http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java b/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
deleted file mode 100644
index 68ea92c..0000000
--- a/hdfs-agent/src/test/java/com/xasecure/authorization/hadoop/agent/TestXaSecureFSPermissionChecker.java
+++ /dev/null
@@ -1,68 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package com.xasecure.authorization.hadoop.agent; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.fail; - -import java.util.Set; - -import org.apache.hadoop.fs.permission.FsAction; -import org.apache.hadoop.hdfs.server.namenode.INode; -import org.apache.hadoop.hdfs.server.namenode.XaSecureFSPermissionChecker; -import org.apache.hadoop.security.UserGroupInformation; -import org.junit.Test; - -import com.xasecure.authorization.hadoop.exceptions.XaSecureAccessControlException; - -public class TestXaSecureFSPermissionChecker { - - @Test - public void nullUgiToCheckReturnsFalse() { - - UserGroupInformation ugi = null; - INode inode = null; - FsAction access = null; - try { - boolean result = XaSecureFSPermissionChecker.check(ugi, inode, access); - assertFalse(result); - } catch (XaSecureAccessControlException e) { - fail("Unexpected exception!"); - } - } - - @Test - public void authorizeAccess() { - String aPathName = null; - String aPathOwnerName = null; - String user = null; - Set<String> groups = null; - FsAction access = null; - try { - // null access returns false! 
- assertFalse(XaSecureFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups)); - // None access type returns true! - access = FsAction.NONE; - assertFalse(XaSecureFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups)); - } catch (XaSecureAccessControlException e) { - e.printStackTrace(); - fail("Unexpected exception!"); - } - } -}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java b/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
new file mode 100644
index 0000000..1405bf3
--- /dev/null
+++ b/hdfs-agent/src/test/java/org/apache/ranger/authorization/hadoop/agent/TestRangerFSPermissionChecker.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authorization.hadoop.agent;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
+
+import java.util.Set;
+
+import org.apache.hadoop.fs.permission.FsAction;
+import org.apache.hadoop.hdfs.server.namenode.INode;
+import org.apache.hadoop.hdfs.server.namenode.RangerFSPermissionChecker;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
+import org.junit.Test;
+
+public class TestRangerFSPermissionChecker {
+
+ @Test
+ public void nullUgiToCheckReturnsFalse() {
+
+ UserGroupInformation ugi = null;
+ INode inode = null;
+ FsAction access = null;
+ try {
+ boolean result = RangerFSPermissionChecker.check(ugi, inode, access);
+ assertFalse(result);
+ } catch (RangerAccessControlException e) {
+ fail("Unexpected exception!");
+ }
+ }
+
+ @Test
+ public void authorizeAccess() {
+ String aPathName = null;
+ String aPathOwnerName = null;
+ String user = null;
+ Set<String> groups = null;
+ FsAction access = null;
+ try {
+ // null access returns false!
+ assertFalse(RangerFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
+ // None access type returns true!
+ access = FsAction.NONE;
+ assertFalse(RangerFSPermissionChecker.AuthorizeAccessForUser(aPathName, aPathOwnerName, access, user, groups));
+ } catch (RangerAccessControlException e) {
+ e.printStackTrace();
+ fail("Unexpected exception!");
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/hiveserver2-site-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/hiveserver2-site-changes.cfg b/hive-agent/conf/hiveserver2-site-changes.cfg
index fed28df..e4aab8c 100644
--- a/hive-agent/conf/hiveserver2-site-changes.cfg
+++ b/hive-agent/conf/hiveserver2-site-changes.cfg
@@ -14,7 +14,7 @@ # limitations under the License. # hive.server2.authentication KERBEROS mod create-if-not-exists hive.security.authorization.enabled true mod create-if-not-exists -hive.security.authorization.manager com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory mod create-if-not-exists +hive.security.authorization.manager org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory mod create-if-not-exists hive.security.authenticator.manager org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator mod create-if-not-exists # hive.conf.restricted.list hive.server2.authentication append create-if-not-exists ,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/xasecure-hive-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security-changes.cfg b/hive-agent/conf/xasecure-hive-security-changes.cfg
index 5c4b072..75fbdea 100644
--- a/hive-agent/conf/xasecure-hive-security-changes.cfg
+++ b/hive-agent/conf/xasecure-hive-security-changes.cfg
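Review bot: The comment `// None access type returns true!` immediately before the second `assertFalse(...)` contradicts the assertion under it, which requires `AuthorizeAccessForUser(..., FsAction.NONE, ...)` to return false; since denial is what a fail-closed checker should produce for a null path and null user, the comment is the wrong half and should read `// FsAction.NONE with a null path/user is still denied`. Both tests call the checker only with null arguments, so they show that nothing is granted on empty input but would pass equally against a checker that denies everything; a case that expects an allow for a concrete path, owner and user is needed to catch a regression in the grant path, presumably with a policy fixture this file does not show. `e.printStackTrace()` in the catch block sends the evidence to stderr rather than the test report; `fail("Unexpected exception: " + e);` keeps it with the failure.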
@@ -16,7 +16,7 @@
 # Change the original policy parameter to work with policy manager based.
 #
 #
-hive.authorization.verifier.classname com.xasecure.pdp.hive.XASecureAuthorizer mod create-if-not-exists
+hive.authorization.verifier.classname org.apache.ranger.pdp.hive.RangerAuthorizer mod create-if-not-exists
 xasecure.hive.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists
 xasecure.hive.policymgr.url.saveAsFile /tmp/hive_%REPOSITORY_NAME%_json mod create-if-not-exists
 xasecure.hive.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hive_%REPOSITORY_NAME%_json mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/conf/xasecure-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml
index b8cca10..ebc0b92 100644
--- a/hive-agent/conf/xasecure-hive-security.xml
+++ b/hive-agent/conf/xasecure-hive-security.xml
@@ -22,7 +22,7 @@
 <!-- The following property is used to select appropriate XASecure Authorizer Module (filebased, policymanager based) -->
 <property>
 <name>hive.authorization.verifier.classname</name>
- <value>com.xasecure.pdp.hive.XASecureAuthorizer</value>
+ <value>org.apache.ranger.pdp.hive.RangerAuthorizer</value>
 <description>
 Class Name of the authorization Module
 </description>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/scripts/install.sh
----------------------------------------------------------------------
diff --git a/hive-agent/scripts/install.sh b/hive-agent/scripts/install.sh
index 59b9cb9..9c6bb3a 100644
--- a/hive-agent/scripts/install.sh
+++ b/hive-agent/scripts/install.sh
@@ -297,7 +297,7 @@ do
 if [ $? -eq 0 ]
 then
 cp="${install_dir}/installer/lib/*:${hdp_dir}/*:${hdp_lib_dir}/*"
- java -cp "${cp}" com.xasecure.utils.install.XmlConfigChanger -i ${archivefn} -o ${newfn} -c ${f} ${PROP_ARGS}
+ java -cp "${cp}" org.apache.ranger.utils.install.XmlConfigChanger -i ${archivefn} -o ${newfn} -c ${f} ${PROP_ARGS}
 if [ $? -eq 0 ]
 then
 diff -w ${newfn} ${fullpathorgfn} > /dev/null 2>&1
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
deleted file mode 100644
index 570456c..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessContext.java
+++ /dev/null
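Review bot: The rewritten `java -cp` line still expands `${archivefn}`, `${newfn}` and `${f}` unquoted, so a path containing whitespace or glob characters is split into several words and XmlConfigChanger receives the wrong `-i`/`-o`/`-c` operands; quoting them, `-i "${archivefn}" -o "${newfn}" -c "${f}"`, fixes that (`${PROP_ARGS}` appears to be deliberately unquoted to pass several arguments, and `"${cp}"` is correctly quoted since Java expands classpath wildcards itself). The same applies to `diff -w ${newfn} ${fullpathorgfn}` two lines below, which is context here. The enclosing loop starts and ends outside the hunk.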
@@ -1,75 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive; - -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; - - -public class XaHiveAccessContext { - private String mClientIpAddress; - private String mClientType; - private String mCommandString; - private String mSessionString; - - public XaHiveAccessContext(HiveAuthzContext context, HiveAuthzSessionContext sessionContext) { - if(context != null) { - mClientIpAddress = context.getIpAddress(); - mCommandString = context.getCommandString(); - } - - if(sessionContext != null) { - mClientType = sessionContext.getClientType().name(); - mSessionString = sessionContext.getSessionString(); - } - } - - public String getClientIpAddress() { - return mClientIpAddress; - } - - public void setClientIpAddress(String clientIpAddress) { - this.mClientIpAddress = clientIpAddress; - } - - public String getClientType() { - return mClientType; - } - - public void setClientType(String clientType) { - this.mClientType = clientType; - } - - public String getCommandString() { - return mCommandString; - } - - 
public void setCommandString(String commandString) { - this.mCommandString = commandString; - } - - public String getSessionString() { - return mSessionString; - } - - public void setSessionString(String sessionString) { - this.mSessionString = sessionString; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java deleted file mode 100644 index 2dcf5f9..0000000 --- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifier.java +++ /dev/null 
@@ -1,29 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive; - -import org.apache.hadoop.security.UserGroupInformation; - - -public interface XaHiveAccessVerifier { - public boolean isAccessAllowed(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo) ; - - public boolean isAudited(XaHiveObjectAccessInfo objAccessInfo) ; -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java deleted file mode 100644 index 057b930..0000000 --- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveAccessVerifierFactory.java +++ /dev/null 
@@ -1,67 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants; - -public class XaHiveAccessVerifierFactory { - - private static final Log LOG = LogFactory.getLog(XaHiveAccessVerifierFactory.class) ; - - private static XaHiveAccessVerifier hiveAccessVerififer = null ; - - public static XaHiveAccessVerifier getInstance() { - if (hiveAccessVerififer == null) { - synchronized(XaHiveAccessVerifierFactory.class) { - XaHiveAccessVerifier temp = hiveAccessVerififer ; - if (temp == null) { - String hiveAccessVerifierClassName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP, XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE ) ; - - if (hiveAccessVerifierClassName != null) { - LOG.info("Hive Access Verification class [" + hiveAccessVerifierClassName + "] - Being built"); - try { - hiveAccessVerififer = (XaHiveAccessVerifier) 
(Class.forName(hiveAccessVerifierClassName).newInstance()) ; - LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification."); - } catch (InstantiationException e) { - LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e); - } catch (IllegalAccessException e) { - LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e); - } catch (ClassNotFoundException e) { - LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e); - } catch (Throwable t) { - LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", t); - } - finally { - LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification. (" + hiveAccessVerififer + ")"); - } - } - } - else { - LOG.error("Unable to obtain hiveAccessVerifier [" + XaSecureHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP + "]"); - } - } - } - return hiveAccessVerififer ; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java deleted file mode 100644 index 36a6a42..0000000 --- a/hive-agent/src/main/java/com/xasecure/authorization/hive/XaHiveObjectAccessInfo.java +++ /dev/null 
@@ -1,240 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive; - -import java.util.ArrayList; -import java.util.List; - -import com.xasecure.authorization.utils.StringUtil; - -public class XaHiveObjectAccessInfo { - public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI }; - public enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN }; - - private String mOperType = null; - private XaHiveAccessContext mContext = null; - private HiveAccessType mAccessType = HiveAccessType.NONE; - private HiveObjectType mObjectType = HiveObjectType.NONE; - private String mDatabase = null; - private String mTable = null; - private String mView = null; - private String mPartition = null; - private String mIndex = null; - private List<String> mColumns = null; - private String mFunction = null; - private String mUri = null; - private String mDeniedObjectName = null; - - public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName) { - this(operType, context, accessType, dbName, null, HiveObjectType.DATABASE, dbName); - } - - public 
XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName) { - this(operType, context, accessType, dbName, tblName, HiveObjectType.TABLE, tblName); - } - - public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, HiveObjectType objType, String objName) { - this(operType, context, accessType, dbName, null, objType, objName); - } - - public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, HiveObjectType objType, String objName) { - this(operType, context, accessType, null, null, objType, objName); - } - - public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblOrViewName, List<String> columns) { - mOperType = operType; - mContext = context; - mAccessType = accessType; - mObjectType = HiveObjectType.COLUMN; - mDatabase = dbName; - mTable = tblOrViewName; - mView = tblOrViewName; - mColumns = columns; - } - - public XaHiveObjectAccessInfo(String operType, XaHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName, HiveObjectType objType, String objName) { - mOperType = operType; - mContext = context; - mAccessType = accessType; - mObjectType = objType; - mDatabase = dbName; - mTable = tblName; - mView = tblName; - - if(objName != null && ! 
objName.trim().isEmpty()) { - switch(objType) { - case DATABASE: - mDatabase = objName; - break; - - case TABLE: - mTable = objName; - break; - - case VIEW: - mView = objName; - break; - - case PARTITION: - mPartition = objName; - break; - - case INDEX: - mIndex = objName; - break; - - case COLUMN: - mColumns = new ArrayList<String>(); - mColumns.add(objName); - break; - - case FUNCTION: - mFunction = objName; - break; - - case URI: - mUri = objName; - break; - - case NONE: - break; - } - } - } - - public String getOperType() { - return mOperType; - } - - public XaHiveAccessContext getContext() { - return mContext; - } - - public HiveAccessType getAccessType() { - return mAccessType; - } - - public HiveObjectType getObjectType() { - return mObjectType; - } - - public String getDatabase() { - return mDatabase; - } - - public String getTable() { - return mTable; - } - - public String getView() { - return mView; - } - - public String getPartition() { - return mPartition; - } - - public String getIndex() { - return mIndex; - } - - public List<String> getColumns() { - return mColumns; - } - - public String getFunction() { - return mFunction; - } - - public String getUri() { - return mUri; - } - - public void setDeinedObjectName(String deniedObjectName) { - mDeniedObjectName = deniedObjectName; - } - - public String getDeinedObjectName() { - return mDeniedObjectName; - } - - public String getObjectName() { - String objName = null; - - if(this.mObjectType == HiveObjectType.URI) { - objName = mUri; - } else { - String tblName = null; - String colName = null; - - if(! StringUtil.isEmpty(mTable)) - tblName = mTable; - else if(! StringUtil.isEmpty(mView)) - tblName = mView; - else if(! StringUtil.isEmpty(mFunction)) - tblName = mFunction; - - if(! StringUtil.isEmpty(mColumns)) - colName = StringUtil.toString(mColumns); - else if(! 
StringUtil.isEmpty(mIndex)) - colName = mIndex; - - objName = getObjectName(mDatabase, tblName, colName); - } - - return objName; - } - - public static String getObjectName(String dbName, String tblName, String colName) { - String objName = StringUtil.isEmpty(dbName) ? "" : dbName; - - if(!StringUtil.isEmpty(tblName)) { - objName += ("/" + tblName); - - if(!StringUtil.isEmpty(colName)) { - objName += ("/" + colName); - } - } - - return objName; - } - - @Override - public boolean equals(Object obj) { - boolean ret = false; - - if(obj != null && obj instanceof XaHiveObjectAccessInfo) { - XaHiveObjectAccessInfo that = (XaHiveObjectAccessInfo)obj; - - ret = StringUtil.equalsIgnoreCase(mOperType, that.mOperType) - && mAccessType == that.mAccessType - && mObjectType == that.mObjectType - && StringUtil.equalsIgnoreCase(mDatabase, that.mDatabase) - && StringUtil.equalsIgnoreCase(mTable, that.mTable) - && StringUtil.equalsIgnoreCase(mView, that.mView) - && StringUtil.equalsIgnoreCase(mPartition, that.mPartition) - && StringUtil.equalsIgnoreCase(mIndex, that.mIndex) - && StringUtil.equalsIgnoreCase(mColumns, that.mColumns) - ; - } - - return ret; - } -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java deleted file mode 100644 index 2c2dd80..0000000 --- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java +++ /dev/null 
@@ -1,850 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive.authorizer; - -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.fs.FileStatus; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.fs.permission.FsAction; -import org.apache.hadoop.hive.common.FileUtils; -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; -import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.security.UserGroupInformation; - -import com.xasecure.admin.client.XaAdminRESTClient; -import com.xasecure.admin.client.datatype.GrantRevokeData; -import com.xasecure.audit.model.EnumRepositoryType; -import com.xasecure.audit.model.HiveAuditEvent; -import com.xasecure.audit.provider.AuditProviderFactory; -import com.xasecure.authorization.hadoop.config.XaSecureConfiguration; -import com.xasecure.authorization.hadoop.constants.XaSecureHadoopConstants; -import com.xasecure.authorization.hive.XaHiveAccessContext; -import com.xasecure.authorization.hive.XaHiveAccessVerifier; -import com.xasecure.authorization.hive.XaHiveAccessVerifierFactory; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveAccessType; -import com.xasecure.authorization.hive.XaHiveObjectAccessInfo.HiveObjectType; -import com.xasecure.authorization.utils.StringUtil; - -public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase { - private static final Log LOG = LogFactory.getLog(XaSecureHiveAuthorizer.class) ; - - private static final String XaSecureModuleName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_XASECURE_MODULE_ACL_NAME_PROP , XaSecureHadoopConstants.DEFAULT_XASECURE_MODULE_ACL_NAME) ; - private static final String repositoryName = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP); - private static final boolean UpdateXaPoliciesOnGrantRevoke = 
XaSecureConfiguration.getInstance().getBoolean(XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP, XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
-
- private XaHiveAccessVerifier mHiveAccessVerifier = null ;
-
-
- public XaSecureHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf hiveConf,
- HiveAuthenticationProvider hiveAuthenticator,
- HiveAuthzSessionContext sessionContext) {
- super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);
-
- LOG.debug("XaSecureHiveAuthorizer.XaSecureHiveAuthorizer()");
-
- mHiveAccessVerifier = XaHiveAccessVerifierFactory.getInstance() ;
-
- if(!XaSecureConfiguration.getInstance().isAuditInitDone()) {
- if(sessionContext != null) {
- AuditProviderFactory.ApplicationType appType = AuditProviderFactory.ApplicationType.Unknown;
-
- switch(sessionContext.getClientType()) {
- case HIVECLI:
- appType = AuditProviderFactory.ApplicationType.HiveCLI;
- break;
-
- case HIVESERVER2:
- appType = AuditProviderFactory.ApplicationType.HiveServer2;
- break;
- }
-
- XaSecureConfiguration.getInstance().initAudit(appType);
- }
- }
- }
-
-
- /**
- * Grant privileges for principals on the object
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void grantPrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal,
- boolean grantOption)
- throws HiveAuthzPluginException, HiveAccessControlException {
- if(! UpdateXaPoliciesOnGrantRevoke) {
- throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer. Please use Argus Security Admin to setup access control.");
- }
-
- boolean isSuccess = false;
- XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
-
- try {
- GrantRevokeData grData = createGrantRevokeData(objAccessInfo, hivePrincipals, hivePrivileges, getGrantorUsername(grantorPrincipal), grantOption);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("grantPrivileges(): " + grData.toJson());
- }
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.grantPrivilege(grData);
-
- isSuccess = true;
- } catch(Exception excp) {
- throw new HiveAccessControlException(excp);
- } finally {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- // Note: failed return from REST call will be logged as 'DENIED'
- logAuditEvent(ugi, objAccessInfo, isSuccess);
- }
- }
- }
-
- /**
- * Revoke privileges for principals on the object
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void revokePrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal,
- boolean grantOption)
- throws HiveAuthzPluginException, HiveAccessControlException {
- if(! UpdateXaPoliciesOnGrantRevoke) {
- throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer. Please use Argus Security Admin to setup access control.");
- }
-
- boolean isSuccess = false;
- XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
-
- try {
- GrantRevokeData grData = createGrantRevokeData(objAccessInfo, hivePrincipals, hivePrivileges, getGrantorUsername(grantorPrincipal), grantOption);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("revokePrivileges(): " + grData.toJson());
- }
-
- XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
-
- xaAdmin.revokePrivilege(grData);
-
- isSuccess = true;
- } catch(Exception excp) {
- throw new HiveAccessControlException(excp);
- } finally {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- // Note: failed return from REST call will be logged as 'DENIED'
- logAuditEvent(ugi, objAccessInfo, isSuccess);
- }
- }
- }
-
- /**
- * Check if user has privileges to do this action on these objects
- * @param hiveOpType
- * @param inputsHObjs
- * @param outputHObjs
- * @param context
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public void checkPrivileges(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
-
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- if(ugi == null) {
- throw new HiveAccessControlException("Permission denied: user information not available");
- }
-
- XaHiveAccessContext hiveContext = this.getAccessContext(context);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, hiveContext));
- }
-
- if(hiveOpType == HiveOperationType.DFS) {
- handleDfsCommand(hiveOpType, inputHObjs, outputHObjs, hiveContext);
-
- return;
- }
-
- List<XaHiveObjectAccessInfo> objAccessList = getObjectAccessInfo(hiveOpType, inputHObjs, outputHObjs, hiveContext);
-
- for(XaHiveObjectAccessInfo objAccessInfo : objAccessList) {
- boolean ret = false;
-
- if(objAccessInfo.getObjectType() == HiveObjectType.URI) {
- ret = isURIAccessAllowed(ugi, objAccessInfo.getAccessType(), objAccessInfo.getUri(), getHiveConf());
- } else if(objAccessInfo.getAccessType() != HiveAccessType.ADMIN) {
- ret = mHiveAccessVerifier.isAccessAllowed(ugi, objAccessInfo);
- }
-
- if(! ret) {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- logAuditEvent(ugi, objAccessInfo, false);
- }
-
- String deniedObjectName = objAccessInfo.getDeinedObjectName();
-
- if(StringUtil.isEmpty(deniedObjectName)) {
- deniedObjectName = objAccessInfo.getObjectName();
- }
-
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
- ugi.getShortUserName(), objAccessInfo.getAccessType().name(), deniedObjectName));
- }
- }
-
- // access is allowed; audit all accesses
- for(XaHiveObjectAccessInfo objAccessInfo : objAccessList) {
- if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
- logAuditEvent(ugi, objAccessInfo, true);
- }
- }
- }
-
- private List<XaHiveObjectAccessInfo> getObjectAccessInfo(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputsHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context) {
- List<XaHiveObjectAccessInfo> ret = new ArrayList<XaHiveObjectAccessInfo>();
-
- if(inputsHObjs != null) {
- for(HivePrivilegeObject hiveObj : inputsHObjs) {
- XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context, true);
-
- if( hiveAccessObj != null
- && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is performed at the Argus policy server, as a part of updating the permissions
- && !ret.contains(hiveAccessObj)) {
- ret.add(hiveAccessObj);
- }
- }
- }
-
- if(outputHObjs != null) {
- for(HivePrivilegeObject hiveObj : outputHObjs) {
- XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context, false);
-
- if( hiveAccessObj != null
- && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is performed at the Argus policy server, as a part of updating the permissions
- && !ret.contains(hiveAccessObj)) {
- ret.add(hiveAccessObj);
- }
- }
- }
-
- if(ret.size() == 0 && LOG.isDebugEnabled()) {
- LOG.debug("getObjectAccessInfo(): no objects found for access check! " + toString(hiveOpType, inputsHObjs, outputHObjs, context));
- }
-
- return ret;
- }
-
- private XaHiveObjectAccessInfo getObjectAccessInfo(HiveOperationType hiveOpType, HivePrivilegeObject hiveObj, XaHiveAccessContext context, boolean isInput) {
- XaHiveObjectAccessInfo ret = null;
-
- HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);
- HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, isInput);
- String operType = hiveOpType.name();
-
- switch(objectType) {
- case DATABASE:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname());
- break;
-
- case TABLE:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.TABLE, hiveObj.getObjectName());
- break;
-
- case VIEW:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.VIEW, hiveObj.getObjectName());
- break;
-
- case PARTITION:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.PARTITION, hiveObj.getObjectName());
- break;
-
- case INDEX:
- String indexName = "?"; // TODO:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), hiveObj.getObjectName(), HiveObjectType.INDEX, indexName);
- break;
-
- case COLUMN:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), hiveObj.getObjectName(), hiveObj.getColumns());
- break;
-
- case FUNCTION:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, hiveObj.getDbname(), HiveObjectType.FUNCTION, hiveObj.getObjectName());
- break;
-
- case URI:
- ret = new XaHiveObjectAccessInfo(operType, context, accessType, HiveObjectType.URI, hiveObj.getObjectName());
- break;
-
- case NONE:
- break;
- }
-
- return ret;
- }
-
- private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) {
- HiveObjectType objType = HiveObjectType.NONE;
-
- switch(hiveObj.getType()) {
- case DATABASE:
- objType = HiveObjectType.DATABASE;
- break;
-
- case PARTITION:
- objType = HiveObjectType.PARTITION;
- break;
-
- case TABLE_OR_VIEW:
- String hiveOpTypeName = hiveOpType.name().toLowerCase();
- if(hiveOpTypeName.contains("index")) {
- objType = HiveObjectType.INDEX;
- } else if(! StringUtil.isEmpty(hiveObj.getColumns())) {
- objType = HiveObjectType.COLUMN;
- } else if(hiveOpTypeName.contains("view")) {
- objType = HiveObjectType.VIEW;
- } else {
- objType = HiveObjectType.TABLE;
- }
- break;
-
- case FUNCTION:
- objType = HiveObjectType.FUNCTION;
- break;
-
- case DFS_URI:
- case LOCAL_URI:
- objType = HiveObjectType.URI;
- break;
-
- case COMMAND_PARAMS:
- case GLOBAL:
- break;
-
- case COLUMN:
- // Thejas: this value is unused in Hive; the case should not be hit.
- break;
- }
-
- return objType;
- }
-
- private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, boolean isInput) {
- HiveAccessType accessType = HiveAccessType.NONE;
- HivePrivObjectActionType objectActionType = hiveObj.getActionType();
-
- switch(objectActionType) {
- case INSERT:
- case INSERT_OVERWRITE:
- case UPDATE:
- case DELETE:
- accessType = HiveAccessType.UPDATE;
- break;
- case OTHER:
- switch(hiveOpType) {
- case CREATEDATABASE:
- if(hiveObj.getType() == HivePrivilegeObjectType.DATABASE) {
- accessType = HiveAccessType.CREATE;
- }
- break;
-
- case CREATEFUNCTION:
- if(hiveObj.getType() == HivePrivilegeObjectType.FUNCTION) {
- accessType = HiveAccessType.CREATE;
- }
- break;
-
- case CREATETABLE:
- case CREATEVIEW:
- case CREATETABLE_AS_SELECT:
- if(hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
- accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
- }
- break;
-
- case ALTERDATABASE:
- case ALTERDATABASE_OWNER:
- case ALTERINDEX_PROPS:
- case ALTERINDEX_REBUILD:
- case ALTERPARTITION_BUCKETNUM:
- case ALTERPARTITION_FILEFORMAT:
- case ALTERPARTITION_LOCATION:
- case ALTERPARTITION_MERGEFILES:
- case ALTERPARTITION_PROTECTMODE:
- case ALTERPARTITION_SERDEPROPERTIES:
- case ALTERPARTITION_SERIALIZER:
- case ALTERTABLE_ADDCOLS:
- case ALTERTABLE_ADDPARTS:
- case ALTERTABLE_ARCHIVE:
- case ALTERTABLE_BUCKETNUM:
- case ALTERTABLE_CLUSTER_SORT:
- case ALTERTABLE_COMPACT:
- case ALTERTABLE_DROPPARTS:
- case ALTERTABLE_FILEFORMAT:
- case ALTERTABLE_LOCATION:
- case ALTERTABLE_MERGEFILES:
- case ALTERTABLE_PARTCOLTYPE:
- case ALTERTABLE_PROPERTIES:
- case ALTERTABLE_PROTECTMODE:
- case ALTERTABLE_RENAME:
- case ALTERTABLE_RENAMECOL:
- case ALTERTABLE_RENAMEPART:
- case ALTERTABLE_REPLACECOLS:
- case ALTERTABLE_SERDEPROPERTIES:
- case ALTERTABLE_SERIALIZER:
- case ALTERTABLE_SKEWED:
- case ALTERTABLE_TOUCH:
- case ALTERTABLE_UNARCHIVE:
- case ALTERTABLE_UPDATEPARTSTATS:
- case ALTERTABLE_UPDATETABLESTATS:
- case ALTERTBLPART_SKEWED_LOCATION:
- case ALTERVIEW_AS:
- case ALTERVIEW_PROPERTIES:
- case ALTERVIEW_RENAME:
- case DROPVIEW_PROPERTIES:
- accessType = HiveAccessType.ALTER;
- break;
-
- case DROPFUNCTION:
- case DROPINDEX:
- case DROPTABLE:
- case DROPVIEW:
- case DROPDATABASE:
- accessType = HiveAccessType.DROP;
- break;
-
- case CREATEINDEX:
- accessType = HiveAccessType.INDEX;
- break;
-
- case IMPORT:
- case EXPORT:
- case LOAD:
- accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
- break;
-
- case LOCKDB:
- case LOCKTABLE:
- case UNLOCKDB:
- case UNLOCKTABLE:
- accessType = HiveAccessType.LOCK;
- break;
-
- case QUERY:
- case SHOW_TABLESTATUS:
- case SHOW_CREATETABLE:
- case SHOWCOLUMNS:
- case SHOWINDEXES:
- case SHOWPARTITIONS:
- case SHOW_TBLPROPERTIES:
- case DESCTABLE:
- case ANALYZE_TABLE:
- accessType = HiveAccessType.SELECT;
- break;
-
- case SWITCHDATABASE:
- case DESCDATABASE:
- accessType = HiveAccessType.USE;
- break;
-
- case TRUNCATETABLE:
- accessType = HiveAccessType.UPDATE;
- break;
-
- case GRANT_PRIVILEGE:
- case REVOKE_PRIVILEGE:
- accessType = HiveAccessType.ADMIN;
- break;
-
- case ADD:
- case DELETE:
- case COMPILE:
- case CREATEMACRO:
- case CREATEROLE:
- case DESCFUNCTION:
- case DFS:
- case DROPMACRO:
- case DROPROLE:
- case EXPLAIN:
- case GRANT_ROLE:
- case MSCK:
- case REVOKE_ROLE:
- case RESET:
- case SET:
- case SHOWCONF:
- case SHOWDATABASES:
- case SHOWFUNCTIONS:
- case SHOWLOCKS:
- case SHOWTABLES:
- case SHOW_COMPACTIONS:
- case SHOW_GRANT:
- case SHOW_ROLES:
- case SHOW_ROLE_GRANT:
- case SHOW_ROLE_PRINCIPALS:
- case SHOW_TRANSACTIONS:
- break;
- }
- break;
- }
-
- return accessType;
- }
-
- private boolean isURIAccessAllowed(UserGroupInformation ugi, HiveAccessType accessType, String uri, HiveConf conf) {
- boolean ret = false;
-
- FsAction action = FsAction.NONE;
-
- switch(accessType) {
- case ALTER:
- case CREATE:
- case UPDATE:
- case DROP:
- case INDEX:
- case LOCK:
- case ADMIN:
- case ALL:
- action = FsAction.WRITE;
- break;
-
- case SELECT:
- case USE:
- action = FsAction.READ;
- break;
-
- case NONE:
- break;
- }
-
- if(action == FsAction.NONE) {
- ret = true;
- } else {
- try {
- Path filePath = new Path(uri);
- FileSystem fs = FileSystem.get(filePath.toUri(), conf);
- Path path = FileUtils.getPathOrParentThatExists(fs, filePath);
- FileStatus fileStatus = fs.getFileStatus(path);
- String userName = ugi.getShortUserName();
-
- if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
- ret = true;
- } else {
- ret = FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, action);
- }
- } catch(Exception excp) {
- LOG.error("Error getting permissions for " + uri, excp);
- }
- }
-
- return ret;
- }
-
- private void handleDfsCommand(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
-
- String dfsCommandParams = null;
-
- if(inputHObjs != null) {
- for(HivePrivilegeObject hiveObj : inputHObjs) {
- if(hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
- dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());
-
- if(! StringUtil.isEmpty(dfsCommandParams)) {
- break;
- }
- }
- }
- }
-
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- logAuditEventForDfs(ugi, dfsCommandParams, false);
-
- throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
- ugi.getShortUserName(), hiveOpType.name()));
- }
-
- private String getGrantorUsername(HivePrincipal grantorPrincipal) {
- String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;
-
- if(StringUtil.isEmpty(grantor)) {
- UserGroupInformation ugi = this.getCurrentUserGroupInfo();
-
- grantor = ugi != null ? ugi.getShortUserName() : null;
- }
-
- return grantor;
- }
-
- private GrantRevokeData createGrantRevokeData(XaHiveObjectAccessInfo objAccessInfo,
- List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges,
- String grantor,
- boolean grantOption)
- throws HiveAccessControlException {
- if(objAccessInfo == null ||
- ! ( objAccessInfo.getObjectType() == HiveObjectType.DATABASE
- || objAccessInfo.getObjectType() == HiveObjectType.TABLE
- || objAccessInfo.getObjectType() == HiveObjectType.VIEW
- || objAccessInfo.getObjectType() == HiveObjectType.COLUMN
- )
- ) {
- throw new HiveAccessControlException("grantPrivileges(): unexpected object type '" + objAccessInfo.getObjectType().name());
- }
-
- String database = objAccessInfo.getDatabase();
- String table = objAccessInfo.getObjectType() == HiveObjectType.VIEW ? objAccessInfo.getView() : objAccessInfo.getTable();
- String columns = StringUtil.toString(objAccessInfo.getColumns());
-
- GrantRevokeData.PermMap permMap = new GrantRevokeData.PermMap ();
-
- for(HivePrivilege privilege : hivePrivileges) {
- String privName = privilege.getName();
-
- if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALL.name())) {
- permMap.addPerm(HiveAccessType.ALL.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALTER.name())) {
- permMap.addPerm(HiveAccessType.ALTER.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.CREATE.name())) {
- permMap.addPerm(HiveAccessType.CREATE.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.DROP.name())) {
- permMap.addPerm(HiveAccessType.DROP.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.INDEX.name())) {
- permMap.addPerm(HiveAccessType.INDEX.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.LOCK.name())) {
- permMap.addPerm(HiveAccessType.LOCK.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.SELECT.name())) {
- permMap.addPerm(HiveAccessType.SELECT.name());
- } else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.UPDATE.name())) {
- permMap.addPerm(HiveAccessType.UPDATE.name());
- }
- }
-
- if(grantOption) {
- permMap.addPerm(HiveAccessType.ADMIN.name());
- }
-
- for(HivePrincipal principal : hivePrincipals) {
- switch(principal.getType()) {
- case USER:
- permMap.addUser(principal.getName());
- break;
-
- case GROUP:
- case ROLE:
- permMap.addGroup(principal.getName());
- break;
-
- default:
- break;
- }
- }
-
- GrantRevokeData grData = new GrantRevokeData();
-
- grData.setHiveData(grantor, repositoryName, database, table, columns, permMap);
-
- return grData;
- }
-
- private void logAuditEventForDfs(UserGroupInformation ugi, String dfsCommand, boolean accessGranted) {
- HiveAuditEvent auditEvent = new HiveAuditEvent();
-
- try {
- auditEvent.setAclEnforcer(XaSecureModuleName);
- auditEvent.setResourceType("@dfs"); // to be consistent with earlier release
- auditEvent.setAccessType("DFS");
- auditEvent.setAction("DFS");
- auditEvent.setUser(ugi.getShortUserName());
- auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
- auditEvent.setEventTime(StringUtil.getUTCDate());
- auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
- auditEvent.setRepositoryName(repositoryName) ;
- auditEvent.setRequestData(dfsCommand);
-
- auditEvent.setResourcePath(dfsCommand);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - START");
- }
-
- AuditProviderFactory.getAuditProvider().log(auditEvent);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - END");
- }
- }
- catch(Throwable t) {
- LOG.error("ERROR logEvent [" + auditEvent + "]", t);
- }
- }
-
- private void logAuditEvent(UserGroupInformation ugi, XaHiveObjectAccessInfo objAccessInfo, boolean accessGranted) {
- HiveAuditEvent auditEvent = new HiveAuditEvent();
-
- try {
- auditEvent.setAclEnforcer(XaSecureModuleName);
- auditEvent.setSessionId(objAccessInfo.getContext().getSessionString());
- auditEvent.setResourceType("@" + StringUtil.toLower(objAccessInfo.getObjectType().name())); // to be consistent with earlier release
- auditEvent.setAccessType(objAccessInfo.getAccessType().toString());
- auditEvent.setAction(objAccessInfo.getOperType());
- auditEvent.setUser(ugi.getShortUserName());
- auditEvent.setAccessResult((short)(accessGranted ? 1 : 0));
- auditEvent.setClientIP(objAccessInfo.getContext().getClientIpAddress());
- auditEvent.setClientType(objAccessInfo.getContext().getClientType());
- auditEvent.setEventTime(StringUtil.getUTCDate());
- auditEvent.setRepositoryType(EnumRepositoryType.HIVE);
- auditEvent.setRepositoryName(repositoryName) ;
- auditEvent.setRequestData(objAccessInfo.getContext().getCommandString());
-
- if(! accessGranted && !StringUtil.isEmpty(objAccessInfo.getDeinedObjectName())) {
- auditEvent.setResourcePath(objAccessInfo.getDeinedObjectName());
- } else {
- auditEvent.setResourcePath(objAccessInfo.getObjectName());
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - START");
- }
-
- AuditProviderFactory.getAuditProvider().log(auditEvent);
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("logAuditEvent [" + auditEvent + "] - END");
- }
- }
- catch(Throwable t) {
- LOG.error("ERROR logEvent [" + auditEvent + "]", t);
- }
- }
-
- private String toString(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs,
- XaHiveAccessContext context) {
- StringBuilder sb = new StringBuilder();
-
- sb.append("'checkPrivileges':{");
- sb.append("'hiveOpType':").append(hiveOpType);
-
- sb.append(", 'inputHObjs':[");
- toString(inputHObjs, sb);
- sb.append("]");
-
- sb.append(", 'outputHObjs':[");
- toString(outputHObjs, sb);
- sb.append("]");
-
- sb.append(", 'context':{");
- if(context != null) {
- sb.append("'clientType':").append(context.getClientType());
- sb.append(", 'commandString':").append(context.getCommandString());
- sb.append(", 'ipAddress':").append(context.getClientIpAddress());
- sb.append(", 'sessionString':").append(context.getSessionString());
- }
- sb.append("}");
-
- sb.append(", 'user':").append(this.getCurrentUserGroupInfo().getUserName());
- sb.append(", 'groups':[").append(StringUtil.toString(this.getCurrentUserGroupInfo().getGroupNames())).append("]");
-
- sb.append("}");
-
- return sb.toString();
- }
-
- private StringBuilder toString(List<HivePrivilegeObject> privObjs, StringBuilder sb) {
- if(privObjs != null && privObjs.size() > 0) {
- toString(privObjs.get(0), sb);
- for(int i = 1; i < privObjs.size(); i++) {
- sb.append(",");
- toString(privObjs.get(i), sb);
- }
- }
-
- return sb;
- }
-
- private StringBuilder toString(HivePrivilegeObject privObj, StringBuilder sb) {
- sb.append("'HivePrivilegeObject':{");
- sb.append("'type':").append(privObj.getType().toString());
- sb.append(", 'dbName':").append(privObj.getDbname());
- sb.append(", 'objectType':").append(privObj.getType());
- sb.append(", 'objectName':").append(privObj.getObjectName());
- sb.append(", 'columns':[").append(StringUtil.toString(privObj.getColumns())).append("]");
- sb.append(", 'partKeys':[").append(StringUtil.toString(privObj.getPartKeys())).append("]");
- sb.append(", 'commandParams':[").append(StringUtil.toString(privObj.getCommandParams())).append("]");
- sb.append(", 'actionType':").append(privObj.getActionType().toString());
- sb.append("}");
-
- return sb;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
deleted file mode 100644
index 8a63035..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- package com.xasecure.authorization.hive.authorizer;
-
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
-import org.apache.hadoop.security.UserGroupInformation;
-
-import com.xasecure.authorization.hive.XaHiveAccessContext;
-import com.xasecure.authorization.utils.StringUtil;
-
-public abstract class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
-
- private static final Log LOG = LogFactory.getLog(XaSecureHiveAuthorizerBase.class);
-
- private HiveMetastoreClientFactory mMetastoreClientFactory;
- private HiveConf mHiveConf;
- private HiveAuthenticationProvider mHiveAuthenticator;
- private HiveAuthzSessionContext mSessionContext;
- private UserGroupInformation mUgi;
-
- public XaSecureHiveAuthorizerBase(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf hiveConf,
- HiveAuthenticationProvider hiveAuthenticator,
- HiveAuthzSessionContext context) {
- mMetastoreClientFactory = metastoreClientFactory;
- mHiveConf = hiveConf;
- mHiveAuthenticator = hiveAuthenticator;
- mSessionContext = context;
-
- String userName = mHiveAuthenticator == null ? null : mHiveAuthenticator.getUserName();
-
- mUgi = userName == null ? null : UserGroupInformation.createRemoteUser(userName);
-
- if(mHiveAuthenticator == null) {
- LOG.warn("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): hiveAuthenticator is null");
- } else if(StringUtil.isEmpty(userName)) {
- LOG.warn("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): hiveAuthenticator.getUserName() returned null/empty");
- } else if(mUgi == null) {
- LOG.warn(String.format("XaSecureHiveAuthorizerBase.XaSecureHiveAuthorizerBase(): UserGroupInformation.createRemoteUser(%s) returned null", userName));
- }
- }
-
- public HiveMetastoreClientFactory getMetastoreClientFactory() {
- return mMetastoreClientFactory;
- }
-
- public HiveConf getHiveConf() {
- return mHiveConf;
- }
-
- public HiveAuthenticationProvider getHiveAuthenticator() {
- return mHiveAuthenticator;
- }
-
- public HiveAuthzSessionContext getHiveAuthzSessionContext() {
- return mSessionContext;
- }
-
- public UserGroupInformation getCurrentUserGroupInfo() {
- return mUgi;
- }
-
- public XaHiveAccessContext getAccessContext(HiveAuthzContext context) {
- return new XaHiveAccessContext(context, mSessionContext);
- }
-
- @Override
- public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.applyAuthorizationConfigPolicy()");
-
- // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy()
- if (mSessionContext != null && mSessionContext.getClientType() == CLIENT_TYPE.HIVESERVER2) {
- // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries
- String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
- if (hooks.isEmpty()) {
- hooks = DisallowTransformHook.class.getName();
- } else {
- hooks = hooks + "," + DisallowTransformHook.class.getName();
- }
-
- hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);
-
- SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
- }
- }
-
- /**
- * Show privileges for given principal on given object
- * @param principal
- * @param privObj
- * @return
- * @throws HiveAuthzPluginException
- * @throws HiveAccessControlException
- */
- @Override
- public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.showPrivileges()");
-
- throwNotImplementedException("showPrivileges");
-
- return null;
- }
-
- @Override
- public void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.createRole()");
-
- throwNotImplementedException("createRole");
- }
-
- @Override
- public void dropRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.dropRole()");
-
- throwNotImplementedException("dropRole");
- }
-
- @Override
- public List<String> getAllRoles()
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getAllRoles()");
-
- throwNotImplementedException("getAllRoles");
-
- return null;
- }
-
- @Override
- public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.getCurrentRoleNames()");
-
- throwNotImplementedException("getCurrentRoleNames");
-
- return null;
- }
-
- @Override
- public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getPrincipalGrantInfoForRole()");
-
- throwNotImplementedException("getPrincipalGrantInfoForRole");
-
- return null;
- }
-
- @Override
- public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");
-
- throwNotImplementedException("getRoleGrantInfoForPrincipal");
-
- return null;
- }
-
- @Override
- public VERSION getVersion() {
- return VERSION.V1;
- }
-
- @Override
- public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.grantRole()");
-
- throwNotImplementedException("grantRole");
- }
-
- @Override
- public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc)
- throws HiveAuthzPluginException, HiveAccessControlException {
- LOG.debug("XaSecureHiveAuthorizerBase.revokeRole()");
-
- throwNotImplementedException("revokeRole");
- }
-
- @Override
- public void setCurrentRole(String roleName)
- throws HiveAccessControlException, HiveAuthzPluginException {
- LOG.debug("XaSecureHiveAuthorizerBase.setCurrentRole()");
-
- throwNotImplementedException("setCurrentRole");
- }
-
- private void throwNotImplementedException(String method) throws HiveAuthzPluginException {
- throw new HiveAuthzPluginException(method + "() not implemented in Argus HiveAuthorizer");
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
deleted file mode 100644
index 50fd55c..0000000
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerFactory.java
+++ /dev/null
@@ -1,39 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive.authorizer; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; - -public class XaSecureHiveAuthorizerFactory implements HiveAuthorizerFactory { - @Override - public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, - HiveAuthenticationProvider hiveAuthenticator, - HiveAuthzSessionContext sessionContext) - throws HiveAuthzPluginException { - return new XaSecureHiveAuthorizer(metastoreClientFactory, conf, hiveAuthenticator, sessionContext); - } -} 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java b/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java deleted file mode 100644 index 45fbce0..0000000 --- a/hive-agent/src/main/java/com/xasecure/authorization/hive/constants/XaSecureHiveConstants.java +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - package com.xasecure.authorization.hive.constants; - -public final class XaSecureHiveConstants { - public static final String WILDCARD_OBJECT = "*" ; - public static final String HAS_ANY_PERMISSION = "any" ; - public static final String SHOW_META_INFO_PERMISSION = "show" ; - public static final String PUBLIC_ACCESS_ROLE = "public" ; - -} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java new file mode 100644 index 0000000..50b0aa0 --- /dev/null +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessContext.java 
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+
+
+public class RangerHiveAccessContext {
+ private String mClientIpAddress;
+ private String mClientType;
+ private String mCommandString;
+ private String mSessionString;
+
+ public RangerHiveAccessContext(HiveAuthzContext context, HiveAuthzSessionContext sessionContext) {
+ if(context != null) {
+ mClientIpAddress = context.getIpAddress();
+ mCommandString = context.getCommandString();
+ }
+
+ if(sessionContext != null) {
+ mClientType = sessionContext.getClientType().name();
+ mSessionString = sessionContext.getSessionString();
+ }
+ }
+
+ public String getClientIpAddress() {
+ return mClientIpAddress;
+ }
+
+ public void setClientIpAddress(String clientIpAddress) {
+ this.mClientIpAddress = clientIpAddress;
+ }
+
+ public String getClientType() {
+ return mClientType;
+ }
+
+ public void setClientType(String clientType) {
+ this.mClientType = clientType;
+ }
+
+ public String getCommandString() {
+ return mCommandString;
+ }
+
+ public void setCommandString(String commandString) {
+ this.mCommandString = commandString;
+ }
+
+ public String getSessionString() {
+ return mSessionString;
+ }
+
+ public void setSessionString(String sessionString) {
+ this.mSessionString = sessionString;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java
new file mode 100644
index 0000000..ef4ad56
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifier.java
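Review bot: `sessionContext.getClientType().name()` in the constructor dereferences the result of `getClientType()` with no null check, even though the surrounding code already guards `context` and `sessionContext` themselves; a session with no client type would make the authorizer throw a NullPointerException while building its access context rather than recording an unknown client type. Suggest `mClientType = sessionContext.getClientType() == null ? null : sessionContext.getClientType().name();`. The four setters also let any caller overwrite the client IP, command string and session string after construction; if these values end up in audit records (not visible in this file), consider dropping the setters and making the fields `final` so the recorded context is the one Hive supplied.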
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.hadoop.security.UserGroupInformation;
+
+
+public interface RangerHiveAccessVerifier {
+ public boolean isAccessAllowed(UserGroupInformation ugi, RangerHiveObjectAccessInfo objAccessInfo) ;
+
+ public boolean isAudited(RangerHiveObjectAccessInfo objAccessInfo) ;
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java
new file mode 100644
index 0000000..f02bfe8
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveAccessVerifierFactory.java
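Review bot: The interface that makes the allow/deny decision for Hive carries no Javadoc, so an implementer has to guess whether `isAccessAllowed` is expected to fail closed and what a `null` `ugi` or `objAccessInfo` means. Suggest a type-level comment along the lines of `/** Policy decision point for Hive requests. Implementations must return false (deny) whenever the request cannot be evaluated — unknown user, null arguments, missing policy or internal error — so that a failure never turns into an allow. */`, and a one-line comment on `isAudited` stating whether it is consulted for denied requests as well as permitted ones, since that cannot be inferred from the signature.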
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
+import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
+
+public class RangerHiveAccessVerifierFactory {
+
+ private static final Log LOG = LogFactory.getLog(RangerHiveAccessVerifierFactory.class) ;
+
+ private static RangerHiveAccessVerifier hiveAccessVerififer = null ;
+
+ public static RangerHiveAccessVerifier getInstance() {
+ if (hiveAccessVerififer == null) {
+ synchronized(RangerHiveAccessVerifierFactory.class) {
+ RangerHiveAccessVerifier temp = hiveAccessVerififer ;
+ if (temp == null) {
+ String hiveAccessVerifierClassName = RangerConfiguration.getInstance().get(RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP, RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE ) ;
+
+ if (hiveAccessVerifierClassName != null) {
+ LOG.info("Hive Access Verification class [" + hiveAccessVerifierClassName + "] - Being built");
+ try {
+ hiveAccessVerififer = (RangerHiveAccessVerifier) (Class.forName(hiveAccessVerifierClassName).newInstance()) ;
+ LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification.");
+ } catch (InstantiationException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (IllegalAccessException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (ClassNotFoundException e) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", e);
+ } catch (Throwable t) {
+ LOG.error("Unable to create HiveAccess Verifier: [" + hiveAccessVerifierClassName + "]", t);
+ }
+ finally {
+ LOG.info("Created a new instance of class: [" + hiveAccessVerifierClassName + "] for Hive Access verification. (" + hiveAccessVerififer + ")");
+ }
+ }
+ else {
+ LOG.error("Unable to obtain hiveAccessVerifier [" + RangerHadoopConstants.HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP + "]");
+ }
+ }
+ }
+ return hiveAccessVerififer ;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java
new file mode 100644
index 0000000..73b5b57
--- /dev/null
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/RangerHiveObjectAccessInfo.java
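Review bot: When the configured verifier class cannot be loaded, every `catch` branch in `getInstance()` only logs and the method returns `null`, so the authorizer is left with no policy decision point and whether that becomes a denial or an NPE is decided by callers outside this file; a missing or misconfigured verifier should fail closed at start-up. Suggest rethrowing instead of swallowing, e.g. `throw new IllegalStateException("Unable to create Hive access verifier [" + hiveAccessVerifierClassName + "]", t);` in the `Throwable` branch (the three narrower catches add nothing over it), or at minimum `if (hiveAccessVerififer == null) throw new IllegalStateException(...)` after the try. The `finally` block logs "Created a new instance of class" even when creation failed, which buries the preceding error; move that message into the `try`. `hiveAccessVerififer` is also read outside the `synchronized` block without being `volatile`, so the double-checked initialization is not safe under the Java memory model — declare it `private static volatile RangerHiveAccessVerifier hiveAccessVerififer = null;`. Since `Class.forName(...).newInstance()` loads whatever class the configuration names, a comment that the property must only be writable by the cluster administrator would make the trust assumption explicit.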
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.ranger.authorization.hive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ranger.authorization.utils.StringUtil;
+
+public class RangerHiveObjectAccessInfo {
+ public enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI };
+ public enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN };
+
+ private String mOperType = null;
+ private RangerHiveAccessContext mContext = null;
+ private HiveAccessType mAccessType = HiveAccessType.NONE;
+ private HiveObjectType mObjectType = HiveObjectType.NONE;
+ private String mDatabase = null;
+ private String mTable = null;
+ private String mView = null;
+ private String mPartition = null;
+ private String mIndex = null;
+ private List<String> mColumns = null;
+ private String mFunction = null;
+ private String mUri = null;
+ private String mDeniedObjectName = null;
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName) {
+ this(operType, context, accessType, dbName, null, HiveObjectType.DATABASE, dbName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName) {
+ this(operType, context, accessType, dbName, tblName, HiveObjectType.TABLE, tblName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, HiveObjectType objType, String objName) {
+ this(operType, context, accessType, dbName, null, objType, objName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, HiveObjectType objType, String objName) {
+ this(operType, context, accessType, null, null, objType, objName);
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblOrViewName, List<String> columns) {
+ mOperType = operType;
+ mContext = context;
+ mAccessType = accessType;
+ mObjectType = HiveObjectType.COLUMN;
+ mDatabase = dbName;
+ mTable = tblOrViewName;
+ mView = tblOrViewName;
+ mColumns = columns;
+ }
+
+ public RangerHiveObjectAccessInfo(String operType, RangerHiveAccessContext context, HiveAccessType accessType, String dbName, String tblName, HiveObjectType objType, String objName) {
+ mOperType = operType;
+ mContext = context;
+ mAccessType = accessType;
+ mObjectType = objType;
+ mDatabase = dbName;
+ mTable = tblName;
+ mView = tblName;
+
+ if(objName != null && ! objName.trim().isEmpty()) {
+ switch(objType) {
+ case DATABASE:
+ mDatabase = objName;
+ break;
+
+ case TABLE:
+ mTable = objName;
+ break;
+
+ case VIEW:
+ mView = objName;
+ break;
+
+ case PARTITION:
+ mPartition = objName;
+ break;
+
+ case INDEX:
+ mIndex = objName;
+ break;
+
+ case COLUMN:
+ mColumns = new ArrayList<String>();
+ mColumns.add(objName);
+ break;
+
+ case FUNCTION:
+ mFunction = objName;
+ break;
+
+ case URI:
+ mUri = objName;
+ break;
+
+ case NONE:
+ break;
+ }
+ }
+ }
+
+ public String getOperType() {
+ return mOperType;
+ }
+
+ public RangerHiveAccessContext getContext() {
+ return mContext;
+ }
+
+ public HiveAccessType getAccessType() {
+ return mAccessType;
+ }
+
+ public HiveObjectType getObjectType() {
+ return mObjectType;
+ }
+
+ public String getDatabase() {
+ return mDatabase;
+ }
+
+ public String getTable() {
+ return mTable;
+ }
+
+ public String getView() {
+ return mView;
+ }
+
+ public String getPartition() {
+ return mPartition;
+ }
+
+ public String getIndex() {
+ return mIndex;
+ }
+
+ public List<String> getColumns() {
+ return mColumns;
+ }
+
+ public String getFunction() {
+ return mFunction;
+ }
+
+ public String getUri() {
+ return mUri;
+ }
+
+ public void setDeinedObjectName(String deniedObjectName) {
+ mDeniedObjectName = deniedObjectName;
+ }
+
+ public String getDeinedObjectName() {
+ return mDeniedObjectName;
+ }
+
+ public String getObjectName() {
+ String objName = null;
+
+ if(this.mObjectType == HiveObjectType.URI) {
+ objName = mUri;
+ } else {
+ String tblName = null;
+ String colName = null;
+
+ if(! StringUtil.isEmpty(mTable))
+ tblName = mTable;
+ else if(! StringUtil.isEmpty(mView))
+ tblName = mView;
+ else if(! StringUtil.isEmpty(mFunction))
+ tblName = mFunction;
+
+ if(! StringUtil.isEmpty(mColumns))
+ colName = StringUtil.toString(mColumns);
+ else if(! StringUtil.isEmpty(mIndex))
+ colName = mIndex;
+
+ objName = getObjectName(mDatabase, tblName, colName);
+ }
+
+ return objName;
+ }
+
+ public static String getObjectName(String dbName, String tblName, String colName) {
+ String objName = StringUtil.isEmpty(dbName) ? "" : dbName;
+
+ if(!StringUtil.isEmpty(tblName)) {
+ objName += ("/" + tblName);
+
+ if(!StringUtil.isEmpty(colName)) {
+ objName += ("/" + colName);
+ }
+ }
+
+ return objName;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ boolean ret = false;
+
+ if(obj != null && obj instanceof RangerHiveObjectAccessInfo) {
+ RangerHiveObjectAccessInfo that = (RangerHiveObjectAccessInfo)obj;
+
+ ret = StringUtil.equalsIgnoreCase(mOperType, that.mOperType)
+ && mAccessType == that.mAccessType
+ && mObjectType == that.mObjectType
+ && StringUtil.equalsIgnoreCase(mDatabase, that.mDatabase)
+ && StringUtil.equalsIgnoreCase(mTable, that.mTable)
+ && StringUtil.equalsIgnoreCase(mView, that.mView)
+ && StringUtil.equalsIgnoreCase(mPartition, that.mPartition)
+ && StringUtil.equalsIgnoreCase(mIndex, that.mIndex)
+ && StringUtil.equalsIgnoreCase(mColumns, that.mColumns)
+ ;
+ }
+
+ return ret;
+ }
+}
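Review bot: `equals` at the end of the hunk never compares `mFunction` or `mUri`, so two URI-type requests with different URIs, or two FUNCTION-type requests with different function names, compare equal — for those object types every field the method does compare is null. If any caller keys a decision cache or de-duplicates audit events on this class (not visible here), a verdict or audit record for one URI would silently stand in for another. The class also overrides `equals` without `hashCode`, which breaks any `HashMap`/`HashSet` use; the hash has to be case-folded to agree with `equalsIgnoreCase`. Proposed change below (`mColumns`, `mContext` and `mDeniedObjectName` are left out of the hash, which the contract permits); `setDeinedObjectName`/`getDeinedObjectName` also look like typos for "Denied", but renaming them would change the public interface.
```java
    @Override
    public boolean equals(Object obj) {
        // … unchanged: null/instanceof check and the existing field comparisons …
                && StringUtil.equalsIgnoreCase(mColumns, that.mColumns)
                && StringUtil.equalsIgnoreCase(mFunction, that.mFunction)
                && StringUtil.equalsIgnoreCase(mUri, that.mUri)
                ;
        // … unchanged: return ret …
    }

    @Override
    public int hashCode() {
        // Case-folded so objects that are equal under equalsIgnoreCase() hash equally.
        int h = 31 * java.util.Objects.hashCode(mAccessType) + java.util.Objects.hashCode(mObjectType);
        for (String s : new String[] { mOperType, mDatabase, mTable, mView, mPartition, mIndex, mFunction, mUri }) {
            h = 31 * h + (s == null ? 0 : s.toLowerCase(java.util.Locale.ROOT).hashCode());
        }
        return h;
    }
```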
