Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java (revision 9678eb09d9485c5fff0a42c7a40076944e7ffc78) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java (date 1588572851490) @@ -17,9 +17,13 @@ */ package org.apache.hadoop.hive.ql.security.authorization; +import java.util.Arrays; import java.util.Map; import java.util.concurrent.TimeUnit; + +import org.apache.commons.lang3.ArrayUtils; +import org.apache.commons.lang3.StringUtils; import org.apache.curator.framework.recipes.leader.LeaderLatch; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; @@ -56,8 +60,8 @@ private HiveConf hiveConf; private PolicyProviderContainer policyProviderContainer; - public PrivilegeSynchronizer(LeaderLatch privilegeSynchronizerLatch, - PolicyProviderContainer policyProviderContainer, HiveConf hiveConf) { + public PrivilegeSynchronizer(LeaderLatch privilegeSynchronizerLatch, PolicyProviderContainer policyProviderContainer, + HiveConf hiveConf) { this.hiveConf = new HiveConf(hiveConf); this.hiveConf.set(MetastoreConf.ConfVars.FILTER_HOOK.getVarname(), DefaultMetaStoreFilterHookImpl.class.getName()); try { 
@@ -75,9 +79,12 @@ PrivilegeBag privBag, HiveObjectType objectType, String dbName, String tblName, String columnName, PrincipalType principalType, String authorizer) { - for (Map.Entry> principalAcls - : principalAclsMap.entrySet()) { + for (Map.Entry> principalAcls : principalAclsMap + .entrySet()) { String principal = principalAcls.getKey(); + int[] columnPrivilegeBits = new int[] {0, 0, 0, 0, 0, 0, 0, 0, 0}; + int columnUpdateFlag = 0; + for (Map.Entry acl : principalAcls.getValue() .entrySet()) { if (acl.getValue() == HiveResourceACLs.AccessResult.ALLOWED) { 
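Review bot: `columnPrivilegeBits` is sized with a hard-coded nine-element literal here and, in the next hunk, indexed by `acl.getKey().ordinal()`, so both the array length and the meaning of each position depend on the declaration order of the privilege enum (presumably `HiveResourceACLs.Privilege`, the sibling of the `AccessResult` used on the same line). Adding or reordering enum constants would either throw `ArrayIndexOutOfBoundsException` in the COLUMN case or silently change which privilege a stored bit denotes, and because this string is what gets persisted as the column grant, the latter corrupts authorization data without any error. Size it from the enum, `int[] columnPrivilegeBits = new int[HiveResourceACLs.Privilege.values().length];`, and state the contract on that line: `// one slot per privilege, in enum declaration order; must match the split_map_privs decoder`. The enclosing method's signature starts before this hunk and its body continues in the next one.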
@@ -85,27 +92,42 @@ case DATABASE: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, null, null), principal, - principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); + principalType, + new PrivilegeGrantInfo(acl.getKey().toString(), (int) (System.currentTimeMillis() / 1000), GRANTOR, + PrincipalType.USER, false), authorizer)); break; case TABLE: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.TABLE, dbName, tblName, null, null), principal, - principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); + principalType, + new PrivilegeGrantInfo(acl.getKey().toString(), (int) (System.currentTimeMillis() / 1000), GRANTOR, + PrincipalType.USER, false), authorizer)); break; case COLUMN: - privBag.addToPrivileges( - new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName), - principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); + + int privilegeBit = acl.getKey().ordinal(); + columnPrivilegeBits[privilegeBit] = columnPrivilegeBits[privilegeBit] == 0 ? 
1:0; + columnUpdateFlag = 1; + break; default: throw new RuntimeException("Get unknown object type " + objectType); } } } + if(columnUpdateFlag == 1){ + String columnPrivilegeBitsString = StringUtils.join(Arrays.asList(ArrayUtils.toObject(columnPrivilegeBits)), " "); + privBag.addToPrivileges( + new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName), + principal, principalType, + new PrivilegeGrantInfo(columnPrivilegeBitsString, (int) (System.currentTimeMillis() / 1000), GRANTOR, + PrincipalType.USER, false), authorizer)); + + + columnUpdateFlag = 0; + } } + } private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String tblName) throws Exception { @@ -133,8 +155,8 @@ switch (type) { case DATABASE: - objectAcls = policyProvider - .getResourceACLs(new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null)); + objectAcls = + policyProvider.getResourceACLs(new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, dbName, null)); break; case TABLE: @@ -155,14 +177,13 @@ return; } - addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, - PrincipalType.USER, authorizer); - addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, - PrincipalType.GROUP, authorizer); + addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.USER, + authorizer); + addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.GROUP, + authorizer); } - @Override - public void run() { + @Override public void run() { while (true) { long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); try { 
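Review bot: In the COLUMN case the bit is toggled, `columnPrivilegeBits[privilegeBit] == 0 ? 1:0`, rather than set; since `acl` walks a map's entry set each privilege occurs once per principal so this happens to work, but a repeated key would clear an ALLOWED privilege and drop the grant, and the intent is membership — write `columnPrivilegeBits[privilegeBit] = 1;`. The int `columnUpdateFlag` reads better as `boolean columnUpdated`, with `if (columnUpdated) {` in place of `if(columnUpdateFlag == 1){`, and the trailing `columnUpdateFlag = 0;` is dead because the variable is declared per principal in the enclosing loop. The value written into the column `PrivilegeGrantInfo` changes from a privilege name to a space-separated `0`/`1` string, which nothing in this method documents; a comment at the `StringUtils.join` line such as `// column grant is stored encoded: one "0"/"1" per privilege, enum order, space-separated` would spare the next reader a trip to the schema UDF. This hunk continues the `addACLsToBag` body begun in the previous hunk.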
@@ -178,8 +199,8 @@ numDb++; HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); PrivilegeBag grantDatabaseBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, - dbName, null, null, authorizer); + addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, dbName, null, null, + authorizer); hiveClient.refresh_privileges(dbToRefresh, authorizer, grantDatabaseBag); LOG.debug("processing " + dbName); @@ -188,8 +209,8 @@ LOG.debug("processing " + dbName + "." + tblName); HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); PrivilegeBag grantTableBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, - dbName, tblName, null, authorizer); + addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, dbName, tblName, null, + authorizer); hiveClient.refresh_privileges(tableToRefresh, authorizer, grantTableBag); HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); @@ -198,12 +219,12 @@ try { tbl = hiveClient.getTable(dbName, tblName); for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, + fs.getName(), authorizer); } for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, + fs.getName(), authorizer); } hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); } catch (MetaException e) { 
@@ -212,7 +233,7 @@ } } LOG.info("Success synchronize privilege " + policyProvider.getClass().getName() + ":" + numDb + " databases, " - + numTbl + " tables"); + + numTbl + " tables"); } } catch (Exception e) { LOG.error("Error initializing PrivilegeSynchronizer: " + e.getMessage(), e); Index: metastore/scripts/upgrade/hive/hive-schema-4.0.0.hive.sql IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- metastore/scripts/upgrade/hive/hive-schema-4.0.0.hive.sql (revision 9678eb09d9485c5fff0a42c7a40076944e7ffc78) +++ metastore/scripts/upgrade/hive/hive-schema-4.0.0.hive.sql (date 1588062074358) @@ -1672,6 +1672,7 @@ JOIN `sys`.`TBLS` T ON (S.`SD_ID` = T.`SD_ID`) JOIN `sys`.`DBS` D ON (T.`DB_ID` = D.`DB_ID`) LEFT JOIN `sys`.`TBL_COL_PRIVS` P ON (T.`TBL_ID` = P.`TBL_ID`) + LEFT JOIN (SELECT * FROM `sys`.`TBL_COL_PRIVS` lateral view explode(split_map_privs(`TBL_COL_PRIVS`,' ')) `TBL_COL_PRIVS` AS `TBL_COL_PRIVS`) P WHERE NOT restrict_information_schema() OR P.`TBL_ID` IS NOT NULL AND C.`COLUMN_NAME` = P.`COLUMN_NAME` @@ -1700,7 +1701,8 @@ P.`TBL_COL_PRIV`, IF (P.`GRANT_OPTION` == 0, 'NO', 'YES') FROM - `sys`.`TBL_COL_PRIVS` P JOIN `sys`.`TBLS` T ON (P.`TBL_ID` = T.`TBL_ID`) + (SELECT * FROM `sys`.`TBL_COL_PRIVS` lateral view explode(split_map_privs(`TBL_COL_PRIV`,' ')) `TBL_COL_PRIV`) AS P + JOIN `sys`.`TBLS` T ON (P.`TBL_ID` = T.`TBL_ID`) JOIN `sys`.`DBS` D ON (T.`DB_ID` = D.`DB_ID`) JOIN `sys`.`SDS` S ON (S.`SD_ID` = T.`SD_ID`) LEFT JOIN `sys`.`TBL_PRIVS` P2 ON (P.`TBL_ID` = P2.`TBL_ID`)
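Review bot: The added ``LEFT JOIN (SELECT * FROM `sys`.`TBL_COL_PRIVS` lateral view explode(...)) P`` in the first schema hunk reuses the alias `P` that the preceding, unchanged ``LEFT JOIN `sys`.`TBL_COL_PRIVS` P ON (T.`TBL_ID` = P.`TBL_ID`)`` line already binds, and it carries no `ON` clause, so the view definition will not parse as written; presumably the derived table is meant to replace that line while keeping its join predicate. The split also reads the table name, ``split_map_privs(`TBL_COL_PRIVS`,' ')``, where the second hunk decodes the column ```TBL_COL_PRIV` ``, which looks like a typo that would fail at view creation. Note that `split_map_privs` is not defined anywhere in this diff, so its registration and its position-to-privilege order need to be checked against the Java encoder separately.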
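Review bot: In the second schema hunk the lateral view ``explode(split_map_privs(`TBL_COL_PRIV`,' ')) `TBL_COL_PRIV` `` gives only a table alias and no `AS` column alias, so the exploded values surface under Hive's default column name while the unchanged ``P.`TBL_COL_PRIV` `` in the select list still resolves to the table's own column — the raw encoded string — unless Hive resolves the alias differently than I expect; please confirm. Using a distinct column alias and projecting it removes the ambiguity, e.g. ``... `PRIV_LV` AS `PRIV_NAME`) AS P`` together with ``P.`PRIV_NAME`,`` in the select list, and would also make this hunk consistent with the `AS` form used in the first one. Because this view is what information_schema exposes for column grants, a wrong projection misreports privileges rather than failing loudly.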