This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new acbaa5c RANGER-2367:Hive show grants when Ranger is authorizer should
show permission details from Ranger
acbaa5c is described below
commit acbaa5c8800917a682ae756b16939c57cfbae948
Author: rmani <[email protected]>
AuthorDate: Wed Mar 20 17:54:39 2019 -0700
RANGER-2367:Hive show grants when Ranger is authorizer should show
permission details from Ranger
Signed-off-by: rmani <[email protected]>
---
.../policyengine/RangerPolicyEngineImpl.java | 6 +-
.../plugin/policyengine/RangerResourceACLs.java | 34 +-
.../hive/authorizer/RangerHiveAuthorizer.java | 353 ++++++++++++++++-----
.../services/hive/HIVERangerAuthorizerTest.java | 2 +-
.../RangerSampleProjectProvider.java | 2 +-
5 files changed, 312 insertions(+), 85 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5e68363..9fe0531 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -628,7 +628,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
-
ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult);
+ RangerPolicy policy =
evaluator.getPolicy();
+
ret.setUserAccessInfo(userName, accessInfo.getKey(), accessResult, policy);
}
}
@@ -644,7 +645,8 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
accessResult = RangerPolicyEvaluator.ACCESS_DENIED;
}
}
-
ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult);
+ RangerPolicy policy =
evaluator.getPolicy();
+
ret.setGroupAccessInfo(groupName, accessInfo.getKey(), accessResult, policy);
}
}
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
index adee37e..eafbde2 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
@@ -20,6 +20,8 @@
package org.apache.ranger.plugin.policyengine;
import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.model.RangerPolicy;
+
import org.codehaus.jackson.annotate.JsonAutoDetect;
import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.map.annotate.JsonSerialize;
@@ -38,7 +40,6 @@ import static
org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator.ACC
public class RangerResourceACLs {
final private Map<String, Map<String, AccessResult>> userACLs = new
HashMap<>();
final private Map<String, Map<String, AccessResult>> groupACLs = new
HashMap<>();
-
public RangerResourceACLs() {
}
@@ -84,7 +85,7 @@ public class RangerResourceACLs {
finalizeAcls(groupACLs);
}
- public void setUserAccessInfo(String userName, String accessType,
Integer access) {
+ public void setUserAccessInfo(String userName, String accessType,
Integer access, RangerPolicy policy) {
Map<String, AccessResult> userAccessInfo =
userACLs.get(userName);
if (userAccessInfo == null) {
@@ -96,15 +97,16 @@ public class RangerResourceACLs {
AccessResult accessResult = userAccessInfo.get(accessType);
if (accessResult == null) {
- accessResult = new AccessResult(access);
+ accessResult = new AccessResult(access, policy);
userAccessInfo.put(accessType, accessResult);
} else {
accessResult.setResult(access);
+ accessResult.setPolicy(policy);
}
}
- public void setGroupAccessInfo(String groupName, String accessType,
Integer access) {
+ public void setGroupAccessInfo(String groupName, String accessType,
Integer access, RangerPolicy policy) {
Map<String, AccessResult> groupAccessInfo =
groupACLs.get(groupName);
if (groupAccessInfo == null) {
@@ -116,11 +118,12 @@ public class RangerResourceACLs {
AccessResult accessResult = groupAccessInfo.get(accessType);
if (accessResult == null) {
- accessResult = new AccessResult(access);
+ accessResult = new AccessResult(access, policy);
groupAccessInfo.put(accessType, accessResult);
} else {
accessResult.setResult(access);
+ accessResult.setPolicy(policy);
}
}
@@ -135,6 +138,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission :
entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(",
value=").append(permission.getValue()).append("},");
+
sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -145,6 +149,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission :
entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(",
value=").append(permission.getValue()).append("}, ");
+ sb.append("{RangerPolicy
ID=").append(permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -179,19 +184,20 @@ public class RangerResourceACLs {
public static class AccessResult {
private int result;
private boolean isFinal;
-
+ private RangerPolicy policy;
public AccessResult() {
- this(-1);
+ this(-1, null);
}
- public AccessResult(int result) {
- this(result, false);
+ public AccessResult(int result, RangerPolicy policy) {
+ this(result, false, policy);
}
- public AccessResult(int result, boolean isFinal) {
+ public AccessResult(int result, boolean isFinal, RangerPolicy
policy) {
setIsFinal(isFinal);
setResult(result);
+ setPolicy(policy);
}
public int getResult() { return result; }
@@ -210,6 +216,14 @@ public class RangerResourceACLs {
public void setIsFinal(boolean isFinal) { this.isFinal =
isFinal; }
+ public RangerPolicy getPolicy() {
+ return policy;
+ }
+
+ public void setPolicy(RangerPolicy policy){
+ this.policy = policy;
+ }
+
@Override
public boolean equals(Object other) {
if (other == null)
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 0f3bee5..be82639 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -38,11 +39,7 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.metastore.IMetaStoreClient;
-import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
-import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
@@ -59,6 +56,7 @@ import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
@@ -67,7 +65,12 @@ import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -86,8 +89,12 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
private static final String HIVE_CONF_VAR_QUERY_STRING =
"hive.query.string";
+ private static final String DEFAULT_RANGER_POLICY_GRANTOR = "ranger";
+
private static volatile RangerHivePlugin hivePlugin = null;
+ private static RangerAuthContext authContext;
+
public RangerHiveAuthorizer(HiveMetastoreClientFactory
metastoreClientFactory,
HiveConf
hiveConf,
HiveAuthenticationProvider hiveAuthenticator,
@@ -771,7 +778,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
return ret;
}
- RangerHiveResource createHiveResource(HivePrivilegeObject
privilegeObject) {
+ private RangerHiveResource createHiveResource(HivePrivilegeObject
privilegeObject) {
RangerHiveResource resource = null;
HivePrivilegeObjectType objectType = privilegeObject.getType();
@@ -1475,82 +1482,37 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
@Override
public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
- HivePrivilegeObject privObj) throws
HiveAuthzPluginException {
- try {
+
HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+ List<HivePrivilegeInfo> ret;
- LOG.debug("RangerHiveAuthorizer.showPrivileges()");
- IMetaStoreClient mClient = getMetastoreClientFactory()
- .getHiveMetastoreClient();
- List<HivePrivilegeInfo> resPrivInfos = new
ArrayList<HivePrivilegeInfo>();
- String principalName = null;
- PrincipalType principalType = null;
- if (principal != null) {
- principalName = principal.getName();
- principalType = AuthorizationUtils
-
.getThriftPrincipalType(principal.getType());
- }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==>
principal: " + principal+ "HivePrivilegeObject : " + privObj.getObjectName());
+ }
- List<HiveObjectPrivilege> msObjPrivs =
mClient.list_privileges(
- principalName, principalType,
- this.getThriftHiveObjectRef(privObj));
- if (msObjPrivs != null) {
- for (HiveObjectPrivilege msObjPriv :
msObjPrivs) {
- HiveObjectRef msObjRef =
msObjPriv.getHiveObject();
-
org.apache.hadoop.hive.metastore.api.HiveObjectType objectType = msObjRef
- .getObjectType();
- if (!isSupportedObjectType(objectType))
{
- continue;
- }
- HivePrincipal resPrincipal = new
HivePrincipal(
-
msObjPriv.getPrincipalName(),
-
AuthorizationUtils.getHivePrincipalType(msObjPriv
-
.getPrincipalType()));
-
- PrivilegeGrantInfo msGrantInfo =
msObjPriv.getGrantInfo();
- HivePrivilege resPrivilege = new
HivePrivilege(
-
msGrantInfo.getPrivilege(), null);
-
- HivePrivilegeObject resPrivObj = new
HivePrivilegeObject(
-
getPluginPrivilegeObjType(objectType),
- msObjRef.getDbName(),
msObjRef.getObjectName(),
-
msObjRef.getPartValues(), msObjRef.getColumnName());
-
- HivePrincipal grantorPrincipal = new
HivePrincipal(
-
msGrantInfo.getGrantor(),
-
AuthorizationUtils.getHivePrincipalType(msGrantInfo
-
.getGrantorType()));
-
- HivePrivilegeInfo resPrivInfo = new
HivePrivilegeInfo(
- resPrincipal,
resPrivilege, resPrivObj,
- grantorPrincipal,
msGrantInfo.isGrantOption(),
-
msGrantInfo.getCreateTime());
- resPrivInfos.add(resPrivInfo);
- }
+ if ( hivePlugin == null) {
+ new
HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin
is null");
+ }
- } else {
- throw new HiveAccessControlException(
-
"RangerHiveAuthorizer.showPrivileges():User has to specify"
- + " a user name
or role in the show grant. ");
+ try {
+ authContext =
hivePlugin.createRangerAuthContext();
+ HiveObjectRef msObjRef =
AuthorizationUtils.getThriftHiveObjectRef(privObj);
+
+ if (msObjRef.getObjectName() == null) {
+ throw new
HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports
SHOW PRIVILEGES for Hive resources and not user level");
}
- return resPrivInfos;
+
+ ret = getHivePrivilegeInfos(principal, privObj);
} catch (Exception e) {
- LOG.error("RangerHiveAuthorizer.showPrivileges:
showPrivileges returned by showPrivileges is null");
- throw new HiveAuthzPluginException("hive
showPrivileges" + ": "
- + e.getMessage(), e);
+ LOG.error("RangerHiveAuthorizer.showPrivileges()
error", e);
+ throw new
HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " +
e.getMessage(), e);
}
- }
- private boolean isSupportedObjectType(
- org.apache.hadoop.hive.metastore.api.HiveObjectType
objectType) {
- switch (objectType) {
- case DATABASE:
- case TABLE:
- return true;
- default:
- return false;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.showPrivileges()
Result: " + ret);
}
+ return ret;
}
private HivePrivilegeObjectType getPluginPrivilegeObjType(
@@ -1640,6 +1602,255 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
return ret;
}
+ private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal
principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
+ List<HivePrivilegeInfo> ret = new ArrayList<>();
+ HivePrivilegeObject.HivePrivilegeObjectType objectType = null;
+ Map<String, Map<HiveResourceACLs.Privilege,
HiveResourceACLs.AccessResult>> userPermissions = null;
+ Map<String, Map<HiveResourceACLs.Privilege,
HiveResourceACLs.AccessResult>> groupPermissions = null;
+
+ String dbName = null;
+ String objectName = null;
+ String columnName = null;
+ List<String> partValues = null;
+
+ try {
+ HiveObjectRef msObjRef =
AuthorizationUtils.getThriftHiveObjectRef(privObj);
+
+ if (msObjRef != null) {
+ HivePrivilegeObject hivePrivilegeObject = null;
+
+ if (msObjRef.getObjectName() != null) {
+ // when resource is specified in the
show grants, acl will be for that resource / user / groups
+ objectType =
getPluginPrivilegeObjType(msObjRef.getObjectType());
+ dbName = msObjRef.getDbName();
+ objectName = msObjRef.getObjectName();
+ columnName = (msObjRef.getColumnName()
== null) ? new String() : msObjRef.getColumnName();
+ partValues = (msObjRef.getPartValues()
== null) ? new ArrayList<>() : msObjRef.getPartValues();
+ hivePrivilegeObject = new
HivePrivilegeObject(objectType, dbName, objectName);
+
+ RangerResourceACLs rangerResourceACLs =
getRangerResourceACLs(hivePrivilegeObject);
+
+ if (rangerResourceACLs != null) {
+ Map<String, Map<String,
RangerResourceACLs.AccessResult>> userRangerACLs =
rangerResourceACLs.getUserACLs();
+ Map<String, Map<String,
RangerResourceACLs.AccessResult>> groupRangerACLs =
rangerResourceACLs.getGroupACLs();
+ userPermissions =
convertRangerACLsToHiveACLs(userRangerACLs);
+ groupPermissions =
convertRangerACLsToHiveACLs(groupRangerACLs);
+
+ if (principal != null) {
+ String user =
principal.getName();
+
Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs =
userPermissions.get(user);
+ if (userACLs != null) {
+ Map<String,
RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
+ for
(HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
+
RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
+ if
(policy != null) {
+
String aclname = getPermission(userACL, userAccessResult, policy);
+
HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal,
objectType, dbName, objectName, columnName, partValues, aclname, policy);
+
ret.add(privilegeInfo);
+ }
+ }
+ }
+
+ Set<String> groups =
getPrincipalGroup(user);
+ for(String group :
groups) {
+
Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs =
groupPermissions.get(group);
+ if (groupACLs
!= null) {
+
Map<String, RangerResourceACLs.AccessResult> groupAccessResult =
groupRangerACLs.get(group);
+ for
(HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
+
RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
+
if (policy != null) {
+
String aclname = getPermission(groupACL, groupAccessResult, policy);
+
HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal,
objectType, dbName, objectName, columnName, partValues, aclname, policy);
+
ret.add(privilegeInfo);
+
}
+ }
+ }
+ }
+ } else {
+ // Request is for all
the ACLs on a resource
+ for (String user :
userRangerACLs.keySet()) {
+ HivePrincipal
hivePrincipal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
+
Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs =
userPermissions.get(user);
+
+ if (userACLs !=
null) {
+
Map<String, RangerResourceACLs.AccessResult> userAccessResult =
userRangerACLs.get(user);
+ for
(HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
+
RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
+
if (policy != null) {
+
String aclname = getPermission(userACL, userAccessResult, policy);
+
HivePrivilegeInfo privilegeInfo =
createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName,
columnName, partValues, aclname, policy);
+
ret.add(privilegeInfo);
+
}
+ }
+ }
+ }
+
+ for (String group :
groupRangerACLs.keySet()) {
+ HivePrincipal
hivePrincipal = new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP);
+
Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs =
groupPermissions.get(group);
+ if (groupACLs
!= null) {
+
Map<String, RangerResourceACLs.AccessResult> groupAccessResult =
groupRangerACLs.get(group);
+ for
(HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
+
RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
+
if (policy != null) {
+
String aclname = getPermission(groupACL, groupAccessResult, policy);
+
HivePrivilegeInfo privilegeInfo =
createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName,
columnName, partValues, aclname, policy);
+
ret.add(privilegeInfo);
+
}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException("hive
showPrivileges" + ": " + e.getMessage(), e);
+ }
+ return ret;
+ }
+
+ private RangerPolicy getRangerPolicy(Map<String,
RangerResourceACLs.AccessResult> accessResults, String rangerACL){
+ RangerPolicy ret = null;
+ if (MapUtils.isNotEmpty(accessResults)) {
+ RangerResourceACLs.AccessResult accessResult =
accessResults.get(rangerACL.toLowerCase());
+ if (accessResult != null) {
+ ret = accessResult.getPolicy();
+ }
+ }
+ return ret;
+ }
+
+ private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal
hivePrincipal,
+
HivePrivilegeObject.HivePrivilegeObjectType
objectType,
+
String dbName,
+
String objectName,
+
String columnName,
+
List<String> partValues,
+
String aclName,
+
RangerPolicy policy) {
+ HivePrivilegeInfo ret = null;
+ int creationDate = 0;
+ boolean delegateAdmin = false;
+
+ for (RangerPolicy.RangerPolicyItem policyItem :
policy.getPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess>
policyItemAccesses = policyItem.getAccesses();
+ List<String> users = policyItem.getUsers();
+ List<String> groups = policyItem.getGroups();
+ List<String> accessTypes = new ArrayList<>();
+
+ for (RangerPolicy.RangerPolicyItemAccess
policyItemAccess : policyItemAccesses) {
+ accessTypes.add(policyItemAccess.getType());
+ }
+
+ if (accessTypes.contains(aclName.toLowerCase()) &&
(users.contains(hivePrincipal.getName())
+ ||
groups.contains(hivePrincipal.getName()))) {
+ creationDate = (policy.getCreateTime() == null)
? creationDate : (int) (policy.getCreateTime().getTime()/1000);
+ delegateAdmin = (policyItem.getDelegateAdmin()
== null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
+ }
+ }
+
+ HivePrincipal grantorPrincipal = new
HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR,
HivePrincipal.HivePrincipalType.USER);
+ HivePrivilegeObject privilegeObject = new
HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
+ HivePrivilege privilege = new HivePrivilege(aclName, null);
+ ret = new HivePrivilegeInfo(hivePrincipal, privilege,
privilegeObject, grantorPrincipal, delegateAdmin, creationDate);
+
+ return ret;
+ }
+
+ private Set<String> getPrincipalGroup(String user) {
+ Set<String> groups = null;
+ UserGroupInformation ugi =
UserGroupInformation.createRemoteUser(user);
+ groups = Sets.newHashSet(ugi.getGroupNames());
+ return groups;
+ }
+
+ private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject
hiveObject) {
+
+ RangerResourceACLs ret = null;
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
+ }
+
+ RangerHiveResource hiveResource =
createHiveResource(hiveObject);
+ RangerAccessRequestImpl request = new
RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null,
null);
+
+ ret = authContext.getResourceACLs(request);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "], Computed
ACLS:[" + ret + "]");
+ }
+
+ return ret;
+ }
+
+ private Map<String, Map<HiveResourceACLs.Privilege,
HiveResourceACLs.AccessResult>> convertRangerACLsToHiveACLs(Map<String,
Map<String, RangerResourceACLs.AccessResult>> rangerACLs) {
+
+ Map<String, Map<HiveResourceACLs.Privilege,
HiveResourceACLs.AccessResult>> ret = new HashMap<>();
+
+ if (MapUtils.isNotEmpty(rangerACLs)) {
+ Set<String> hivePrivileges = new HashSet<>();
+ for (HiveResourceACLs.Privilege privilege :
HiveResourceACLs.Privilege.values()) {
+
hivePrivileges.add(privilege.name().toLowerCase());
+ }
+
+ for (Map.Entry<String, Map<String,
RangerResourceACLs.AccessResult>> entry : rangerACLs.entrySet()) {
+
+ Map<HiveResourceACLs.Privilege,
HiveResourceACLs.AccessResult> permissions = new HashMap<>();
+ ret.put(entry.getKey(), permissions);
+
+ for (Map.Entry<String,
RangerResourceACLs.AccessResult> permission : entry.getValue().entrySet()) {
+
+ if
(hivePrivileges.contains(permission.getKey())) {
+ HiveResourceACLs.Privilege
privilege =
HiveResourceACLs.Privilege.valueOf(StringUtils.upperCase(permission.getKey()));
+ HiveResourceACLs.AccessResult
accessResult;
+ int rangerResultValue =
permission.getValue().getResult();
+
+ if (rangerResultValue ==
RangerPolicyEvaluator.ACCESS_ALLOWED) {
+ accessResult =
HiveResourceACLs.AccessResult.ALLOWED;
+ } else if (rangerResultValue ==
RangerPolicyEvaluator.ACCESS_DENIED) {
+ accessResult =
HiveResourceACLs.AccessResult.NOT_ALLOWED;
+ } else if (rangerResultValue ==
RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
+ accessResult =
HiveResourceACLs.AccessResult.CONDITIONAL_ALLOWED;
+ } else {
+ // Should not get here
+ accessResult =
HiveResourceACLs.AccessResult.NOT_ALLOWED;
+ }
+ permissions.put(privilege,
accessResult);
+ }
+ }
+ }
+ }
+ return ret;
+ }
+
+ private String getPermission(HiveResourceACLs.Privilege acl,
Map<String, RangerResourceACLs.AccessResult> accessResultMap, RangerPolicy
policy ) {
+ String aclname = acl.name();
+ int aclResult = checkACLIsAllowed(acl, accessResultMap);
+ if (aclResult > RangerPolicyEvaluator.ACCESS_DENIED) {
+ // Other than denied ACLs are considered
+ if (policy != null) {
+ if (aclResult ==
RangerPolicyEvaluator.ACCESS_UNDETERMINED) {
+ aclname = aclname + " " +
"(ACCESS_UNDETERMINED)";
+ } else if (aclResult ==
RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
+ aclname = aclname + " " +
"(ACCESS_CONDITIONAL)";
+ }
+ }
+ }
+ return aclname;
+ }
+
+ private int checkACLIsAllowed(HiveResourceACLs.Privilege acl,
Map<String, RangerResourceACLs.AccessResult> accessResultMap ) {
+ int result = -1;
+ String aclName = acl.name().toLowerCase();
+ RangerResourceACLs.AccessResult accessResult =
accessResultMap.get(aclName);
+ if (accessResult != null) {
+ result = accessResult.getResult();
+ }
+ return result;
+ }
+
private String toString(HiveOperationType hiveOpType,
List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs,
diff --git
a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index af60479..b04e8bc 100644
---
a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++
b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -940,7 +940,7 @@ public class HIVERangerAuthorizerTest {
String initialUrl = "jdbc:hive2://localhost:" + port;
Connection connection = DriverManager.getConnection(initialUrl,
"admin", "admin");
Statement statement = connection.createStatement();
- Assert.assertTrue(statement.execute("show grant user admin"));
+ Assert.assertTrue(statement.execute("show grant user admin on table
words"));
statement.close();
connection.close();
}
diff --git
a/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
b/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
index df6da7c..be17e83 100644
---
a/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
+++
b/ranger-examples/conditions-enrichers/src/main/java/org/apache/ranger/plugin/contextenricher/RangerSampleProjectProvider.java
@@ -83,7 +83,7 @@ public class RangerSampleProjectProvider extends
RangerAbstractContextEnricher {
LOG.debug("==> RangerSampleProjectProvider.enrich(" +
request + ")");
}
- if(request != null && userProjectMap != null) {
+ if(request != null && userProjectMap != null &&
request.getUser() != null) {
Map<String, Object> context = request.getContext();
String project =
userProjectMap.getProperty(request.getUser());
