Repository: hive Updated Branches: refs/heads/branch-2 2c8422b52 -> 55fcff151
HIVE-20420: Provide a fallback authorizer when no other authorizer is in use (Daniel Dai, reviewed by Laszlo Pinter, Thejas Nair) Signed-off-by: Thejas M Nair <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/55fcff15 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/55fcff15 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/55fcff15 Branch: refs/heads/branch-2 Commit: 55fcff1517ec137cb80a1d01828c567d31dca183 Parents: 2c8422b Author: Daniel Dai <[email protected]> Authored: Thu Oct 25 00:11:20 2018 -0700 Committer: Daniel Dai <[email protected]> Committed: Thu Oct 25 00:11:52 2018 -0700 ---------------------------------------------------------------------- .../plugin/fallback/FallbackHiveAuthorizer.java | 8 +++++++- .../plugin/sqlstd/Operation2Privilege.java | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/55fcff15/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java index 10cf4d4..07f0a4e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java 
@@ -154,7 +154,13 @@ public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer { if (hiveObjects == null) { return; } - if (admins != null && Arrays.stream(admins).parallel().anyMatch(n -> n.equals(userName))) { + + boolean isAdmin = false; + if (admins != null && admins.length > 0) { + isAdmin = Arrays.asList(admins).contains(userName); + } + + if (isAdmin) { return; // Skip rest of checks if user is admin } http://git-wip-us.apache.org/repos/asf/hive/blob/55fcff15/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 26a49d1..0b72d49 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -113,6 +113,7 @@ public class Operation2Privilege { } private static Map<HiveOperationType, List<PrivRequirement>> op2Priv; + private static List<HiveOperationType> adminPrivOps; private static SQLPrivTypeGrant[] OWNER_PRIV_AR = arr(SQLPrivTypeGrant.OWNER_PRIV); private static SQLPrivTypeGrant[] SEL_NOGRANT_AR = arr(SQLPrivTypeGrant.SELECT_NOGRANT); @@ -130,6 +131,7 @@ public class Operation2Privilege { static { + adminPrivOps = new ArrayList<HiveOperationType>(); op2Priv = new HashMap<HiveOperationType, List<PrivRequirement>>(); op2Priv.put(HiveOperationType.EXPLAIN, PrivRequirement.newIOPrivRequirement 
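Review bot: The admin short-circuit in this hunk skips every later privilege check on an exact, case-sensitive `String` match, and nothing in the code says so. I would put a comment above it such as `// Exact, case-sensitive match against the configured admin list; a match skips all object-level checks below.` The `admins.length > 0` guard is redundant, because `contains` on an empty list is already false, so the block can collapse to `boolean isAdmin = admins != null && Arrays.asList(admins).contains(userName);`. How `admins` is populated is outside the hunk, so whether entries are trimmed before they reach this comparison should be confirmed. The enclosing method starts and ends outside the hunk.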
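Review bot: The new `adminPrivOps` field in the `-113,6` hunk of Operation2Privilege.java is a non-final, mutable static `List` that holds authorization policy. Declaring it as `private static final Set<HiveOperationType> adminPrivOps = EnumSet.noneOf(HiveOperationType.class);` prevents reassignment and states that it is a membership set. That declaration needs `java.util.EnumSet` imported, and the file's import block is not visible here. The same point covers the `-130,6` hunk, whose `adminPrivOps = new ArrayList<HiveOperationType>();` line in the static initializer would then be dropped.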
@@ -294,6 +296,8 @@ public class Operation2Privilege { new PrivRequirement(arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT), IOType.OUTPUT, null, HivePrivilegeObjectType.TABLE_OR_VIEW), new PrivRequirement(OWNER_PRIV_AR, IOType.OUTPUT, null, HivePrivilegeObjectType.DATABASE))); + adminPrivOps.add(HiveOperationType.CREATEFUNCTION); + adminPrivOps.add(HiveOperationType.DROPFUNCTION); // operations require select priv op2Priv.put(HiveOperationType.SHOWCOLUMNS, PrivRequirement.newIOPrivRequirement @@ -505,6 +509,17 @@ public class Operation2Privilege { return reqPrivs; } + /** + * Some operations are tagged as requiring admin privileges, ignoring any object that + * might be checked on it. This check is run in those cases. + * + * @param hiveOpType + * @return + */ + public static boolean isAdminPrivOperation(HiveOperationType hiveOpType) { + return adminPrivOps.contains(hiveOpType); + } + // for unit tests public static Set<HiveOperationType> getOperationTypes() { return op2Priv.keySet();
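Review bot: The two `adminPrivOps.add(...)` calls are placed after the end of an unrelated `op2Priv.put(...)` statement and carry no comment saying why CREATEFUNCTION and DROPFUNCTION are treated as admin-only. A line such as `// admin-only operations: authorized by operation type, independent of object privileges` above them would make the policy readable in place. If the `op2Priv` entries for these two operations live elsewhere in the static block, which this hunk does not show, registering the admin flag next to them would keep each operation's rules together. The static initializer starts and ends outside the hunk.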
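Review bot: The Javadoc on `isAdminPrivOperation` in the `-505,6` hunk leaves `@param hiveOpType` and `@return` empty, so the contract of this authorization predicate is undocumented. I would fill them in as `@param hiveOpType operation type being authorized` and `@return true if the operation is registered as admin-only`. The summary sentence "ignoring any object that might be checked on it" would read more clearly as "regardless of the privileges held on the objects involved". No caller of the method appears in this commit's FallbackHiveAuthorizer hunk, so it is worth confirming that the authorizer on this branch already consults it; otherwise the new list has no effect.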
