diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 5bdcac8..929feb6 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -3018,6 +3018,8 @@ private static void populateLlapDaemonVarsSet(Set llapDaemonVarsSetLocal HIVE_SSL_PROTOCOL_BLACKLIST("hive.ssl.protocol.blacklist", "SSLv2,SSLv3", "SSL Versions to disable for all Hive Servers"), + HIVE_PRIVILEGE_SYNCHRONIZER("hive.privilege.synchronizer", true, + "Whether to synchronize privileges from external authorizer periodically in HS2"), HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL("hive.privilege.synchronizer.interval", "1800s", new TimeValidator(TimeUnit.SECONDS), "Interval to synchronize privileges from external authorizer periodically in HS2"), diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java index 9ce665f..61e3cec 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java @@ -33,6 +33,7 @@ import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.metastore.api.MetaException; import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; @@ -193,16 +194,21 @@ public void run() { HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); PrivilegeBag grantColumnBag = new PrivilegeBag(); - Table tbl = hiveClient.getTable(dbName, tblName); - for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); + Table tbl = null; + try { + tbl = hiveClient.getTable(dbName, tblName); + for (FieldSchema fs : tbl.getPartitionKeys()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + for (FieldSchema fs : tbl.getSd().getCols()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); + } catch (MetaException e) { + LOG.debug("Unable to synchronize " + tblName + ":" + e.getMessage()); } - for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); - } - hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); } } LOG.info("Success synchronize privilege " + policyProvider.getClass().getName() + ":" + numDb + " databases, " diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java index 1f6a097..c4d110e 100644 --- a/service/src/java/org/apache/hive/service/server/HiveServer2.java +++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java @@ -986,15 +986,18 @@ public static void scheduleClearDanglingScratchDir(HiveConf hiveConf, int initia public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { + if (!HiveConf.getBoolVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { + return; + } PolicyProviderContainer policyContainer = new PolicyProviderContainer(); HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); if (authorizer.getHivePolicyProvider() != null) { policyContainer.addAuthorizer(authorizer); } - if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) != null && - hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).contains( "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") && - hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= null) { + MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)!= null) { List providers = HiveUtils.getMetaStoreAuthorizeProviderManagers( hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, SessionState.get().getAuthenticator()); for (HiveMetastoreAuthorizationProvider provider : providers) {