Repository: hive Updated Branches: refs/heads/branch-2.1 82d284a45 -> 4af1be71e
HIVE-13867 restore HiveAuthorizer interface changes (Thejas Nair, reviewed by Sushanth Sowmyan) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/4af1be71 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/4af1be71 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/4af1be71 Branch: refs/heads/branch-2.1 Commit: 4af1be71ee1068262168c52ea8be6b2a619a5b9e Parents: 82d284a Author: Sushanth Sowmyan <[email protected]> Authored: Tue May 31 19:31:52 2016 -0700 Committer: Sushanth Sowmyan <[email protected]> Committed: Tue May 31 19:43:52 2016 -0700 ---------------------------------------------------------------------- .../TestHiveAuthorizerCheckInvocation.java | 2 +- .../plugin/TestHiveAuthorizerShowFilters.java | 4 +- .../jdbc/authorization/TestHS2AuthzContext.java | 12 +-- .../authorization/TestJdbcMetadataApiAuth.java | 4 +- .../hive/ql/security/DummyAuthenticator.java | 5 - .../security/InjectableDummyAuthenticator.java | 5 - ...SQLStdHiveAuthorizationValidatorForTest.java | 6 +- .../java/org/apache/hadoop/hive/ql/Driver.java | 5 +- .../apache/hadoop/hive/ql/parse/TableMask.java | 9 +- .../hadoop/hive/ql/processors/CommandUtil.java | 5 +- .../ql/security/HadoopDefaultAuthenticator.java | 5 - .../ql/security/HiveAuthenticationProvider.java | 2 - .../SessionStateConfigUserAuthenticator.java | 5 - .../security/SessionStateUserAuthenticator.java | 5 - .../AuthorizationMetaStoreFilterHook.java | 3 +- .../plugin/HiveAuthorizationValidator.java | 6 +- .../authorization/plugin/HiveAuthorizer.java | 6 +- .../plugin/HiveAuthorizerImpl.java | 6 +- .../authorization/plugin/HiveAuthzContext.java | 99 ++++++++++++++++++++ .../authorization/plugin/HiveV1Authorizer.java | 6 +- .../authorization/plugin/QueryContext.java | 78 --------------- .../sqlstd/DummyHiveAuthorizationValidator.java | 8 +- .../SQLStdHiveAuthorizationValidator.java | 8 +- .../cli/operation/MetadataOperation.java | 5 +- 24 files changed, 150 insertions(+), 149 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java ---------------------------------------------------------------------- diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index 5e601c9..9aca713 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -425,7 +425,7 @@ public class TestHiveAuthorizerCheckInvocation { verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class), inputsCapturer.capture(), outputsCapturer.capture(), - any(QueryContext.class)); + any(HiveAuthzContext.class)); return new ImmutablePair(inputsCapturer.getValue(), outputsCapturer.getValue()); } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java ---------------------------------------------------------------------- diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java index 0209044..5922a8c 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerShowFilters.java @@ -77,7 +77,7 @@ public class TestHiveAuthorizerShowFilters { protected abstract class AuthorizerWithFilterCmdImpl implements HiveAuthorizer { @Override public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException { + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { // capture arguments in static filterArguments = listObjs; // return static variable with results, if it is set to some set of @@ -101,7 +101,7 @@ public class TestHiveAuthorizerShowFilters { try { Mockito.when( mockedAuthorizer.filterListCmdObjects((List<HivePrivilegeObject>) any(), - (QueryContext) any())).thenCallRealMethod(); + (HiveAuthzContext) any())).thenCallRealMethod(); } catch (Exception e) { org.junit.Assert.fail("Caught exception " + e); } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java ---------------------------------------------------------------------- diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java index 96e922b..273ec36 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java @@ -41,7 +41,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionC import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hive.jdbc.miniHS2.MiniHS2; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -112,19 +112,19 @@ public class TestHS2AuthzContext { stmt.close(); hs2Conn.close(); - ArgumentCaptor<QueryContext> contextCapturer = ArgumentCaptor - .forClass(QueryContext.class); + ArgumentCaptor<HiveAuthzContext> contextCapturer = ArgumentCaptor + .forClass(HiveAuthzContext.class); verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class), Matchers.anyListOf(HivePrivilegeObject.class), Matchers.anyListOf(HivePrivilegeObject.class), contextCapturer.capture()); - QueryContext context = contextCapturer.getValue(); + HiveAuthzContext context = contextCapturer.getValue(); assertEquals("Command ", ctxCmd, context.getCommandString()); - assertTrue("ip address pattern check", authenticator.getUserIpAddress().matches("[.:a-fA-F0-9]+")); + assertTrue("ip address pattern check", context.getIpAddress().matches("[.:a-fA-F0-9]+")); // ip address size check - check for something better than non zero - assertTrue("ip address size check", authenticator.getUserIpAddress().length() > 7); + assertTrue("ip address size check", context.getIpAddress().length() > 7); } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java ---------------------------------------------------------------------- diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java index f67f5c3..692bfa0 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcMetadataApiAuth.java @@ -39,7 +39,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControl import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; @@ -76,7 +76,7 @@ public class TestJdbcMetadataApiAuth { @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (!allowActions) { throw new HiveAccessControlException(DENIED_ERR); http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java ---------------------------------------------------------------------- diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java index 8dc801f..a296ac5 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java @@ -67,9 +67,4 @@ public class DummyAuthenticator implements HiveAuthenticationProvider { //no op } - @Override - public String getUserIpAddress() { - return null; - } - } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java ---------------------------------------------------------------------- diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java index 40b0185..322834e 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java @@ -105,9 +105,4 @@ public class InjectableDummyAuthenticator implements HiveMetastoreAuthentication //no-op } - @Override - public String getUserIpAddress() { - return null; - } - } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java ---------------------------------------------------------------------- diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java index 04c1887..41dd966 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java @@ -29,7 +29,7 @@ import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; @@ -93,7 +93,7 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) throws HiveAuthzPluginException, + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { switch (hiveOpType) { case DFS: @@ -115,7 +115,7 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza // Please take a look at the instructions in HiveAuthorizer.java before // implementing applyRowFilterAndColumnMasking - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException { List<HivePrivilegeObject> needRewritePrivObjs = new ArrayList<>(); for (HivePrivilegeObject privObj : privObjs) { http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/Driver.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index 3fecc5c..2263192 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java @@ -102,7 +102,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.session.OperationLog; import org.apache.hadoop.hive.ql.session.OperationLog.LoggingLevel; import org.apache.hadoop.hive.ql.session.SessionState; @@ -805,7 +805,8 @@ public class Driver implements CommandProcessor { since the insert will get passed the columns from the select. */ - QueryContext.Builder authzContextBuilder = new QueryContext.Builder(); + HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder(); + authzContextBuilder.setUserIpAddress(ss.getUserIpAddress()); authzContextBuilder.setForwardedAddresses(ss.getForwardedAddresses()); authzContextBuilder.setCommandString(command); http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java index f3c7262..41d5900 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/TableMask.java @@ -27,7 +27,7 @@ import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.session.SessionState; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -45,14 +45,17 @@ public class TableMask { private UnparseTranslator translator; private boolean enable; private boolean needsRewrite; - private QueryContext queryContext; + private HiveAuthzContext queryContext; public TableMask(SemanticAnalyzer analyzer, HiveConf conf) throws SemanticException { try { authorizer = SessionState.get().getAuthorizerV2(); String cmdString = analyzer.ctx.getCmd(); - QueryContext.Builder ctxBuilder = new QueryContext.Builder(); + SessionState ss = SessionState.get(); + HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder(); ctxBuilder.setCommandString(cmdString); + ctxBuilder.setUserIpAddress(ss.getUserIpAddress()); + ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses()); queryContext = ctxBuilder.build(); if (authorizer != null && needTransform()) { enable = true; http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java index 9288ee2..1b4d15e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java @@ -25,7 +25,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -80,8 +80,9 @@ class CommandUtil { static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type, List<String> command) throws HiveAuthzPluginException, HiveAccessControlException { HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command); - QueryContext.Builder ctxBuilder = new QueryContext.Builder(); + HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder(); ctxBuilder.setCommandString(Joiner.on(' ').join(command)); + ctxBuilder.setUserIpAddress(ss.getUserIpAddress()); ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses()); ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, ctxBuilder.build()); } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java index 8a036ac..18e4e00 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java @@ -81,9 +81,4 @@ public class HadoopDefaultAuthenticator implements HiveAuthenticationProvider { //no op } - @Override - public String getUserIpAddress() { - return null; - } - } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java index 761352a..7befff8 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java @@ -32,8 +32,6 @@ public interface HiveAuthenticationProvider extends Configurable{ public String getUserName(); - public String getUserIpAddress(); - public List<String> getGroupNames(); public void destroy() throws HiveException; http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java index 87f4afa..8c7809e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java @@ -71,9 +71,4 @@ public class SessionStateConfigUserAuthenticator implements HiveAuthenticationPr this.sessionState = sessionState; } - @Override - public String getUserIpAddress() { - return this.sessionState.getUserIpAddress(); - } - } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java index 8f10914..a77e93f 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java @@ -65,9 +65,4 @@ public class SessionStateUserAuthenticator implements HiveAuthenticationProvider this.sessionState = sessionState; } - @Override - public String getUserIpAddress() { - return this.sessionState.getUserIpAddress(); - } - } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java index 20367da..b08c63d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AuthorizationMetaStoreFilterHook.java @@ -73,7 +73,8 @@ public class AuthorizationMetaStoreFilterHook extends DefaultMetaStoreFilterHook private List<HivePrivilegeObject> getFilteredObjects(List<HivePrivilegeObject> listObjs) throws MetaException { SessionState ss = SessionState.get(); - QueryContext.Builder authzContextBuilder = new QueryContext.Builder(); + HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder(); + authzContextBuilder.setUserIpAddress(ss.getUserIpAddress()); authzContextBuilder.setForwardedAddresses(ss.getForwardedAddresses()); try { return ss.getAuthorizerV2().filterListCmdObjects(listObjs, authzContextBuilder.build()); http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java index 5e8b66a..d00138c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java @@ -34,15 +34,15 @@ public interface HiveAuthorizationValidator { * see HiveAuthorizer.checkPrivileges */ void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException; + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; /** * see HiveAuthorizer.filterListCmdObjects */ List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context); + HiveAuthzContext context); - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException; public boolean needTransform(); http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 4f27137..4814fc1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -161,7 +161,7 @@ public interface HiveAuthorizer { * @throws HiveAccessControlException */ void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; @@ -175,7 +175,7 @@ public interface HiveAuthorizer { * @throws HiveAccessControlException */ List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; @@ -263,7 +263,7 @@ public interface HiveAuthorizer { * * @throws SemanticException */ - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException; /** http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index b9ef483..570571b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java @@ -82,7 +82,7 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer { @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context); } @@ -90,7 +90,7 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer { @Override public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException { + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { return authValidator.filterListCmdObjects(listObjs, context); } @@ -143,7 +143,7 @@ public class HiveAuthorizerImpl extends AbstractHiveAuthorizer { } @Override - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException { return authValidator.applyRowFilterAndColumnMasking(context, privObjs); } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java new file mode 100644 index 0000000..aeb0048 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java @@ -0,0 +1,99 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import java.util.List; + +import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; + +/** + * Provides context information in authorization check call that can be used for + * auditing and/or authorization. + * It is an immutable class. Builder inner class is used instantiate it. + */ +@LimitedPrivate(value = { "Apache Argus (incubating)" }) +@Evolving +public final class HiveAuthzContext { + + public static class Builder { + private String commandString; + private List<String> forwardedAddresses; + private String userIpAddress; + + /** + * Get user's ip address. This is set only if the authorization api is + * invoked from a HiveServer2 instance in standalone mode. + * + * @return ip address + */ + public String getUserIpAddress() { + return userIpAddress; + } + + public void setUserIpAddress(String userIpAddress) { + this.userIpAddress = userIpAddress; + } + + public String getCommandString() { + return commandString; + } + public void setCommandString(String commandString) { + this.commandString = commandString; + } + + public List<String> getForwardedAddresses() { + return forwardedAddresses; + } + public void setForwardedAddresses(List<String> forwardedAddresses) { + this.forwardedAddresses = forwardedAddresses; + } + + public HiveAuthzContext build(){ + return new HiveAuthzContext(this); + } + } + + private final String userIpAddress; + private final String commandString; + private final List<String> forwardedAddresses; + + private HiveAuthzContext(Builder builder) { + this.userIpAddress = builder.userIpAddress; + this.commandString = builder.commandString; + this.forwardedAddresses = builder.forwardedAddresses; + } + + public String getIpAddress() { + return userIpAddress; + } + + public String getCommandString() { + return commandString; + } + + public List<String> getForwardedAddresses() { + return forwardedAddresses; + } + + @Override + public String toString() { + return "QueryContext [commandString=" + commandString + ", forwardedAddresses=" + forwardedAddresses + "]"; + } + +} http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index 845fd85..485416e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java @@ -66,7 +66,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { throw new UnsupportedOperationException("Should not be called for v1 authorizer"); } @@ -391,7 +391,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { @Override public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) throws HiveAuthzPluginException, HiveAccessControlException { + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { // do no filtering in old authorizer return listObjs; } @@ -402,7 +402,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { } @Override - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException { return null; } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java deleted file mode 100644 index 17f8913..0000000 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/QueryContext.java +++ /dev/null @@ -1,78 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hive.ql.security.authorization.plugin; - -import java.util.List; - -import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; -import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; - -/** - * Provides context information in authorization check call that can be used for - * auditing and/or authorization. - * It is an immutable class. Builder inner class is used instantiate it. - */ -@LimitedPrivate(value = { "Apache Argus (incubating)" }) -@Evolving -public final class QueryContext { - - public static class Builder { - private String commandString; - private List<String> forwardedAddresses; - - public String getCommandString() { - return commandString; - } - public void setCommandString(String commandString) { - this.commandString = commandString; - } - - public List<String> getForwardedAddresses() { - return forwardedAddresses; - } - public void setForwardedAddresses(List<String> forwardedAddresses) { - this.forwardedAddresses = forwardedAddresses; - } - - public QueryContext build(){ - return new QueryContext(this); - } - } - - private final String commandString; - private final List<String> forwardedAddresses; - - private QueryContext(Builder builder) { - this.commandString = builder.commandString; - this.forwardedAddresses = builder.forwardedAddresses; - } - - public String getCommandString() { - return commandString; - } - - public List<String> getForwardedAddresses() { - return forwardedAddresses; - } - - @Override - public String toString() { - return "QueryContext [commandString=" + commandString + ", forwardedAddresses=" + forwardedAddresses + "]"; - } - -} http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java index 1356e29..170f458 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java @@ -25,7 +25,7 @@ import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -39,14 +39,14 @@ public class DummyHiveAuthorizationValidator implements HiveAuthorizationValidat @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { // no-op } @Override public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) { + HiveAuthzContext context) { return listObjs; } @@ -57,7 +57,7 @@ public class DummyHiveAuthorizationValidator implements HiveAuthorizationValidat } @Override - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException { return null; } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 0edfb64..2977675 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -31,7 +31,7 @@ import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; @@ -65,7 +65,7 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, - List<HivePrivilegeObject> outputHObjs, QueryContext context) + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { if (LOG.isDebugEnabled()) { @@ -141,7 +141,7 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida @Override public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, - QueryContext context) { + HiveAuthzContext context) { if (LOG.isDebugEnabled()) { String msg = "Obtained following objects in filterListCmdObjects " + listObjs + " for user " + authenticator.getUserName() + ". Context Info: " + context; @@ -156,7 +156,7 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida } @Override - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(QueryContext context, + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException { return null; } http://git-wip-us.apache.org/repos/asf/hive/blob/4af1be71/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java index fd6e428..44463c9 100644 --- a/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java +++ b/service/src/java/org/apache/hive/service/cli/operation/MetadataOperation.java @@ -22,7 +22,7 @@ import java.util.List; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.QueryContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -134,7 +134,8 @@ public abstract class MetadataOperation extends Operation { protected void authorizeMetaGets(HiveOperationType opType, List<HivePrivilegeObject> inpObjs, String cmdString) throws HiveSQLException { SessionState ss = SessionState.get(); - QueryContext.Builder ctxBuilder = new QueryContext.Builder(); + HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder(); + ctxBuilder.setUserIpAddress(ss.getUserIpAddress()); ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses()); ctxBuilder.setCommandString(cmdString); try {
