Author: rhbutani
Date: Fri Mar 14 21:33:48 2014
New Revision: 1577731
URL: http://svn.apache.org/r1577731
Log:
HIVE-6392 : Hive (and HCatalog) don't allow super-users to add partitions to
tables. (Mithun Radhakrishnan via Thejas Nair)
Modified:
hive/branches/branch-0.13/hcatalog/core/pom.xml
hive/branches/branch-0.13/hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
Modified: hive/branches/branch-0.13/hcatalog/core/pom.xml
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/hcatalog/core/pom.xml?rev=1577731&r1=1577730&r2=1577731&view=diff
==============================================================================
--- hive/branches/branch-0.13/hcatalog/core/pom.xml (original)
+++ hive/branches/branch-0.13/hcatalog/core/pom.xml Fri Mar 14 21:33:48 2014
@@ -125,6 +125,11 @@
<artifactId>hadoop-mapreduce-client-core</artifactId>
<version>${hadoop-23.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-hdfs</artifactId>
+ <version>${hadoop-23.version}</version>
+ </dependency>
<!-- test -->
<dependency>
<groupId>com.sun.jersey</groupId>
@@ -143,12 +148,6 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-hdfs</artifactId>
<version>${hadoop-23.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-hdfs</artifactId>
- <version>${hadoop-23.version}</version>
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
Modified:
hive/branches/branch-0.13/hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java?rev=1577731&r1=1577730&r2=1577731&view=diff
==============================================================================
---
hive/branches/branch-0.13/hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java
(original)
+++
hive/branches/branch-0.13/hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java
Fri Mar 14 21:33:48 2014
@@ -23,6 +23,7 @@ import static org.apache.hadoop.hive.met
import java.io.FileNotFoundException;
import java.io.IOException;
+import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;
@@ -35,6 +36,7 @@ import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.Warehouse;
import org.apache.hadoop.hive.metastore.api.Database;
@@ -302,6 +304,16 @@ public class HdfsAuthorizationProvider e
final EnumSet<FsAction> actions, String user, String[]
groups) throws IOException,
AccessControlException {
+ if (groups != null) {
+ List<String> groupList = Arrays.asList(groups);
+ String superGroupName = getSuperGroupName(fs.getConf());
+ if (userBelongsToSuperGroup(superGroupName, groupList)) {
+ LOG.info("User \"" + user + "\" belongs to super-group \"" +
superGroupName + "\". " +
+ "Permission granted for actions: (" + actions + ").");
+ return;
+ }
+ }
+
final FileStatus stat;
try {
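Review bot: The `LOG.info` line is the only trace of a check that was skipped for a super-group member, and it does not say which path the grant was for. Because the early `return` sits before the `FileStatus` lookup, nothing about the path is examined for these callers, so the record should name the target, e.g. `"Permission granted for actions: (" + actions + ") on " + path + "."`, assuming the `path` used in the error message near the end of this method is in scope here. The decision also relies on the value of `DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY` in `fs.getConf()`, which is the caller-side configuration and may not match what the NameNode enforces; a short comment stating that assumption would help. The same points apply to the matching hunk in StorageBasedAuthorizationProvider, and the method body starts and ends outside this hunk.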
@@ -335,4 +347,12 @@ public class HdfsAuthorizationProvider e
+ path + " for user " + user);
}
}
+
+ private static String getSuperGroupName(Configuration configuration) {
+ return configuration.get(DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY,
"");
+ }
+
+ private static boolean userBelongsToSuperGroup(String superGroupName,
List<String> groups) {
+ return groups.contains(superGroupName);
+ }
}
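Review bot: `userBelongsToSuperGroup` matches an empty group name, because `getSuperGroupName` falls back to `""` when the key is unset and `groups.contains("")` is then evaluated as written. Guard it with `return !superGroupName.isEmpty() && groups.contains(superGroupName);`. The `""` fallback also differs from HDFS, which uses `DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT` when the key is absent, so on a cluster relying on that default the shortcut would never apply; a comment on `getSuperGroupName` should state which behaviour is intended. The identical helpers added to StorageBasedAuthorizationProvider in the last hunk have the same two issues.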
Modified:
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java?rev=1577731&r1=1577730&r2=1577731&view=diff
==============================================================================
---
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
(original)
+++
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
Fri Mar 14 21:33:48 2014
@@ -26,12 +26,15 @@ import java.util.List;
import javax.security.auth.login.LoginException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStore.HMSHandler;
import org.apache.hadoop.hive.metastore.Warehouse;
@@ -66,6 +69,8 @@ public class StorageBasedAuthorizationPr
private Warehouse wh;
private boolean isRunFromMetaStore = false;
+ private static Log LOG =
LogFactory.getLog(StorageBasedAuthorizationProvider.class);
+
/**
* Make sure that the warehouse variable is set up properly.
* @throws MetaException if unable to instantiate
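Review bot: The new `LOG` field is declared `private static` but not `final`, so it can be reassigned even though it is used as a constant. Declare it as `private static final Log LOG = LogFactory.getLog(StorageBasedAuthorizationProvider.class);`. The class body continues outside this hunk.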
@@ -319,6 +324,13 @@ public class StorageBasedAuthorizationPr
final EnumSet<FsAction> actions, String user, List<String> groups)
throws IOException,
AccessControlException {
+ String superGroupName = getSuperGroupName(fs.getConf());
+ if (userBelongsToSuperGroup(superGroupName, groups)) {
+ LOG.info("User \"" + user + "\" belongs to super-group \"" +
superGroupName + "\". " +
+ "Permission granted for actions: (" + actions + ").");
+ return;
+ }
+
final FileStatus stat;
try {
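Review bot: `groups` is passed to `userBelongsToSuperGroup` without a null check, although the equivalent change in HdfsAuthorizationProvider wraps the same logic in `if (groups != null)`. If a caller can pass a null group list, `groups.contains(...)` throws a NullPointerException before the regular permission check is reached; whether that can happen is not visible in this hunk. Making the two providers consistent is cheap: `if (groups != null && userBelongsToSuperGroup(superGroupName, groups)) {`. The method body starts and ends outside the hunk.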
@@ -353,6 +365,14 @@ public class StorageBasedAuthorizationPr
}
}
+ private static String getSuperGroupName(Configuration configuration) {
+ return configuration.get(DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY,
"");
+ }
+
+ private static boolean userBelongsToSuperGroup(String superGroupName,
List<String> groups) {
+ return groups.contains(superGroupName);
+ }
+
protected Path getDbLocation(Database db) throws HiveException {
try {
initWh();