { void grantPrivileges(List hivePrincipals, List hivePrivileges, - HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; void revokePrivileges(List hivePrincipals, List hivePrivileges, - HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - void createRole(String roleName, HivePrincipal adminGrantor) + void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - void dropRole(String roleName) + void dropRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; void grantRole(List hivePrincipals, List roles, boolean grantOption, - HivePrincipal grantorPrinc) + HivePrincipal grantorPrinc, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; void revokeRole(List hivePrincipals, List roles, boolean grantOption, - HivePrincipal grantorPrinc) + HivePrincipal grantorPrinc, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - List getAllRoles() + List getAllRoles(HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; + void setCurrentRole(String 
roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - List getCurrentRoleNames() throws HiveAuthzPluginException; + List getCurrentRoleNames(HiveAuthzContext ctx) throws HiveAuthzPluginException; - List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, + List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException; - List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, - HiveAccessControlException; + List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException; void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 4814fc1..35fcb21 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -62,11 +62,13 @@ * @param hivePrivObject * @param grantorPrincipal * @param grantOption + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ void grantPrivileges(List hivePrincipals, List hivePrivileges, - HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** 
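Review bot: The new parameter is named `ctx` throughout HiveAccessController but `context` in the matching HiveAuthorizer methods and `hiveAuthzContext` in that interface's setCurrentRole and getCurrentRoleNames, so the same value carries three names across the two interfaces HiveAuthorizerImpl forwards between; settling on one, e.g. `HiveAuthzContext context`, keeps the signatures aligned. This interface also gains no Javadoc for the new parameter; a single class-level note on what implementations may expect to find in the context would be enough.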
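Review bot: The `@param context` tag added to the grantPrivileges Javadoc is empty, and the same is true of the tags added in the following hunks for revokePrivileges, createRole, dropRole, getPrincipalGrantInfoForRole, getRoleGrantInfoForPrincipal, grantRole, revokeRole, getAllRoles, showPrivileges, setCurrentRole and getCurrentRoleNames; an undescribed tag tells a plugin author nothing. The DDLTask change in this commit populates the context with the client IP address, the forwarded addresses and the command string, so a description such as `@param context request context for this call (client address, forwarded addresses and command string, as populated by the caller)` can be reused for every tag.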
@@ -76,11 +78,13 @@ void grantPrivileges(List hivePrincipals, List hiv * @param hivePrivObject * @param grantorPrincipal * @param grantOption + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ void revokePrivileges(List hivePrincipals, List hivePrivileges, - HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption, + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; 
@@ -88,40 +92,44 @@ void revokePrivileges(List hivePrincipals, List hi * Create role * @param roleName * @param adminGrantor - The user in "[ WITH ADMIN ]" clause of "create role" + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - void createRole(String roleName, HivePrincipal adminGrantor) + void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * Drop role * @param roleName + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - void dropRole(String roleName) + void dropRole(String roleName, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * Get the grant information for principals granted the given role * @param roleName + * @param context * @return * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List getPrincipalGrantInfoForRole(String roleName) + List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * Get the grant information of roles the given principal belongs to * @param principal + * @param context * @return * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List getRoleGrantInfoForPrincipal(HivePrincipal principal) + List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** @@ -130,11 +138,12 @@ void dropRole(String roleName) * @param roles * @param grantOption * @param grantorPrinc + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ void grantRole(List hivePrincipals, List roles, boolean grantOption, - HivePrincipal grantorPrinc) + HivePrincipal grantorPrinc, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; 
@@ -144,11 +153,12 @@ void grantRole(List hivePrincipals, List roles, boolean g * @param roles * @param grantOption * @param grantorPrinc + * @param context * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ void revokeRole(List hivePrincipals, List roles, boolean grantOption, - HivePrincipal grantorPrinc) + HivePrincipal grantorPrinc, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** 
@@ -178,39 +188,44 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; - /** + * @param context * @return all existing roles * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List getAllRoles() + List getAllRoles(HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * Show privileges for given principal on given object * @param principal * @param privObj + * @param context * @return * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj, + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * Set the current role to roleName argument * @param roleName + * @param hiveAuthzContext * @throws HiveAccessControlException * @throws HiveAuthzPluginException */ - void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException; + void setCurrentRole(String roleName, HiveAuthzContext hiveAuthzContext) + throws HiveAccessControlException, HiveAuthzPluginException; /** + * @param hiveAuthzContext * @return List having names of current roles * @throws HiveAuthzPluginException */ - List getCurrentRoleNames() throws HiveAuthzPluginException; + List getCurrentRoleNames(HiveAuthzContext hiveAuthzContext) throws HiveAuthzPluginException; /** * Modify the given HiveConf object to configure authorization related parameters diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index 570571b..30716a7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java 
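Review bot: The getAllRoles Javadoc in this hunk removes the `/**` opener line and adds ` * @param context` in its place; unless another `/**` line immediately precedes it outside the hunk, the remaining ` * @return … */` lines are no longer inside a comment and the file will not compile, so this is worth checking against the actual file rather than the diff. If the opener is in fact still present, the tag is fine apart from carrying no description, like the other `@param context` and `@param hiveAuthzContext` tags in this hunk. The parameter is also named `hiveAuthzContext` for setCurrentRole and getCurrentRoleNames but `context` for every other method in the interface.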
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java @@ -23,7 +23,6 @@ import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.parse.SemanticException; -import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; /** * Convenience implementation of HiveAuthorizer. 
@@ -45,39 +44,45 @@ public HiveAuthorizerImpl(HiveAccessController accessController, HiveAuthorizati @Override public void grantPrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, - grantorPrincipal, grantOption); + grantorPrincipal, grantOption, ctx); } @Override public void revokePrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, - grantorPrincipal, grantOption); + grantorPrincipal, grantOption, ctx); } @Override - public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { - accessController.createRole(roleName, adminGrantor); + public void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + accessController.createRole(roleName, adminGrantor, ctx); } @Override - public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { - accessController.dropRole(roleName); + public void dropRole(String roleName, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + accessController.dropRole(roleName, ctx); } @Override public void grantRole(List hivePrincipals, List roles, - boolean grantOption, 
HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { - accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc); + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc, ctx); } @Override public void revokeRole(List hivePrincipals, List roles, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { - accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc); + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc, ctx); } @Override @@ -95,14 +100,16 @@ public void checkPrivileges(HiveOperationType hiveOpType, List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.getAllRoles(); + public List getAllRoles(HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.getAllRoles(ctx); } @Override public List showPrivileges(HivePrincipal principal, - HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.showPrivileges(principal, privObj); + HivePrivilegeObject privObj, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.showPrivileges(principal, privObj, ctx); } @Override 
@@ -111,25 +118,25 @@ public VERSION getVersion() { } @Override - public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { - accessController.setCurrentRole(roleName); + public void setCurrentRole(String roleName, HiveAuthzContext ctx) throws HiveAccessControlException, HiveAuthzPluginException { + accessController.setCurrentRole(roleName, ctx); } @Override - public List getCurrentRoleNames() throws HiveAuthzPluginException { - return accessController.getCurrentRoleNames(); + public List getCurrentRoleNames(HiveAuthzContext ctx) throws HiveAuthzPluginException { + return accessController.getCurrentRoleNames(ctx); } @Override - public List getPrincipalGrantInfoForRole(String roleName) + public List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.getPrincipalGrantInfoForRole(roleName); + return accessController.getPrincipalGrantInfoForRole(roleName, ctx); } @Override - public List getRoleGrantInfoForPrincipal(HivePrincipal principal) + public List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.getRoleGrantInfoForPrincipal(principal); + return accessController.getRoleGrantInfoForPrincipal(principal, ctx); } @Override diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index 485416e..c02b823 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java 
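Review bot: The rewritten `setCurrentRole` declaration keeps the parameter list and throws clause on one line while every other method in this hunk and the preceding one wraps `throws` onto its own line; `public void setCurrentRole(String roleName, HiveAuthzContext ctx)` followed by `    throws HiveAccessControlException, HiveAuthzPluginException {` would match the surrounding style. The bodies themselves are plain pass-throughs of `ctx` to accessController and need no other change.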
@@ -75,7 +75,7 @@ public void checkPrivileges(HiveOperationType hiveOpType, List principals, List privileges, HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) - throws HiveAuthzPluginException, HiveAccessControlException { + throws HiveAuthzPluginException, HiveAccessControlException { try { PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); grantOrRevokePrivs(principals, privBag, true, grantOption); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index d5c3a1a..511d185 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -50,6 +50,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; 
@@ -168,7 +169,7 @@ private void getAllRoleAncestors(Map processedRolesMap, L @Override public void grantPrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); @@ -176,7 +177,7 @@ public void grantPrivileges(List hivePrincipals, IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, - metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); + metastoreClient, authenticator.getUserName(), getCurrentRoleNames(ctx), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, @@ -189,7 +190,7 @@ public void grantPrivileges(List hivePrincipals, } @Override - public List getCurrentRoleNames() throws HiveAuthzPluginException { + public List getCurrentRoleNames(HiveAuthzContext ctx) throws HiveAuthzPluginException { List roleNames = new ArrayList(); for(HiveRoleGrant role : getCurrentRoles()){ roleNames.add(role.getRoleName()); @@ -224,7 +225,7 @@ public void grantPrivileges(List hivePrincipals, @Override public void revokePrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { hivePrivileges = expandAndValidatePrivileges(hivePrivileges); 
@@ -249,7 +250,7 @@ public void revokePrivileges(List hivePrincipals, } @Override - public void createRole(String roleName, HivePrincipal adminGrantor) + public void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can create new roles. if (!isUserAdmin()) { @@ -270,7 +271,7 @@ public void createRole(String roleName, HivePrincipal adminGrantor) } @Override - public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + public void dropRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can drop existing role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" @@ -285,8 +286,9 @@ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAcces @Override public void grantRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, - HiveAccessControlException { + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); 
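Review bot: A stray blank line is added between the new signature of grantRole and its first `if (!(isUserAdmin() || doesUserHasAdminOption(roleNames)))` check, and revokeRole in the next hunk gets the same; dropping both keeps the diff to the signature change. Separately, the wrapping is inconsistent within the file: dropRole here, and getAllRoles and setCurrentRole in the following hunks, keep `(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException {` on a single line well past 100 columns, whereas grantRole, revokeRole and getPrincipalGrantInfoForRole move the `throws` clause onto its own line. The wrapped form should be used for all of them. The bodies of these methods continue outside their hunks.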
@@ -312,8 +314,9 @@ public void grantRole(List hivePrincipals, List roleNames @Override public void revokeRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, - HiveAccessControlException { + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { + if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG); @@ -334,7 +337,7 @@ public void revokeRole(List hivePrincipals, List roleName } @Override - public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + public List getAllRoles(HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" @@ -349,7 +352,8 @@ public void revokeRole(List hivePrincipals, List roleName @Override - public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + public List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext ctx) + throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" @@ -377,7 +381,8 @@ public void revokeRole(List hivePrincipals, List roleName } @Override - public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj, + HiveAuthzContext ctx) throws HiveAuthzPluginException { try { 
@@ -516,7 +521,7 @@ private boolean isSupportedObjectType(HiveObjectType objectType) { } @Override - public void setCurrentRole(String roleName) throws HiveAccessControlException, + public void setCurrentRole(String roleName, HiveAuthzContext ctx) throws HiveAccessControlException, HiveAuthzPluginException { initUserRoles(); @@ -594,7 +599,7 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP } @Override - public List getRoleGrantInfoForPrincipal(HivePrincipal principal) + public List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { try { // first authorize the call diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java index a7f47ce..152f616 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java @@ -25,6 +25,7 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; 
@@ -61,116 +62,116 @@ public SQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreCli @Override public void grantPrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principals hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals); grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal); hiveAccessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, - grantorPrincipal, grantOption); + grantorPrincipal, grantOption, ctx); } @Override public void revokePrivileges(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HivePrincipal grantorPrincipal, boolean grantOption, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principals hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals); grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal); hiveAccessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, - grantorPrincipal, grantOption); + grantorPrincipal, grantOption, ctx); } @Override - public void createRole(String roleName, HivePrincipal adminGrantor) + public void createRole(String roleName, HivePrincipal adminGrantor, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principals roleName = roleName.toLowerCase(); adminGrantor = SQLAuthorizationUtils.getValidatedPrincipal(adminGrantor); - hiveAccessController.createRole(roleName, adminGrantor); + hiveAccessController.createRole(roleName, adminGrantor, ctx); } @Override - public void 
dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + public void dropRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // lower case roleName roleName = roleName.toLowerCase(); - hiveAccessController.dropRole(roleName); + hiveAccessController.dropRole(roleName, ctx); } @Override public void grantRole(List hivePrincipals, List roles, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principals hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals); roles = getLowerCaseRoleNames(roles); grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc); - hiveAccessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc); + hiveAccessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc, ctx); } @Override public void revokeRole(List hivePrincipals, List roles, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + boolean grantOption, HivePrincipal grantorPrinc, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals); roles = getLowerCaseRoleNames(roles); grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc); - hiveAccessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc); + hiveAccessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc, ctx); } @Override - public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { - return hiveAccessController.getAllRoles(); + public List getAllRoles(HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { + return 
hiveAccessController.getAllRoles(ctx); } @Override - public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principal = SQLAuthorizationUtils.getValidatedPrincipal(principal); - return hiveAccessController.showPrivileges(principal, privObj); + return hiveAccessController.showPrivileges(principal, privObj, ctx); } @Override - public void setCurrentRole(String roleName) throws HiveAuthzPluginException, + public void setCurrentRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate roleName = roleName.toLowerCase(); - hiveAccessController.setCurrentRole(roleName); + hiveAccessController.setCurrentRole(roleName, ctx); } @Override - public List getCurrentRoleNames() throws HiveAuthzPluginException { - return hiveAccessController.getCurrentRoleNames(); + public List getCurrentRoleNames(HiveAuthzContext ctx) throws HiveAuthzPluginException { + return hiveAccessController.getCurrentRoleNames(ctx); } @Override - public List getPrincipalGrantInfoForRole(String roleName) + public List getPrincipalGrantInfoForRole(String roleName, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate roleName = roleName.toLowerCase(); - return hiveAccessController.getPrincipalGrantInfoForRole(roleName); + return hiveAccessController.getPrincipalGrantInfoForRole(roleName, ctx); } @Override - public List getRoleGrantInfoForPrincipal(HivePrincipal principal) + public List getRoleGrantInfoForPrincipal(HivePrincipal principal, HiveAuthzContext ctx) throws HiveAuthzPluginException, HiveAccessControlException { // validate principal = SQLAuthorizationUtils.getValidatedPrincipal(principal); - return hiveAccessController.getRoleGrantInfoForPrincipal(principal); + return 
hiveAccessController.getRoleGrantInfoForPrincipal(principal, ctx); } @Override diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 2977675..a81d181 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -80,16 +80,19 @@ public void checkPrivileges(HiveOperationType hiveOpType, List deniedMessages = new ArrayList(); - checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, deniedMessages); - checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, deniedMessages); + checkPrivileges(hiveOpType, inputHObjs, metastoreClient, userName, IOType.INPUT, + deniedMessages, context); + checkPrivileges(hiveOpType, outputHObjs, metastoreClient, userName, IOType.OUTPUT, + deniedMessages, context); SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipalType.USER), hiveOpType, deniedMessages); } private void checkPrivileges(HiveOperationType hiveOpType, List hiveObjects, - IMetaStoreClient metastoreClient, String userName, IOType ioType, List deniedMessages) - throws HiveAuthzPluginException, HiveAccessControlException { + IMetaStoreClient metastoreClient, String userName, IOType ioType, + List deniedMessages, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { if (hiveObjects == null) { return; @@ -129,7 +132,7 @@ private void checkPrivileges(HiveOperationType hiveOpType, List
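Review bot: In this wrapper hunk the signatures of grantPrivileges, revokePrivileges, grantRole and revokeRole now carry `boolean grantOption, HiveAuthzContext ctx) throws HiveAuthzPluginException,` on one line that runs well past 100 columns, while the counterpart methods in SQLStdHiveAccessController were re-wrapped in this same commit to put the `throws` clause on its own line; wrapping them the same way here keeps the two classes consistent. The wrapper's normalisation of inputs before delegation (getValidatedPrincipals, getValidatedPrincipal, toLowerCase on role names) is not applied to ctx, which is passed through untouched in every method; a one-line comment such as `// ctx is forwarded as-is; this wrapper normalises only principals and role names` would make that read as intentional rather than as an omission.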
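Review bot: The private checkPrivileges overload gains a `HiveAuthzContext context` parameter whose use is not visible in this hunk — the method body continues outside it, and the `@@ -129` hunk that presumably consumes it is cut off at the end of the view. A short Javadoc on the private method stating what `context` is consulted for and whether a null value is tolerated would help, since it is now forwarded unconditionally from both the IOType.INPUT and IOType.OUTPUT calls in the public overload; e.g. `@param context authorization context of the current request, forwarded from the public checkPrivileges overload`. The public overload also starts outside this hunk.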