diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
index 4441934c2b..29d988e5fe 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
@@ -17,7 +17,6 @@
 */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
-
 /**
 * Abstract class that extends HiveAuthorizer. This will help to shield
 * Hive authorization implementations from some of the changes to HiveAuthorizer
@@ -38,4 +37,16 @@ public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveA
 return null;
 }
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer#
+ * getHivePolicyProvider()
+ */
+ @Override
+ public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
+ return null;
+ }
+
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
index 9783c564d1..b69d6e804c 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
@@ -275,5 +275,9 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp
 */
 public boolean needTransform();
+ /**
+ * @return HivePolicyProvider instance (expected to be a singleton)
+ * @throws HiveAuthzPluginException
+ */
+ public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException;
 }
-
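Review bot: The default `getHivePolicyProvider()` added to AbstractHiveAuthorizer returns `null`, but neither this hunk nor the interface Javadoc added in HiveAuthorizer.java (which promises an "instance") tells callers that null is a legal result. A consumer that dereferences it will fail, and one that reads null as "no policy applies" could fail open, so the contract should state what null means. I would replace the `(non-Javadoc)` block with `/** Default for plugins that do not expose policy data: returns null, which callers must treat as "policy information unavailable", never as "no restrictions". */` and mirror that wording in the interface's `@return`. The callers are not visible in this diff, so the fail-open risk is inferred rather than observed.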
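Review bot: `getHivePolicyProvider()` is added to the HiveAuthorizer interface without a default body, so an authorizer that implements the interface directly instead of extending AbstractHiveAuthorizer will stop compiling, and one built against the old interface would presumably fail when the method is first called. If that break is intended, the Javadoc should say so and point implementers at AbstractHiveAuthorizer, whose class comment describes it as the shield against such changes. The bare `@throws HiveAuthzPluginException` tag also needs a condition; something like `@throws HiveAuthzPluginException if the plugin cannot supply its policy provider` would do, with the exact condition confirmed by the author. The interface declaration starts outside the hunk, so any stability annotation on the type is not visible here.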
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
new file mode 100644
index 0000000000..e75776c690
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.List;
+
+/**
+ * This would be implemented by a class that needs to be notified when there is
+ * a policy change
+ */
+public interface HivePolicyChangeListener {
+ /**
+ * @param hpo
+ * List of Objects whose privileges have changed. If undetermined,
+ * null can be returned (implies that it should be treated as if all object
+ * policies might have changed).
+ */
+ void notifyPolicyChange(List hpo);
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
new file mode 100644
index 0000000000..c2494930c8
--- /dev/null
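Review bot: The `@param hpo` text on `notifyPolicyChange` in HivePolicyChangeListener.java says null "can be returned", but `hpo` is an argument, so it should read "passed". The null case is also the one a caching listener must get right. A listener that ignores a null list could keep serving stale ACLs after a revoke, so the contract should make invalidation mandatory: `@param hpo objects whose privileges changed; null means the set is unknown and the listener must treat every object's policy as changed`. It would also help to state which thread invokes the callback and whether the listener may block in it, since nothing in the file says so.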
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins
+ */
+public interface HivePolicyProvider {
+ /**
+ * @param hiveObject
+ * @return representation of user/group to permissions mapping.
+ */
+ public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+ /**
+ * @param listener
+ */
+ public void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 0000000000..8be613fc75
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
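Review bot: `getResourceACLs` in HivePolicyProvider.java does not say what a provider returns for an object it has no policy for, and both `@param` tags in the file are empty. The result is a user/group-to-permission mapping that a consumer will presumably use to make or cache access decisions, so the Javadoc has to settle whether that case yields null, an empty HiveResourceACLs, or an exception. One possible wording, to be confirmed against the intended contract: `@return ACLs for hiveObject; an empty mapping (never null) when no policy covers it, which consumers must read as no access granted`. `registerHivePolicyChangeListener` should likewise state whether several listeners may be registered and whether registration is safe from multiple threads.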
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.Map;
+
+public interface HiveResourceACLs {
+ enum Privilege {
+ SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+ };
+
+ enum AccessResult {
+ ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+ };
+
+ /**
+ * @return Returns mapping of user name to privilege-access result pairs
+ */
+ public Map> getUserPermissions();
+
+ /**
+ * @return Returns mapping of group name to privilege-access result pairs
+ */
+ public Map> getGroupPermissions();
+
+}
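Review bot: `AccessResult.CONDITIONAL_ALLOWED` is introduced with no documentation of what the condition is or how a consumer should act on it, and the interface and both enums carry no Javadoc at all. A consumer that folds CONDITIONAL_ALLOWED into ALLOWED could grant more than the policy intends, so each constant needs a one-line comment, for instance `/** Access depends on a condition this API does not expose; treat as NOT_ALLOWED unless the condition can be evaluated. */` (wording to be confirmed by the author). The two getters should also say how a privilege that is missing from the inner map is to be read. As a style point, the stray `;` after each enum body can be dropped.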