diff --git ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java index 706459a..90535d2 100644 --- ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java +++ ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java @@ -19,9 +19,11 @@ import java.io.Serializable; import java.util.ArrayList; +import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Set; import org.apache.hadoop.fs.Path; import org.apache.hadoop.hive.conf.HiveConf; 
@@ -265,17 +267,50 @@ protected PrivilegeObjectDesc parsePrivObject(ASTNode ast) throws SemanticExcept return subject; } + static class PriviligeTypeLookup extends HashMap { + private static final long serialVersionUID = 1L; + public static final PriviligeTypeLookup instance = new PriviligeTypeLookup(); + + private PriviligeTypeLookup() { + super(); + put(HiveParser.TOK_PRIV_ALL, PrivilegeType.ALL); + put(HiveParser.TOK_PRIV_ALTER_DATA, PrivilegeType.ALTER_DATA); + put(HiveParser.TOK_PRIV_ALTER_METADATA, PrivilegeType.ALTER_METADATA); + put(HiveParser.TOK_PRIV_CREATE, PrivilegeType.CREATE); + put(HiveParser.TOK_PRIV_DROP, PrivilegeType.DROP); + put(HiveParser.TOK_PRIV_INDEX, PrivilegeType.INDEX); + put(HiveParser.TOK_PRIV_LOCK, PrivilegeType.LOCK); + put(HiveParser.TOK_PRIV_SELECT, PrivilegeType.SELECT); + put(HiveParser.TOK_PRIV_SHOW_DATABASE, PrivilegeType.SHOW_DATABASE); + put(HiveParser.TOK_PRIV_INSERT, PrivilegeType.INSERT); + put(HiveParser.TOK_PRIV_DELETE, PrivilegeType.DELETE); + Set valueSet = new HashSet<>(); + valueSet.addAll(values()); + // the old enum covered this contract...it can't hurt + for (PrivilegeType privilegeType : PrivilegeType.values()) { + if (privilegeType != PrivilegeType.UNKNOWN && valueSet.contains(privilegeType)) { + throw new RuntimeException("not mapped privilegtype: " + privilegeType); + } + } + } + + static PrivilegeType lookup(Integer token) { + return instance.getOrDefault(token, PrivilegeType.UNKNOWN); + } + } + private List analyzePrivilegeListDef(ASTNode node) throws SemanticException { List ret = new ArrayList(); for (int i = 0; i < node.getChildCount(); i++) { ASTNode privilegeDef = (ASTNode) node.getChild(i); - ASTNode privilegeType = (ASTNode) privilegeDef.getChild(0); - Privilege privObj = PrivilegeRegistry.getPrivilege(privilegeType.getType()); + ASTNode privilegeTypeNode = (ASTNode) privilegeDef.getChild(0); + + PrivilegeType privilegeType = PriviligeTypeLookup.lookup(privilegeTypeNode.getType()); + Privilege privObj 
= SessionState.lookupPrivilegType(privilegeType); if (privObj == null) { - throw new SemanticException("Undefined privilege " + PrivilegeType. - getPrivTypeByToken(privilegeType.getType())); + throw new SemanticException("Undefined privilege: " + privilegeType + " for token: "+privilegeTypeNode.getType()); } List cols = null; if (privilegeDef.getChildCount() > 1) { diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java index 6ae2d99..b112a1a 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java @@ -21,8 +21,6 @@ import java.util.HashMap; import java.util.Map; -import org.apache.hadoop.hive.ql.session.SessionState; - /** * PrivilegeRegistry is used to do privilege lookups. Given a privilege name, it * will return the Privilege object. @@ -32,10 +30,6 @@ protected static Map Registry = null; protected static Map RegistryV2 = null; - public static Privilege getPrivilege(PrivilegeType privilegeType) { - return Registry.get(privilegeType); - } - /** * Add entries to registry. */ 
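Review bot: In HiveAuthorizationTaskFactoryImpl.java, the completeness check in the `PriviligeTypeLookup` constructor is inverted: `valueSet` holds the privilege types that were just mapped, so `valueSet.contains(privilegeType)` is true for a mapped type such as `PrivilegeType.ALL` and the constructor throws "not mapped privilegtype". Because `instance` is built in a static initializer, the first call to `lookup` from `analyzePrivilegeListDef` fails with an `ExceptionInInitializerError`, and privilege lists can no longer be analyzed. The condition should read `if (privilegeType != PrivilegeType.UNKNOWN && !valueSet.contains(privilegeType)) {`. Separately, `instance` is a mutable `HashMap` exposed through a `public static` field, so any code that can see the class can re-point a parser token at a different privilege. Keeping the table in a private `Collections.unmodifiableMap(...)` behind `lookup` would close that.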
@@ -63,18 +57,11 @@ public static Privilege getPrivilege(PrivilegeType privilegeType) { RegistryV2.put(Privilege.DELETE.getPriv(), Privilege.DELETE); } - public static Privilege getPrivilege(int privilegeToken) { - PrivilegeType ptype = PrivilegeType.getPrivTypeByToken(privilegeToken); - return getPrivilegeFromRegistry(ptype); - } - - public static Privilege getPrivilege(String privilegeName) { - PrivilegeType ptype = PrivilegeType.getPrivTypeByName(privilegeName); - return getPrivilegeFromRegistry(ptype); - } - - private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) { - return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype); + public static Privilege getPrivilege(boolean authorizationModeV2, PrivilegeType privilegeType) { + if (authorizationModeV2) + return RegistryV2.get(privilegeType); + else + return Registry.get(privilegeType); } } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java index 5c2f389..6c63686 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java 
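Review bot: The new `getPrivilege(boolean authorizationModeV2, PrivilegeType privilegeType)` in PrivilegeRegistry.java has no Javadoc and uses an unbraced `if`/`else`. The boolean decides which authorization model's privilege table is consulted, so the contract deserves to be written down. I would add a Javadoc stating that `authorizationModeV2` selects `RegistryV2` over `Registry` and that the method returns `null` when the type has no entry, which both callers in this patch check for. The body can then collapse to `return (authorizationModeV2 ? RegistryV2 : Registry).get(privilegeType);`. The class body starts outside this hunk.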
@@ -21,32 +21,28 @@ import java.util.HashMap; import java.util.Map; -import org.apache.hadoop.hive.ql.parse.HiveParser; - /** * Privilege type */ public enum PrivilegeType { - ALL(HiveParser.TOK_PRIV_ALL, "All"), - ALTER_DATA(HiveParser.TOK_PRIV_ALTER_DATA, "Update"), - ALTER_METADATA(HiveParser.TOK_PRIV_ALTER_METADATA, "Alter"), - CREATE(HiveParser.TOK_PRIV_CREATE, "Create"), - DROP(HiveParser.TOK_PRIV_DROP, "Drop"), - INDEX(HiveParser.TOK_PRIV_INDEX, "Index"), - LOCK(HiveParser.TOK_PRIV_LOCK, "Lock"), - SELECT(HiveParser.TOK_PRIV_SELECT, "Select"), - SHOW_DATABASE(HiveParser.TOK_PRIV_SHOW_DATABASE, "Show_Database"), - INSERT(HiveParser.TOK_PRIV_INSERT, "Insert"), - DELETE(HiveParser.TOK_PRIV_DELETE, "Delete"), - UNKNOWN(null, null); + ALL("All"), + ALTER_DATA("Update"), + ALTER_METADATA("Alter"), + CREATE("Create"), + DROP("Drop"), + INDEX("Index"), + LOCK("Lock"), + SELECT("Select"), + SHOW_DATABASE("Show_Database"), + INSERT("Insert"), + DELETE("Delete"), + UNKNOWN(null); private final String name; - private final Integer token; - PrivilegeType(Integer token, String name){ + PrivilegeType(String name){ this.name = name; - this.token = token; } @Override 
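Review bot: With the token removed from the enum, nothing in `PrivilegeType` tells a maintainer that a new constant also needs an entry in the parser-side table (`PriviligeTypeLookup` in HiveAuthorizationTaskFactoryImpl.java). Without that entry, the new privilege's token would resolve to `UNKNOWN` and presumably be rejected as undefined. A comment above the constants would cover it, for example `// Parser tokens are mapped to these constants in HiveAuthorizationTaskFactoryImpl.PriviligeTypeLookup; add new constants there too.` The enum body continues past the end of this hunk.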
@@ -54,38 +50,9 @@ public String toString(){ return name == null ? "unkown" : name; } - public Integer getToken() { - return token; - } - - private static Map token2Type; private static Map name2Type; /** - * Do case lookup of PrivilegeType associated with this antlr token - * @param privilegeName - * @return corresponding PrivilegeType - */ - public static PrivilegeType getPrivTypeByToken(int token) { - populateToken2Type(); - PrivilegeType privType = token2Type.get(token); - if(privType != null){ - return privType; - } - return PrivilegeType.UNKNOWN; - } - - private static synchronized void populateToken2Type() { - if(token2Type != null){ - return; - } - token2Type = new HashMap(); - for(PrivilegeType privType : PrivilegeType.values()){ - token2Type.put(privType.getToken(), privType); - } - } - - /** * Do case insensitive lookup of PrivilegeType with this name * @param privilegeName * @return corresponding PrivilegeType diff --git ql/src/java/org/apache/hadoop/hive/ql/session/CreateTableAutomaticGrant.java ql/src/java/org/apache/hadoop/hive/ql/session/CreateTableAutomaticGrant.java index 3ade2c7..b9d900a 100644 --- ql/src/java/org/apache/hadoop/hive/ql/session/CreateTableAutomaticGrant.java +++ ql/src/java/org/apache/hadoop/hive/ql/session/CreateTableAutomaticGrant.java @@ -29,6 +29,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; public class CreateTableAutomaticGrant { private Map> userGrants; 
@@ -105,7 +106,7 @@ private static void validatePrivilege(String ownerGrantsInConfig) String[] ownerGrantArray = ownerGrantsInConfig.split(","); // verify the config for (String ownerGrant : ownerGrantArray) { - Privilege prive = PrivilegeRegistry.getPrivilege(ownerGrant); + Privilege prive = SessionState.lookupPrivilegType(PrivilegeType.getPrivTypeByName(ownerGrant)); if (prive == null) { throw new HiveException("Privilege " + ownerGrant + " is not found."); } diff --git ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java index ffce1d1..bfef255 100644 --- ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java +++ ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java @@ -76,6 +76,9 @@ import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; import org.apache.hadoop.hive.ql.security.authorization.plugin.AuthorizationMetaStoreFilterHook; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; @@ -1808,6 +1811,10 @@ public ProgressMonitor getProgressMonitor() { return progressMonitor; } + public static Privilege lookupPrivilegType(PrivilegeType privilegeType) { + return PrivilegeRegistry.getPrivilege(SessionState.get().isAuthorizationModeV2(),privilegeType); + } + } class ResourceMaps {
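Review bot: In SessionState.java, the new `lookupPrivilegType` dereferences `SessionState.get()` without a null check. If `get()` can return null on a thread with no session attached, which this hunk does not show, the call fails with a bare NullPointerException instead of an error naming the missing session. It is also a new public static method with a misspelled name and no Javadoc. Renaming it to `lookupPrivilegeType` is cheap now, because both callers (`analyzePrivilegeListDef` and `validatePrivilege`) are changed in this same patch. A one-line Javadoc should say that it resolves the type against the registry for the current session's authorization mode and returns null when there is no entry.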