• Home
• org.apache.hive
• hive-exec
• 1.2.1
• source code
• SQLStdHiveAccessControllerWrapper.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessControllerWrapper Maven / Gradle / Ivy

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;

import java.util.List;
import java.util.ListIterator;

import org.apache.hadoop.classification.InterfaceAudience.Private;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;

/**
 * Wrapper for {@link SQLStdHiveAccessController} that does validation of
 * arguments and then calls the real object. Doing the validation in this
 * separate class, so that the chances of missing any validation is small.
 *
 * Validations/Conversions to be done
 * 1. Call SQLAuthorizationUtils.getValidatedPrincipals on HivePrincipal to validate and
 * update
 * 2. Convert roleName to lower case
 *
 */

@Private
public class SQLStdHiveAccessControllerWrapper implements HiveAccessController {

  private final SQLStdHiveAccessController hiveAccessController;

  public SQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
      HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
      throws HiveAuthzPluginException {
    this.hiveAccessController = new SQLStdHiveAccessController(metastoreClientFactory, conf,
        authenticator, ctx);
  }

  @Override
  public void grantPrivileges(List hivePrincipals,
      List hivePrivileges, HivePrivilegeObject hivePrivObject,
      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
      HiveAccessControlException {
    // validate principals
    hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
    grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);

    hiveAccessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
        grantorPrincipal, grantOption);

  }

  @Override
  public void revokePrivileges(List hivePrincipals,
      List hivePrivileges, HivePrivilegeObject hivePrivObject,
      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
      HiveAccessControlException {
    // validate principals
    hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
    grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);

    hiveAccessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
        grantorPrincipal, grantOption);
  }

  @Override
  public void createRole(String roleName, HivePrincipal adminGrantor)
      throws HiveAuthzPluginException, HiveAccessControlException {
    // validate principals
    roleName = roleName.toLowerCase();
    adminGrantor = SQLAuthorizationUtils.getValidatedPrincipal(adminGrantor);

    hiveAccessController.createRole(roleName, adminGrantor);
  }

  @Override
  public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    // lower case roleName
    roleName = roleName.toLowerCase();

    hiveAccessController.dropRole(roleName);
  }

  @Override
  public void grantRole(List hivePrincipals, List roles,
      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
      HiveAccessControlException {
    // validate principals
    hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
    roles = getLowerCaseRoleNames(roles);
    grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);

    hiveAccessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
  }

  @Override
  public void revokeRole(List hivePrincipals, List roles,
      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
      HiveAccessControlException {
    // validate
    hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
    roles = getLowerCaseRoleNames(roles);
    grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);

    hiveAccessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
  }

  @Override
  public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
    return hiveAccessController.getAllRoles();
  }

  @Override
  public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
      throws HiveAuthzPluginException, HiveAccessControlException {
    // validate
    principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);

    return hiveAccessController.showPrivileges(principal, privObj);
  }

  @Override
  public void setCurrentRole(String roleName) throws HiveAuthzPluginException,
      HiveAccessControlException {
    // validate
    roleName = roleName.toLowerCase();

    hiveAccessController.setCurrentRole(roleName);
  }

  @Override
  public List getCurrentRoleNames() throws HiveAuthzPluginException {
    return hiveAccessController.getCurrentRoleNames();
  }

  @Override
  public List getPrincipalGrantInfoForRole(String roleName)
      throws HiveAuthzPluginException, HiveAccessControlException {
    // validate
    roleName = roleName.toLowerCase();

    return hiveAccessController.getPrincipalGrantInfoForRole(roleName);
  }

  @Override
  public List getRoleGrantInfoForPrincipal(HivePrincipal principal)
      throws HiveAuthzPluginException, HiveAccessControlException {
    // validate
    principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);

    return hiveAccessController.getRoleGrantInfoForPrincipal(principal);
  }

  @Override
  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
    hiveAccessController.applyAuthorizationConfigPolicy(hiveConf);
  }

  public boolean isUserAdmin() throws HiveAuthzPluginException {
    return hiveAccessController.isUserAdmin();
  }

  private List getLowerCaseRoleNames(List roles) {
    ListIterator roleIter = roles.listIterator();
    while (roleIter.hasNext()) {
      roleIter.set(roleIter.next().toLowerCase());
    }
    return roles;
  }

}