org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessControllerWrapper Maven / Gradle / Ivy
The newest version!
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
import java.util.List;
import java.util.ListIterator;
import org.apache.hadoop.classification.InterfaceAudience.Private;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
/**
* Wrapper for {@link SQLStdHiveAccessController} that does validation of
* arguments and then calls the real object. Doing the validation in this
* separate class, so that the chances of missing any validation is small.
*
* Validations/Conversions to be done
* 1. Call SQLAuthorizationUtils.getValidatedPrincipals on HivePrincipal to validate and
* update
* 2. Convert roleName to lower case
*
*/
@Private
public class SQLStdHiveAccessControllerWrapper implements HiveAccessController {
private final SQLStdHiveAccessController hiveAccessController;
public SQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
throws HiveAuthzPluginException {
this.hiveAccessController = new SQLStdHiveAccessController(metastoreClientFactory, conf,
authenticator, ctx);
}
@Override
public void grantPrivileges(List hivePrincipals,
List hivePrivileges, HivePrivilegeObject hivePrivObject,
HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
HiveAccessControlException {
// validate principals
hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);
hiveAccessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
grantorPrincipal, grantOption);
}
@Override
public void revokePrivileges(List hivePrincipals,
List hivePrivileges, HivePrivilegeObject hivePrivObject,
HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
HiveAccessControlException {
// validate principals
hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);
hiveAccessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
grantorPrincipal, grantOption);
}
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
throws HiveAuthzPluginException, HiveAccessControlException {
// validate principals
roleName = roleName.toLowerCase();
adminGrantor = SQLAuthorizationUtils.getValidatedPrincipal(adminGrantor);
hiveAccessController.createRole(roleName, adminGrantor);
}
@Override
public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
// lower case roleName
roleName = roleName.toLowerCase();
hiveAccessController.dropRole(roleName);
}
@Override
public void grantRole(List hivePrincipals, List roles,
boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
HiveAccessControlException {
// validate principals
hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
roles = getLowerCaseRoleNames(roles);
grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);
hiveAccessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
}
@Override
public void revokeRole(List hivePrincipals, List roles,
boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
HiveAccessControlException {
// validate
hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
roles = getLowerCaseRoleNames(roles);
grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);
hiveAccessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
}
@Override
public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
return hiveAccessController.getAllRoles();
}
@Override
public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
throws HiveAuthzPluginException, HiveAccessControlException {
// validate
principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);
return hiveAccessController.showPrivileges(principal, privObj);
}
@Override
public void setCurrentRole(String roleName) throws HiveAuthzPluginException,
HiveAccessControlException {
// validate
roleName = roleName.toLowerCase();
hiveAccessController.setCurrentRole(roleName);
}
@Override
public List getCurrentRoleNames() throws HiveAuthzPluginException {
return hiveAccessController.getCurrentRoleNames();
}
@Override
public List getPrincipalGrantInfoForRole(String roleName)
throws HiveAuthzPluginException, HiveAccessControlException {
// validate
roleName = roleName.toLowerCase();
return hiveAccessController.getPrincipalGrantInfoForRole(roleName);
}
@Override
public List getRoleGrantInfoForPrincipal(HivePrincipal principal)
throws HiveAuthzPluginException, HiveAccessControlException {
// validate
principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);
return hiveAccessController.getRoleGrantInfoForPrincipal(principal);
}
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
hiveAccessController.applyAuthorizationConfigPolicy(hiveConf);
}
public boolean isUserAdmin() throws HiveAuthzPluginException {
return hiveAccessController.isUserAdmin();
}
private List getLowerCaseRoleNames(List roles) {
ListIterator roleIter = roles.listIterator();
while (roleIter.hasNext()) {
roleIter.set(roleIter.next().toLowerCase());
}
return roles;
}
}