This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 35aa983  RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
35aa983 is described below

commit 35aa9830c14aec9ef47456f69dc7f4ff29a96cbc
Author: Ramesh Mani <[email protected]>
AuthorDate: Sat Jun 5 00:45:52 2021 -0700

    RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
    
    Signed-off-by: Ramesh Mani <[email protected]>
---
 .../hadoop/config/RangerPluginConfig.java          |   9 +
 .../plugin/policyengine/RangerPolicyEngine.java    |   5 +
 .../policyengine/RangerPolicyEngineImpl.java       |  31 +++
 .../ranger/plugin/service/RangerAuthContext.java   |   4 +
 .../ranger/plugin/service/RangerBasePlugin.java    |  75 ++++++
 .../apache/ranger/plugin/util/RangerRolesUtil.java |  55 +++-
 .../hive/authorizer/RangerHiveAuthorizer.java      | 279 ++++++++++++---------
 .../hive/authorizer/RangerHiveAuthorizerBase.java  |  11 -
 8 files changed, 337 insertions(+), 132 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 10a2a83..f7478c6 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -53,6 +53,7 @@ public class RangerPluginConfig extends RangerConfiguration {
     private       Set<String>               auditExcludedRoles  = 
Collections.emptySet();
     private       Set<String>               superUsers          = 
Collections.emptySet();
     private       Set<String>               superGroups         = 
Collections.emptySet();
+    private       Set<String>               serviceAdmins       = 
Collections.emptySet();
 
 
     public RangerPluginConfig(String serviceType, String serviceName, String 
appId, String clusterName, String clusterType, RangerPolicyEngineOptions 
policyEngineOptions) {
@@ -198,6 +199,10 @@ public class RangerPluginConfig extends 
RangerConfiguration {
         }
     }
 
+    public void setServiceAdmins(Set<String> users) {
+        serviceAdmins  = CollectionUtils.isEmpty(users) ? 
Collections.emptySet() : new HashSet<>(users);
+    }
+
     public boolean isAuditExcludedUser(String userName) {
         return auditExcludedUsers.contains(userName);
     }
@@ -218,6 +223,10 @@ public class RangerPluginConfig extends 
RangerConfiguration {
         return userGroups != null && userGroups.size() > 0 && 
superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
     }
 
+    public boolean isServiceAdmin(String userName) {
+        return serviceAdmins.contains(userName);
+    }
+
     private void addResourcesForServiceType(String serviceType) {
         String auditCfg    = "ranger-" + serviceType + "-audit.xml";
         String securityCfg = "ranger-" + serviceType + "-security.xml";
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 71f8dae..7a4bb12 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -45,6 +45,7 @@ public interface RangerPolicyEngine {
        String PLUGIN_SUPER_USERS          = "ranger.plugin.super.users";
        String PLUGIN_SUPER_GROUPS         = "ranger.plugin.super.groups";
        String PLUGIN_AUDIT_FILTER         = "ranger.plugin.audit.filters";
+       String PLUGIN_SERVICE_ADMINS       = "ranger.plugin.service.admins";
 
        String USER_CURRENT   = "{" + RangerAccessRequestUtil.KEY_USER + "}";
        String RESOURCE_OWNER = "{OWNER}";
@@ -71,6 +72,10 @@ public interface RangerPolicyEngine {
 
        Set<String> getRolesFromUserAndGroups(String user, Set<String> groups);
 
+       RangerRoles getRangerRoles();
+
+       RangerPluginContext getPluginContext();
+
        String getUniquelyMatchedZoneName(GrantRevokeRequest 
grantRevokeRequest);
 
        // Helpers
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5ffd38f..3c0e32c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -422,6 +422,16 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
        }
 
        @Override
+       public RangerRoles getRangerRoles() {
+               return 
policyEngine.getPluginContext().getAuthContext().getRangerRolesUtil().getRoles();
+       }
+
+       @Override
+       public RangerPluginContext getPluginContext() {
+               return policyEngine.getPluginContext();
+       }
+
+       @Override
        public String getUniquelyMatchedZoneName(GrantRevokeRequest 
grantRevokeRequest) {
                if (LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerPolicyEngineImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ")");
@@ -548,6 +558,19 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                }
        }
 
+       public boolean isServiceAdmin(String userName) {
+               boolean ret = serviceConfig.isServiceAdmin(userName);
+
+               if (!ret) {
+
+                       RangerPluginConfig pluginConfig = 
policyEngine.getPluginContext().getConfig();
+
+                       ret = pluginConfig.isServiceAdmin(userName);
+               }
+
+               return ret;
+       }
+
        PolicyEngine getPolicyEngine() {
                return policyEngine;
        }
@@ -1189,6 +1212,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                private final Set<String> auditExcludedRoles;
                private final Set<String> superUsers;
                private final Set<String> superGroups;
+               private final Set<String> serviceAdmins;
 
                public ServiceConfig(Map<String, String> svcConfig) {
                        if (svcConfig != null) {
@@ -1197,12 +1221,14 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                auditExcludedRoles  = 
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES));
                                superUsers          = 
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS));
                                superGroups         = 
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS));
+                               serviceAdmins       = 
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SERVICE_ADMINS));
                        } else {
                                auditExcludedUsers  = Collections.emptySet();
                                auditExcludedGroups = Collections.emptySet();
                                auditExcludedRoles  = Collections.emptySet();
                                superUsers          = Collections.emptySet();
                                superGroups         = Collections.emptySet();
+                               serviceAdmins       = Collections.emptySet();
                        }
                }
 
@@ -1212,6 +1238,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                        auditExcludedRoles  = other == null || 
CollectionUtils.isEmpty(other.auditExcludedRoles) ? Collections.emptySet() : 
new HashSet<>(other.auditExcludedRoles);
                        superUsers          = other == null || 
CollectionUtils.isEmpty(other.superUsers) ? Collections.emptySet() : new 
HashSet<>(other.superUsers);
                        superGroups         = other == null || 
CollectionUtils.isEmpty(other.superGroups) ? Collections.emptySet() : new 
HashSet<>(other.superGroups);
+                       serviceAdmins       = other == null || 
CollectionUtils.isEmpty(other.serviceAdmins) ? Collections.emptySet() : new 
HashSet<>(other.serviceAdmins);
                }
 
                public boolean isAuditExcludedUser(String userName) {
@@ -1233,5 +1260,9 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                public boolean hasSuperGroup(Set<String> userGroups) {
                        return userGroups != null && userGroups.size() > 0 && 
superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
                }
+
+               public boolean isServiceAdmin(String userName) {
+                       return serviceAdmins.contains(userName);
+               }
        }
 }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 81b1971..78bd423 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -97,4 +97,8 @@ public class RangerAuthContext {
     }
 
     public long getRoleVersion() { return this.rolesUtil.getRoleVersion(); }
+
+    public RangerRolesUtil getRangerRolesUtil() {
+        return this.rolesUtil;
+    }
 }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 115a576..82b0481 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -86,10 +86,12 @@ public class RangerBasePlugin {
                Set<String> auditExcludeUsers  = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + 
".audit.exclude.users"));
                Set<String> auditExcludeGroups = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + 
".audit.exclude.groups"));
                Set<String> auditExcludeRoles  = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + 
".audit.exclude.roles"));
+               Set<String> serviceAdmins      = 
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".service.admins"));
 
                setSuperUsersAndGroups(superUsers, superGroups);
                setAuditExcludedUsersGroupsRoles(auditExcludeUsers, 
auditExcludeGroups, auditExcludeRoles);
                
setIsFallbackSupported(pluginConfig.getBoolean(pluginConfig.getPropertyPrefix() 
+ ".is.fallback.supported", false));
+               setServiceAdmins(serviceAdmins);
 
                RangerScriptExecutionContext.init(pluginConfig);
 
@@ -171,6 +173,10 @@ public class RangerBasePlugin {
                pluginConfig.setIsFallbackSupported(isFallbackSupported);
        }
 
+       public void setServiceAdmins(Set<String> users) {
+               pluginConfig.setServiceAdmins(users);
+       }
+
        public RangerServiceDef getServiceDef() {
                RangerPolicyEngine policyEngine = this.policyEngine;
 
@@ -548,6 +554,75 @@ public class RangerBasePlugin {
                return null;
        }
 
+       public RangerRoles getRangerRoles() {
+               RangerPolicyEngine policyEngine = this.policyEngine;
+
+               if(policyEngine != null) {
+                       return policyEngine.getRangerRoles();
+               }
+
+               return null;
+       }
+
+       public Set<RangerRole> getRangerRoleForPrincipal(String principal, 
String type) {
+               Set<RangerRole>                  ret                 = new 
HashSet<>();
+               Set<RangerRole>                  rangerRoles             = null;
+               Map<String, Set<String>> roleMapping         = null;
+               RangerRoles                              roles                  
 = getRangerRoles();
+               if (roles != null) {
+                       rangerRoles = roles.getRangerRoles();
+               }
+
+               if (rangerRoles != null) {
+                       RangerPluginContext rangerPluginContext = 
policyEngine.getPluginContext();
+                       if (rangerPluginContext != null) {
+                               RangerAuthContext rangerAuthContext = 
rangerPluginContext.getAuthContext();
+                               if (rangerAuthContext != null) {
+                                       RangerRolesUtil rangerRolesUtil = 
rangerAuthContext.getRangerRolesUtil();
+                                       if (rangerRolesUtil != null) {
+                                               switch (type) {
+                                                       case "USER":
+                                                               roleMapping = 
rangerRolesUtil.getUserRoleMapping();
+                                                               break;
+                                                       case "GROUP":
+                                                               roleMapping = 
rangerRolesUtil.getGroupRoleMapping();
+                                                               break;
+                                                       case "ROLE":
+                                                               roleMapping = 
rangerRolesUtil.getRoleRoleMapping();
+                                                               break;
+                                               }
+                                       }
+                               }
+                       }
+                       if (roleMapping != null) {
+                               Set<String>  principalRoles = 
roleMapping.get(principal);
+                               if (CollectionUtils.isNotEmpty(principalRoles)) 
{
+                                       for (String role : principalRoles) {
+                                               for (RangerRole rangerRole : 
rangerRoles) {
+                                                       if 
(rangerRole.getName().equals(role)) {
+                                                               
ret.add(rangerRole);
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+               }
+               return ret;
+       }
+
+       public boolean isServiceAdmin(String userName) {
+               boolean ret = false;
+
+               RangerPolicyEngine policyEngine = this.policyEngine;
+
+               if(policyEngine != null) {
+                       RangerPolicyEngineImpl rangerPolicyEngine = 
(RangerPolicyEngineImpl) policyEngine;
+                       ret = rangerPolicyEngine.isServiceAdmin(userName);
+               }
+
+               return ret;
+       }
+
        public RangerRole createRole(RangerRole request, 
RangerAccessResultProcessor resultProcessor) throws Exception {
                if(LOG.isDebugEnabled()) {
                        LOG.debug("==> RangerBasePlugin.createRole(" + request 
+ ")");
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
index 0268e2f..a6e461c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
@@ -33,17 +33,22 @@ public class RangerRolesUtil {
     private final long                     roleVersion;
     private final Map<String, Set<String>> userRoleMapping = new HashMap<>();
     private final Map<String, Set<String>> groupRoleMapping = new HashMap<>();
+    private final Map<String, Set<String>> roleRoleMapping  = new HashMap<>();
+    private RangerRoles                    roles            = null;
+    private enum  ROLES_FOR {USER, GROUP, ROLE};
 
     public RangerRolesUtil(RangerRoles roles) {
         if (roles != null) {
+            this.roles  = roles;
             roleVersion = roles.getRoleVersion();
 
             if (CollectionUtils.isNotEmpty(roles.getRangerRoles())) {
                 for (RangerRole role : roles.getRangerRoles()) {
                     Set<RangerRole> containedRoles = 
getAllContainedRoles(roles.getRangerRoles(), role);
 
-                    buildMap(userRoleMapping, role, containedRoles, true);
-                    buildMap(groupRoleMapping, role, containedRoles, false);
+                    buildMap(userRoleMapping, role, containedRoles, 
ROLES_FOR.USER);
+                    buildMap(groupRoleMapping, role, containedRoles, 
ROLES_FOR.GROUP);
+                    buildMap(roleRoleMapping, role, containedRoles, 
ROLES_FOR.ROLE);
                 }
             }
         } else {
@@ -53,6 +58,10 @@ public class RangerRolesUtil {
 
     public long getRoleVersion() { return roleVersion; }
 
+    public RangerRoles getRoles() {
+        return this.roles;
+    }
+
     public Map<String, Set<String>> getUserRoleMapping() {
         return this.userRoleMapping;
     }
@@ -61,6 +70,10 @@ public class RangerRolesUtil {
         return this.groupRoleMapping;
     }
 
+    public Map<String, Set<String>> getRoleRoleMapping() {
+        return this.roleRoleMapping;
+    }
+
     private Set<RangerRole> getAllContainedRoles(Set<RangerRole> roles, 
RangerRole role) {
         Set<RangerRole> allRoles = new HashSet<>();
 
@@ -83,11 +96,11 @@ public class RangerRolesUtil {
         }
     }
 
-    private void buildMap(Map<String, Set<String>> map, RangerRole role, 
Set<RangerRole> containedRoles, boolean isUser) {
-        buildMap(map, role, role.getName(), isUser);
+    private void buildMap(Map<String, Set<String>> map, RangerRole role, 
Set<RangerRole> containedRoles, ROLES_FOR roleFor) {
+        buildMap(map, role, role.getName(), roleFor);
 
         for (RangerRole containedRole : containedRoles) {
-            buildMap(map, containedRole, role.getName(), isUser);
+            buildMap(map, containedRole, role.getName(), roleFor);
         }
     }
 
@@ -107,6 +120,38 @@ public class RangerRolesUtil {
         }
     }
 
+    private void buildMap(Map<String, Set<String>> map, RangerRole role, 
String roleName, ROLES_FOR roles_for) {
+        List<RangerRole.RoleMember> userOrGroupOrRole = null;
+        switch(roles_for) {
+            case USER:
+                userOrGroupOrRole = role.getUsers();
+                break;
+            case GROUP:
+                userOrGroupOrRole = role.getGroups();
+                break;
+            case ROLE:
+                userOrGroupOrRole = role.getRoles();
+                break;
+        }
+        if (CollectionUtils.isNotEmpty(userOrGroupOrRole)) {
+            getRoleMap(map, roleName, userOrGroupOrRole);
+        }
+    }
+
+    private void getRoleMap(Map<String, Set<String>> map, String roleName, 
List<RangerRole.RoleMember> userOrGroupOrRole) {
+        for (RangerRole.RoleMember roleMember : userOrGroupOrRole) {
+            if (StringUtils.isNotEmpty(roleMember.getName())) {
+                Set<String> roleNames = map.get(roleMember.getName());
+                if (roleNames == null) {
+                    roleNames = new HashSet<>();
+
+                    map.put(roleMember.getName(), roleNames);
+                }
+                roleNames.add(roleName);
+            }
+        }
+    }
+
     private RangerRole getContainedRole(Set<RangerRole> roles, String role) {
         return (roles
                 .stream()
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index e145ea2..6df0bed 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -45,7 +45,6 @@ import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
@@ -86,6 +85,7 @@ import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
 
 import com.google.common.collect.Sets;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.RangerRequestedResources;
 
 public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
@@ -107,7 +107,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        private static final String CMD_CREATE_ROLE        = "create role %s";
        private static final String CMD_DROP_ROLE          = "drop role %s";
        private static final String CMD_SHOW_ROLES         = "show roles";
-       private static final String CMD_SHOW_ROLE_GRANT    = "show role grant 
%s %s";
+       private static final String CMD_SHOW_ROLE_GRANT    = "show role grant 
%s";
        private static final String CMD_SHOW_PRINCIPALS    = "show principals 
%s";
        private static final String CMD_GRANT_ROLE         = "grant role %s to 
%s ";
        private static final String CMD_REVOKE_ROLE        = "revoke role %s 
from %s";
@@ -340,107 +340,182 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        @Override
        public List<String> getAllRoles()
                        throws HiveAuthzPluginException, 
HiveAccessControlException {
-               LOG.debug("RangerHiveAuthorizer.getAllRoles()");
-               boolean                result       = false;
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
+               }
+               List<String>           ret          = null;
                RangerHiveAuditHandler auditHandler = new 
RangerHiveAuditHandler();
-               UserGroupInformation ugi = getCurrentUserGroupInfo();
+               List<String>               userNames    = null;
+               boolean                result       = false;
 
-               if(ugi == null) {
-                       throw new HiveAccessControlException("Permission 
denied: user information not available");
+               if (hivePlugin == null) {
+                       throw new 
HiveAuthzPluginException("RangerHiveAuthorizer.getAllRoles(): HivePlugin 
initialization failed...");
                }
-               List<String> ret = null;
 
+               UserGroupInformation ugi = getCurrentUserGroupInfo();
+               if(ugi == null) {
+                       throw new 
HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User 
information not available...");
+               }
                String currentUserName = ugi.getShortUserName();
-               Set<String> groups     = Sets.newHashSet(ugi.getGroupNames());
-               List<String> userNames = Arrays.asList(currentUserName);
 
                try {
-                       if(LOG.isDebugEnabled()) {
-                               LOG.debug("<== getAllRoles()");
+                       if (!hivePlugin.isServiceAdmin(currentUserName)) {
+                               throw new 
HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole():
 User information not available...");
                        }
 
-                       if ( hivePlugin != null) {
-                               Set<String> roles = 
hivePlugin.getRolesFromUserAndGroups(currentUserName, groups);
-                               ret = new ArrayList<>(roles);
-                               result = true;
-                       }
+                       Set<String> groups = 
Sets.newHashSet(ugi.getGroupNames());
+                       userNames          = Arrays.asList(currentUserName);
+                       Set<String> roles  = 
hivePlugin.getRolesFromUserAndGroups(currentUserName, groups);
+                       ret = new ArrayList<>(roles);
+                       result = true;
 
                } catch(Exception excp) {
                        throw new HiveAuthzPluginException(excp);
                } finally {
                        RangerAccessResult accessResult = 
createAuditEvent(hivePlugin, currentUserName, userNames, 
HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
+                       hivePlugin.evalAuditPolicies(accessResult);
                        auditHandler.processResult(accessResult);
                        auditHandler.flushAudit();
                }
 
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("<== RangerHiveAuthorizer.getAllRoles() 
roles: " + ret);
+               }
+
                return ret;
        }
 
        @Override
        public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
                        throws HiveAuthzPluginException, 
HiveAccessControlException {
-               
LOG.debug("RangerHiveAuthorizer.getPrincipalGrantInfoForRole()");
-               boolean                result       = false;
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("==> 
RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for RoleName: " + roleName);
+               }
+
+               List<HiveRoleGrant>    ret          = new ArrayList<>();
                List<String>           roleNames    = Arrays.asList(roleName);
+               List<String>           userNames    = null;
                RangerHiveAuditHandler auditHandler = new 
RangerHiveAuditHandler();
-               UserGroupInformation ugi = getCurrentUserGroupInfo();
+               boolean                result       = false;
 
-               if(ugi == null) {
-                       throw new HiveAccessControlException("Permission 
denied: user information not available");
+               if (hivePlugin == null) {
+                       throw new 
HiveAuthzPluginException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): 
HivePlugin initialization failed...");
                }
-               List<HiveRoleGrant> ret = new ArrayList<>();
 
+               UserGroupInformation ugi = getCurrentUserGroupInfo();
+               if(ugi == null) {
+                       throw new 
HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole():
 User information not available...");
+               }
                String currentUserName = ugi.getShortUserName();
-               List<String> userNames = Arrays.asList(currentUserName);
 
                try {
-                       RangerRole role = 
hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
-
-                       for (RangerRole.RoleMember roleMember : 
role.getRoles()) {
-                               HiveRoleGrant hiveRoleGrant = new 
HiveRoleGrant();
-                               
hiveRoleGrant.setGrantOption(roleMember.getIsAdmin());
-                               
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-                               
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
-                               
hiveRoleGrant.setPrincipalName(roleMember.getName());
-                               
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.ROLE.toString());
-                               hiveRoleGrant.setGrantTime((int) 
(role.getUpdateTime().getTime()/1000));
-                               ret.add(hiveRoleGrant);
+                       if (!hivePlugin.isServiceAdmin(currentUserName)) {
+                               throw new 
HiveAccessControlException("Permission denied: User not authorized to perform 
this operation!");
                        }
 
-                       for (RangerRole.RoleMember group : role.getGroups()) {
-                               HiveRoleGrant hiveRoleGrant = new 
HiveRoleGrant();
-                               
hiveRoleGrant.setGrantOption(group.getIsAdmin());
-                               
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-                               
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
-                               hiveRoleGrant.setPrincipalName(group.getName());
-                               
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.GROUP.toString());
-                               hiveRoleGrant.setGrantTime((int) 
(role.getUpdateTime().getTime()/1000));
-                               ret.add(hiveRoleGrant);
-                       }
+                       userNames = Arrays.asList(currentUserName);
+
+                       if (StringUtils.isNotEmpty(roleName)) {
+                               RangerRole rangerRole = 
getRangerRoleForRoleName(roleName);
+                               if (rangerRole != null) {
+                                       for (RangerRole.RoleMember roleMember : 
rangerRole.getRoles()) {
+                                               HiveRoleGrant hiveRoleGrant = 
getHiveRoleGrant(rangerRole, roleMember, 
HivePrincipal.HivePrincipalType.ROLE.name());
+                                               ret.add(hiveRoleGrant);
+                                       }
 
-                       for (RangerRole.RoleMember user : role.getUsers()) {
-                               HiveRoleGrant hiveRoleGrant = new 
HiveRoleGrant();
-                               hiveRoleGrant.setGrantOption(user.getIsAdmin());
-                               
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-                               
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
-                               hiveRoleGrant.setPrincipalName(user.getName());
-                               
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.USER.toString());
-                               hiveRoleGrant.setGrantTime((int) 
(role.getUpdateTime().getTime()/1000));
-                               ret.add(hiveRoleGrant);
+                                       for (RangerRole.RoleMember group : 
rangerRole.getGroups()) {
+                                               HiveRoleGrant hiveRoleGrant = 
getHiveRoleGrant(rangerRole, group, 
HivePrincipal.HivePrincipalType.GROUP.name());
+                                               ret.add(hiveRoleGrant);
+                                       }
+
+                                       for (RangerRole.RoleMember user : 
rangerRole.getUsers()) {
+                                               HiveRoleGrant hiveRoleGrant = 
getHiveRoleGrant(rangerRole, user, HivePrincipal.HivePrincipalType.USER.name());
+                                               ret.add(hiveRoleGrant);
+                                       }
+                                       result = true;
+                               }
                        }
-                       result = true;
-                       if(LOG.isDebugEnabled()) {
-                               LOG.debug("<== getPrincipalGrantInfoForRole() 
for role " + role);
+               } catch(Exception excp) {
+                       throw new HiveAuthzPluginException(excp);
+               } finally {
+                       RangerAccessResult accessResult = 
createAuditEvent(hivePlugin, currentUserName, userNames, 
HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, 
result);
+                       hivePlugin.evalAuditPolicies(accessResult);
+                       auditHandler.processResult(accessResult);
+                       auditHandler.flushAudit();
+               }
+
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("<== 
RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for Rolename: " + roleName 
+ " Roles: " + ret);
+               }
+
+               return ret;
+       }
+
+       @Override
+       public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal 
principal)
+                       throws HiveAuthzPluginException, 
HiveAccessControlException {
+               LOG.debug("==> 
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() for Principal: " + 
principal);
+
+               List<HiveRoleGrant>     ret           = new ArrayList<>();
+               List<String>                    principalInfo = null;
+               List<String>            userNames     = null;
+               RangerHiveAuditHandler  auditHandler  = new 
RangerHiveAuditHandler();
+               boolean                     result        = false;
+
+               if (hivePlugin == null) {
+                       throw new 
HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): 
HivePlugin initialization failed...");
+               }
+
+               UserGroupInformation ugi = getCurrentUserGroupInfo();
+               if(ugi == null) {
+                       throw new 
HiveAccessControlException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal():
 User information not available...");
+               }
+               String currentUserName = ugi.getShortUserName();
+
+               try {
+                       String            principalName = principal.getName();
+                       String        type          = 
principal.getType().name();
+                       userNames                   = 
Arrays.asList(currentUserName);
+                       principalInfo               = 
Collections.singletonList(principal.getType() + " " + principalName);
+
+                       if (!hivePlugin.isServiceAdmin(currentUserName)
+                                       && 
!principalName.equals(currentUserName)) {
+                               throw new 
HiveAccessControlException("Permission denied: user information not available");
                        }
 
+                       Set<RangerRole> roles = 
hivePlugin.getRangerRoleForPrincipal(principalName, type);
+                       if (CollectionUtils.isNotEmpty(roles)) {
+                               for (RangerRole rangerRole : roles) {
+                                       switch(type) {
+                                               case "USER":
+                                                       RangerRole.RoleMember 
userRoleMember = new RangerRole.RoleMember(principalName,false);
+                                                       
ret.add(getHiveRoleGrant(rangerRole, userRoleMember,type));
+                                                       break;
+                                               case "GROUP":
+                                                       RangerRole.RoleMember 
groupRoleMember = new RangerRole.RoleMember(principalName,false);
+                                                       
ret.add(getHiveRoleGrant(rangerRole, groupRoleMember,type));
+                                                       break;
+                                               case "ROLE":
+                                                       RangerRole.RoleMember 
roleRoleMember = new RangerRole.RoleMember(principalName,false);
+                                                       
ret.add(getHiveRoleGrant(rangerRole, roleRoleMember,type));
+                                                       break;
+                                       }
+                               }
+                               result = true;
+                       }
                } catch(Exception excp) {
                        throw new HiveAuthzPluginException(excp);
                } finally {
-                       RangerAccessResult accessResult = 
createAuditEvent(hivePlugin, currentUserName, userNames, 
HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, 
result);
+                       RangerAccessResult accessResult = 
createAuditEvent(hivePlugin, currentUserName, userNames, 
HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, principalInfo, 
result);
+                       hivePlugin.evalAuditPolicies(accessResult);
                        auditHandler.processResult(accessResult);
                        auditHandler.flushAudit();
                }
 
+               if(LOG.isDebugEnabled()) {
+                       LOG.debug("<== getRoleGrantInfoForPrincipal(): 
Principal: " + principal + " Roles: " + ret);
+               }
+
                return ret;
        }
 
@@ -2285,54 +2360,6 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return ret;
        }
 
-       @Override
-       public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal 
principal)
-                       throws HiveAuthzPluginException, 
HiveAccessControlException {
-               if (LOG.isDebugEnabled()) {
-                       LOG.debug("==> 
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal ==>  principal: " +  
principal);
-               }
-               boolean result = false;
-               RangerHiveAuditHandler auditHandler = new 
RangerHiveAuditHandler();
-               UserGroupInformation ugi = getCurrentUserGroupInfo();
-
-               if(ugi == null) {
-                       throw new HiveAccessControlException("Permission 
denied: user information not available");
-               }
-
-               List<HiveRoleGrant> ret = new ArrayList<>();
-               String currentUserName = ugi.getShortUserName();
-               List<String> userNames = Arrays.asList(currentUserName);
-
-               try {
-                       List<String> roleStringList = 
hivePlugin.getUserRoles(principal.getName(), auditHandler);
-
-                       for (String roleName : roleStringList) {
-                               RangerRole role = 
hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
-                               HiveRoleGrant hiveRoleGrant = new 
HiveRoleGrant();
-                               hiveRoleGrant.setGrantOption(true);
-                               hiveRoleGrant.setGrantor(role.getCreatedBy());
-                               
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
-                               hiveRoleGrant.setGrantTime((int) 
(role.getUpdateTime().getTime()/1000));
-                               hiveRoleGrant.setRoleName(roleName);
-                               ret.add(hiveRoleGrant);
-                       }
-                       result = true;
-               } catch (Exception e) {
-                       
LOG.error("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error", e);
-                       throw new 
HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() 
error: " + e.getMessage(), e);
-               } finally {
-                       RangerAccessResult accessResult = 
createAuditEvent(hivePlugin, currentUserName, userNames, 
HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, null, result);
-                       auditHandler.processResult(accessResult);
-                       auditHandler.flushAudit();
-               }
-
-               if(LOG.isDebugEnabled()) {
-                       LOG.debug("<== 
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() Result: " + ret);
-               }
-
-               return ret;
-       }
-
        private HivePrivilegeObjectType getPluginPrivilegeObjType(
                        org.apache.hadoop.hive.metastore.api.HiveObjectType 
objectType) {
                switch (objectType) {
@@ -2345,15 +2372,6 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                }
        }
 
-       static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
-                       throws HiveAuthzPluginException {
-               try {
-                       return 
AuthorizationUtils.getThriftHiveObjectRef(privObj);
-               } catch (HiveException e) {
-                       throw new HiveAuthzPluginException(e);
-               }
-       }
-
        private RangerRequestedResources 
buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> 
requests) {
 
                RangerRequestedResources requestedResources = new 
RangerRequestedResources();
@@ -2843,7 +2861,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                ret = CMD_SHOW_ROLES;
                                break;
                        case SHOW_ROLE_GRANT:
-                               ret = String.format(CMD_SHOW_ROLE_GRANT, user);
+                               ret = String.format(CMD_SHOW_ROLE_GRANT, 
roleName);
                                break;
                        case SHOW_ROLE_PRINCIPALS:
                                ret = String.format(CMD_SHOW_PRINCIPALS, 
roleName);
@@ -3005,6 +3023,35 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 
                return ret != null ? ret : Collections.emptySet();
        }
+
+       private HiveRoleGrant getHiveRoleGrant(RangerRole role, 
RangerRole.RoleMember roleMember, String type) {
+               HiveRoleGrant ret = new HiveRoleGrant();
+               ret.setRoleName(role.getName());
+               ret.setGrantOption(roleMember.getIsAdmin());
+               ret.setGrantor(role.getCreatedByUser());
+               ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
+               ret.setPrincipalName(roleMember.getName());
+               ret.setPrincipalType(type);
+               if ( role.getUpdateTime() != null) {
+                       ret.setGrantTime((int) (role.getUpdateTime().getTime() 
/ 1000));
+               }
+               return ret;
+       }
+
+       private RangerRole getRangerRoleForRoleName(String roleName) {
+               RangerRole  ret         = null;
+               RangerRoles rangerRoles = hivePlugin.getRangerRoles();
+               if (rangerRoles != null) {
+                       Set<RangerRole> roles = rangerRoles.getRangerRoles();
+                       for(RangerRole role:roles) {
+                               if (roleName.equals(role.getName())) {
+                                       ret = role;
+                                       break;
+                               }
+                       }
+               }
+               return ret;
+       }
 }
 
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, 
FUNCTION, URI, SERVICE_NAME, GLOBAL };
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
index e06f135..5f6a7b9 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
@@ -37,7 +37,6 @@ import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvide
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.utils.StringUtil;
@@ -133,16 +132,6 @@ public abstract class RangerHiveAuthorizerBase extends 
AbstractHiveAuthorizer {
        }
 
        @Override
-       public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal 
principal)
-                       throws HiveAuthzPluginException, 
HiveAccessControlException {
-               
LOG.debug("RangerHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");
-
-               throwNotImplementedException("getRoleGrantInfoForPrincipal");
-
-               return null;
-       }
-
-       @Override
        public VERSION getVersion() {
                return VERSION.V1;
        }

Reply via email to