This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 6e8873b  RANGER-3058: [ranger-hive] create table fails when 
ViewDFS(client side HDFS mounting fs) mount points are targeting to Ozone/S3 FS.
6e8873b is described below

commit 6e8873b03b8dad9e498af69e1cff73ea1889cda6
Author: Uma Maheswara Rao G <[email protected]>
AuthorDate: Thu Nov 12 11:12:34 2020 -0800

    RANGER-3058: [ranger-hive] create table fails when ViewDFS(client side HDFS 
mounting fs) mount points are targeting to Ozone/S3 FS.
    
    Signed-off-by: Sailaja Polavarapu <[email protected]>
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 117 +++++++++++++++++----
 1 file changed, 99 insertions(+), 18 deletions(-)

diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 1bec50b..b909e30 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.authorization.hive.authorizer;
 
+import java.io.IOException;
 import java.net.InetAddress;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -808,17 +809,46 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                                continue;
                                        }
 
-                                       String  path                    = 
hiveObj.getObjectName();
+          String pathStr = hiveObj.getObjectName();
                                        HiveObjectType hiveObjType  = 
resource.getObjectType();
 
-                                       if(hiveObjType == HiveObjectType.URI && 
isPathInFSScheme(path)) {
-                                               FsAction permission = 
getURIAccessType(hiveOpType);
+          if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(pathStr)) {
 
-                                               if(!isURIAccessAllowed(user, 
permission, path, getHiveConf())) {
-                                                       throw new 
HiveAccessControlException(String.format("Permission denied: user [%s] does not 
have [%s] privilege on [%s]", user, permission.name(), path));
-                                               }
+            FsAction permission = getURIAccessType(hiveOpType);
+            Path path = new Path(pathStr);
+            FileSystem fs = null;
 
-                                               continue;
+            try {
+              fs = FileSystem.get(path.toUri(), getHiveConf());
+            } catch (IOException e) {
+              LOG.error("Error getting permissions for " + path, e);
+              throw new HiveAccessControlException(
+                  String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
+                      permission.name(), path),
+                  e);
+            }
+
+            boolean shouldCheckAccess = true;
+
+            if (isMountedFs(fs)) {
+              Path resolvedPath = resolvePath(path, fs);
+              if (resolvedPath != null) {
+                // we know the resolved path scheme. Let's check the resolved 
path
+                // scheme is part of hivePlugin.getFSScheme.
+                shouldCheckAccess = 
isPathInFSScheme(resolvedPath.toUri().toString());
+              }
+            }
+
+            if (shouldCheckAccess) {
+              if (!isURIAccessAllowed(user, permission, path, fs)) {
+                throw new HiveAccessControlException(
+                    String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
+                        permission.name(), path));
+              }
+              continue;
+            }
+            // This means we got resolved path scheme is not part of
+            // hivePlugin.getFSScheme
                                        }
 
                                        HiveAccessType accessType = 
getAccessType(hiveObj, hiveOpType, hiveObjType, true);
@@ -869,17 +899,46 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                                continue;
                                        }
 
-                                       String   path       = 
hiveObj.getObjectName();
+          String pathStr = hiveObj.getObjectName();
                                        HiveObjectType hiveObjType  = 
resource.getObjectType();
 
-                                       if(hiveObjType == HiveObjectType.URI  
&& isPathInFSScheme(path)) {
-                                               FsAction permission = 
getURIAccessType(hiveOpType);
+          if (hiveObjType == HiveObjectType.URI && isPathInFSScheme(pathStr)) {
 
-                               if(!isURIAccessAllowed(user, permission, path, 
getHiveConf())) {
-                                               throw new 
HiveAccessControlException(String.format("Permission denied: user [%s] does not 
have [%s] privilege on [%s]", user, permission.name(), path));
-                               }
+            FsAction permission = getURIAccessType(hiveOpType);
+            Path path = new Path(pathStr);
+            FileSystem fs = null;
 
-                                               continue;
+            try {
+              fs = FileSystem.get(path.toUri(), getHiveConf());
+            } catch (IOException e) {
+              LOG.error("Error getting permissions for " + path, e);
+              throw new HiveAccessControlException(
+                  String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
+                      permission.name(), path),
+                  e);
+            }
+
+            boolean shouldCheckAccess = true;
+
+            if (isMountedFs(fs)) {
+              Path resolvedPath = resolvePath(path, fs);
+              if (resolvedPath != null) {
+                // we know the resolved path scheme. Let's check the resolved 
path
+                // scheme is part of hivePlugin.getFSScheme.
+                shouldCheckAccess = 
isPathInFSScheme(resolvedPath.toUri().toString());
+              }
+            }
+
+            if (shouldCheckAccess) {
+              if (!isURIAccessAllowed(user, permission, path, fs)) {
+                throw new HiveAccessControlException(
+                    String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
+                        permission.name(), path));
+              }
+              continue;
+            }
+            // This means we got resolved path scheme is not part of
+            // hivePlugin.getFSScheme
                                        }
 
                                        HiveAccessType accessType = 
getAccessType(hiveObj, hiveOpType, hiveObjType, false);
@@ -2007,15 +2066,13 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return ret;
        }
 
-    private boolean isURIAccessAllowed(String userName, FsAction action, 
String uri, HiveConf conf) {
+  private boolean isURIAccessAllowed(String userName, FsAction action, Path 
filePath, FileSystem fs) {
         boolean ret = false;
 
         if(action == FsAction.NONE) {
             ret = true;
         } else {
             try {
-                Path       filePath   = new Path(uri);
-                FileSystem fs         = FileSystem.get(filePath.toUri(), conf);
                 FileStatus[] filestat = fs.globStatus(filePath);
 
                 if(filestat != null && filestat.length > 0) {
@@ -2039,7 +2096,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                 }
             } catch(Exception excp) {
                                ret = false;
-                LOG.error("Error getting permissions for " + uri, excp);
+                LOG.error("Error getting permissions for " + filePath, excp);
             }
         }
 
@@ -2062,6 +2119,30 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return ret;
        }
 
+  /**
+   * Resolves the path to actual target fs path. In the mount based file 
systems
+   * like ViewHDFS, the resolved target path could be the path of other mounted
+   * target fs path. Returns null if file does not exist or any other 
IOException.
+   */
+  private Path resolvePath(Path path, FileSystem fs) {
+    try {
+      return fs.resolvePath(path);
+    } catch (IOException e) {
+      return null;
+    }
+  }
+
+  /**
+   * Returns true if the given fs supports mount functionality. In general we 
can
+   * have child file systems only in the case of mount fs like ViewFileSystem,
+   * ViewFsOverloadScheme or ViewDistributedFileSystem. Returns false if the
+   * getChildFileSystems API returns null.
+   */
+  private boolean isMountedFs(FileSystem fs) {
+    return fs.getChildFileSystems() != null;
+  }
+
+
 
        private void handleDfsCommand(HiveOperationType         hiveOpType,
                                                                  
List<HivePrivilegeObject> inputHObjs,

Reply via email to