HIVE-17701 : Added restriction to historic queries on web UI (Tao Li via Thejas Nair)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/c681726d Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/c681726d Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/c681726d Branch: refs/heads/hive-14535 Commit: c681726d7961d6f36299a8127b8b7874d54ede9a Parents: e46e473 Author: Tao LI <[email protected]> Authored: Sun Oct 8 17:03:43 2017 -0700 Committer: Thejas M Nair <[email protected]> Committed: Sun Oct 8 22:32:47 2017 -0700 ---------------------------------------------------------------------- .../java/org/apache/hive/http/HttpServer.java | 34 ++++++++++++++++---- .../hive-webapps/hiveserver2/hiveserver2.jsp | 16 ++++++++- 2 files changed, 42 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/c681726d/common/src/java/org/apache/hive/http/HttpServer.java ---------------------------------------------------------------------- diff --git a/common/src/java/org/apache/hive/http/HttpServer.java b/common/src/java/org/apache/hive/http/HttpServer.java index 0624a7e..99af2be 100644 --- a/common/src/java/org/apache/hive/http/HttpServer.java +++ b/common/src/java/org/apache/hive/http/HttpServer.java @@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletResponse; import com.google.common.base.Preconditions; +import org.apache.commons.lang.StringUtils; import org.apache.commons.math3.util.Pair; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeys; @@ -250,12 +251,28 @@ public class HttpServer { } /** + * Check if the remote user has access to an object (e.g. query history) that belongs to a user + * + * @param ctx the context containing the admin ACL. + * @param request the HTTP request. + * @param remoteUser the user that sent out the request. + * @param user the user of the object being checked against. + * @return true if the remote user is the same as the user or has the admin access + * @throws IOException + */ + public static boolean hasAccess(String remoteUser, String user, + ServletContext ctx, HttpServletRequest request) throws IOException { + return StringUtils.equalsIgnoreCase(remoteUser, user) || + HttpServer.hasAdministratorAccess(ctx, request, null); + } + + /** * Does the user sending the HttpServletRequest have the administrator ACLs? If * it isn't the case, response will be modified to send an error to the user. * * @param servletContext * @param request - * @param response used to send the error response if user does not have admin access. + * @param response used to send the error response if user does not have admin access (no error if null) * @return true if admin-authorized, false otherwise * @throws IOException */ @@ -269,19 +286,22 @@ public class HttpServer { CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) { return true; } - String remoteUser = request.getRemoteUser(); if (remoteUser == null) { - response.sendError(HttpServletResponse.SC_UNAUTHORIZED, - "Unauthenticated users are not " + - "authorized to access this page."); + if (response != null) { + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, + "Unauthenticated users are not " + + "authorized to access this page."); + } return false; } if (servletContext.getAttribute(ADMINS_ACL) != null && !userHasAdministratorAccess(servletContext, remoteUser)) { - response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User " - + remoteUser + " is unauthorized to access this page."); + if (response != null) { + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User " + + remoteUser + " is unauthorized to access this page."); + } return false; } http://git-wip-us.apache.org/repos/asf/hive/blob/c681726d/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp ---------------------------------------------------------------------- diff --git a/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp b/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp index c0ece6d..5d82029 100644 --- a/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp +++ b/service/src/resources/hive-webapps/hiveserver2/hiveserver2.jsp @@ -22,6 +22,7 @@ import="org.apache.hadoop.hive.conf.HiveConf" import="org.apache.hadoop.hive.conf.HiveConf.ConfVars" import="org.apache.hive.common.util.HiveVersionInfo" + import="org.apache.hive.http.HttpServer" import="org.apache.hive.service.cli.operation.Operation" import="org.apache.hive.service.cli.operation.SQLOperation" import="org.apache.hadoop.hive.ql.QueryInfo" @@ -40,6 +41,7 @@ Configuration conf = (Configuration)ctx.getAttribute("hive.conf"); long startcode = conf.getLong("startcode", System.currentTimeMillis()); SessionManager sessionManager = (SessionManager)ctx.getAttribute("hive.sm"); +String remoteUser = request.getRemoteUser(); %> <!--[if IE]> @@ -108,7 +110,13 @@ if (sessionManager != null) { </tr> <% Collection<HiveSession> hiveSessions = sessionManager.getSessions(); +int sessionCount = 0; for (HiveSession hiveSession: hiveSessions) { + // Permission check + if (!HttpServer.hasAccess(remoteUser, hiveSession.getUserName(), ctx, request)) { + continue; + } + sessionCount++; %> <tr> <td><%= hiveSession.getUserName() %></td> @@ -121,7 +129,7 @@ for (HiveSession hiveSession: hiveSessions) { } %> <tr> - <td colspan="5">Total number of sessions: <%= hiveSessions.size() %></td> + <td colspan="5">Total number of sessions: <%= sessionCount %></td> </tr> </table> </section> @@ -143,6 +151,9 @@ for (HiveSession hiveSession: hiveSessions) { int queries = 0; Collection<QueryInfo> operations = sessionManager.getOperationManager().getLiveQueryInfos(); for (QueryInfo operation : operations) { + if (!HttpServer.hasAccess(remoteUser, operation.getUserName(), ctx, request)) { + continue; + } queries++; %> <tr> @@ -184,6 +195,9 @@ for (HiveSession hiveSession: hiveSessions) { queries = 0; operations = sessionManager.getOperationManager().getHistoricalQueryInfos(); for (QueryInfo operation : operations) { + if (!HttpServer.hasAccess(remoteUser, operation.getUserName(), ctx, request)) { + continue; + } queries++; %> <tr>
