Repository: incubator-ranger Updated Branches: refs/heads/master 19c3744b1 -> ece9810f1
RANGER-909: Ranger Hive plugin updates to support row-filtering Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ece9810f Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ece9810f Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ece9810f Branch: refs/heads/master Commit: ece9810f1d38b57b0be6251e1693279053b88d5e Parents: 19c3744 Author: Madhan Neethiraj <[email protected]> Authored: Tue Apr 5 11:32:35 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Apr 5 13:15:24 2016 -0700 ---------------------------------------------------------------------- .../hive/authorizer/RangerHiveAuditHandler.java | 7 ++++-- .../hive/authorizer/RangerHiveAuthorizer.java | 26 ++++++++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ece9810f/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index a2a49ad..0745d1d 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -23,17 +23,18 @@ import java.util.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
-import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
+import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import com.google.common.collect.Lists;
-import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
 public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
+ public static final String ACCESS_TYPE_ROWFILTER = "ROW_FILTER";
 Collection<AuthzAuditEvent> auditEvents = null;
 boolean deniedExists = false;
@@ -63,6 +64,8 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 if(result instanceof RangerDataMaskResult) {
 accessType = ((RangerDataMaskResult)result).getMaskType();
+ } else if(result instanceof RangerRowFilterResult) {
+ accessType = ACCESS_TYPE_ROWFILTER;
 } else {
 if (request instanceof RangerHiveAccessRequest) {
 RangerHiveAccessRequest hiveRequest = (RangerHiveAccessRequest) request;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ece9810f/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 9c57968..8988650 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -59,6 +59,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerDataMaskResult;
+import org.apache.ranger.plugin.policyengine.RangerRowFilterResult;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
@@ -469,12 +470,37 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 @Override
 public String getRowFilterExpression(String databaseName, String tableOrViewName) throws SemanticException {
+ UserGroupInformation ugi = getCurrentUserGroupInfo();
+
+ if(ugi == null) {
+ throw new SemanticException("user information not available");
+ }
+
 if(LOG.isDebugEnabled()) {
 LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
 }
 String ret = null;
+ RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+
+ try {
+ HiveAuthzContext context = null; // TODO: this should be provided as an argument to this method
+ HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
+ String user = ugi.getShortUserName();
+ Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
+ HiveObjectType objectType = HiveObjectType.TABLE;
+ RangerHiveResource resource = new RangerHiveResource(objectType, databaseName, tableOrViewName);
+ RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, objectType.name(), HiveAccessType.SELECT, context, sessionContext);
+
+ RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
+
+ if(result != null && result.isRowFilterEnabled()) {
+ ret = result.getFilterExpr();
+ }
+ } finally {
+ auditHandler.flushAudit();
+ }
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + ret);
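Review bot: A null `result` from `hivePlugin.evalRowFilterPolicies(request, auditHandler)` is handled the same way as "no row filter applies" at `if(result != null && result.isRowFilterEnabled())`, so `ret` stays null and the query would presumably run unfiltered. Whether the plugin can return null when policies are not yet loaded or evaluation could not run is not visible in this hunk; if it can, this path fails open for a control whose purpose is to restrict rows. Consider separating the two cases before the enabled check, e.g. `if(result == null) { throw new SemanticException("row-filter policies could not be evaluated"); }`, or at minimum add a comment stating that null is guaranteed to mean "no applicable policy". Separately, `context` is passed as null (per the TODO), so the events flushed in the `finally` block likely lack whatever request details `RangerHiveAccessRequest` would take from it, and the constructor's tolerance of a null context should be confirmed. The method body continues past the end of the hunk.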
