This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new bcfb4c6 RANGER-2390:Ranger should add service admin privilege support
for hive service objects - LLAP command sets
bcfb4c6 is described below
commit bcfb4c6b3eceecd819aa0ccbbcb3a1685de447b3
Author: rmani <[email protected]>
AuthorDate: Thu Apr 11 13:26:13 2019 -0700
RANGER-2390: Ranger should add service admin privilege support for Hive
service objects - LLAP command sets
Signed-off-by: rmani <[email protected]>
---
.../hive/authorizer/RangerHiveAuditHandler.java | 26 +++++++++++----
.../hive/authorizer/RangerHiveAuthorizer.java | 32 ++++++++++++++++++
.../services/hive/HIVERangerAuthorizerTest.java | 39 ++++++++++++++++++++++
.../services/hive/RangerHiveOperationType.java | 10 +++---
hive-agent/src/test/resources/hive-policies.json | 2 ++
5 files changed, 97 insertions(+), 12 deletions(-)
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index 8fd48f8..bf4d6c1 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -23,6 +23,9 @@ import java.util.*;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.model.RangerPolicy;
@@ -34,6 +37,8 @@ import com.google.common.collect.Lists;
public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
+ private static final Log LOG =
LogFactory.getLog(RangerDefaultAuditHandler.class);
+
public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
Collection<AuthzAuditEvent> auditEvents = null;
boolean deniedExists = false;
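Review bot: The logger introduced at the top of this hunk is created with `RangerDefaultAuditHandler.class`, so every message this handler emits — including the DFS debug line added later in this file — is attributed to the base class and cannot be enabled or filtered under this class's own logger name. It should read `private static final Log LOG = LogFactory.getLog(RangerHiveAuditHandler.class);`. The same field is the one used by the debug statement in the `@@ -201,6 +209,10 @@` hunk, so fixing it here corrects both.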
@@ -71,14 +76,17 @@ public class RangerHiveAuditHandler extends
RangerDefaultAuditHandler {
}
if (hiveAccessType == HiveAccessType.SERVICEADMIN) {
+ String hiveOperationType = request.getAction();
String commandStr = request.getRequestData();
- String queryId =
getServiceAdminQueryId(commandStr);
- if (!StringUtils.isEmpty(queryId)) {
- auditEvent.setRequestData(queryId);
- }
- commandStr = getServiceAdminCmd(commandStr);
- if (StringUtils.isEmpty(commandStr)) {
- commandStr = hiveAccessType.name();
+ if
(HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(hiveOperationType)) {
+ String queryId =
getServiceAdminQueryId(commandStr);
+ if (!StringUtils.isEmpty(queryId)) {
+
auditEvent.setRequestData(queryId);
+ }
+ commandStr =
getServiceAdminCmd(commandStr);
+ if (StringUtils.isEmpty(commandStr)) {
+ commandStr =
hiveAccessType.name();
+ }
}
auditEvent.setAccessType(commandStr);
}
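Review bot: The empty-command fallback now runs only for KILL_QUERY, so for every other SERVICEADMIN operation this commit introduces (resource plans, triggers, pools, mappings, LLAP commands) `commandStr` is still the raw `request.getRequestData()` when it reaches `auditEvent.setAccessType(commandStr)`. That places the full command text — or an empty/null value when no request data was supplied — in the audit record's access-type field, which makes those entries inconsistent with the KILL_QUERY entries and hard to filter or alert on by access type. Keep the query-id and command extraction inside the KILL_QUERY branch but hoist the fallback below it: `if (StringUtils.isEmpty(commandStr)) { commandStr = hiveAccessType.name(); }`. The comparison `HiveOperationType.KILL_QUERY.name().equalsIgnoreCase(hiveOperationType)` also presumes `request.getAction()` carries the Hive operation-type name; the enclosing method starts outside this hunk, so that cannot be confirmed from the page.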
@@ -201,6 +209,10 @@ public class RangerHiveAuditHandler extends
RangerDefaultAuditHandler {
auditEvent.setResourcePath(dfsCommand);
+ if(LOG.isDebugEnabled()){
+ LOG.debug("Logging DFS event " + auditEvent.toString());
+ }
+
addAuthzAuditEvent(auditEvent);
}
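Review bot: The new debug statement writes the whole audit event, including any request data it carries, into the application log whenever DEBUG is enabled, so that log then needs the same retention and access handling as the audit trail; a one-line comment stating this would help operators deciding whether to enable it, e.g. `// DEBUG only: emits the full audit record, including request data, to the application log`. The explicit `.toString()` is redundant inside string concatenation — `LOG.debug("Logging DFS event " + auditEvent)` is the idiomatic form. The enclosing method starts outside the hunk.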
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 88ecf5f..1566aa0 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1013,6 +1013,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
case ALTERTABLE_UNARCHIVE:
case ALTERTABLE_UPDATEPARTSTATS:
case ALTERTABLE_UPDATETABLESTATS:
+ case ALTERTABLE_UPDATECOLUMNS:
case ALTERTBLPART_SKEWED_LOCATION:
case ALTERVIEW_AS:
case ALTERVIEW_PROPERTIES:
@@ -1116,6 +1117,21 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
break;
case KILL_QUERY:
+ case CREATE_RESOURCEPLAN:
+ case SHOW_RESOURCEPLAN:
+ case ALTER_RESOURCEPLAN:
+ case DROP_RESOURCEPLAN:
+ case CREATE_TRIGGER:
+ case ALTER_TRIGGER:
+ case DROP_TRIGGER:
+ case CREATE_POOL:
+ case ALTER_POOL:
+ case DROP_POOL:
+ case CREATE_MAPPING:
+ case ALTER_MAPPING:
+ case DROP_MAPPING:
+ case LLAP_CACHE_PURGE:
+ case LLAP_CLUSTER_INFO:
accessType =
HiveAccessType.SERVICEADMIN;
break;
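Review bot: The fifteen operation types added under `case KILL_QUERY:` here are the same fifteen added to a second switch later in this file (the `@@ -1287,6 +1304,21 @@` hunk), with no shared definition tying the two lists together; a future operation added to one switch and not the other would be mapped to SERVICEADMIN in one place and handled differently in the other. A `private static final EnumSet<HiveOperationType>` naming the service-admin operation types, consulted by both switches, would keep the privilege mapping in one place. The list also groups read-only commands (`SHOW_RESOURCEPLAN`, `LLAP_CLUSTER_INFO`) with mutating ones under a single SERVICEADMIN privilege; that mirrors the existing KILL_QUERY handling, but a comment stating that the coarse grouping is intentional would save the next reader the question. Both enclosing switch statements start and end outside their hunks.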
@@ -1189,6 +1205,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
case ALTERTABLE_BUCKETNUM:
case ALTERTABLE_UPDATETABLESTATS:
case ALTERTABLE_UPDATEPARTSTATS:
+ case ALTERTABLE_UPDATECOLUMNS:
case ALTERTABLE_PROTECTMODE:
case ALTERTABLE_FILEFORMAT:
case ALTERTABLE_LOCATION:
@@ -1287,6 +1304,21 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
case REPLLOAD:
case REPLSTATUS:
case KILL_QUERY:
+ case LLAP_CACHE_PURGE:
+ case LLAP_CLUSTER_INFO:
+ case CREATE_RESOURCEPLAN:
+ case SHOW_RESOURCEPLAN:
+ case ALTER_RESOURCEPLAN:
+ case DROP_RESOURCEPLAN:
+ case CREATE_TRIGGER:
+ case ALTER_TRIGGER:
+ case DROP_TRIGGER:
+ case CREATE_POOL:
+ case ALTER_POOL:
+ case DROP_POOL:
+ case CREATE_MAPPING:
+ case ALTER_MAPPING:
+ case DROP_MAPPING:
break;
}
diff --git
a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
index e7bed94..6238174 100644
---
a/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
+++
b/hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java
@@ -93,6 +93,7 @@ public class HIVERangerAuthorizerTest {
conf.set(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_PORT.varname, "" +
port);
conf.set(HiveConf.ConfVars.METASTORE_SCHEMA_VERIFICATION.toString(),
"false");
conf.set(HiveConf.ConfVars.HIVE_SERVER2_WEBUI_PORT.varname, "0");
+ conf.set(HiveConf.ConfVars.HIVE_EXECUTION_ENGINE.varname,"mr");
hiveServer = new HiveServer2();
hiveServer.init(conf);
@@ -617,6 +618,7 @@ public class HIVERangerAuthorizerTest {
ResultSet resultSet = statement.executeQuery("SELECT * FROM words
where count == '100'");
if (resultSet.next()) {
Assert.assertNotEquals("Mr.", resultSet.getString(1));
+
Assert.assertEquals("1a24b7688c199c24d87b5984d152b37d1d528911ec852d9cdf98c3ef29b916ea",
resultSet.getString(1));
Assert.assertEquals(100, resultSet.getInt(2));
} else {
Assert.fail("No ResultSet found");
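Review bot: The expected value `"1a24b7688c199c24d87b5984d152b37d1d528911ec852d9cdf98c3ef29b916ea"` is an unexplained 64-character hex literal; the assertion above it only shows the first column is no longer `"Mr."`, so a reader cannot tell what this value represents or how to regenerate it if the masking policy in hive-policies.json changes. Add a comment such as `// masked form of column 1 for count == 100, as produced by the mask policy in hive-policies.json` — it looks like a hex digest, but that is an inference from the page, so word the comment to match what the policy actually applies. The enclosing test method starts outside the hunk.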
@@ -1032,4 +1034,41 @@ public class HIVERangerAuthorizerTest {
statement.close();
connection.close();
}
+
+ @Test
+ public void testWorkLoadManagementCommands() throws Exception {
+
+ String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
+ Connection connection = DriverManager.getConnection(url,
"da_test_user", "da_test_user");
+
+ Statement statement = connection.createStatement();
+ try {
+ statement.execute("show resource plans");
+ } catch (SQLException ex) {
+ Assert.fail("access should have been granted to da_test_user");
+ }
+ statement.close();
+ connection.close();
+
+ connection = DriverManager.getConnection(url, "da_test_user",
"da_test_user");
+ statement = connection.createStatement();
+ try {
+ statement.execute("create resource plan myplan1");
+ } catch (SQLException ex) {
+ Assert.fail("access should have been granted to da_test_user");
+ }
+ statement.close();
+ connection.close();
+
+ connection = DriverManager.getConnection(url, "bob", "bob");
+ statement = connection.createStatement();
+ try {
+ statement.execute("create resource plan myplan1");
+ Assert.fail("Failure expected on an unauthorized call");
+ } catch (SQLException ex) {
+ //Excepted
+ }
+ statement.close();
+ connection.close();
+ }
}
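Review bot: The negative case at the end of `testWorkLoadManagementCommands` cannot distinguish an authorization denial from any other failure: `bob` attempts `create resource plan myplan1` after `da_test_user` has already created `myplan1`, and the catch accepts any `SQLException`, so a duplicate-name error would also pass the test. Use a name not created earlier, `statement.execute("create resource plan myplan2");`, and assert on the caught exception (for example that its message reports the denied privilege) instead of ignoring it; the `//Excepted` comment should read `// Expected: bob does not hold the serviceadmin privilege`. The `Connection` and `Statement` objects are also closed only on the happy path — an `Assert.fail` or unexpected exception leaks them — so each section belongs in try-with-resources, and the `myplan1` created by `da_test_user` is never dropped, leaving state behind for later tests in this class.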
diff --git
a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerHiveOperationType.java
b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerHiveOperationType.java
index e0142c9..cccab0f 100644
---
a/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerHiveOperationType.java
+++
b/hive-agent/src/test/java/org/apache/ranger/services/hive/RangerHiveOperationType.java
@@ -69,16 +69,16 @@ public enum RangerHiveOperationType {
ALTERTABLE_UPDATETABLESTATS,
ALTERTABLE_UPDATECOLUMNS,
ALTERTABLE_EXCHANGEPARTITION,
- ALTER_RESOURCEPLAN,
- ALTER_MATERIALIZED_VIEW_REWRITE,
- ALTER_MAPPING,
- ALTER_TRIGGER,
- ALTER_POOL,
ALTERTABLE_OWNER,
ALTERTBLPART_SKEWED_LOCATION,
ALTERVIEW_AS,
ALTERVIEW_PROPERTIES,
ALTERVIEW_RENAME,
+ ALTER_RESOURCEPLAN,
+ ALTER_MATERIALIZED_VIEW_REWRITE,
+ ALTER_MAPPING,
+ ALTER_TRIGGER,
+ ALTER_POOL,
DROPVIEW_PROPERTIES,
MSCK,
DROPFUNCTION,
diff --git a/hive-agent/src/test/resources/hive-policies.json
b/hive-agent/src/test/resources/hive-policies.json
index 473381c..d82f032 100644
--- a/hive-agent/src/test/resources/hive-policies.json
+++ b/hive-agent/src/test/resources/hive-policies.json
@@ -1165,6 +1165,8 @@
"alter",
"index",
"lock",
+ "read",
+ "write",
"repladmin",
"serviceadmin"
]
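Review bot: This fixture widens an access list with `"read"` and `"write"` in a policy item whose user or group binding lies outside the hunk, while the new test only exercises `serviceadmin` commands, and nothing on the page says why the extra access types are needed. If they are required for the resource-plan commands to succeed, that dependency deserves a sentence in the test; if not, the grant is broader than what the test covers. Since the fixture is JSON, the explanation has to live in the test class rather than beside these lines.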