This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 3b6583a RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
3b6583a is described below
commit 3b6583a2beb96c40c647f415bff01d97f0923bec
Author: Ramesh Mani <[email protected]>
AuthorDate: Sat Jun 5 00:45:52 2021 -0700
RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
Signed-off-by: Ramesh Mani <[email protected]>
---
.../hadoop/config/RangerPluginConfig.java | 9 +
.../plugin/policyengine/RangerPolicyEngine.java | 5 +
.../policyengine/RangerPolicyEngineImpl.java | 31 +++
.../ranger/plugin/service/RangerAuthContext.java | 4 +
.../ranger/plugin/service/RangerBasePlugin.java | 75 ++++++
.../apache/ranger/plugin/util/RangerRolesUtil.java | 55 +++-
.../hive/authorizer/RangerHiveAuthorizer.java | 279 ++++++++++++---------
.../hive/authorizer/RangerHiveAuthorizerBase.java | 11 -
8 files changed, 337 insertions(+), 132 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
index 10a2a83..f7478c6 100644
---
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
+++
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
@@ -53,6 +53,7 @@ public class RangerPluginConfig extends RangerConfiguration {
private Set<String> auditExcludedRoles =
Collections.emptySet();
private Set<String> superUsers =
Collections.emptySet();
private Set<String> superGroups =
Collections.emptySet();
+ private Set<String> serviceAdmins =
Collections.emptySet();
public RangerPluginConfig(String serviceType, String serviceName, String
appId, String clusterName, String clusterType, RangerPolicyEngineOptions
policyEngineOptions) {
@@ -198,6 +199,10 @@ public class RangerPluginConfig extends
RangerConfiguration {
}
}
+ public void setServiceAdmins(Set<String> users) {
+ serviceAdmins = CollectionUtils.isEmpty(users) ?
Collections.emptySet() : new HashSet<>(users);
+ }
+
public boolean isAuditExcludedUser(String userName) {
return auditExcludedUsers.contains(userName);
}
@@ -218,6 +223,10 @@ public class RangerPluginConfig extends
RangerConfiguration {
return userGroups != null && userGroups.size() > 0 &&
superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
}
+ public boolean isServiceAdmin(String userName) {
+ return serviceAdmins.contains(userName);
+ }
+
private void addResourcesForServiceType(String serviceType) {
String auditCfg = "ranger-" + serviceType + "-audit.xml";
String securityCfg = "ranger-" + serviceType + "-security.xml";
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
index 71f8dae..7a4bb12 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
@@ -45,6 +45,7 @@ public interface RangerPolicyEngine {
String PLUGIN_SUPER_USERS = "ranger.plugin.super.users";
String PLUGIN_SUPER_GROUPS = "ranger.plugin.super.groups";
String PLUGIN_AUDIT_FILTER = "ranger.plugin.audit.filters";
+ String PLUGIN_SERVICE_ADMINS = "ranger.plugin.service.admins";
String USER_CURRENT = "{" + RangerAccessRequestUtil.KEY_USER + "}";
String RESOURCE_OWNER = "{OWNER}";
@@ -71,6 +72,10 @@ public interface RangerPolicyEngine {
Set<String> getRolesFromUserAndGroups(String user, Set<String> groups);
+ RangerRoles getRangerRoles();
+
+ RangerPluginContext getPluginContext();
+
String getUniquelyMatchedZoneName(GrantRevokeRequest
grantRevokeRequest);
// Helpers
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 5ffd38f..3c0e32c 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -422,6 +422,16 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
@Override
+ public RangerRoles getRangerRoles() {
+ return
policyEngine.getPluginContext().getAuthContext().getRangerRolesUtil().getRoles();
+ }
+
+ @Override
+ public RangerPluginContext getPluginContext() {
+ return policyEngine.getPluginContext();
+ }
+
+ @Override
public String getUniquelyMatchedZoneName(GrantRevokeRequest
grantRevokeRequest) {
if (LOG.isDebugEnabled()) {
LOG.debug("==>
RangerPolicyEngineImpl.getUniquelyMatchedZoneName(" + grantRevokeRequest + ")");
@@ -548,6 +558,19 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
+ public boolean isServiceAdmin(String userName) {
+ boolean ret = serviceConfig.isServiceAdmin(userName);
+
+ if (!ret) {
+
+ RangerPluginConfig pluginConfig =
policyEngine.getPluginContext().getConfig();
+
+ ret = pluginConfig.isServiceAdmin(userName);
+ }
+
+ return ret;
+ }
+
PolicyEngine getPolicyEngine() {
return policyEngine;
}
@@ -1189,6 +1212,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
private final Set<String> auditExcludedRoles;
private final Set<String> superUsers;
private final Set<String> superGroups;
+ private final Set<String> serviceAdmins;
public ServiceConfig(Map<String, String> svcConfig) {
if (svcConfig != null) {
@@ -1197,12 +1221,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
auditExcludedRoles =
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_AUDIT_EXCLUDE_ROLES));
superUsers =
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_USERS));
superGroups =
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SUPER_GROUPS));
+ serviceAdmins =
StringUtil.toSet(svcConfig.get(RangerPolicyEngine.PLUGIN_SERVICE_ADMINS));
} else {
auditExcludedUsers = Collections.emptySet();
auditExcludedGroups = Collections.emptySet();
auditExcludedRoles = Collections.emptySet();
superUsers = Collections.emptySet();
superGroups = Collections.emptySet();
+ serviceAdmins = Collections.emptySet();
}
}
@@ -1212,6 +1238,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
auditExcludedRoles = other == null ||
CollectionUtils.isEmpty(other.auditExcludedRoles) ? Collections.emptySet() :
new HashSet<>(other.auditExcludedRoles);
superUsers = other == null ||
CollectionUtils.isEmpty(other.superUsers) ? Collections.emptySet() : new
HashSet<>(other.superUsers);
superGroups = other == null ||
CollectionUtils.isEmpty(other.superGroups) ? Collections.emptySet() : new
HashSet<>(other.superGroups);
+ serviceAdmins = other == null ||
CollectionUtils.isEmpty(other.serviceAdmins) ? Collections.emptySet() : new
HashSet<>(other.serviceAdmins);
}
public boolean isAuditExcludedUser(String userName) {
@@ -1233,5 +1260,9 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
public boolean hasSuperGroup(Set<String> userGroups) {
return userGroups != null && userGroups.size() > 0 &&
superGroups.size() > 0 && CollectionUtils.containsAny(userGroups, superGroups);
}
+
+ public boolean isServiceAdmin(String userName) {
+ return serviceAdmins.contains(userName);
+ }
}
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 81b1971..78bd423 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -97,4 +97,8 @@ public class RangerAuthContext {
}
public long getRoleVersion() { return this.rolesUtil.getRoleVersion(); }
+
+ public RangerRolesUtil getRangerRolesUtil() {
+ return this.rolesUtil;
+ }
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 115a576..82b0481 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -86,10 +86,12 @@ public class RangerBasePlugin {
Set<String> auditExcludeUsers =
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() +
".audit.exclude.users"));
Set<String> auditExcludeGroups =
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() +
".audit.exclude.groups"));
Set<String> auditExcludeRoles =
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() +
".audit.exclude.roles"));
+ Set<String> serviceAdmins =
toSet(pluginConfig.get(pluginConfig.getPropertyPrefix() + ".service.admins"));
setSuperUsersAndGroups(superUsers, superGroups);
setAuditExcludedUsersGroupsRoles(auditExcludeUsers,
auditExcludeGroups, auditExcludeRoles);
setIsFallbackSupported(pluginConfig.getBoolean(pluginConfig.getPropertyPrefix()
+ ".is.fallback.supported", false));
+ setServiceAdmins(serviceAdmins);
RangerScriptExecutionContext.init(pluginConfig);
@@ -171,6 +173,10 @@ public class RangerBasePlugin {
pluginConfig.setIsFallbackSupported(isFallbackSupported);
}
+ public void setServiceAdmins(Set<String> users) {
+ pluginConfig.setServiceAdmins(users);
+ }
+
public RangerServiceDef getServiceDef() {
RangerPolicyEngine policyEngine = this.policyEngine;
@@ -548,6 +554,75 @@ public class RangerBasePlugin {
return null;
}
+ public RangerRoles getRangerRoles() {
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ return policyEngine.getRangerRoles();
+ }
+
+ return null;
+ }
+
+ public Set<RangerRole> getRangerRoleForPrincipal(String principal,
String type) {
+ Set<RangerRole> ret = new
HashSet<>();
+ Set<RangerRole> rangerRoles = null;
+ Map<String, Set<String>> roleMapping = null;
+ RangerRoles roles
= getRangerRoles();
+ if (roles != null) {
+ rangerRoles = roles.getRangerRoles();
+ }
+
+ if (rangerRoles != null) {
+ RangerPluginContext rangerPluginContext =
policyEngine.getPluginContext();
+ if (rangerPluginContext != null) {
+ RangerAuthContext rangerAuthContext =
rangerPluginContext.getAuthContext();
+ if (rangerAuthContext != null) {
+ RangerRolesUtil rangerRolesUtil =
rangerAuthContext.getRangerRolesUtil();
+ if (rangerRolesUtil != null) {
+ switch (type) {
+ case "USER":
+ roleMapping =
rangerRolesUtil.getUserRoleMapping();
+ break;
+ case "GROUP":
+ roleMapping =
rangerRolesUtil.getGroupRoleMapping();
+ break;
+ case "ROLE":
+ roleMapping =
rangerRolesUtil.getRoleRoleMapping();
+ break;
+ }
+ }
+ }
+ }
+ if (roleMapping != null) {
+ Set<String> principalRoles =
roleMapping.get(principal);
+ if (CollectionUtils.isNotEmpty(principalRoles))
{
+ for (String role : principalRoles) {
+ for (RangerRole rangerRole :
rangerRoles) {
+ if
(rangerRole.getName().equals(role)) {
+
ret.add(rangerRole);
+ }
+ }
+ }
+ }
+ }
+ }
+ return ret;
+ }
+
+ public boolean isServiceAdmin(String userName) {
+ boolean ret = false;
+
+ RangerPolicyEngine policyEngine = this.policyEngine;
+
+ if(policyEngine != null) {
+ RangerPolicyEngineImpl rangerPolicyEngine =
(RangerPolicyEngineImpl) policyEngine;
+ ret = rangerPolicyEngine.isServiceAdmin(userName);
+ }
+
+ return ret;
+ }
+
public RangerRole createRole(RangerRole request,
RangerAccessResultProcessor resultProcessor) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.createRole(" + request
+ ")");
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
index 0268e2f..a6e461c 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
@@ -33,17 +33,22 @@ public class RangerRolesUtil {
private final long roleVersion;
private final Map<String, Set<String>> userRoleMapping = new HashMap<>();
private final Map<String, Set<String>> groupRoleMapping = new HashMap<>();
+ private final Map<String, Set<String>> roleRoleMapping = new HashMap<>();
+ private RangerRoles roles = null;
+ private enum ROLES_FOR {USER, GROUP, ROLE};
public RangerRolesUtil(RangerRoles roles) {
if (roles != null) {
+ this.roles = roles;
roleVersion = roles.getRoleVersion();
if (CollectionUtils.isNotEmpty(roles.getRangerRoles())) {
for (RangerRole role : roles.getRangerRoles()) {
Set<RangerRole> containedRoles =
getAllContainedRoles(roles.getRangerRoles(), role);
- buildMap(userRoleMapping, role, containedRoles, true);
- buildMap(groupRoleMapping, role, containedRoles, false);
+ buildMap(userRoleMapping, role, containedRoles,
ROLES_FOR.USER);
+ buildMap(groupRoleMapping, role, containedRoles,
ROLES_FOR.GROUP);
+ buildMap(roleRoleMapping, role, containedRoles,
ROLES_FOR.ROLE);
}
}
} else {
@@ -53,6 +58,10 @@ public class RangerRolesUtil {
public long getRoleVersion() { return roleVersion; }
+ public RangerRoles getRoles() {
+ return this.roles;
+ }
+
public Map<String, Set<String>> getUserRoleMapping() {
return this.userRoleMapping;
}
@@ -61,6 +70,10 @@ public class RangerRolesUtil {
return this.groupRoleMapping;
}
+ public Map<String, Set<String>> getRoleRoleMapping() {
+ return this.roleRoleMapping;
+ }
+
private Set<RangerRole> getAllContainedRoles(Set<RangerRole> roles,
RangerRole role) {
Set<RangerRole> allRoles = new HashSet<>();
@@ -83,11 +96,11 @@ public class RangerRolesUtil {
}
}
- private void buildMap(Map<String, Set<String>> map, RangerRole role,
Set<RangerRole> containedRoles, boolean isUser) {
- buildMap(map, role, role.getName(), isUser);
+ private void buildMap(Map<String, Set<String>> map, RangerRole role,
Set<RangerRole> containedRoles, ROLES_FOR roleFor) {
+ buildMap(map, role, role.getName(), roleFor);
for (RangerRole containedRole : containedRoles) {
- buildMap(map, containedRole, role.getName(), isUser);
+ buildMap(map, containedRole, role.getName(), roleFor);
}
}
@@ -107,6 +120,38 @@ public class RangerRolesUtil {
}
}
+ private void buildMap(Map<String, Set<String>> map, RangerRole role,
String roleName, ROLES_FOR roles_for) {
+ List<RangerRole.RoleMember> userOrGroupOrRole = null;
+ switch(roles_for) {
+ case USER:
+ userOrGroupOrRole = role.getUsers();
+ break;
+ case GROUP:
+ userOrGroupOrRole = role.getGroups();
+ break;
+ case ROLE:
+ userOrGroupOrRole = role.getRoles();
+ break;
+ }
+ if (CollectionUtils.isNotEmpty(userOrGroupOrRole)) {
+ getRoleMap(map, roleName, userOrGroupOrRole);
+ }
+ }
+
+ private void getRoleMap(Map<String, Set<String>> map, String roleName,
List<RangerRole.RoleMember> userOrGroupOrRole) {
+ for (RangerRole.RoleMember roleMember : userOrGroupOrRole) {
+ if (StringUtils.isNotEmpty(roleMember.getName())) {
+ Set<String> roleNames = map.get(roleMember.getName());
+ if (roleNames == null) {
+ roleNames = new HashSet<>();
+
+ map.put(roleMember.getName(), roleNames);
+ }
+ roleNames.add(roleName);
+ }
+ }
+ }
+
private RangerRole getContainedRole(Set<RangerRole> roles, String role) {
return (roles
.stream()
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index e145ea2..6df0bed 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -45,7 +45,6 @@ import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
@@ -86,6 +85,7 @@ import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import com.google.common.collect.Sets;
import org.apache.ranger.plugin.util.RangerPerfTracer;
+import org.apache.ranger.plugin.util.RangerRoles;
import org.apache.ranger.plugin.util.RangerRequestedResources;
public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
@@ -107,7 +107,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
private static final String CMD_CREATE_ROLE = "create role %s";
private static final String CMD_DROP_ROLE = "drop role %s";
private static final String CMD_SHOW_ROLES = "show roles";
- private static final String CMD_SHOW_ROLE_GRANT = "show role grant
%s %s";
+ private static final String CMD_SHOW_ROLE_GRANT = "show role grant
%s";
private static final String CMD_SHOW_PRINCIPALS = "show principals
%s";
private static final String CMD_GRANT_ROLE = "grant role %s to
%s ";
private static final String CMD_REVOKE_ROLE = "revoke role %s
from %s";
@@ -340,107 +340,182 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
@Override
public List<String> getAllRoles()
throws HiveAuthzPluginException,
HiveAccessControlException {
- LOG.debug("RangerHiveAuthorizer.getAllRoles()");
- boolean result = false;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
+ }
+ List<String> ret = null;
RangerHiveAuditHandler auditHandler = new
RangerHiveAuditHandler();
- UserGroupInformation ugi = getCurrentUserGroupInfo();
+ List<String> userNames = null;
+ boolean result = false;
- if(ugi == null) {
- throw new HiveAccessControlException("Permission
denied: user information not available");
+ if (hivePlugin == null) {
+ throw new
HiveAuthzPluginException("RangerHiveAuthorizer.getAllRoles(): HivePlugin
initialization failed...");
}
- List<String> ret = null;
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+ if(ugi == null) {
+ throw new
HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User
information not available...");
+ }
String currentUserName = ugi.getShortUserName();
- Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
- List<String> userNames = Arrays.asList(currentUserName);
try {
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== getAllRoles()");
+ if (!hivePlugin.isServiceAdmin(currentUserName)) {
+ throw new
HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole():
User information not available...");
}
- if ( hivePlugin != null) {
- Set<String> roles =
hivePlugin.getRolesFromUserAndGroups(currentUserName, groups);
- ret = new ArrayList<>(roles);
- result = true;
- }
+ Set<String> groups =
Sets.newHashSet(ugi.getGroupNames());
+ userNames = Arrays.asList(currentUserName);
+ Set<String> roles =
hivePlugin.getRolesFromUserAndGroups(currentUserName, groups);
+ ret = new ArrayList<>(roles);
+ result = true;
} catch(Exception excp) {
throw new HiveAuthzPluginException(excp);
} finally {
RangerAccessResult accessResult =
createAuditEvent(hivePlugin, currentUserName, userNames,
HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
+ hivePlugin.evalAuditPolicies(accessResult);
auditHandler.processResult(accessResult);
auditHandler.flushAudit();
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerHiveAuthorizer.getAllRoles()
roles: " + ret);
+ }
+
return ret;
}
@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
throws HiveAuthzPluginException,
HiveAccessControlException {
-
LOG.debug("RangerHiveAuthorizer.getPrincipalGrantInfoForRole()");
- boolean result = false;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for RoleName: " + roleName);
+ }
+
+ List<HiveRoleGrant> ret = new ArrayList<>();
List<String> roleNames = Arrays.asList(roleName);
+ List<String> userNames = null;
RangerHiveAuditHandler auditHandler = new
RangerHiveAuditHandler();
- UserGroupInformation ugi = getCurrentUserGroupInfo();
+ boolean result = false;
- if(ugi == null) {
- throw new HiveAccessControlException("Permission
denied: user information not available");
+ if (hivePlugin == null) {
+ throw new
HiveAuthzPluginException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole():
HivePlugin initialization failed...");
}
- List<HiveRoleGrant> ret = new ArrayList<>();
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+ if(ugi == null) {
+ throw new
HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole():
User information not available...");
+ }
String currentUserName = ugi.getShortUserName();
- List<String> userNames = Arrays.asList(currentUserName);
try {
- RangerRole role =
hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
-
- for (RangerRole.RoleMember roleMember :
role.getRoles()) {
- HiveRoleGrant hiveRoleGrant = new
HiveRoleGrant();
-
hiveRoleGrant.setGrantOption(roleMember.getIsAdmin());
-
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
-
hiveRoleGrant.setPrincipalName(roleMember.getName());
-
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.ROLE.toString());
- hiveRoleGrant.setGrantTime((int)
(role.getUpdateTime().getTime()/1000));
- ret.add(hiveRoleGrant);
+ if (!hivePlugin.isServiceAdmin(currentUserName)) {
+ throw new
HiveAccessControlException("Permission denied: User not authorized to perform
this operation!");
}
- for (RangerRole.RoleMember group : role.getGroups()) {
- HiveRoleGrant hiveRoleGrant = new
HiveRoleGrant();
-
hiveRoleGrant.setGrantOption(group.getIsAdmin());
-
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
- hiveRoleGrant.setPrincipalName(group.getName());
-
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.GROUP.toString());
- hiveRoleGrant.setGrantTime((int)
(role.getUpdateTime().getTime()/1000));
- ret.add(hiveRoleGrant);
- }
+ userNames = Arrays.asList(currentUserName);
+
+ if (StringUtils.isNotEmpty(roleName)) {
+ RangerRole rangerRole =
getRangerRoleForRoleName(roleName);
+ if (rangerRole != null) {
+ for (RangerRole.RoleMember roleMember :
rangerRole.getRoles()) {
+ HiveRoleGrant hiveRoleGrant =
getHiveRoleGrant(rangerRole, roleMember,
HivePrincipal.HivePrincipalType.ROLE.name());
+ ret.add(hiveRoleGrant);
+ }
- for (RangerRole.RoleMember user : role.getUsers()) {
- HiveRoleGrant hiveRoleGrant = new
HiveRoleGrant();
- hiveRoleGrant.setGrantOption(user.getIsAdmin());
-
hiveRoleGrant.setGrantor(role.getCreatedByUser());
-
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
- hiveRoleGrant.setPrincipalName(user.getName());
-
hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.USER.toString());
- hiveRoleGrant.setGrantTime((int)
(role.getUpdateTime().getTime()/1000));
- ret.add(hiveRoleGrant);
+ for (RangerRole.RoleMember group :
rangerRole.getGroups()) {
+ HiveRoleGrant hiveRoleGrant =
getHiveRoleGrant(rangerRole, group,
HivePrincipal.HivePrincipalType.GROUP.name());
+ ret.add(hiveRoleGrant);
+ }
+
+ for (RangerRole.RoleMember user :
rangerRole.getUsers()) {
+ HiveRoleGrant hiveRoleGrant =
getHiveRoleGrant(rangerRole, user, HivePrincipal.HivePrincipalType.USER.name());
+ ret.add(hiveRoleGrant);
+ }
+ result = true;
+ }
}
- result = true;
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== getPrincipalGrantInfoForRole()
for role " + role);
+ } catch(Exception excp) {
+ throw new HiveAuthzPluginException(excp);
+ } finally {
+ RangerAccessResult accessResult =
createAuditEvent(hivePlugin, currentUserName, userNames,
HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames,
result);
+ hivePlugin.evalAuditPolicies(accessResult);
+ auditHandler.processResult(accessResult);
+ auditHandler.flushAudit();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for Rolename: " + roleName
+ " Roles: " + ret);
+ }
+
+ return ret;
+ }
+
+ @Override
+ public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal
principal)
+ throws HiveAuthzPluginException,
HiveAccessControlException {
+ LOG.debug("==>
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() for Principal: " +
principal);
+
+ List<HiveRoleGrant> ret = new ArrayList<>();
+ List<String> principalInfo = null;
+ List<String> userNames = null;
+ RangerHiveAuditHandler auditHandler = new
RangerHiveAuditHandler();
+ boolean result = false;
+
+ if (hivePlugin == null) {
+ throw new
HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal():
HivePlugin initialization failed...");
+ }
+
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+ if(ugi == null) {
+ throw new
HiveAccessControlException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal():
User information not available...");
+ }
+ String currentUserName = ugi.getShortUserName();
+
+ try {
+ String principalName = principal.getName();
+ String type =
principal.getType().name();
+ userNames =
Arrays.asList(currentUserName);
+ principalInfo =
Collections.singletonList(principal.getType() + " " + principalName);
+
+ if (!hivePlugin.isServiceAdmin(currentUserName)
+ &&
!principalName.equals(currentUserName)) {
+ throw new
HiveAccessControlException("Permission denied: user information not available");
}
+ Set<RangerRole> roles =
hivePlugin.getRangerRoleForPrincipal(principalName, type);
+ if (CollectionUtils.isNotEmpty(roles)) {
+ for (RangerRole rangerRole : roles) {
+ switch(type) {
+ case "USER":
+ RangerRole.RoleMember
userRoleMember = new RangerRole.RoleMember(principalName,false);
+
ret.add(getHiveRoleGrant(rangerRole, userRoleMember,type));
+ break;
+ case "GROUP":
+ RangerRole.RoleMember
groupRoleMember = new RangerRole.RoleMember(principalName,false);
+
ret.add(getHiveRoleGrant(rangerRole, groupRoleMember,type));
+ break;
+ case "ROLE":
+ RangerRole.RoleMember
roleRoleMember = new RangerRole.RoleMember(principalName,false);
+
ret.add(getHiveRoleGrant(rangerRole, roleRoleMember,type));
+ break;
+ }
+ }
+ result = true;
+ }
} catch(Exception excp) {
throw new HiveAuthzPluginException(excp);
} finally {
- RangerAccessResult accessResult =
createAuditEvent(hivePlugin, currentUserName, userNames,
HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames,
result);
+ RangerAccessResult accessResult =
createAuditEvent(hivePlugin, currentUserName, userNames,
HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, principalInfo,
result);
+ hivePlugin.evalAuditPolicies(accessResult);
auditHandler.processResult(accessResult);
auditHandler.flushAudit();
}
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== getRoleGrantInfoForPrincipal():
Principal: " + principal + " Roles: " + ret);
+ }
+
return ret;
}
@@ -2285,54 +2360,6 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
return ret;
}
- @Override
- public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal
principal)
- throws HiveAuthzPluginException,
HiveAccessControlException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal ==> principal: " +
principal);
- }
- boolean result = false;
- RangerHiveAuditHandler auditHandler = new
RangerHiveAuditHandler();
- UserGroupInformation ugi = getCurrentUserGroupInfo();
-
- if(ugi == null) {
- throw new HiveAccessControlException("Permission
denied: user information not available");
- }
-
- List<HiveRoleGrant> ret = new ArrayList<>();
- String currentUserName = ugi.getShortUserName();
- List<String> userNames = Arrays.asList(currentUserName);
-
- try {
- List<String> roleStringList =
hivePlugin.getUserRoles(principal.getName(), auditHandler);
-
- for (String roleName : roleStringList) {
- RangerRole role =
hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
- HiveRoleGrant hiveRoleGrant = new
HiveRoleGrant();
- hiveRoleGrant.setGrantOption(true);
- hiveRoleGrant.setGrantor(role.getCreatedBy());
-
hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
- hiveRoleGrant.setGrantTime((int)
(role.getUpdateTime().getTime()/1000));
- hiveRoleGrant.setRoleName(roleName);
- ret.add(hiveRoleGrant);
- }
- result = true;
- } catch (Exception e) {
-
LOG.error("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error", e);
- throw new
HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal()
error: " + e.getMessage(), e);
- } finally {
- RangerAccessResult accessResult =
createAuditEvent(hivePlugin, currentUserName, userNames,
HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, null, result);
- auditHandler.processResult(accessResult);
- auditHandler.flushAudit();
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() Result: " + ret);
- }
-
- return ret;
- }
-
private HivePrivilegeObjectType getPluginPrivilegeObjType(
org.apache.hadoop.hive.metastore.api.HiveObjectType
objectType) {
switch (objectType) {
@@ -2345,15 +2372,6 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
}
}
- static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
- throws HiveAuthzPluginException {
- try {
- return
AuthorizationUtils.getThriftHiveObjectRef(privObj);
- } catch (HiveException e) {
- throw new HiveAuthzPluginException(e);
- }
- }
-
private RangerRequestedResources
buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest>
requests) {
RangerRequestedResources requestedResources = new
RangerRequestedResources();
@@ -2843,7 +2861,7 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
ret = CMD_SHOW_ROLES;
break;
case SHOW_ROLE_GRANT:
- ret = String.format(CMD_SHOW_ROLE_GRANT, user);
+ ret = String.format(CMD_SHOW_ROLE_GRANT,
roleName);
break;
case SHOW_ROLE_PRINCIPALS:
ret = String.format(CMD_SHOW_PRINCIPALS,
roleName);
@@ -3005,6 +3023,35 @@ public class RangerHiveAuthorizer extends
RangerHiveAuthorizerBase {
return ret != null ? ret : Collections.emptySet();
}
+
+ private HiveRoleGrant getHiveRoleGrant(RangerRole role,
RangerRole.RoleMember roleMember, String type) {
+ HiveRoleGrant ret = new HiveRoleGrant();
+ ret.setRoleName(role.getName());
+ ret.setGrantOption(roleMember.getIsAdmin());
+ ret.setGrantor(role.getCreatedByUser());
+ ret.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
+ ret.setPrincipalName(roleMember.getName());
+ ret.setPrincipalType(type);
+ if ( role.getUpdateTime() != null) {
+ ret.setGrantTime((int) (role.getUpdateTime().getTime()
/ 1000));
+ }
+ return ret;
+ }
+
+ private RangerRole getRangerRoleForRoleName(String roleName) {
+ RangerRole ret = null;
+ RangerRoles rangerRoles = hivePlugin.getRangerRoles();
+ if (rangerRoles != null) {
+ Set<RangerRole> roles = rangerRoles.getRangerRoles();
+ for(RangerRole role:roles) {
+ if (roleName.equals(role.getName())) {
+ ret = role;
+ break;
+ }
+ }
+ }
+ return ret;
+ }
}
enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN,
FUNCTION, URI, SERVICE_NAME, GLOBAL };
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
index e06f135..5f6a7b9 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java
@@ -37,7 +37,6 @@ import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvide
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.utils.StringUtil;
@@ -133,16 +132,6 @@ public abstract class RangerHiveAuthorizerBase extends
AbstractHiveAuthorizer {
}
@Override
- public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal
principal)
- throws HiveAuthzPluginException,
HiveAccessControlException {
-
LOG.debug("RangerHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");
-
- throwNotImplementedException("getRoleGrantInfoForPrincipal");
-
- return null;
- }
-
- @Override
public VERSION getVersion() {
return VERSION.V1;
}