Repository: sentry Updated Branches: refs/heads/master 4643f988a -> 7a30c819c
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
deleted file mode 100644
index 616d46c..0000000
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ /dev/null
@@ -1,622 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.binding.hive.authz; - -import java.security.CodeSource; -import java.sql.Connection; -import java.sql.DriverManager; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.GnuParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Option; -import org.apache.commons.cli.OptionGroup; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; -import org.apache.commons.cli.Parser; -import org.apache.commons.lang3.StringUtils; -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; -import org.apache.hadoop.hive.ql.Driver; -import org.apache.hadoop.hive.ql.parse.SemanticException; -import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse; -import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.log4j.Level; -import org.apache.log4j.LogManager; -import org.apache.sentry.Command; -import org.apache.sentry.binding.hive.HiveAuthzBindingHook; -import 
org.apache.sentry.binding.hive.SentryPolicyFileFormatFactory; -import org.apache.sentry.binding.hive.SentryPolicyFileFormatter; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; -import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.db.Server; -import org.apache.sentry.provider.common.AuthorizationProvider; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.service.thrift.SentryServiceClientFactory; - -/** - * set the required system property to be read by HiveConf and AuthzConf - * - * @throws Exception - */ -// Hack, hiveConf doesn't provide a reliable way check if it found a valid -// hive-site -// load auth provider -// get the configured sentry provider -// validate policy files -// import policy files -public class SentryConfigTool { - private String sentrySiteFile = null; - private String policyFile = null; - private String query = null; - private String jdbcURL = null; - private String user = null; - private String passWord = null; - private String importPolicyFilePath = null; - private String exportPolicyFilePath = null; - private boolean listPrivs = false; - private boolean validate = false; - private boolean importOverwriteRole = false; - private HiveConf hiveConf = null; - private HiveAuthzConf authzConf = null; - private AuthorizationProvider sentryProvider = null; - - public SentryConfigTool() { - - } - - public AuthorizationProvider getSentryProvider() { - return sentryProvider; - } - - public void setSentryProvider(AuthorizationProvider sentryProvider) { - this.sentryProvider = sentryProvider; - } - - public HiveConf getHiveConf() { - return hiveConf; - } - - public void setHiveConf(HiveConf hiveConf) { - this.hiveConf = hiveConf; - } - - public HiveAuthzConf getAuthzConf() { - return authzConf; - } - - public void 
setAuthzConf(HiveAuthzConf authzConf) { - this.authzConf = authzConf; - } - - public boolean isValidate() { - return validate; - } - - public void setValidate(boolean validate) { - this.validate = validate; - } - - public String getImportPolicyFilePath() { - return importPolicyFilePath; - } - - public void setImportPolicyFilePath(String importPolicyFilePath) { - this.importPolicyFilePath = importPolicyFilePath; - } - - public String getExportPolicyFilePath() { - return exportPolicyFilePath; - } - - public void setExportPolicyFilePath(String exportPolicyFilePath) { - this.exportPolicyFilePath = exportPolicyFilePath; - } - - public String getSentrySiteFile() { - return sentrySiteFile; - } - - public void setSentrySiteFile(String sentrySiteFile) { - this.sentrySiteFile = sentrySiteFile; - } - - public String getPolicyFile() { - return policyFile; - } - - public void setPolicyFile(String policyFile) { - this.policyFile = policyFile; - } - - public String getQuery() { - return query; - } - - public void setQuery(String query) { - this.query = query; - } - - public String getJdbcURL() { - return jdbcURL; - } - - public void setJdbcURL(String jdbcURL) { - this.jdbcURL = jdbcURL; - } - - public String getUser() { - return user; - } - - public void setUser(String user) { - this.user = user; - } - - public String getPassWord() { - return passWord; - } - - public void setPassWord(String passWord) { - this.passWord = passWord; - } - - public boolean isListPrivs() { - return listPrivs; - } - - public void setListPrivs(boolean listPrivs) { - this.listPrivs = listPrivs; - } - - public boolean isImportOverwriteRole() { - return importOverwriteRole; - } - - public void setImportOverwriteRole(boolean importOverwriteRole) { - this.importOverwriteRole = importOverwriteRole; - } - - /** - * set the required system property to be read by HiveConf and AuthzConf - * @throws Exception - */ - public void setupConfig() throws Exception { - System.out.println("Configuration: "); - CodeSource 
src = SentryConfigTool.class.getProtectionDomain() - .getCodeSource(); - if (src != null) { - System.out.println("Sentry package jar: " + src.getLocation()); - } - - if (getPolicyFile() != null) { - System.setProperty(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), - getPolicyFile()); - } - System.setProperty(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "true"); - setHiveConf(new HiveConf(SessionState.class)); - getHiveConf().setVar(ConfVars.SEMANTIC_ANALYZER_HOOK, - HiveAuthzBindingHook.class.getName()); - try { - System.out.println("Hive config: " + HiveConf.getHiveSiteLocation()); - } catch (NullPointerException e) { - // Hack, hiveConf doesn't provide a reliable way check if it found a valid - // hive-site - throw new SentryConfigurationException("Didn't find a hive-site.xml"); - - } - - if (getSentrySiteFile() != null) { - getHiveConf() - .set(HiveAuthzConf.HIVE_SENTRY_CONF_URL, getSentrySiteFile()); - } - - setAuthzConf(HiveAuthzConf.getAuthzConf(getHiveConf())); - System.out.println("Sentry config: " - + getAuthzConf().getHiveAuthzSiteFile()); - System.out.println("Sentry Policy: " - + getAuthzConf().get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar())); - System.out.println("Sentry server: " - + getAuthzConf().get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar())); - - setSentryProvider(getAuthorizationProvider()); - } - - // load auth provider - private AuthorizationProvider getAuthorizationProvider() - throws IllegalStateException, SentryConfigurationException { - String serverName = new Server(getAuthzConf().get( - AuthzConfVars.AUTHZ_SERVER_NAME.getVar())).getName(); - // get the configured sentry provider - AuthorizationProvider sentryProvider = null; - try { - sentryProvider = HiveAuthzBinding.getAuthProvider(getHiveConf(), - authzConf, serverName); - } catch (SentryConfigurationException eC) { - printConfigErrors(eC); - } catch (Exception e) { - throw new IllegalStateException("Couldn't load sentry provider ", e); - } - return sentryProvider; - } - - // 
validate policy files - public void validatePolicy() throws Exception { - try { - getSentryProvider().validateResource(true); - } catch (SentryConfigurationException e) { - printConfigErrors(e); - } - System.out.println("No errors found in the policy file"); - } - - // import the sentry mapping data to database - public void importPolicy() throws Exception { - String requestorUserName = System.getProperty("user.name", ""); - // get the FileFormatter according to the configuration - SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory - .createFileFormatter(authzConf); - // parse the input file, get the mapping data in map structure - Map<String, Map<String, Set<String>>> policyFileMappingData = sentryPolicyFileFormatter.parse( - importPolicyFilePath, authzConf); - // todo: here should be an validator to check the data's value, format, hierarchy - SentryPolicyServiceClient client = SentryServiceClientFactory.create(getAuthzConf()); - // import the mapping data to database - client.importPolicy(policyFileMappingData, requestorUserName, importOverwriteRole); - } - - // export the sentry mapping data to file - public void exportPolicy() throws Exception { - String requestorUserName = System.getProperty("user.name", ""); - SentryPolicyServiceClient client = SentryServiceClientFactory.create(getAuthzConf()); - // export the sentry mapping data from database to map structure - Map<String, Map<String, Set<String>>> policyFileMappingData = client - .exportPolicy(requestorUserName); - // get the FileFormatter according to the configuration - SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory - .createFileFormatter(authzConf); - // write the sentry mapping data to exportPolicyFilePath with the data in map structure - sentryPolicyFileFormatter.write(exportPolicyFilePath, policyFileMappingData); - } - - // list permissions for given user - public void listPrivs() throws Exception { - 
getSentryProvider().validateResource(true); - System.out.println("Available privileges for user " + getUser() + ":"); - Set<String> permList = getSentryProvider().listPrivilegesForSubject( - new Subject(getUser())); - for (String perms : permList) { - System.out.println("\t" + perms); - } - if (permList.isEmpty()) { - System.out.println("\t*** No permissions available ***"); - } - } - - // Verify the given query - public void verifyLocalQuery(String queryStr) throws Exception { - // setup Hive driver - SessionState session = new SessionState(getHiveConf()); - SessionState.start(session); - Driver driver = new Driver(session.getConf(), getUser()); - - // compile the query - CommandProcessorResponse compilerStatus = driver - .compileAndRespond(queryStr); - if (compilerStatus.getResponseCode() != 0) { - String errMsg = compilerStatus.getErrorMessage(); - if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) { - printMissingPerms(getHiveConf().get( - HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS)); - } - throw new SemanticException("Compilation error: " - + compilerStatus.getErrorMessage()); - } - driver.close(); - System.out - .println("User " + getUser() + " has privileges to run the query"); - } - - // connect to remote HS2 and run mock query - public void verifyRemoteQuery(String queryStr) throws Exception { - Class.forName("org.apache.hive.jdbc.HiveDriver"); - Connection conn = DriverManager.getConnection(getJdbcURL(), getUser(), - getPassWord()); - Statement stmt = conn.createStatement(); - if (!isSentryEnabledOnHiveServer(stmt)) { - throw new IllegalStateException("Sentry is not enabled on HiveServer2"); - } - stmt.execute("set " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION + "=true"); - try { - stmt.execute(queryStr); - } catch (SQLException e) { - String errMsg = e.getMessage(); - if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR)) { - System.out.println("User " - + readConfig(stmt, HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME) - + " has privileges 
to run the query"); - return; - } else if (errMsg - .contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) { - printMissingPerms(readConfig(stmt, - HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS)); - throw e; - } else { - throw e; - } - } finally { - if (!stmt.isClosed()) { - stmt.close(); - } - conn.close(); - } - - } - - // verify senty session hook is set - private boolean isSentryEnabledOnHiveServer(Statement stmt) - throws SQLException { - String bindingString = readConfig(stmt, HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname).toUpperCase(); - return bindingString.contains("org.apache.sentry.binding.hive".toUpperCase()) - && bindingString.contains("HiveAuthzBindingSessionHook".toUpperCase()); - } - - // read a config value using 'set' statement - private String readConfig(Statement stmt, String configKey) - throws SQLException { - ResultSet res = stmt.executeQuery("set " + configKey); - if (!res.next()) { - return null; - } - // parse key=value result format - String result = res.getString(1); - res.close(); - return result.substring(result.indexOf("=") + 1); - } - - // print configuration/policy file errors and warnings - private void printConfigErrors(SentryConfigurationException configException) - throws SentryConfigurationException { - System.out.println(" *** Found configuration problems *** "); - for (String errMsg : configException.getConfigErrors()) { - System.out.println("ERROR: " + errMsg); - } - for (String warnMsg : configException.getConfigWarnings()) { - System.out.println("Warning: " + warnMsg); - } - throw configException; - } - - // extract the authorization errors from config property and print - private void printMissingPerms(String errMsg) { - if (errMsg == null || errMsg.isEmpty()) { - return; - } - System.out.println("*** Query compilation failed ***"); - String perms[] = errMsg.replaceFirst( - ".*" + HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE, "") - .split(";"); - System.out.println("Required privileges for given query:"); - for 
(int count = 0; count < perms.length; count++) { - System.out.println(" \t " + perms[count]); - } - } - - // print usage - private void usage(Options sentryOptions) { - HelpFormatter formatter = new HelpFormatter(); - formatter.printHelp("sentry --command config-tool", sentryOptions); - System.exit(-1); - } - - /** - * parse arguments - * - * <pre> - * -d,--debug Enable debug output - * -e,--query <arg> Query privilege verification, requires -u - * -h,--help Print usage - * -i,--policyIni <arg> Policy file path - * -j,--jdbcURL <arg> JDBC URL - * -l,--listPrivs,--listPerms List privilges for given user, requires -u - * -p,--password <arg> Password - * -s,--sentry-site <arg> sentry-site file path - * -u,--user <arg> user name - * -v,--validate Validate policy file - * -I,--import Import policy file - * -E,--export Export policy file - * -o,--overwrite Overwrite the exist role data when do the import - * </pre> - * - * @param args - */ - private void parseArgs(String[] args) { - boolean enableDebug = false; - - Options sentryOptions = new Options(); - - Option helpOpt = new Option("h", "help", false, "Print usage"); - helpOpt.setRequired(false); - - Option validateOpt = new Option("v", "validate", false, - "Validate policy file"); - validateOpt.setRequired(false); - - Option queryOpt = new Option("e", "query", true, - "Query privilege verification, requires -u"); - queryOpt.setRequired(false); - - Option listPermsOpt = new Option("l", "listPerms", false, - "list permissions for given user, requires -u"); - listPermsOpt.setRequired(false); - Option listPrivsOpt = new Option("listPrivs", false, - "list privileges for given user, requires -u"); - listPrivsOpt.setRequired(false); - - Option importOpt = new Option("I", "import", true, - "Import policy file"); - importOpt.setRequired(false); - - Option exportOpt = new Option("E", "export", true, "Export policy file"); - exportOpt.setRequired(false); - // required args - OptionGroup sentryOptGroup = new OptionGroup(); - 
sentryOptGroup.addOption(helpOpt); - sentryOptGroup.addOption(validateOpt); - sentryOptGroup.addOption(queryOpt); - sentryOptGroup.addOption(listPermsOpt); - sentryOptGroup.addOption(listPrivsOpt); - sentryOptGroup.addOption(importOpt); - sentryOptGroup.addOption(exportOpt); - sentryOptGroup.setRequired(true); - sentryOptions.addOptionGroup(sentryOptGroup); - - // optional args - Option jdbcArg = new Option("j", "jdbcURL", true, "JDBC URL"); - jdbcArg.setRequired(false); - sentryOptions.addOption(jdbcArg); - - Option sentrySitePath = new Option("s", "sentry-site", true, - "sentry-site file path"); - sentrySitePath.setRequired(false); - sentryOptions.addOption(sentrySitePath); - - Option globalPolicyPath = new Option("i", "policyIni", true, - "Policy file path"); - globalPolicyPath.setRequired(false); - sentryOptions.addOption(globalPolicyPath); - - Option userOpt = new Option("u", "user", true, "user name"); - userOpt.setRequired(false); - sentryOptions.addOption(userOpt); - - Option passWordOpt = new Option("p", "password", true, "Password"); - userOpt.setRequired(false); - sentryOptions.addOption(passWordOpt); - - Option debugOpt = new Option("d", "debug", false, "enable debug output"); - debugOpt.setRequired(false); - sentryOptions.addOption(debugOpt); - - Option overwriteOpt = new Option("o", "overwrite", false, "enable import overwrite"); - overwriteOpt.setRequired(false); - sentryOptions.addOption(overwriteOpt); - - try { - Parser parser = new GnuParser(); - CommandLine cmd = parser.parse(sentryOptions, args); - - for (Option opt : cmd.getOptions()) { - if (opt.getOpt().equals("s")) { - setSentrySiteFile(opt.getValue()); - } else if (opt.getOpt().equals("i")) { - setPolicyFile(opt.getValue()); - } else if (opt.getOpt().equals("e")) { - setQuery(opt.getValue()); - } else if (opt.getOpt().equals("j")) { - setJdbcURL(opt.getValue()); - } else if (opt.getOpt().equals("u")) { - setUser(opt.getValue()); - } else if (opt.getOpt().equals("p")) { - 
setPassWord(opt.getValue()); - } else if (opt.getOpt().equals("l") || opt.getOpt().equals("listPrivs")) { - setListPrivs(true); - } else if (opt.getOpt().equals("v")) { - setValidate(true); - } else if (opt.getOpt().equals("I")) { - setImportPolicyFilePath(opt.getValue()); - } else if (opt.getOpt().equals("E")) { - setExportPolicyFilePath(opt.getValue()); - } else if (opt.getOpt().equals("h")) { - usage(sentryOptions); - } else if (opt.getOpt().equals("d")) { - enableDebug = true; - } else if (opt.getOpt().equals("o")) { - setImportOverwriteRole(true); - } - } - - if (isListPrivs() && getUser() == null) { - throw new ParseException("Can't use -l without -u "); - } - if (getQuery() != null && getUser() == null) { - throw new ParseException("Must use -u with -e "); - } - } catch (ParseException e1) { - usage(sentryOptions); - } - - if (!enableDebug) { - // turn off log - LogManager.getRootLogger().setLevel(Level.OFF); - } - } - - public static class CommandImpl implements Command { - @Override - public void run(String[] args) throws Exception { - SentryConfigTool sentryTool = new SentryConfigTool(); - - try { - // parse arguments - sentryTool.parseArgs(args); - - // load configuration - sentryTool.setupConfig(); - - // validate configuration - if (sentryTool.isValidate()) { - sentryTool.validatePolicy(); - } - - if (!StringUtils.isEmpty(sentryTool.getImportPolicyFilePath())) { - sentryTool.importPolicy(); - } - - if (!StringUtils.isEmpty(sentryTool.getExportPolicyFilePath())) { - sentryTool.exportPolicy(); - } - - // list permissions for give user - if (sentryTool.isListPrivs()) { - sentryTool.listPrivs(); - } - - // verify given query - if (sentryTool.getQuery() != null) { - if (sentryTool.getJdbcURL() != null) { - sentryTool.verifyRemoteQuery(sentryTool.getQuery()); - } else { - sentryTool.verifyLocalQuery(sentryTool.getQuery()); - } - } - } catch (Exception e) { - System.out.println("Sentry tool reported Errors: " + e.getMessage()); - 
e.printStackTrace(System.out);
- System.exit(1);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
deleted file mode 100644
index 5a89af2..0000000
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ /dev/null
@@ -1,269 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.binding.hive.conf; - -import java.net.MalformedURLException; -import java.net.URL; -import java.util.HashMap; -import java.util.Map; -import java.util.Map.Entry; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hive.conf.HiveConf; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - - -public class HiveAuthzConf extends Configuration { - - /** - * Configuration key used in hive-site.xml to point at sentry-site.xml - */ - public static final String HIVE_ACCESS_CONF_URL = "hive.access.conf.url"; - public static final String HIVE_SENTRY_CONF_URL = "hive.sentry.conf.url"; - public static final String HIVE_ACCESS_SUBJECT_NAME = "hive.access.subject.name"; - public static final String HIVE_SENTRY_SUBJECT_NAME = "hive.sentry.subject.name"; - public static final String HIVE_SENTRY_AUTH_ERRORS = "sentry.hive.authorization.errors"; - public static final String HIVE_SENTRY_MOCK_COMPILATION = "sentry.hive.mock.compilation"; - public static final String HIVE_SENTRY_MOCK_ERROR = "sentry.hive.mock.error"; - public static final String HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE = "No valid privileges"; - /** - * 
Property used to persist the role set in the session. This is not public for now. - */ - public static final String SENTRY_ACTIVE_ROLE_SET = "hive.sentry.active.role.set"; - - public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST = - "hive.sentry.security.command.whitelist"; - public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT = - "set,reset,reload"; - - public static final String HIVE_SENTRY_SERDE_WHITELIST = "hive.sentry.serde.whitelist"; - public static final String HIVE_SENTRY_SERDE_WHITELIST_DEFAULT = "org.apache.hadoop.hive.serde2"; - - // Disable the serde Uri privileges by default for backward compatibilities. - public static final String HIVE_SENTRY_SERDE_URI_PRIVILIEGES_ENABLED = "hive.sentry.turn.on.serde.uri.privileges"; - public static final boolean HIVE_SENTRY_SERDE_URI_PRIVILIEGES_ENABLED_DEFAULT = false; - - public static final String HIVE_UDF_WHITE_LIST = - "concat,substr,substring,space,repeat,ascii,lpad,rpad,size,round,floor,sqrt,ceil," + - "ceiling,rand,abs,pmod,ln,log2,sin,asin,cos,acos,log10,log,exp,power,pow,sign,pi," + - "degrees,radians,atan,tan,e,conv,bin,hex,unhex,base64,unbase64,encode,decode,upper," + - "lower,ucase,lcase,trim,ltrim,rtrim,length,reverse,field,find_in_set,initcap,like," + - "rlike,regexp,regexp_replace,regexp_extract,parse_url,nvl,split,str_to_map,translate" + - ",positive,negative,day,dayofmonth,month,year,hour,minute,second,from_unixtime," + - "to_date,weekofyear,last_day,date_add,date_sub,datediff,add_months,get_json_object," + - "xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long," + - "xpath_int,xpath_short,xpath,+,-,*,/,%,div,&,|,^,~,current_database,isnull," + - "isnotnull,if,in,and,or,=,==,<=>,!=,<>,<,<=,>,>=,not,!,between,ewah_bitmap_and," + - "ewah_bitmap_or,ewah_bitmap_empty,boolean,tinyint,smallint,int,bigint,float,double," + - "string,date,timestamp,binary,decimal,varchar,char,max,min,sum,count,avg,std,stddev," + - 
"stddev_pop,stddev_samp,variance,var_pop,var_samp,covar_pop,covar_samp,corr," + - "histogram_numeric,percentile_approx,collect_set,collect_list,ngrams," + - "context_ngrams,ewah_bitmap,compute_stats,percentile," + - "array,assert_true,map,struct,named_struct,create_union,case,when,hash,coalesce," + - "index,in_file,instr,locate,elt,concat_ws,sort_array," + - "array_contains,sentences,map_keys,map_values,format_number,printf,greatest,least," + - "from_utc_timestamp,to_utc_timestamp,unix_timestamp,to_unix_timestamp,explode," + - "inline,json_tuple,parse_url_tuple,posexplode,stack,lead,lag,row_number,rank," + - "dense_rank,percent_rank,cume_dist,ntile,first_value,last_value,noop,noopwithmap," + - "noopstreaming,noopwithmapstreaming,windowingtablefunction,matchpath"; - - public static final String HIVE_UDF_BLACK_LIST = "reflect,reflect2,java_method"; - - /** - * Config setting definitions - */ - public static enum AuthzConfVars { - AUTHZ_PROVIDER("sentry.provider", - "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider"), - AUTHZ_PROVIDER_RESOURCE("sentry.hive.provider.resource", ""), - AUTHZ_PROVIDER_BACKEND("sentry.hive.provider.backend", "org.apache.sentry.provider.file.SimpleFileProviderBackend"), - AUTHZ_POLICY_ENGINE("sentry.hive.policy.engine", "org.apache.sentry.policy.db.SimpleDBPolicyEngine"), - AUTHZ_POLICY_FILE_FORMATTER( - "sentry.hive.policy.file.formatter", - "org.apache.sentry.binding.hive.SentryIniPolicyFileFormatter"), - AUTHZ_SERVER_NAME("sentry.hive.server", ""), - AUTHZ_RESTRICT_DEFAULT_DB("sentry.hive.restrict.defaultDB", "false"), - SENTRY_TESTING_MODE("sentry.hive.testing.mode", "false"), - AUTHZ_ALLOW_HIVE_IMPERSONATION("sentry.hive.allow.hive.impersonation", "false"), - AUTHZ_ONFAILURE_HOOKS("sentry.hive.failure.hooks", ""), - AUTHZ_METASTORE_SERVICE_USERS("sentry.metastore.service.users", null), - AUTHZ_SYNC_ALTER_WITH_POLICY_STORE("sentry.hive.sync.alter", "true"), - 
AUTHZ_SYNC_CREATE_WITH_POLICY_STORE("sentry.hive.sync.create", "false"), - AUTHZ_SYNC_DROP_WITH_POLICY_STORE("sentry.hive.sync.drop", "true"), - - AUTHZ_PROVIDER_DEPRECATED("hive.sentry.provider", - "org.apache.sentry.provider.file.ResourceAuthorizationProvider"), - AUTHZ_PROVIDER_RESOURCE_DEPRECATED("hive.sentry.provider.resource", ""), - AUTHZ_SERVER_NAME_DEPRECATED("hive.sentry.server", ""), - AUTHZ_RESTRICT_DEFAULT_DB_DEPRECATED("hive.sentry.restrict.defaultDB", "false"), - SENTRY_TESTING_MODE_DEPRECATED("hive.sentry.testing.mode", "false"), - AUTHZ_ALLOW_HIVE_IMPERSONATION_DEPRECATED("hive.sentry.allow.hive.impersonation", "false"), - AUTHZ_ONFAILURE_HOOKS_DEPRECATED("hive.sentry.failure.hooks", ""); - - private final String varName; - private final String defaultVal; - - AuthzConfVars(String varName, String defaultVal) { - this.varName = varName; - this.defaultVal = defaultVal; - } - - public String getVar() { - return varName; - } - - public String getDefault() { - return defaultVal; - } - - public static String getDefault(String varName) { - for (AuthzConfVars oneVar : AuthzConfVars.values()) { - if(oneVar.getVar().equalsIgnoreCase(varName)) { - return oneVar.getDefault(); - } - } - return null; - } - } - - // map of current property names - > deprecated property names. - // The binding layer code should work if the deprecated property names are provided, - // as long as the new property names aren't also provided. Since the binding code - // only calls the new property names, we require a map from current names to deprecated - // names in order to check if the deprecated name of a property was set. 
- private static final Map<String, AuthzConfVars> currentToDeprecatedProps = - new HashMap<String, AuthzConfVars>(); - static { - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_PROVIDER.getVar(), AuthzConfVars.AUTHZ_PROVIDER_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), AuthzConfVars.AUTHZ_PROVIDER_RESOURCE_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_SERVER_NAME.getVar(), AuthzConfVars.AUTHZ_SERVER_NAME_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), AuthzConfVars.SENTRY_TESTING_MODE_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION.getVar(), AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION_DEPRECATED); - currentToDeprecatedProps.put(AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), AuthzConfVars.AUTHZ_ONFAILURE_HOOKS_DEPRECATED); - }; - - private static final Logger LOG = LoggerFactory - .getLogger(HiveAuthzConf.class); - public static final String AUTHZ_SITE_FILE = "sentry-site.xml"; - private final String hiveAuthzSiteFile; - - public HiveAuthzConf(URL hiveAuthzSiteURL) { - super(); - LOG.info("DefaultFS: " + super.get("fs.defaultFS")); - addResource(hiveAuthzSiteURL); - applySystemProperties(); - LOG.info("DefaultFS: " + super.get("fs.defaultFS")); - this.hiveAuthzSiteFile = hiveAuthzSiteURL.toString(); - } - /** - * Apply system properties to this object if the property name is defined in ConfVars - * and the value is non-null and not an empty string. 
- */ - private void applySystemProperties() { - Map<String, String> systemProperties = getConfSystemProperties(); - for (Entry<String, String> systemProperty : systemProperties.entrySet()) { - this.set(systemProperty.getKey(), systemProperty.getValue()); - } - } - - /** - * This method returns a mapping from config variable name to its value for all config variables - * which have been set using System properties - */ - public static Map<String, String> getConfSystemProperties() { - Map<String, String> systemProperties = new HashMap<String, String>(); - - for (AuthzConfVars oneVar : AuthzConfVars.values()) { - String value = System.getProperty(oneVar.getVar()); - if (value != null && value.length() > 0) { - systemProperties.put(oneVar.getVar(), value); - } - } - return systemProperties; - } - - @Override - public String get(String varName) { - return get(varName, null); - } - - @Override - public String get(String varName, String defaultVal) { - String retVal = super.get(varName); - if (retVal == null) { - // check if the deprecated value is set here - if (currentToDeprecatedProps.containsKey(varName)) { - retVal = super.get(currentToDeprecatedProps.get(varName).getVar()); - } - if (retVal == null) { - retVal = AuthzConfVars.getDefault(varName); - } else { - LOG.warn("Using the deprecated config setting " + currentToDeprecatedProps.get(varName).getVar() + - " instead of " + varName); - } - } - if (retVal == null) { - retVal = defaultVal; - } - return retVal; - } - - public String getHiveAuthzSiteFile() { - return hiveAuthzSiteFile; - } - - /** - * Extract the authz config file path from given hive conf and load the authz config - * @param hiveConf - * @return - * @throws IllegalArgumentException - */ - public static HiveAuthzConf getAuthzConf(HiveConf hiveConf) - throws IllegalArgumentException { - boolean depreicatedConfigFile = false; - - String hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_SENTRY_CONF_URL); - if (hiveAuthzConf == null - || (hiveAuthzConf = 
hiveAuthzConf.trim()).isEmpty()) {
- hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_ACCESS_CONF_URL);
- depreicatedConfigFile = true;
- }
-
- if (hiveAuthzConf == null
- || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
- throw new IllegalArgumentException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
- + "' is invalid.");
- }
-
- try {
- return new HiveAuthzConf(new URL(hiveAuthzConf));
- } catch (MalformedURLException e) {
- if (depreicatedConfigFile) {
- throw new IllegalArgumentException("Configuration key "
- + HiveAuthzConf.HIVE_ACCESS_CONF_URL
- + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
- } else {
- throw new IllegalArgumentException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL
- + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
deleted file mode 100644
index b658922..0000000
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/InvalidConfigurationException.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.binding.hive.conf;
-
-public class InvalidConfigurationException extends Exception
-{
- private static final long serialVersionUID = 1L;
-
- //Parameterless Constructor
- public InvalidConfigurationException() {}
-
- //Constructor that accepts a message
- public InvalidConfigurationException(String message)
- {
- super(message);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
index 37781b9..9e08571 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
@@ -40,7 +40,7 @@ import org.apache.hadoop.hive.metastore.api.UnknownDBException;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.hadoop.hive.shims.Utils;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
+import org.apache.sentry.binding.hive.HiveAuthzBindingHookBase;
 import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
@@ -285,7 +285,7 @@ public class AuthorizingObjectStore extends ObjectStore {
 throws MetaException {
 if (needsAuthorization(getUserName())) {
 try {
- return HiveAuthzBindingHook.filterShowDatabases(getHiveAuthzBinding(),
+ return HiveAuthzBindingHookBase.filterShowDatabases(getHiveAuthzBinding(),
 dbList, HiveOperation.SHOWDATABASES, getUserName());
 } catch (SemanticException e) {
 throw new MetaException("Error getting DB list " + e.getMessage());
@@ -306,7 +306,7 @@ public class AuthorizingObjectStore extends ObjectStore {
 throws MetaException {
 if (needsAuthorization(getUserName())) {
 try {
- return HiveAuthzBindingHook.filterShowTables(getHiveAuthzBinding(),
+ return HiveAuthzBindingHookBase.filterShowTables(getHiveAuthzBinding(),
 tabList, HiveOperation.SHOWTABLES, getUserName(), dbName);
 } catch (SemanticException e) {
 throw new MetaException("Error getting Table list " + e.getMessage());
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
index 14c31a4..d741c44 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
@@ -17,52 +17,20 @@ */ package org.apache.sentry.binding.metastore; -import java.io.File; import java.io.IOException; -import java.net.MalformedURLException; -import java.net.URISyntaxException; -import java.net.URL; -import java.util.ArrayList; import java.util.List; -import java.util.Set; import javax.security.auth.login.LoginException; -import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.MetaStorePreEventListener; import org.apache.hadoop.hive.metastore.api.InvalidOperationException; -import org.apache.hadoop.hive.metastore.api.MetaException; -import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; -import org.apache.hadoop.hive.metastore.api.Partition; -import org.apache.hadoop.hive.metastore.api.StorageDescriptor; -import org.apache.hadoop.hive.metastore.events.PreAddPartitionEvent; -import org.apache.hadoop.hive.metastore.events.PreAlterPartitionEvent; -import org.apache.hadoop.hive.metastore.events.PreAlterTableEvent; -import org.apache.hadoop.hive.metastore.events.PreCreateTableEvent; -import org.apache.hadoop.hive.metastore.events.PreDropDatabaseEvent; -import org.apache.hadoop.hive.metastore.events.PreDropPartitionEvent; -import org.apache.hadoop.hive.metastore.events.PreDropTableEvent; -import org.apache.hadoop.hive.metastore.events.PreEventContext; import org.apache.hadoop.hive.ql.metadata.AuthorizationException; import org.apache.hadoop.hive.ql.plan.HiveOperation; -import org.apache.hadoop.hive.shims.Utils; import org.apache.sentry.SentryUserException; import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.common.utils.PathUtils; -import 
org.apache.sentry.core.model.db.AccessURI; import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.model.db.Database; -import org.apache.sentry.core.model.db.Server; -import org.apache.sentry.core.model.db.Table; - -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Sets; /** * Sentry binding for Hive Metastore. The binding is integrated into Metastore 
@@ -73,334 +41,16 @@ import com.google.common.collect.Sets; * passed down to the hive binding which handles the authorization. This ensures * that we follow the same privilege model and policies. */ -public class MetastoreAuthzBinding extends MetaStorePreEventListener { - - /** - * Build the set of object hierarchies ie fully qualified db model objects - */ - protected static class HierarcyBuilder { - private List<List<DBModelAuthorizable>> authHierarchy; - - public HierarcyBuilder() { - authHierarchy = new ArrayList<List<DBModelAuthorizable>>(); - } - - public HierarcyBuilder addServerToOutput(Server server) { - List<DBModelAuthorizable> serverHierarchy = new ArrayList<DBModelAuthorizable>(); - serverHierarchy.add(server); - authHierarchy.add(serverHierarchy); - return this; - } - - public HierarcyBuilder addDbToOutput(Server server, String dbName) { - List<DBModelAuthorizable> dbHierarchy = new ArrayList<DBModelAuthorizable>(); - addServerToOutput(server); - dbHierarchy.add(server); - dbHierarchy.add(new Database(dbName)); - authHierarchy.add(dbHierarchy); - return this; - } - - public HierarcyBuilder addUriToOutput(Server server, String uriPath, - String warehouseDirPath) throws MetaException { - List<DBModelAuthorizable> uriHierarchy = new ArrayList<DBModelAuthorizable>(); - addServerToOutput(server); - uriHierarchy.add(server); - try { - uriHierarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDirPath, - uriPath))); - } catch (URISyntaxException e) { - throw new MetaException("Error paring the URI " + e.getMessage()); - } - authHierarchy.add(uriHierarchy); - return this; - } - - public HierarcyBuilder addTableToOutput(Server server, String dbName, - String tableName) { - List<DBModelAuthorizable> tableHierarchy = new ArrayList<DBModelAuthorizable>(); - addDbToOutput(server, dbName); - tableHierarchy.add(server); - tableHierarchy.add(new Database(dbName)); - tableHierarchy.add(new Table(tableName)); - authHierarchy.add(tableHierarchy); - return this; - } - 
- public List<List<DBModelAuthorizable>> build() { - return authHierarchy; - } - } - - private HiveAuthzConf authzConf; - private final Server authServer; - private final HiveConf hiveConf; - private final ImmutableSet<String> serviceUsers; - private HiveAuthzBinding hiveAuthzBinding; - private final String warehouseDir; - private static boolean sentryCacheOutOfSync = false; +public class MetastoreAuthzBinding extends MetastoreAuthzBindingBase { public MetastoreAuthzBinding(Configuration config) throws Exception { super(config); - String hiveAuthzConf = config.get(HiveAuthzConf.HIVE_SENTRY_CONF_URL); - if (hiveAuthzConf == null - || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) { - throw new IllegalArgumentException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf - + "' is invalid."); - } - try { - authzConf = new HiveAuthzConf(new URL(hiveAuthzConf)); - } catch (MalformedURLException e) { - throw new IllegalArgumentException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " specifies a malformed URL '" - + hiveAuthzConf + "'", e); - } - hiveConf = new HiveConf(config, this.getClass()); - this.authServer = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME - .getVar())); - serviceUsers = ImmutableSet.copyOf(toTrimedLower(Sets.newHashSet(authzConf - .getStrings(AuthzConfVars.AUTHZ_METASTORE_SERVICE_USERS.getVar(), - new String[] { "" })))); - warehouseDir = hiveConf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE); - } - /** - * Main listener callback which is the entry point for Sentry - */ @Override - public void onEvent(PreEventContext context) throws MetaException, - NoSuchObjectException, InvalidOperationException { - - if (!needsAuthorization(getUserName())) { - return; - } - switch (context.getEventType()) { - case CREATE_TABLE: - authorizeCreateTable((PreCreateTableEvent) context); - break; - case DROP_TABLE: - authorizeDropTable((PreDropTableEvent) context); - break; - case ALTER_TABLE: - 
authorizeAlterTable((PreAlterTableEvent) context); - break; - case ADD_PARTITION: - authorizeAddPartition((PreAddPartitionEvent) context); - break; - case DROP_PARTITION: - authorizeDropPartition((PreDropPartitionEvent) context); - break; - case ALTER_PARTITION: - authorizeAlterPartition((PreAlterPartitionEvent) context); - break; - case CREATE_DATABASE: - authorizeCreateDatabase(); - break; - case DROP_DATABASE: - authorizeDropDatabase((PreDropDatabaseEvent) context); - break; - case LOAD_PARTITION_DONE: - // noop for now - break; - default: - break; - } - } - - private void authorizeCreateDatabase() - throws InvalidOperationException, MetaException { - authorizeMetastoreAccess(HiveOperation.CREATEDATABASE, - new HierarcyBuilder().addServerToOutput(getAuthServer()).build(), - new HierarcyBuilder().addServerToOutput(getAuthServer()).build()); - } - - private void authorizeDropDatabase(PreDropDatabaseEvent context) - throws InvalidOperationException, MetaException { - authorizeMetastoreAccess(HiveOperation.DROPDATABASE, - new HierarcyBuilder() -.addDbToOutput(getAuthServer(), - context.getDatabase().getName()).build(), - new HierarcyBuilder().addDbToOutput(getAuthServer(), - context.getDatabase().getName()).build()); - } - - private void authorizeCreateTable(PreCreateTableEvent context) - throws InvalidOperationException, MetaException { - HierarcyBuilder inputBuilder = new HierarcyBuilder(); - inputBuilder.addDbToOutput(getAuthServer(), context.getTable().getDbName()); - HierarcyBuilder outputBuilder = new HierarcyBuilder(); - outputBuilder.addDbToOutput(getAuthServer(), context.getTable().getDbName()); - - if (!StringUtils.isEmpty(context.getTable().getSd().getLocation())) { - String uriPath; - try { - uriPath = PathUtils.parseDFSURI(warehouseDir, - getSdLocation(context.getTable().getSd())); - } catch(URISyntaxException e) { - throw new MetaException(e.getMessage()); - } - inputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir); - } - 
authorizeMetastoreAccess(HiveOperation.CREATETABLE, inputBuilder.build(), - outputBuilder.build()); - } - - private void authorizeDropTable(PreDropTableEvent context) - throws InvalidOperationException, MetaException { - authorizeMetastoreAccess( - HiveOperation.DROPTABLE, - new HierarcyBuilder().addTableToOutput(getAuthServer(), - context.getTable().getDbName(), context.getTable().getTableName()) - .build(), - new HierarcyBuilder().addTableToOutput(getAuthServer(), - context.getTable().getDbName(), context.getTable().getTableName()) - .build()); - } - - private void authorizeAlterTable(PreAlterTableEvent context) - throws InvalidOperationException, MetaException { - /* - * There are multiple alter table options and it's tricky to figure which is - * attempted here. Currently all alter table needs full level privilege - * except the for setting location which also needs a privile on URI. Hence - * we set initially set the operation to ALTERTABLE_ADDCOLS. If the client - * has specified the location, then change to ALTERTABLE_LOCATION - */ - HiveOperation operation = HiveOperation.ALTERTABLE_ADDCOLS; - HierarcyBuilder inputBuilder = new HierarcyBuilder(); - inputBuilder.addTableToOutput(getAuthServer(), context.getOldTable() - .getDbName(), context.getOldTable().getTableName()); - HierarcyBuilder outputBuilder = new HierarcyBuilder(); - outputBuilder.addTableToOutput(getAuthServer(), context.getOldTable() - .getDbName(), context.getOldTable().getTableName()); - - // if the operation requires location change, then add URI privilege check - String oldLocationUri; - String newLocationUri; - try { - oldLocationUri = PathUtils.parseDFSURI(warehouseDir, - getSdLocation(context.getOldTable().getSd())); - newLocationUri = PathUtils.parseDFSURI(warehouseDir, - getSdLocation(context.getNewTable().getSd())); - } catch (URISyntaxException e) { - throw new MetaException(e.getMessage()); - } - if (oldLocationUri.compareTo(newLocationUri) != 0) { - 
outputBuilder.addUriToOutput(getAuthServer(), newLocationUri, - warehouseDir); - operation = HiveOperation.ALTERTABLE_LOCATION; - } - authorizeMetastoreAccess( - operation, - inputBuilder.build(), outputBuilder.build()); - - } - - private void authorizeAddPartition(PreAddPartitionEvent context) - throws InvalidOperationException, MetaException, NoSuchObjectException { - for (Partition mapiPart : context.getPartitions()) { - HierarcyBuilder inputBuilder = new HierarcyBuilder(); - inputBuilder.addTableToOutput(getAuthServer(), mapiPart - .getDbName(), mapiPart.getTableName()); - HierarcyBuilder outputBuilder = new HierarcyBuilder(); - outputBuilder.addTableToOutput(getAuthServer(), mapiPart - .getDbName(), mapiPart.getTableName()); - // check if we need to validate URI permissions when storage location is - // non-default, ie something not under the parent table - - String partitionLocation = null; - if (mapiPart.isSetSd()) { - partitionLocation = mapiPart.getSd().getLocation(); - } - if (!StringUtils.isEmpty(partitionLocation)) { - String tableLocation = context - .getHandler() - .get_table(mapiPart.getDbName(), - mapiPart.getTableName()).getSd().getLocation(); - String uriPath; - try { - uriPath = PathUtils.parseDFSURI(warehouseDir, mapiPart - .getSd().getLocation()); - } catch (URISyntaxException e) { - throw new MetaException(e.getMessage()); - } - if (!partitionLocation.equals(tableLocation) && - !partitionLocation.startsWith(tableLocation + File.separator)) { - outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir); - } - } - authorizeMetastoreAccess(HiveOperation.ALTERTABLE_ADDPARTS, - inputBuilder.build(), outputBuilder.build()); - } - } - - protected void authorizeDropPartition(PreDropPartitionEvent context) - throws InvalidOperationException, MetaException { - authorizeMetastoreAccess( - HiveOperation.ALTERTABLE_DROPPARTS, - new HierarcyBuilder().addTableToOutput(getAuthServer(), - context.getPartition().getDbName(), - 
context.getPartition().getTableName()).build(), - new HierarcyBuilder().addTableToOutput(getAuthServer(), - context.getPartition().getDbName(), - context.getPartition().getTableName()).build()); - } - - private void authorizeAlterPartition(PreAlterPartitionEvent context) - throws InvalidOperationException, MetaException, NoSuchObjectException { - /* - * There are multiple alter partition options and it's tricky to figure out - * which is attempted here. Currently all alter partition need full level - * privilege except the for setting location which also needs a privilege on - * URI. Currently we don't try to distinguish the operation type. All alter - * partitions are treated as set-location - */ - HierarcyBuilder inputBuilder = new HierarcyBuilder().addTableToOutput( - getAuthServer(), context.getDbName(), context.getTableName()); - HierarcyBuilder outputBuilder = new HierarcyBuilder().addTableToOutput( - getAuthServer(), context.getDbName(), context.getTableName()); - - Partition partition = context.getNewPartition(); - String partitionLocation = getSdLocation(partition.getSd()); - if (!StringUtils.isEmpty(partitionLocation)) { - String tableLocation = context.getHandler().get_table( - partition.getDbName(), partition.getTableName()).getSd().getLocation(); - - String uriPath; - try { - uriPath = PathUtils.parseDFSURI(warehouseDir, partitionLocation); - } catch (URISyntaxException e) { - throw new MetaException(e.getMessage()); - } - if (!partitionLocation.startsWith(tableLocation + File.separator)) { - outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir); - } - } - authorizeMetastoreAccess( - HiveOperation.ALTERPARTITION_LOCATION, - inputBuilder.build(), outputBuilder.build()); - } - - private InvalidOperationException invalidOperationException(Exception e) { - InvalidOperationException ex = new InvalidOperationException(e.getMessage()); - ex.initCause(e.getCause()); - return ex; - } - - /** - * Assemble the required privileges and requested 
privileges. Validate using - * Hive bind auth provider - * @param hiveOp - * @param inputHierarchy - * @param outputHierarchy - * @throws InvalidOperationException - */ protected void authorizeMetastoreAccess(HiveOperation hiveOp, List<List<DBModelAuthorizable>> inputHierarchy, - List<List<DBModelAuthorizable>> outputHierarchy) - throws InvalidOperationException { + List<List<DBModelAuthorizable>> outputHierarchy) throws InvalidOperationException { if (isSentryCacheOutOfSync()) { throw invalidOperationException(new SentryUserException( "Metastore/Sentry cache is out of sync")); 
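Review bot: The Javadoc on `authorizeMetastoreAccess` is deleted in this hunk and nothing replaces it, so the only method left in `MetastoreAuthzBinding`, the override that makes the authorization decision, is undocumented. I would keep a short comment on it, for example `/** Authorizes hiveOp against the input and output hierarchies through the Hive binding; rejects every request with InvalidOperationException while the Metastore/Sentry cache is out of sync. */`. The constructor now only calls `super(config)`, so the checks removed here on `HiveAuthzConf.HIVE_SENTRY_CONF_URL` (empty value, malformed URL) and the service-user set read from `AUTHZ_METASTORE_SERVICE_USERS` presumably live in `MetastoreAuthzBindingBase`, which this hunk does not show; it is worth confirming they moved unchanged, because that set decides which users skip authorization. The body of the override continues past the end of the hunk.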
@@ -419,56 +69,6 @@ public class MetastoreAuthzBinding extends MetaStorePreEventListener { } catch (Exception e) { throw invalidOperationException(e); } - - } - - public Server getAuthServer() { - return authServer; - } - - private boolean needsAuthorization(String userName) { - return !serviceUsers.contains(userName); - } - - private static Set<String> toTrimedLower(Set<String> s) { - Set<String> result = Sets.newHashSet(); - for (String v : s) { - result.add(v.trim().toLowerCase()); - } - return result; - } - - private HiveAuthzBinding getHiveAuthzBinding() throws Exception { - if (hiveAuthzBinding == null) { - hiveAuthzBinding = new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveMetaStore, hiveConf, authzConf); - } - return hiveAuthzBinding; - } - - private String getUserName() throws MetaException { - try { - return Utils.getUGI().getShortUserName(); - } catch (LoginException e) { - throw new MetaException("Failed to get username " + e.getMessage()); - } catch (IOException e) { - throw new MetaException("Failed to get username " + e.getMessage()); - } - } - - private String getSdLocation(StorageDescriptor sd) { - if (sd == null) { - return ""; - } else { - return sd.getLocation(); - } - } - - public static boolean isSentryCacheOutOfSync() { - return sentryCacheOutOfSync; - } - - public static void setSentryCacheOutOfSync(boolean sentryCacheOutOfSync) { - MetastoreAuthzBinding.sentryCacheOutOfSync = sentryCacheOutOfSync; } } http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java deleted file mode 100644 index 0330db9..0000000 
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java
+++ /dev/null
@@ -1,161 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.binding.metastore; - -import java.net.MalformedURLException; -import java.net.URL; -import java.util.List; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.HiveMetaHookLoader; -import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; -import org.apache.hadoop.hive.metastore.IMetaStoreClient; -import org.apache.hadoop.hive.metastore.api.InvalidOperationException; -import org.apache.hadoop.hive.metastore.api.MetaException; -import org.apache.hadoop.hive.metastore.api.UnknownDBException; -import org.apache.hadoop.hive.ql.parse.SemanticException; -import org.apache.hadoop.hive.ql.plan.HiveOperation; -import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.sentry.binding.hive.HiveAuthzBindingHook; -import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.thrift.TException; - -public class SentryHiveMetaStoreClient extends HiveMetaStoreClient implements - IMetaStoreClient { - - private HiveAuthzBinding hiveAuthzBinding; - private HiveAuthzConf authzConf; - - public 
SentryHiveMetaStoreClient(HiveConf conf) throws MetaException { - super(conf); - } - - public SentryHiveMetaStoreClient(HiveConf conf, HiveMetaHookLoader hookLoader) - throws MetaException { - super(conf, hookLoader); - } - - @Override - public List<String> getDatabases(String databasePattern) throws MetaException { - return filterDatabases(super.getDatabases(databasePattern)); - } - - @Override - public List<String> getAllDatabases() throws MetaException { - return filterDatabases(super.getAllDatabases()); - } - - @Override - public List<String> getTables(String dbName, String tablePattern) - throws MetaException { - return filterTables(dbName, super.getTables(dbName, tablePattern)); - } - - @Override - public List<String> getAllTables(String dbName) throws MetaException { - return filterTables(dbName, super.getAllTables(dbName)); - } - - @Override - public List<String> listTableNamesByFilter(String dbName, String filter, - short maxTables) throws InvalidOperationException, UnknownDBException, - TException { - return filterTables(dbName, - super.listTableNamesByFilter(dbName, filter, maxTables)); - } - - /** - * Invoke Hive database filtering that removes the entries which use has no - * privileges to access - * - * @param dbList - * @return - * @throws MetaException - */ - private List<String> filterDatabases(List<String> dbList) - throws MetaException { - try { - return HiveAuthzBindingHook.filterShowDatabases(getHiveAuthzBinding(), - dbList, HiveOperation.SHOWDATABASES, getUserName()); - } catch (SemanticException e) { - throw new MetaException("Error getting DB list " + e.getMessage()); - } - } - - /** - * Invoke Hive table filtering that removes the entries which use has no - * privileges to access - * - * @param dbList - * @return - * @throws MetaException - */ - private List<String> filterTables(String dbName, List<String> tabList) - throws MetaException { - try { - return HiveAuthzBindingHook.filterShowTables(getHiveAuthzBinding(), - tabList, 
HiveOperation.SHOWTABLES, getUserName(), dbName); - } catch (SemanticException e) { - throw new MetaException("Error getting Table list " + e.getMessage()); - } - } - - private String getUserName() { - return getConf().get(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME); - } - - /** - * load Hive auth provider - * - * @return - * @throws MetaException - */ - private HiveAuthzBinding getHiveAuthzBinding() throws MetaException { - if (hiveAuthzBinding == null) { - String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL); - if (hiveAuthzConf == null - || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) { - throw new MetaException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf - + "' is invalid."); - } - try { - authzConf = new HiveAuthzConf(new URL(hiveAuthzConf)); - } catch (MalformedURLException e) { - throw new MetaException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL - + " specifies a malformed URL '" + hiveAuthzConf + "' " - + e.getMessage()); - } - try { - hiveAuthzBinding = new HiveAuthzBinding( - HiveAuthzBinding.HiveHook.HiveMetaStore, getConf(), authzConf); - } catch (Exception e) { - throw new MetaException("Failed to load Hive binding " + e.getMessage()); - } - } - return hiveAuthzBinding; - } - - private HiveConf getConf() { - return SessionState.get().getConf(); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java deleted file mode 100644 index b551788..0000000 
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
+++ /dev/null
@@ -1,201 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.binding.metastore; - -import java.net.MalformedURLException; -import java.net.URL; -import java.util.ArrayList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.MetaStoreFilterHook; -import org.apache.hadoop.hive.metastore.api.Database; -import org.apache.hadoop.hive.metastore.api.Index; -import org.apache.hadoop.hive.metastore.api.MetaException; -import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; -import org.apache.hadoop.hive.metastore.api.Partition; -import org.apache.hadoop.hive.metastore.api.PartitionSpec; -import org.apache.hadoop.hive.metastore.api.Table; -import org.apache.hadoop.hive.ql.plan.HiveOperation; -import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.sentry.binding.hive.HiveAuthzBindingHook; -import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; - -public class SentryMetaStoreFilterHook implements MetaStoreFilterHook { - - static final protected Log 
LOG = LogFactory.getLog(SentryMetaStoreFilterHook.class); - - private HiveAuthzBinding hiveAuthzBinding; - private HiveAuthzConf authzConf; - - public SentryMetaStoreFilterHook(HiveConf hiveConf) { //NOPMD - } - - @Override - public List<String> filterDatabases(List<String> dbList) { - return filterDb(dbList); - } - - @Override - public Database filterDatabase(Database dataBase) - throws NoSuchObjectException { - return dataBase; - } - - @Override - public List<String> filterTableNames(String dbName, List<String> tableList) { - return filterTab(dbName, tableList); - } - - @Override - public Table filterTable(Table table) throws NoSuchObjectException { - return table; - } - - @Override - public List<Table> filterTables(List<Table> tableList) { - return tableList; - } - - @Override - public List<Partition> filterPartitions(List<Partition> partitionList) { - return partitionList; - } - - @Override - public List<PartitionSpec> filterPartitionSpecs( - List<PartitionSpec> partitionSpecList) { - return partitionSpecList; - } - - @Override - public Partition filterPartition(Partition partition) - throws NoSuchObjectException { - return partition; - } - - @Override - public List<String> filterPartitionNames(String dbName, String tblName, - List<String> partitionNames) { - return partitionNames; - } - - @Override - public Index filterIndex(Index index) throws NoSuchObjectException { - return index; - } - - @Override - public List<String> filterIndexNames(String dbName, String tblName, - List<String> indexList) { - return indexList; - } - - @Override - public List<Index> filterIndexes(List<Index> indexeList) { - return indexeList; - } - - /** - * Invoke Hive database filtering that removes the entries which use has no - * privileges to access - * @param dbList - * @return - * @throws MetaException - */ - private List<String> filterDb(List<String> dbList) { - try { - return HiveAuthzBindingHook.filterShowDatabases(getHiveAuthzBinding(), - dbList, HiveOperation.SHOWDATABASES, 
getUserName()); - } catch (Exception e) { - LOG.warn("Error getting DB list ", e); - return new ArrayList<String>(); - } finally { - close(); - } - } - - /** - * Invoke Hive table filtering that removes the entries which use has no - * privileges to access - * @param tabList - * @return - * @throws MetaException - */ - private List<String> filterTab(String dbName, List<String> tabList) { - try { - return HiveAuthzBindingHook.filterShowTables(getHiveAuthzBinding(), - tabList, HiveOperation.SHOWTABLES, getUserName(), dbName); - } catch (Exception e) { - LOG.warn("Error getting Table list ", e); - return new ArrayList<String>(); - } finally { - close(); - } - } - - private String getUserName() { - return getConf().get(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME); - } - - /** - * load Hive auth provider - * @return - * @throws MetaException - */ - private HiveAuthzBinding getHiveAuthzBinding() throws MetaException { - if (hiveAuthzBinding == null) { - String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL); - if (hiveAuthzConf == null - || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) { - throw new MetaException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf - + "' is invalid."); - } - try { - authzConf = new HiveAuthzConf(new URL(hiveAuthzConf)); - } catch (MalformedURLException e) { - throw new MetaException("Configuration key " - + HiveAuthzConf.HIVE_SENTRY_CONF_URL - + " specifies a malformed URL '" + hiveAuthzConf + "' " - + e.getMessage()); - } - try { - hiveAuthzBinding = new HiveAuthzBinding( - HiveAuthzBinding.HiveHook.HiveMetaStore, getConf(), authzConf); - } catch (Exception e) { - throw new MetaException("Failed to load Hive binding " + e.getMessage()); - } - } - return hiveAuthzBinding; - } - - private HiveConf getConf() { - return SessionState.get().getConf(); - } - - private void close() { - if (hiveAuthzBinding != null) { - hiveAuthzBinding.close(); - hiveAuthzBinding = null; - } - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
index 8b716c3..c7ac070 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
@@ -48,29 +48,29 @@ public class TestURI {
 @Test
 public void testParseURIIncorrectFilePrefix() throws SemanticException {
 Assert.assertEquals("file:///some/path",
- HiveAuthzBindingHook.parseURI("file:/some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("file:/some/path").getName());
 }
 @Test
 public void testParseURICorrectFilePrefix() throws SemanticException {
 Assert.assertEquals("file:///some/path",
- HiveAuthzBindingHook.parseURI("file:///some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("file:///some/path").getName());
 }
 @Test
 public void testParseURINoFilePrefix() throws SemanticException {
 conf.set(ConfVars.METASTOREWAREHOUSE.varname, "file:///path/to/warehouse");
 Assert.assertEquals("file:///some/path",
- HiveAuthzBindingHook.parseURI("/some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("/some/path").getName());
 }
 @Test
 public void testParseURINoHDFSPrefix() throws SemanticException {
 conf.set(ConfVars.METASTOREWAREHOUSE.varname, "hdfs://namenode:8080/path/to/warehouse");
 Assert.assertEquals("hdfs://namenode:8080/some/path",
- HiveAuthzBindingHook.parseURI("/some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("/some/path").getName());
 }
 @Test
 public void testParseURICorrectHDFSPrefix() throws SemanticException {
 Assert.assertEquals("hdfs:///some/path",
- HiveAuthzBindingHook.parseURI("hdfs:///some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("hdfs:///some/path").getName());
 }
 @Test
@@ -78,7 +78,7 @@ public class TestURI {
 conf.set(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:8020");
 conf.set(ConfVars.METASTOREWAREHOUSE.varname, "/path/to/warehouse");
 Assert.assertEquals("hdfs://localhost:8020/some/path",
- HiveAuthzBindingHook.parseURI("/some/path").getName());
+ HiveAuthzBindingHookBase.parseURI("/some/path").getName());
 }
 @AfterClass
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-hdfs/sentry-hdfs-service/pom.xml ----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-service/pom.xml b/sentry-hdfs/sentry-hdfs-service/pom.xml
index 8553685..78f9da7 100644
--- a/sentry-hdfs/sentry-hdfs-service/pom.xml
+++ b/sentry-hdfs/sentry-hdfs-service/pom.xml
@@ -30,7 +30,7 @@ limitations under the License.
 <dependencies>
 <dependency>
 <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-binding-hive</artifactId>
+ <artifactId>sentry-binding-hive-common</artifactId>
 </dependency>
 <dependency>
 <groupId>org.mockito</groupId>
@@ -109,5 +109,4 @@ limitations under the License.
 </dependency>
 </dependencies>
-
 </project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/7a30c819/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/MetastorePluginWithHA.java ----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/MetastorePluginWithHA.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/MetastorePluginWithHA.java
index 4f6d7ca..6476a01 100644
--- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/MetastorePluginWithHA.java
+++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/MetastorePluginWithHA.java
@@ -23,7 +23,7 @@ import org.apache.curator.framework.recipes.cache.PathChildrenCacheListener;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.hdfs.ServiceConstants.ServerConfig;
 import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException;
-import org.apache.sentry.binding.metastore.MetastoreAuthzBinding;
+import org.apache.sentry.binding.metastore.MetastoreAuthzBindingBase;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -51,11 +51,11 @@ public class MetastorePluginWithHA extends MetastorePlugin {
 case CHILD_REMOVED:
 break;
 case CONNECTION_RECONNECTED:
- MetastoreAuthzBinding.setSentryCacheOutOfSync(false);
+ MetastoreAuthzBindingBase.setSentryCacheOutOfSync(false);
 break;
 case CONNECTION_SUSPENDED:
 case CONNECTION_LOST:
- MetastoreAuthzBinding.setSentryCacheOutOfSync(true);
+ MetastoreAuthzBindingBase.setSentryCacheOutOfSync(true);
 break;
 default:
 break;
