Repository: incubator-ranger Updated Branches: refs/heads/master 4937bfea8 -> e4229e8af
RANGER-1070: Hive authorizer should allow 'export table' only when masking or row-filtering are not specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e4229e8a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e4229e8a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e4229e8a
Branch: refs/heads/master
Commit: e4229e8af4f13d4d72ee913d61ff4b27e3274a4e
Parents: 4937bfe
Author: Madhan Neethiraj <[email protected]>
Authored: Tue Jun 28 23:10:07 2016 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Thu Jun 30 09:07:59 2016 -0700
----------------------------------------------------------------------
.../hive/authorizer/RangerHiveAuthorizer.java | 75 ++++++++++++++++++--
1 file changed, 70 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e4229e8a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 307602a..86a6418 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -359,6 +359,37 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 } else {
 result = hivePlugin.isAccessAllowed(request, auditHandler);
+
+ if(hiveOpType == HiveOperationType.EXPORT && result != null && result.getIsAllowed()) {
+ RangerHiveResource res = (RangerHiveResource)request.getResource();
+
+ if(res.getObjectType() == HiveObjectType.TABLE || res.getObjectType() == HiveObjectType.VIEW) {
+ RangerRowFilterResult rowFilterResult = getRowFilterResult(request);
+
+ if (isRowFilterEnabled(rowFilterResult)) {
+ result.setIsAllowed(false);
+ result.setPolicyId(rowFilterResult.getPolicyId());
+ result.setReason("User does not have acces to all rows of the table");
+
+ auditHandler.processResult(result);
+ }
+
+ if(result.getIsAllowed()) {
+ // check if masking is enabled for any column in the table/view
+ request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
+
+ RangerDataMaskResult dataMaskResult = getDataMaskResult(request);
+
+ if (isDataMaskEnabled(dataMaskResult)) {
+ result.setIsAllowed(false);
+ result.setPolicyId(dataMaskResult.getPolicyId());
+ result.setReason("User does not have acces to unmasked column values");
+
+ auditHandler.processResult(result);
+ }
+ }
+ }
+ }
 }
 if(result != null && !result.getIsAllowed()) {
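Review bot: `request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)` widens the matching scope on the shared request object and never restores it, so anything that reads `request` after this block (the deny path that follows the hunk, or audit records built from the request) sees the widened scope; if that is not intended, capture the previous scope before the call and restore it once `getDataMaskResult(request)` has returned. The two new reason strings misspell "access" (`"User does not have acces to all rows of the table"` and `"User does not have acces to unmasked column values"`); these land in audit events and error messages that operators search on, so correct them to `access` before they ship. `hivePlugin.isAccessAllowed(request, auditHandler)` has presumably already handed the allowed result to the audit handler, so the extra `auditHandler.processResult(result)` on the now-denied result may emit both an allow and a deny event for the same EXPORT request unless the handler collapses them — worth confirming, since a stray allow record would mislead anyone reviewing the audit trail. The cast `(RangerHiveResource)request.getResource()` is then dereferenced without a null check; an allowed result very likely implies a resource is set, but a short guard or comment stating that assumption would help. The enclosing method begins and ends outside this hunk.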
@@ -533,6 +564,42 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return true; // TODO: derive from the policies
 }
+ private RangerDataMaskResult getDataMaskResult(RangerHiveAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> getDataMaskResult(request=" + request + ")");
+ }
+
+ RangerDataMaskResult ret = hivePlugin.evalDataMaskPolicies(request, null);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret);
+ }
+
+ return ret;
+ }
+
+ private RangerRowFilterResult getRowFilterResult(RangerHiveAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> getRowFilterResult(request=" + request + ")");
+ }
+
+ RangerRowFilterResult ret = hivePlugin.evalRowFilterPolicies(request, null);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret);
+ }
+
+ return ret;
+ }
+
+ private boolean isDataMaskEnabled(RangerDataMaskResult result) {
+ return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), MASK_TYPE_NONE);
+ }
+
+ private boolean isRowFilterEnabled(RangerRowFilterResult result) {
+ return result != null && result.isRowFilterEnabled() && StringUtils.isNotEmpty(result.getFilterExpr());
+ }
+
 private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
 UserGroupInformation ugi = getCurrentUserGroupInfo();
@@ -558,7 +625,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 RangerRowFilterResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);
- if(result != null && result.isRowFilterEnabled()) {
+ if(isRowFilterEnabled(result)) {
 ret = result.getFilterExpr();
 }
 } finally {
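Review bot: The two new probe helpers pass `null` as the audit handler to `evalDataMaskPolicies` and `evalRowFilterPolicies`, which is the non-obvious design choice here (the probe must not produce audit events of its own; the caller audits the final decision), and neither method says so; add a Javadoc above `getRowFilterResult` such as `/** Evaluates row-filter policies for the request without auditing; the caller audits the resulting access decision. */` and the matching one above `getDataMaskResult`. `isDataMaskEnabled` deliberately treats `MASK_TYPE_NONE` as "not masked", which also changes what the refactored caller in the `@@ -597,14` hunk does for that mask type, so a one-line comment on its `return` stating that intent would save the next reader a trip through both call sites. Neither `isDataMaskEnabled` nor `isRowFilterEnabled` reads instance state, so both could be `private static`. The debug lines concatenate the full `request` into the log; that is guarded by `isDebugEnabled`, but whatever the request's `toString` exposes reaches the log at debug level, which is worth a glance if it carries more than the resource and user names.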
@@ -597,14 +664,12 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 RangerDataMaskResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);
- if(result != null && result.isMaskEnabled()) {
+ if(isDataMaskEnabled(result)) {
 String maskType = result.getMaskType();
 RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
 String transformer = maskTypeDef.getTransformer();
- if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_NONE)) {
- ret = columnName;
- } else if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_NULL)) {
+ if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_NULL)) {
 ret = "NULL";
 } else if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_CUSTOM)) {
 String maskedValue = result.getMaskedValue();
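Review bot: Dropping the `MASK_TYPE_NONE` branch that assigned `ret = columnName` is only behaviour-preserving if `ret` is already initialised to `columnName` before this block, and that initialisation lies outside the hunk; with `isDataMaskEnabled(result)` returning false for `MASK_TYPE_NONE` the whole `if` is now skipped and `ret` keeps whatever it started as, so please confirm the initial value. Once confirmed, a comment on the `if` line such as `// MASK_TYPE_NONE is treated as "no mask" by isDataMaskEnabled(); ret keeps the unmasked column` records why the NONE case no longer appears in this chain. The enclosing method begins and ends outside this hunk.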
