Repository: hive Updated Branches: refs/heads/branch-2.3 12d2b2dbf -> 00c0ee7bc
HIVE-20420: Provide a fallback authorizer when no other authorizer is in use (Daniel Dai, reviewed by Laszlo Pinter, Thejas Nair) Signed-off-by: Thejas M Nair <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/00c0ee7b Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/00c0ee7b Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/00c0ee7b Branch: refs/heads/branch-2.3 Commit: 00c0ee7bc4b8492476b377a6edafcc33411f14b6 Parents: 12d2b2d Author: Daniel Dai <[email protected]> Authored: Thu Oct 25 00:11:20 2018 -0700 Committer: Daniel Dai <[email protected]> Committed: Thu Oct 25 00:12:32 2018 -0700 ---------------------------------------------------------------------- .../plugin/fallback/FallbackHiveAuthorizer.java | 8 +++++++- .../plugin/sqlstd/Operation2Privilege.java | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/00c0ee7b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
index 10cf4d4..07f0a4e 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
@@ -154,7 +154,13 @@ public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer { if (hiveObjects == null) { return; } - if (admins != null && Arrays.stream(admins).parallel().anyMatch(n -> n.equals(userName))) { + + boolean isAdmin = false; + if (admins != null && admins.length > 0) { + isAdmin = Arrays.asList(admins).contains(userName); + } + + if (isAdmin) { return; // Skip rest of checks if user is admin } http://git-wip-us.apache.org/repos/asf/hive/blob/00c0ee7b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 18b0e1c..cb07c53 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -113,6 +113,7 @@ public class Operation2Privilege { } private static Map<HiveOperationType, List<PrivRequirement>> op2Priv; + private static List<HiveOperationType> adminPrivOps; private static SQLPrivTypeGrant[] OWNER_PRIV_AR = arr(SQLPrivTypeGrant.OWNER_PRIV); private static SQLPrivTypeGrant[] SEL_NOGRANT_AR = arr(SQLPrivTypeGrant.SELECT_NOGRANT); @@ -130,6 +131,7 @@ public class Operation2Privilege { static { + adminPrivOps = new ArrayList<HiveOperationType>(); op2Priv = new HashMap<HiveOperationType, List<PrivRequirement>>(); op2Priv.put(HiveOperationType.EXPLAIN, PrivRequirement.newIOPrivRequirement 
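Review bot: The admin short-circuit in this hunk skips every remaining check on an exact, case-sensitive match between `userName` and an entry of `admins`, and nothing visible here says how either value is normalized. If `admins` is parsed from a delimited configuration value (not shown in the hunk), an entry with stray whitespace or different case would silently fail to match; that fails closed, but it is worth stating next to the check. I would add a comment such as `// admins are compared verbatim with the authenticated user name: no trimming, no case folding`, and the three-line initialisation can be collapsed to `boolean isAdmin = admins != null && Arrays.asList(admins).contains(userName);` since `contains` on an empty list is already false. The enclosing method starts and ends outside the hunk.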
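Review bot: `adminPrivOps` is declared as a non-final static `List` that stays mutable after class initialisation, which is a weak shape for the collection that decides which operations are admin-only. It is created in the static block (hunk at -130) and filled by the two `add` calls (hunk at -292), so any code in the class could later add or remove entries or reassign the field. Assuming `HiveOperationType` is an enum, as its use here suggests, I would declare it once as `private static final Set<HiveOperationType> adminPrivOps = EnumSet.of(HiveOperationType.CREATEFUNCTION, HiveOperationType.DROPFUNCTION);` and drop the separate initialisation and `add` lines. This needs `java.util.EnumSet` imported; the import block is outside the hunk.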
@@ -292,6 +294,8 @@ public class Operation2Privilege { new PrivRequirement(arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT), IOType.OUTPUT, null, HivePrivilegeObjectType.TABLE_OR_VIEW), new PrivRequirement(OWNER_PRIV_AR, IOType.OUTPUT, null, HivePrivilegeObjectType.DATABASE))); + adminPrivOps.add(HiveOperationType.CREATEFUNCTION); + adminPrivOps.add(HiveOperationType.DROPFUNCTION); // operations require select priv op2Priv.put(HiveOperationType.SHOWCOLUMNS, PrivRequirement.newIOPrivRequirement @@ -500,6 +504,17 @@ public class Operation2Privilege { return reqPrivs; } + /** + * Some operations are tagged as requiring admin privileges, ignoring any object that + * might be checked on it. This check is run in those cases. + * + * @param hiveOpType + * @return + */ + public static boolean isAdminPrivOperation(HiveOperationType hiveOpType) { + return adminPrivOps.contains(hiveOpType); + } + // for unit tests public static Set<HiveOperationType> getOperationTypes() { return op2Priv.keySet();
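Review bot: The two `adminPrivOps.add(...)` lines carry no comment saying why CREATEFUNCTION and DROPFUNCTION are admin-only, or how this tag relates to the `op2Priv` requirements registered just above them. A reader auditing the policy cannot tell from here whether the admin tag replaces or adds to those object-level requirements, nor whether other operation types were considered and left out on purpose. I would add a comment such as `// admin-only regardless of object privileges; see isAdminPrivOperation()` and state the selection criterion there, so that operation types added later are classified consistently. The static initialiser continues outside the hunk.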
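Review bot: The Javadoc on `isAdminPrivOperation` leaves `@param hiveOpType` and `@return` empty, and its first sentence is hard to parse. The result presumably drives an allow/deny decision in a caller that this diff does not show, so the contract should be explicit, for example `@param hiveOpType operation being authorized` and `@return true if only an admin user may run the operation, false otherwise`. It would also help to state that a null or unlisted operation type returns false, i.e. is treated as not admin-only, so callers know this method on its own is not a deny-by-default gate.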
