diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java index 4441934c2b..29d988e5fe 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java @@ -17,7 +17,6 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin; - /** * Abstract class that extends HiveAuthorizer. This will help to shield * Hive authorization implementations from some of the changes to HiveAuthorizer @@ -38,4 +37,16 @@ public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveA return null; } + /* + * (non-Javadoc) + * + * @see + * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer# + * getHivePolicyProvider() + */ + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 9783c564d1..a4079b892e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -263,7 +263,7 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp * * @throws SemanticException */ - public List applyRowFilterAndColumnMasking(HiveAuthzContext context, + List applyRowFilterAndColumnMasking(HiveAuthzContext context, List privObjs) throws SemanticException; /** 
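Review bot: The default `getHivePolicyProvider()` added to AbstractHiveAuthorizer returns `null`, but the Javadoc for the same method in HiveAuthorizer (the `@@ -273,7 +273,11 @@` hunk) promises a "HivePolicyProvider instance" and never mentions null. Callers are left to guess what null means, and a consumer that reads it as "no restrictions" would fail open. I would state the contract on the interface, e.g. `@return the plugin's HivePolicyProvider, or null if the plugin does not expose its policies; callers must null-check and must not treat null as a grant`. The `(non-Javadoc)` block here could become a one-line comment saying the base class exposes no policies. The class body starts outside this hunk.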
@@ -273,7 +273,11 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp * @return * @throws SemanticException */ - public boolean needTransform(); + boolean needTransform(); + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } - diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java new file mode 100644 index 0000000000..577f609f40 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java 
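Review bot: `getHivePolicyProvider()` is added to the HiveAuthorizer interface as an abstract method, so an authorization plugin that implements HiveAuthorizer directly, rather than extending AbstractHiveAuthorizer, will no longer compile against this version. If the build targets a Java level with default methods, `default HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { return null; }` would keep such plugins working; otherwise the incompatibility should be called out for plugin authors. The `@throws HiveAuthzPluginException` tag also gives no condition under which it is thrown. The interface body starts outside this hunk.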
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.List;
+
+/**
+ * This would be implemented by a class that needs to be notified when there is
+ * a policy change.
+ */
+public interface HivePolicyChangeListener {
+ /**
+ * @param hpo
+ * List of Objects whose privileges have changed. If undetermined,
+ * null can be returned (implies that it should be treated as if all object
+ * policies might have changed).
+ */
+ void notifyPolicyChange(List hpo);
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
new file mode 100644
index 0000000000..a9d1bd5da9
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
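Review bot: In HivePolicyChangeListener, the `@param hpo` text on `notifyPolicyChange` says null "can be returned", but `hpo` is an argument, and the sentence never states outright that a listener must handle null. A listener that caches ACLs and skips the null case would keep serving stale permissions after a policy change. Suggested wording: `@param hpo objects whose privileges have changed; may be null when the set cannot be determined, in which case the listener must treat every object's policy as changed`. The element type of `List` is not visible in this rendering of the hunk; if the declaration really is a raw `List`, it should name the element type.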
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins.
+ */
+public interface HivePolicyProvider {
+ /**
+ * @param hiveObject
+ * @return representation of user/group to permissions mapping.
+ */
+ HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+ /**
+ * @param listener
+ */
+ void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 0000000000..53e221fe9c
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
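Review bot: Both methods of HivePolicyProvider carry empty `@param` tags, and `getResourceACLs` does not say what it returns for an object the plugin holds no policy for. Consumers that derive their own access decisions from this interface need that stated, so that "no answer" is never read as permission. Suggested wording: `@return ACLs for hiveObject; null if the plugin holds no policy for it, which callers must treat as no access granted` (or the equivalent for an empty result, whichever the implementations actually do). `registerHivePolicyChangeListener` should also document which thread invokes listeners, and the interface offers no way to remove a listener once registered.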
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.Map;
+
+/**
+ * Captures authorization policy information on a {@link HivePrivilegeObject}.
+ */
+public interface HiveResourceACLs {
+ /**
+ * Privilege types.
+ */
+ enum Privilege {
+ SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+ };
+
+ /**
+ * Privilege access result.
+ */
+ enum AccessResult {
+ ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+ };
+
+ /**
+ * @return Returns mapping of user name to privilege-access result pairs
+ */
+ Map> getUserPermissions();
+
+ /**
+ * @return Returns mapping of group name to privilege-access result pairs
+ */
+ Map> getGroupPermissions();
+
+}
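Review bot: In HiveResourceACLs, `AccessResult.CONDITIONAL_ALLOWED` and the two getters are undocumented exactly where a consumer has to make a security decision. Nothing says what the condition is, what a user, group or privilege missing from the map means, or which result wins when a user entry and a group entry disagree. I would add a comment per constant, e.g. `CONDITIONAL_ALLOWED: access depends on a condition this interface does not carry; callers must not treat it as ALLOWED`, and state on the getters that an absent entry means no grant is known. The exact meaning of the condition is not visible here and should be confirmed against the plugin implementations. Minor: the `;` after each enum body is redundant and `@return Returns` repeats itself.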