diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
index e2bd38b4e1..2e4eb9c447 100644 
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
@@ -794,6 +794,9 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal
 METASTORE_EVENT_DB_LISTENER_TTL("hive.metastore.event.db.listener.timetolive", "86400s",
 new TimeValidator(TimeUnit.SECONDS),
 "time after which events will be removed from the database listener queue"), 
+ METASTORE_EVENT_DB_NOTIFICATION_API_AUTH("hive.metastore.event.db.notification.api.auth", true, 
+ "Should metastore do authorization against database notification related APIs such as get_next_notification.\n" + 
+ "If set to true, then only the superusers in proxy settings have the permission"),
 METASTORE_AUTHORIZATION_STORAGE_AUTH_CHECKS("hive.metastore.authorization.storage.checks", false,
 "Should the metastore do authorization checks against the underlying storage (usually hdfs) \n" +
 "for operations like drop-partition (disallow the drop-partition if the user in\n" + 
diff --git a/itests/hcatalog-unit/src/test/java/org/apache/hive/hcatalog/listener/TestDbNotificationListener.java b/itests/hcatalog-unit/src/test/java/org/apache/hive/hcatalog/listener/TestDbNotificationListener.java 
index c36b632fd1..5da2286070 100644 
--- a/itests/hcatalog-unit/src/test/java/org/apache/hive/hcatalog/listener/TestDbNotificationListener.java 
+++ b/itests/hcatalog-unit/src/test/java/org/apache/hive/hcatalog/listener/TestDbNotificationListener.java 
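Review bot: The description of METASTORE_EVENT_DB_NOTIFICATION_API_AUTH says "only the superusers in proxy settings have the permission", but the check this property gates (hasPermissionForDbNotificationCalls in the MetaStoreUtils hunk) consults only the caller's `hadoop.proxyuser.<user>.hosts` entry against the client address, so an operator reading this text cannot tell which property to configure. Naming it would make the setting actionable, e.g. `"If set to true, only users whose hadoop.proxyuser.<user>.hosts entry covers the client address may call them"`. Because the default is true, existing deployments whose notification consumers have no such entry will start receiving errors after upgrade; the description (or the release note) should say so explicitly.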
@@ -96,8 +96,10 @@
 import org.apache.hadoop.hive.metastore.messaging.MessageFactory;
 import org.apache.hadoop.hive.ql.Driver;
 import org.apache.hadoop.hive.ql.session.SessionState; 
+import org.apache.hadoop.hive.shims.Utils;
 import org.apache.hive.hcatalog.api.repl.ReplicationV1CompatRule;
 import org.apache.hive.hcatalog.data.Pair; 
+import org.apache.thrift.TException;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass; 
@@ -117,9 +119,12 @@
 private static final int EVENTS_TTL = 30;
 private static final int CLEANUP_SLEEP_TIME = 10;
 private static Map emptyParameters = new HashMap(); 
+ private static HiveConf conf;
 private static IMetaStoreClient msClient;
 private static Driver driver;
 private static MessageDeserializer md = null; 
+ private static String proxySettingName = null; 
+
 private int startTime;
 private long firstEventId; 
@@ -232,7 +237,7 @@ public void onInsert(InsertEvent insertEvent) throws MetaException {
 @SuppressWarnings("rawtypes")
 @BeforeClass
 public static void connectToMetastore() throws Exception { 
- HiveConf conf = new HiveConf(); 
+ conf = new HiveConf();
 conf.setVar(HiveConf.ConfVars.METASTORE_TRANSACTIONAL_EVENT_LISTENERS,
 DbNotificationListener.class.getName());
 conf.setVar(HiveConf.ConfVars.METASTORE_EVENT_LISTENERS, MockMetaStoreEventListener.class.getName()); 
@@ -253,6 +258,10 @@ public static void connectToMetastore() throws Exception {
 }
 conf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER,
 "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory"); 
+
+ proxySettingName = "hadoop.proxyuser." + Utils.getUGI().getShortUserName() + ".hosts"; 
+ conf.set(proxySettingName, "*"); 
+
 SessionState.start(new CliSessionState(conf));
 msClient = new HiveMetaStoreClient(conf);
 driver = new Driver(conf); 
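Review bot: The wildcard proxy-hosts entry written in connectToMetastore (`conf.set(proxySettingName, "*")`) carries no comment saying why a listener test now grants the current user a proxy entry, and the link to the new metastore check is only discoverable by reading HiveMetaStore; a line such as `// The notification APIs are authorized against hadoop.proxyuser.<user>.hosts; grant the test user every host` would make the setup self-explanatory. The `conf` field that the second hunk makes static is mutated by testAuthForNotificationAPIs and restored in its finally block, which is worth stating on the field, e.g. `// shared by all tests; testAuthForNotificationAPIs mutates and restores it`. connectToMetastore continues outside the hunk, so I cannot see whether anything else depends on `conf` being local.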
@@ -1575,4 +1584,38 @@ public void cleanupNotifs() throws Exception {
 LOG.info("second trigger done");
 assertEquals(0, rsp2.getEventsSize());
 } 
+
+ @Test(expected = TException.class) 
+ public void testAuthForNotificationAPIs() throws Exception { 
+ // Setup 
+ String dbName = "testAuthForNotificationAPIs"; 
+ driver.run("create database " + dbName); 
+ // Test the getNextNotification API 
+ try { 
+ NotificationEventResponse rsp = msClient.getNextNotification(firstEventId, 0, null); 
+ assertEquals(1, rsp.getEventsSize()); 
+ // Remove the proxy privilege 
+ conf.unset(proxySettingName); 
+ // Disable auth so it should still work 
+ conf.setBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH, false); 
+ msClient.close(); 
+ msClient = new HiveMetaStoreClient(conf); 
+ rsp = msClient.getNextNotification(firstEventId, 0, null); 
+ assertEquals(1, rsp.getEventsSize()); 
+ // Turn auth back on, which should fail 
+ conf.setBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH, true); 
+ msClient.close(); 
+ msClient = new HiveMetaStoreClient(conf); 
+ rsp = msClient.getNextNotification(firstEventId, 0, null); 
+ } catch (Exception ex) { 
+ throw ex; 
+ } finally { 
+ conf.setBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH, true); 
+ conf.set(proxySettingName, "*"); 
+ msClient.close(); 
+ msClient = new HiveMetaStoreClient(conf); 
+ driver.close(); 
+ driver = new Driver(conf); 
+ } 
+ }
 } 
diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
index d5de4f2c7b..316b67e5dc 100644 
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java 
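Review bot: `@Test(expected = TException.class)` accepts a TException thrown anywhere in the method, so a connection or metastore failure on the first `getNextNotification` call — made while the proxy entry is still in place and supposed to succeed — would also pass the test, and the `catch (Exception ex) { throw ex; }` block adds nothing. Asserting the denial only on the final call pins the behaviour the test is named for; `fail` is the org.junit.Assert method, and the `expected` attribute is then dropped. The database created by `driver.run("create database " + dbName)` is never dropped, so a `drop database` in the finally block would keep the test from leaving state behind for the next one.
```java
// … unchanged: setup, first two getNextNotification checks …
conf.setBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH, true);
msClient.close();
msClient = new HiveMetaStoreClient(conf);
try {
  msClient.getNextNotification(firstEventId, 0, null);
  fail("get_next_notification should be rejected once auth is on and the proxy entry is gone");
} catch (TException expected) {
  // denied as intended
}
// … unchanged: finally block restoring conf, msClient and driver …
```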
@@ -7055,12 +7055,28 @@ private Table getTable(String dbName, String tableName)
 @Override
 public NotificationEventResponse get_next_notification(NotificationEventRequest rqst)
 throws TException { 
+ try { 
+ authorizeProxyPrivilege(); 
+ } catch (Exception ex) { 
+ LOG.error("Not authorized to make the get_next_notification call. You can try to disable " + 
+ HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH.varname, ex); 
+ throw new TException(ex); 
+ } 
+
 RawStore ms = getMS();
 return ms.getNextNotification(rqst);
 }
 @Override
 public CurrentNotificationEventId get_current_notificationEventId() throws TException { 
+ try { 
+ authorizeProxyPrivilege(); 
+ } catch (Exception ex) { 
+ LOG.error("Not authorized to make the get_current_notificationEventId call. You can try to disable " + 
+ HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH.varname, ex); 
+ throw new TException(ex); 
+ } 
+
 RawStore ms = getMS();
 return ms.getCurrentNotificationEventId();
 } 
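Review bot: The same try/catch around authorizeProxyPrivilege is pasted into get_next_notification and get_current_notificationEventId here and into get_notification_events_count in the next hunk, differing only in the API name inside the log message; a helper such as `private void checkNotificationApiAccess(String apiName) throws TException` that calls authorizeProxyPrivilege, logs once with the name and rethrows would leave one line per call site. As written a denied call is logged twice (authorizeProxyPrivilege logs the same exception before rethrowing), and the ERROR text tells the operator to disable the check rather than to add the caller to `hadoop.proxyuser.<user>.hosts`, which is the remediation that keeps authorization on. A denial is an expected outcome rather than a fault, so WARN with the user and the API name gives a usable audit line without two stack traces per rejected request. `new TException(ex)` also discards the typed MetaException; if the Thrift IDL declares MetaException for these calls (not visible from this hunk), rethrowing it unwrapped would let clients tell "not authorized" from an internal error.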
@@ -7068,10 +7084,35 @@ public CurrentNotificationEventId get_current_notificationEventId() throws TExce
 @Override
 public NotificationEventsCountResponse get_notification_events_count(NotificationEventsCountRequest rqst)
 throws TException { 
+ try { 
+ authorizeProxyPrivilege(); 
+ } catch (Exception ex) { 
+ LOG.error("Not authorized to make the get_notification_events_count call. You can try to disable " + 
+ HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH.varname, ex); 
+ throw new TException(ex); 
+ } 
+
 RawStore ms = getMS();
 return ms.getNotificationEventsCount(rqst);
 } 
+ private void authorizeProxyPrivilege() throws Exception 
+ { 
+ if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH)) { 
+ return; 
+ } 
+ try { 
+ String user = Utils.getUGI().getShortUserName(); 
+ if (!MetaStoreUtils.hasPermissionForDbNotificationCalls(user, hiveConf, getIPAddress())) 
+ { 
+ throw new MetaException("User " + user + " is not allowed to perform this API call"); 
+ } 
+ } catch (Exception ex) { 
+ LOG.error("Cannot obtain username", ex); 
+ throw ex; 
+ } 
+ } 
+
 @Override
 public FireEventResponse fire_listener_event(FireEventRequest rqst) throws TException {
 switch (rqst.getData().getSetField()) { 
diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java b/metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
index b51446d5c6..e4e5ae37b1 100644 
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java 
@@ -31,6 +31,7 @@
 import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Arrays; 
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator; 
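Review bot: In authorizeProxyPrivilege the catch block covers both the UGI lookup and the permission check, so the MetaException thrown for a denied user is logged as "Cannot obtain username" — the common case gets a misleading message and the actual reason is only visible in the attached stack trace. Narrowing the try to the `Utils.getUGI().getShortUserName()` call keeps that message on the lookup failure it describes, and since the API methods in the previous hunk already log the rejection, the denial path needs no second log line. The opening brace on its own line and the brace-on-own-line after the `if` also differ from the rest of this file's K&R layout. The MetaStoreUtils import hunk below is trivial.
```java
private void authorizeProxyPrivilege() throws Exception {
  if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_EVENT_DB_NOTIFICATION_API_AUTH)) {
    return;
  }
  String user;
  try {
    user = Utils.getUGI().getShortUserName();
  } catch (Exception ex) {
    LOG.error("Cannot obtain username", ex);
    throw ex;
  }
  // A denied caller is reported by the calling API method; no second log line here.
  if (!MetaStoreUtils.hasPermissionForDbNotificationCalls(user, hiveConf, getIPAddress())) {
    throw new MetaException("User " + user + " is not allowed to perform this API call");
  }
}
```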
@@ -106,6 +107,9 @@
 import org.apache.hadoop.hive.serde2.typeinfo.TypeInfo;
 import org.apache.hadoop.hive.serde2.typeinfo.TypeInfoUtils;
 import org.apache.hadoop.security.SaslRpcServer; 
+import org.apache.hadoop.security.authorize.DefaultImpersonationProvider; 
+import org.apache.hadoop.security.authorize.ProxyUsers; 
+import org.apache.hadoop.util.MachineList;
 import org.apache.hive.common.util.HiveStringUtils;
 import org.apache.hive.common.util.ReflectionUtil; 
@@ -1974,4 +1978,22 @@ public ColumnStatisticsObj call() throws Exception {
 public static double decimalToDouble(Decimal decimal) {
 return new BigDecimal(new BigInteger(decimal.getUnscaled()), decimal.getScale()).doubleValue();
 } 
+
+ /** 
+ * Verify if the user is allowed to make DB notification related calls. 
+ * Only the superusers defined in the Hadoop proxy user settings have the permission. 
+ * 
+ * @param user the short user name 
+ * @param config that contains the proxy user settings 
+ * @return if the user has the permission 
+ */ 
+ public static boolean hasPermissionForDbNotificationCalls(String user, Configuration conf, String ipAddress) { 
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf); 
+ DefaultImpersonationProvider sip = ProxyUsers.getDefaultImpersonationProvider(); 
+ Map> proxyHosts = sip.getProxyHosts(); 
+ Collection hostEntries = proxyHosts.get(sip.getProxySuperuserIpConfKey(user)); 
+ MachineList machineList = new MachineList(hostEntries); 
+ ipAddress = (ipAddress == null) ? StringUtils.EMPTY : ipAddress; 
+ return machineList.includes(ipAddress); 
+ }
 }
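Review bot: hasPermissionForDbNotificationCalls silently maps a null ipAddress to the empty string before `machineList.includes(ipAddress)`, so a caller whose address could not be determined is not denied but evaluated as address "" — what MachineList makes of that is not visible here (if it resolves the string through InetAddress, an empty host name denotes the loopback interface), so the null case deserves an explicit decision and a comment such as `// null address (no remote client): decide explicitly whether only a wildcard hosts entry admits it — TODO confirm MachineList semantics`. The Javadoc names a parameter `config` that does not exist (the parameter is `conf`) and omits `@param ipAddress the client address matched against the user's hadoop.proxyuser.<user>.hosts entry`. `ProxyUsers.refreshSuperUserGroupsConfiguration(conf)` also reloads the process-wide proxy-user table on every notification call from a request thread; if the intent is only to pick up configuration changes, refreshing once at startup (or on a timer) keeps the per-call path cheap and avoids mutating global state per request.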