Repository: hive Updated Branches: refs/heads/branch-3 d4b1caa92 -> c8f873383
HIVE-20344: PrivilegeSynchronizer for SBA might hit AccessControlException (Daniel Dai, reviewed by Vaibhav Gumashta) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/c8f87338 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/c8f87338 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/c8f87338 Branch: refs/heads/branch-3 Commit: c8f8733831d5bb18731b908f9030f99e6dbbbf24 Parents: d4b1caa Author: Daniel Dai <dai...@gmail.com> Authored: Fri Aug 10 09:34:44 2018 -0700 Committer: Daniel Dai <dai...@gmail.com> Committed: Fri Aug 10 09:34:44 2018 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/hive/conf/HiveConf.java | 2 ++ .../authorization/PrivilegeSynchonizer.java | 24 ++++++++++++-------- .../apache/hive/service/server/HiveServer2.java | 9 +++++--- 3 files changed, 23 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/c8f87338/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java ---------------------------------------------------------------------- diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 6f2690e..9523640 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
@@ -2999,6 +2999,8 @@ public class HiveConf extends Configuration { HIVE_SSL_PROTOCOL_BLACKLIST("hive.ssl.protocol.blacklist", "SSLv2,SSLv3", "SSL Versions to disable for all Hive Servers"), + HIVE_PRIVILEGE_SYNCHRONIZER("hive.privilege.synchronizer", true, + "Whether to synchronize privileges from external authorizer periodically in HS2"), HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL("hive.privilege.synchronizer.interval", "1800s", new TimeValidator(TimeUnit.SECONDS), "Interval to synchronize privileges from external authorizer periodically in HS2"), http://git-wip-us.apache.org/repos/asf/hive/blob/c8f87338/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java index 9ce665f..61e3cec 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java @@ -33,6 +33,7 @@ import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.metastore.api.MetaException; import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; 
@@ -193,16 +194,21 @@ public class PrivilegeSynchonizer implements Runnable { HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); PrivilegeBag grantColumnBag = new PrivilegeBag(); - Table tbl = hiveClient.getTable(dbName, tblName); - for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); + Table tbl = null; + try { + tbl = hiveClient.getTable(dbName, tblName); + for (FieldSchema fs : tbl.getPartitionKeys()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + for (FieldSchema fs : tbl.getSd().getCols()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); + } catch (MetaException e) { + LOG.debug("Unable to synchronize " + tblName + ":" + e.getMessage()); } - for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, - dbName, tblName, fs.getName(), authorizer); - } - hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); } } LOG.info("Success synchronize privilege " + policyProvider.getClass().getName() + ":" + numDb + " databases, " http://git-wip-us.apache.org/repos/asf/hive/blob/c8f87338/service/src/java/org/apache/hive/service/server/HiveServer2.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java index fe3bf1d..ed48064 100644 --- a/service/src/java/org/apache/hive/service/server/HiveServer2.java +++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java 
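Review bot: The new `catch (MetaException e)` around the column refresh records every metastore failure for a table only at DEBUG level, while the `LOG.info("Success synchronize privilege ...")` line after the loops still reports success. Because `refresh_privileges` now sits inside the `try`, a table whose `getTable` call fails keeps whatever column privileges were stored earlier, so a revocation made in the external authorizer presumably never reaches the metastore for that table. I would make that visible with `LOG.warn("Unable to synchronize column privileges for " + dbName + "." + tblName, e);`, which keeps the database name and the stack trace, and ideally count skipped tables in the summary line. The commit title names AccessControlException but the catch accepts any MetaException; if only access-denied failures are expected here, a comment saying so would help the next reader. The enclosing method starts and ends outside this hunk.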
@@ -980,15 +980,18 @@ public class HiveServer2 extends CompositeService { public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { + if (!HiveConf.getBoolVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { + return; + } PolicyProviderContainer policyContainer = new PolicyProviderContainer(); HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); if (authorizer.getHivePolicyProvider() != null) { policyContainer.addAuthorizer(authorizer); } - if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) != null && - hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).contains( "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") && - hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= null) { + MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)!= null) { List<HiveMetastoreAuthorizationProvider> providers = HiveUtils.getMetaStoreAuthorizeProviderManagers( hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, SessionState.get().getAuthenticator()); for (HiveMetastoreAuthorizationProvider provider : providers) {
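Review bot: The rewritten condition keeps both `!= null` tests, but `MetastoreConf.getVar` may return the variable's declared default rather than null when the key is unset (worth confirming in MetastoreConf). If it does, the `HIVE_AUTHORIZATION_MANAGER` test is always true and the branch is gated only by the `contains(...)` check. If the intent is "an authorization manager is explicitly configured", test for an empty or default value instead, and read the listener setting once: `String preListeners = MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS);` then `preListeners != null && preListeners.contains(...)`. Separately, the early `return` when `HIVE_PRIVILEGE_SYNCHRONIZER` is false leaves no trace; an INFO line naming `hive.privilege.synchronizer` would tell operators that privileges are not being synchronized. The method body continues past the end of the hunk.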