This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 33c7165 RANGER-2391:Ranger authorization for ADD, COMPILE and CREATE
TEMPORARY UDF operation in Hive
33c7165 is described below
commit 33c716502db9498abe34c96ef47591946407c9b1
Author: rmani <[email protected]>
AuthorDate: Tue Apr 2 10:51:04 2019 -0700
RANGER-2391:Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF
operation in Hive
---
.../service-defs/ranger-servicedef-hive.json | 26 +++
.../hive/authorizer/RangerHiveAuthorizer.java | 28 ++-
.../hive/authorizer/RangerHiveResource.java | 12 +-
hive-agent/src/test/resources/hive-policies.json | 72 ++++++-
.../optimized/current/ranger_core_db_mysql.sql | 1 +
.../optimized/current/ranger_core_db_oracle.sql | 1 +
.../optimized/current/ranger_core_db_postgres.sql | 1 +
.../current/ranger_core_db_sqlanywhere.sql | 2 +
.../optimized/current/ranger_core_db_sqlserver.sql | 1 +
.../org/apache/ranger/common/AppConstants.java | 14 +-
.../java/org/apache/ranger/common/ServiceUtil.java | 1 +
.../patch/PatchForHiveServiceDefUpdate_J10017.java | 213 +++++++++++++++++++++
.../org/apache/ranger/util/RangerEnumUtil.java | 7 +
.../src/main/webapp/scripts/modules/XAOverrides.js | 4 +
.../src/main/webapp/scripts/utils/XAEnums.js | 1 +
15 files changed, 375 insertions(+), 9 deletions(-)
diff --git
a/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
index 0b2f78d..08e04e9 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
@@ -119,6 +119,26 @@
"uiHint":"",
"label": "Hive Service",
"description": "Hive Service"
+ },
+ {
+ "itemId": 7,
+ "name": "global",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": false
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Global",
+ "description": "Global"
}
],
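Review bot: The shipped `global` resource definition differs from the copy this commit adds to the test fixture `hive-policies.json`: the fixture sets `"mandatory": true` and string-valued `matcherOptions` (`"wildCard": "true"`), while this one has `"parent": ""`, no `mandatory` key and boolean options. Tests therefore run against a service-def that is not the one being shipped. The definition also carries no `accessTypeRestrictions`, so every Hive access type would presumably be selectable on `global` even though only `tempudfadmin` is evaluated against it; restricting the resource to that access type would keep policies from suggesting more than they grant.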
@@ -208,6 +228,12 @@
"itemId": 12,
"name": "serviceadmin",
"label": "Service Admin"
+ },
+
+ {
+ "itemId": 13,
+ "name": "tempudfadmin",
+ "label": "Temporary UDF Admin"
}
],
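Review bot: `tempudfadmin` is added to the access-type list here, but this file's diff contains no matching change to any `impliedGrants` list. The test fixture `hive-policies.json` in the same commit does add `"tempudfadmin"` after `"serviceadmin"` in a list that looks like the implied grants of `all`. If that reading is right, a policy granting `all` would imply the new permission in tests but not in a real deployment. Align the two files, and state in the commit description whether `all` is meant to include temporary-UDF administration.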
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 1566aa0..992de3d 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -866,6 +866,10 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
ret = new RangerHiveResource(objectType,
hiveObj.getObjectName());
break;
+ case GLOBAL:
+ ret = new
RangerHiveResource(objectType,hiveObj.getObjectName());
+ break;
+
case NONE:
break;
}
@@ -879,6 +883,8 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
private HiveObjectType getObjectType(HivePrivilegeObject hiveObj,
HiveOperationType hiveOpType) {
HiveObjectType objType = HiveObjectType.NONE;
+ String hiveOpTypeName = hiveOpType.name().toLowerCase();
+
if (hiveObj.getType() == null) {
return HiveObjectType.DATABASE;
}
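Review bot: `hiveOpType.name().toLowerCase()` uses the JVM default locale, and this commit feeds the result into authorization decisions in later hunks of this file: `contains("createfunction")` in the FUNCTION case and the `"add"`/`"compile"` comparisons in the GLOBAL case. Under a locale such as Turkish the `I` in CREATEFUNCTION lower-cases to a dotless character, so the temp-UDF test would not match and the object would stay FUNCTION instead of GLOBAL. Comparing the enum directly avoids the string round trip, e.g. `hiveOpType == HiveOperationType.CREATEFUNCTION`, or at minimum use `toLowerCase(Locale.ROOT)`. Hoisting the line above the `hiveObj.getType() == null` return also means a null `hiveOpType` now throws on every path rather than only in TABLE_OR_VIEW. The body of getObjectType continues outside this hunk.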
@@ -893,7 +899,6 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
break;
case TABLE_OR_VIEW:
- String hiveOpTypeName =
hiveOpType.name().toLowerCase();
if(hiveOpTypeName.contains("index")) {
objType = HiveObjectType.INDEX;
} else if(!
StringUtil.isEmpty(hiveObj.getColumns())) {
@@ -907,6 +912,12 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
case FUNCTION:
objType = HiveObjectType.FUNCTION;
+ if (hiveOpTypeName.contains("createfunction") &&
+
StringUtils.isEmpty(hiveObj.getDbname())) {
+ // This happens for temp udf function
and will use
+ // global resource policy in ranger for
auth
+ objType = HiveObjectType.GLOBAL;
+ }
break;
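Review bot: The temp-UDF branch only reclassifies operations whose name contains `createfunction`, so dropping the same temporary function (also no database name) would presumably still be authorized as a FUNCTION resource with an empty database. That request could fail to match any policy, or be evaluated under different rules than the create. An empty `getDbname()` is also only a heuristic for "temporary"; a comment such as `// HivePrivilegeObject carries no dbname for CREATE TEMPORARY FUNCTION; permanent functions always have one` would record the assumption, once it has been confirmed against Hive. The FUNCTION case sits inside a switch that starts outside this hunk.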
case DFS_URI:
@@ -916,6 +927,9 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
case COMMAND_PARAMS:
case GLOBAL:
+ if ( "add".equals(hiveOpTypeName) ||
"compile".equals(hiveOpTypeName)) {
+ objType = HiveObjectType.GLOBAL;
+ }
break;
case SERVICE_NAME:
@@ -964,6 +978,9 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
if(hiveObj.getType() ==
HivePrivilegeObjectType.FUNCTION) {
accessType =
HiveAccessType.CREATE;
}
+ if(hiveObjectType ==
HiveObjectType.GLOBAL ) {
+ accessType =
HiveAccessType.TEMPUDFADMIN;
+ }
break;
case CREATETABLE:
@@ -1136,8 +1153,11 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
break;
case ADD:
- case DELETE:
case COMPILE:
+ accessType =
HiveAccessType.TEMPUDFADMIN;
+ break;
+
+ case DELETE:
case CREATEMACRO:
case CREATEROLE:
case DESCFUNCTION:
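Review bot: ADD and COMPILE now require `TEMPUDFADMIN`, but DELETE is moved back into the following group with CREATEMACRO and CREATEROLE, whose access type is not visible in this hunk. If that group is not authorized, removing a resource stays unchecked while adding one is checked; a one-line comment stating why DELETE is excluded would help the next reader. This is also a behaviour change on upgrade: the J10017 patch in this commit only updates the service-def and creates no policy, so existing users would presumably be denied ADD/COMPILE until an administrator grants `tempudfadmin` on `global`. That belongs in the commit description or release notes.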
@@ -2006,8 +2026,8 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
}
}
-enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN,
FUNCTION, URI, SERVICE_NAME };
-enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE,
USE, READ, WRITE, ALL, REPLADMIN, SERVICEADMIN };
+enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN,
FUNCTION, URI, SERVICE_NAME, GLOBAL };
+enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE,
USE, READ, WRITE, ALL, REPLADMIN, SERVICEADMIN, TEMPUDFADMIN };
class HiveObj {
String databaseName;
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
index bbddff5..ddc0982 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
@@ -31,10 +31,12 @@ public class RangerHiveResource extends
RangerAccessResourceImpl {
public static final String KEY_COLUMN = "column";
public static final String KEY_URL = "url";
public static final String KEY_HIVESERVICE = "hiveservice";
+ public static final String KEY_GLOBAL = "global";
+
private HiveObjectType objectType = null;
- //FirstLevelResource => Database or URL or Hive Service
+ //FirstLevelResource => Database or URL or Hive Service or Global
//SecondLevelResource => Table or UDF
//ThirdLevelResource => column
public RangerHiveResource(HiveObjectType objectType, String
firstLevelResource) {
@@ -86,6 +88,14 @@ public class RangerHiveResource extends
RangerAccessResourceImpl {
setValue(KEY_HIVESERVICE,firstLevelResource);
break;
+ case GLOBAL:
+ if (firstLevelResource == null) {
+ firstLevelResource = KEY_GLOBAL;
+ //There is no resource name associated
to global operations
+ }
+ setValue(KEY_GLOBAL,firstLevelResource);
+ break;
+
case NONE:
default:
break;
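Review bot: The GLOBAL branch substitutes the literal `global` only when `firstLevelResource` is null, so an empty string from `hiveObj.getObjectName()` would be stored as the resource value unchanged; a null-or-empty check would treat both the same way. The explanatory comment sits after the assignment it describes and would read better above the `if`. For a temporary UDF the value stored under `KEY_GLOBAL` appears to be the function name rather than `global`, so the constructor comment should say what values a `global` policy is matched against, e.g. `// Global => object name of the operation, or "global" when Hive supplies none`.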
diff --git a/hive-agent/src/test/resources/hive-policies.json
b/hive-agent/src/test/resources/hive-policies.json
index d82f032..e51edc4 100644
--- a/hive-agent/src/test/resources/hive-policies.json
+++ b/hive-agent/src/test/resources/hive-policies.json
@@ -636,7 +636,7 @@
"resources": {
"database": {
"values": [
- "test1"
+ "test1" , "tmp"
],
"isExcludes": false,
"isRecursive": false
@@ -925,6 +925,45 @@
"id": 16,
"isEnabled": true,
"version": 1
+ },
+ {
+ "service": "HIVETest",
+ "name": "Create Temp UDF test",
+ "policyType": 0,
+ "isAuditEnabled": true,
+ "resources": {
+ "global": {
+ "values": [
+ "*"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "tempudfadmin",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "tom"
+ ],
+ "groups": [],
+ "conditions": [],
+ "delegateAdmin": true
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "id": 17,
+ "isEnabled": true,
+ "version": 1
}
],
"serviceDef": {
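Review bot: No test in this commit exercises the new "Create Temp UDF test" policy: the diffstat lists `hive-policies.json` as the only file under `src/test`, so neither the allow path for `tom` nor a deny path for another user is asserted. The policy item also sets `"delegateAdmin": true`, which is broader than a fixture for an access check needs; `false` would keep the test focused on `tempudfadmin` itself. The earlier hunk that adds `"tmp"` to an existing database policy is not explained by the commit message.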
@@ -1108,6 +1147,28 @@
"description": "Hive Service",
"accessTypeRestrictions": [],
"isValidLeaf": true
+ },
+ {
+ "itemId": 7,
+ "name": "global",
+ "type": "string",
+ "level": 10,
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": "true",
+ "ignoreCase": "false"
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Global",
+ "description": "Global",
+ "accessTypeRestrictions": [],
+ "isValidLeaf": true
}
],
"accessTypes": [
@@ -1168,7 +1229,8 @@
"read",
"write",
"repladmin",
- "serviceadmin"
+ "serviceadmin",
+ "tempudfadmin"
]
},
{
@@ -1194,6 +1256,12 @@
"name": "serviceadmin",
"label": "Service Admin",
"impliedGrants": []
+ },
+ {
+ "itemId": 13,
+ "name": "tempudfadmin",
+ "label": "Temporary UDF Admin",
+ "impliedGrants": []
}
],
"policyConditions": [],
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index 2eaffcc..0a529b4 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -1602,6 +1602,7 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10014',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10015',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10016',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10017',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10019',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10020',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10025',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
diff --git
a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index 5ca1e36..9be7e8d 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -1747,6 +1747,7 @@ INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,act
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10014',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10015',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10016',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10017',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10019',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10020',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10025',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
diff --git
a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 51f4999..ec39c32 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -1694,6 +1694,7 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10014',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10015',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10016',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10017',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10019',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10020',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10025',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
diff --git
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 5f64a2d..abfe120 100644
---
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2051,6 +2051,8 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10016',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10017',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10019',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10020',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
diff --git
a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index fc21cec..1e8dff9 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -3672,6 +3672,7 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10014',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10015',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10016',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10017',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10019',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10020',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10025',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
index d28f3de..039e4e8 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/AppConstants.java
@@ -351,11 +351,15 @@ public class AppConstants extends RangerCommonEnums {
* XA_PERM_TYPE_SERVICEADMIN is an element of enum XAPermType. Its
value is "XA_PERM_TYPE_HIVE_SERVICE".
*/
public static final int XA_PERM_TYPE_SERVICEADMIN = 33;
+ /**
+ * XA_PERM_TYPE_TEMPUDFADMIN is an element of enum XAPermType. Its
value is "XA_PERM_TYPE_TEMPUDFADMIN".
+ */
+ public static final int XA_PERM_TYPE_TEMPUDFADMIN = 34;
/**
* Max value for enum XAPermType_MAX
*/
- public static final int XAPermType_MAX = 33;
+ public static final int XAPermType_MAX = 34;
/***************************************************************
* Enum values for DatabaseFavor
@@ -877,6 +881,10 @@ public class AppConstants extends RangerCommonEnums {
// return "serviceadmin"; //XA_PERM_TYPE_SERVICEADMIN
return "serviceadmin";
}
+ if( elementValue == 34 ) {
+ // return "tempudfadmin"; //XA_PERM_TYPE_TEMPUDFADMIN
+ return "tempudfadmin";
+ }
return null;
}
@@ -1190,7 +1198,9 @@ public class AppConstants extends RangerCommonEnums {
if(label.equalsIgnoreCase("serviceadmin")) {
return AppConstants.XA_PERM_TYPE_SERVICEADMIN;
//XA_PERM_TYPE_SERVICEADMIN
}
-
+ if("tempudfadmin".equalsIgnoreCase(label)) {
+ return AppConstants.XA_PERM_TYPE_TEMPUDFADMIN;
//XA_PERM_TYPE_TEMPUDFADMIN
+ }
return 0;
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
index 1afe20e..2003474 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
@@ -128,6 +128,7 @@ public class ServiceUtil {
mapAccessTypeToPermType.put("uploadNewCredentials", 31);
mapAccessTypeToPermType.put("repladmin",32);
mapAccessTypeToPermType.put("serviceadmin",33);
+ mapAccessTypeToPermType.put("tempudfadmin",34);
version = "0";
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10017.java
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10017.java
new file mode 100644
index 0000000..8cccc6f
--- /dev/null
+++
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10017.java
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.RangerBizUtil;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForHiveServiceDefUpdate_J10017 extends BaseLoader {
+ private static final Logger logger =
Logger.getLogger(PatchForHiveServiceDefUpdate_J10017.class);
+ public static final String SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME =
"hive";
+ public static final String HIVE_GLOBAL_RESOURCE_NAME ="global";
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ @Autowired
+ JSONUtil jsonUtil;
+
+ @Autowired
+ RangerPolicyService policyService;
+
+ @Autowired
+ StringUtil stringUtil;
+
+ @Autowired
+ XPolicyService xPolService;
+
+ @Autowired
+ XPermMapService xPermMapService;
+
+ @Autowired
+ RangerBizUtil bizUtil;
+
+ @Autowired
+ RangerValidatorFactory validatorFactory;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+ try {
+ PatchForHiveServiceDefUpdate_J10017 loader =
(PatchForHiveServiceDefUpdate_J10017)
CLIUtil.getBean(PatchForHiveServiceDefUpdate_J10017.class);
+ loader.init();
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+ logger.info("Load complete. Exiting!!!");
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==>
PatchForHiveServiceDefUpdateForResourceSpecificAccesses.execLoad()");
+ try {
+ updateHiveServiceDef();
+ } catch (Exception e) {
+ logger.error("Error whille
updateHiveServiceDef()data.", e);
+ }
+ logger.info("<==
PatchForHiveServiceDefUpdateForResourceSpecificAccesses.execLoad()");
+ }
+
+ @Override
+ public void printStats() {
+
logger.info("PatchForHiveServiceDefUpdateForResourceSpecificAccesses data ");
+ }
+
+ private void updateHiveServiceDef(){
+ RangerServiceDef embeddedHiveServiceDef = null;
+ RangerServiceDef dbHiveServiceDef = null;
+ XXServiceDef xXServiceDefObj = null;
+ try{
+ embeddedHiveServiceDef =
EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
+
+ if (embeddedHiveServiceDef != null) {
+ xXServiceDefObj =
daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
+ if (xXServiceDefObj == null) {
+ logger.error("Service def for " +
SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME + " is not found!!");
+ return;
+ }
+
+ String jsonStrPreUpdate =
xXServiceDefObj.getDefOptions();
+ Map<String, String> serviceDefOptionsPreUpdate
= jsonUtil.jsonToMap(jsonStrPreUpdate);
+ String valueBeforeUpdate =
serviceDefOptionsPreUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+
+ dbHiveServiceDef =
svcDBStore.getServiceDefByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
+
+ if(dbHiveServiceDef != null) {
+ boolean isServiceDefUpdated =
updateServiceDef(dbHiveServiceDef, embeddedHiveServiceDef);
+
+ if (isServiceDefUpdated) {
+ xXServiceDefObj =
daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME);
+
+ if (xXServiceDefObj != null) {
+ String
jsonStrPostUpdate = xXServiceDefObj.getDefOptions();
+ Map<String, String>
serviceDefOptionsPostUpdate = jsonUtil.jsonToMap(jsonStrPostUpdate);
+ String valueAfterUpdate
=
serviceDefOptionsPostUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+
+ if
(!StringUtils.equals(valueBeforeUpdate, valueAfterUpdate)) {
+ if
(StringUtils.isEmpty(valueBeforeUpdate)) {
+
serviceDefOptionsPostUpdate.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+ } else {
+
serviceDefOptionsPostUpdate.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES,
valueBeforeUpdate);
+ }
+
xXServiceDefObj.setDefOptions(mapToJsonString(serviceDefOptionsPostUpdate));
+
daoMgr.getXXServiceDef().update(xXServiceDefObj);
+ }
+ }
+ }
+ }
+ }
+ } catch(Exception e) {
+ logger.error("Error while updating
"+SERVICEDBSTORE_SERVICEDEFBYNAME_HIVE_NAME+"service-def", e);
+ }
+ }
+
+ private boolean updateServiceDef(RangerServiceDef serviceDef,
RangerServiceDef embeddedHiveServiceDef ) throws Exception {
+ boolean ret = false;
+
+ List<RangerServiceDef.RangerResourceDef>
embeddedHiveResourceDefs = null;
+ List<RangerServiceDef.RangerAccessTypeDef>
embeddedHiveAccessTypes = null;
+
+ embeddedHiveResourceDefs =
embeddedHiveServiceDef.getResources();
+ embeddedHiveAccessTypes =
embeddedHiveServiceDef.getAccessTypes();
+
+ if (checkHiveGlobalresourcePresent(embeddedHiveResourceDefs)) {
+ // This is to check if HIVESERVICE def is added to the
resource definition, if so update the resource def and accessType def
+ if (embeddedHiveResourceDefs != null) {
+
serviceDef.setResources(embeddedHiveResourceDefs);
+ }
+ if (embeddedHiveAccessTypes != null) {
+
if(!embeddedHiveAccessTypes.toString().equalsIgnoreCase(serviceDef.getAccessTypes().toString()))
{
+
serviceDef.setAccessTypes(embeddedHiveAccessTypes);
+ }
+ }
+ ret = true;
+ }
+
+ RangerServiceDefValidator validator =
validatorFactory.getServiceDefValidator(svcStore);
+ validator.validate(serviceDef, Action.UPDATE);
+ svcStore.updateServiceDef(serviceDef);
+
+ return ret;
+ }
+
+ private boolean
checkHiveGlobalresourcePresent(List<RangerServiceDef.RangerResourceDef>
resourceDefs) {
+ boolean ret = false;
+ for(RangerServiceDef.RangerResourceDef resourceDef :
resourceDefs) {
+ if
(HIVE_GLOBAL_RESOURCE_NAME.equals(resourceDef.getName()) ) {
+ ret = true ;
+ break;
+ }
+ }
+ return ret;
+ }
+
+ private String mapToJsonString(Map<String, String> map) throws
Exception {
+ String ret = null;
+ if(map != null) {
+ ret = jsonUtil.readMapToString(map);
+ }
+ return ret;
+ }
+}
+
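Review bot: A failure inside `updateHiveServiceDef()` is logged and swallowed twice, by its own `catch(Exception e)` and again in `execLoad()`, so `main()` still reaches `System.exit(0)` and the run looks successful even when the `global` resource and `tempudfadmin` access type were never written. Since the plugin side of this commit now demands TEMPUDFADMIN for ADD and COMPILE, that would presumably leave those operations denied with no policy able to grant them. Letting the exception propagate to the existing `System.exit(1)` branch in `main()` makes the failure visible, assuming `BaseLoader.load()` does not catch it itself. `checkHiveGlobalresourcePresent` also dereferences `resourceDefs` before the caller's `embeddedHiveResourceDefs != null` test, so that test is dead and a null list throws. The log tags name `PatchForHiveServiceDefUpdateForResourceSpecificAccesses` rather than this class.

```java
@Override
public void execLoad() {
	logger.info("==> PatchForHiveServiceDefUpdate_J10017.execLoad()");
	try {
		updateHiveServiceDef();
	} catch (Exception e) {
		// Propagate so main() takes its System.exit(1) branch instead of reporting success.
		throw new IllegalStateException("Error while updating hive service-def", e);
	}
	logger.info("<== PatchForHiveServiceDefUpdate_J10017.execLoad()");
}

private void updateHiveServiceDef() throws Exception {
	// … unchanged: body of the former try block, without the catch-all that only logged …
}

private boolean checkHiveGlobalresourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
	if (resourceDefs == null) {
		return false;
	}
	// … unchanged: loop that looks for HIVE_GLOBAL_RESOURCE_NAME …
}
```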
diff --git
a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
index b39bcf4..059b75a 100644
--- a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
@@ -1236,7 +1236,14 @@ public class RangerEnumUtil {
vEnum.getElementList().add(vElement);
+ vElement = new VEnumElement();
+ vElement.setElementName("RESOURCE_GLOBAL");
+ vElement.setElementValue(11);
+ vElement.setElementLabel("Global");
+ vElement.setRbKey("xa.enum.ResourceType.RESOURCE_GLOBAL");
+ vElement.setEnumName(vEnum.getEnumName());
+ vEnum.getElementList().add(vElement);
///////////////////////////////////
// CommonEnums::XAGroupType
///////////////////////////////////
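Review bot: The new `RESOURCE_GLOBAL` element hard-codes the value `11`, and the `AppConstants.java` hunks in this commit touch only `XAPermType`, so no matching `RESOURCE_GLOBAL` constant or resource-type maximum is visibly updated. If `AppConstants` keeps a ResourceType range, a value of 11 may fall outside it; confirm that and reference a named constant here rather than the literal. The surrounding method starts and ends outside this hunk.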
diff --git a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
index 7af481f..5721ba3 100644
--- a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
+++ b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
@@ -649,6 +649,10 @@
&& ( XAUtil.capitaliseFirstLetter(this.value) ===
XAEnums.ResourceType.RESOURCE_UDF.label) ){
XAUtil.alertPopup({ msg
:localization.tt('msg.udfPolicyViolation') });
}
+ if(!_.isUndefined(this.value)
+ && ( XAUtil.capitaliseFirstLetter(this.value) ===
XAEnums.ResourceType.RESOURCE_GLOBAL.label) ){
+ XAUtil.alertPopup({ msg
:localization.tt('msg.udfPolicyViolation') });
+ }
// if value is "none" hide recursive/exclude toggles
if(this.value == "none"){
that.recursiveSupport = false;
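Review bot: The new branch for `RESOURCE_GLOBAL` shows `localization.tt('msg.udfPolicyViolation')`, the message written for the UDF resource, so a user selecting Global would be told about a UDF policy violation. Either add a dedicated message key for the global resource or fold both labels into one condition, with a comment explaining why the same warning applies. The diffstat lists no localization file, so a key such as `lbl.RESOURCE_GLOBAL`, referenced in `XAEnums.js`, may also be undefined. The enclosing handler starts outside this hunk.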
diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js
b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
index c67ad3d..c6956ea 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
@@ -290,6 +290,7 @@ define(function(require) {
RESOURCE_VIEW_COL:{value:8, label:'View Column',
rbkey:'xa.enum.ResourceType.RESOURCE_VIEW_COL', tt:
'lbl.ResourceType_RESOURCE_VIEW_COL'},
RESOURCE_TOPOLOGY:{value:9, label:'Topology',
rbkey:'xa.enum.ResourceType.RESOURCE_TOPOLOGY', tt: 'lbl.RESOURCE_TOPOLOGY'},
RESOURCE_SERVICE:{value:10, label:'Service',
rbkey:'xa.enum.ResourceType.RESOURCE_SERVICE', tt: 'lbl.RESOURCE_SERVICE'},
+ RESOURCE_GLOBAL:{value:11, label:'Global',
rbkey:'xa.enum.ResourceType.RESOURCE_GLOBAL', tt: 'lbl.RESOURCE_GLOBAL'}
});
XAEnums.ResponseStatus = mergeParams(XAEnums.ResponseStatus, {