SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module (Sergio Pena, reviewed by kalyan kumar kalvagadda, Na Li)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e901041d Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e901041d Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e901041d Branch: refs/heads/akolb-cli Commit: e901041d810635e5f8e36ae0438e43017012e274 Parents: ce04971 Author: Sergio Pena <[email protected]> Authored: Mon Oct 16 15:10:28 2017 -0500 Committer: Sergio Pena <[email protected]> Committed: Mon Oct 16 15:10:28 2017 -0500 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHook.java | 16 - .../hive/HiveAuthzBindingSessionHook.java | 21 +- .../SentryHiveAuthorizationTaskFactoryImpl.java | 12 +- .../binding/hive/SentryHivePrivilegeObject.java | 32 ++ .../authz/DefaultSentryAccessController.java | 561 +++++++++++++++++++ .../hive/authz/SentryHiveAccessController.java | 199 +++++++ .../hive/authz/SentryHiveAuthorizerFactory.java | 27 +- .../hive/authz/SentryHiveAuthorizerImpl.java | 86 ++- .../binding/util/SentryAuthorizerUtil.java | 360 ++++++++++++ .../e2e/dbprovider/TestDatabaseProvider.java | 12 +- .../tests/e2e/hdfs/TestHDFSIntegrationBase.java | 2 +- .../e2e/hive/hiveserver/HiveServerFactory.java | 6 +- .../e2e/metastore/TestMetastoreEndToEnd.java | 2 +- 13 files changed, 1281 insertions(+), 55 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 3454910..f1531ed 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -21,12 +21,10 @@ import java.net.MalformedURLException; import java.net.URL; import java.security.CodeSource; import java.util.List; -import java.util.Set; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.exec.DDLTask; import org.apache.hadoop.hive.ql.exec.SentryFilterDDLTask; -import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask; import org.apache.hadoop.hive.ql.exec.Task; import org.apache.hadoop.hive.ql.exec.Utilities; import org.apache.hadoop.hive.ql.lib.Node; @@ -297,21 +295,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase { stmtAuthObject = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation); - // must occur above the null check on stmtAuthObject - // since GRANT/REVOKE/etc are not authorized by binding layer at present Subject subject = getCurrentSubject(context); - Set<String> subjectGroups = hiveAuthzBinding.getGroups(subject); - for (Task<? extends Serializable> task : rootTasks) { - if (task instanceof SentryGrantRevokeTask) { - SentryGrantRevokeTask sentryTask = (SentryGrantRevokeTask)task; - sentryTask.setHiveAuthzBinding(hiveAuthzBinding); - sentryTask.setAuthzConf(authzConf); - sentryTask.setSubject(subject); - sentryTask.setSubjectGroups(subjectGroups); - sentryTask.setIpAddress(context.getIpAddress()); - sentryTask.setOperation(stmtOperation); - } - } try { if (stmtAuthObject == null) { http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java index 994ae7a..7250891 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java @@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; import org.apache.hadoop.mapreduce.JobContext; import org.apache.hive.service.cli.HiveSQLException; import org.apache.hive.service.cli.session.HiveSessionHookContext; @@ -29,10 +30,7 @@ import com.google.common.base.Joiner; public class HiveAuthzBindingSessionHook implements org.apache.hive.service.cli.session.HiveSessionHook { - public static final String SEMANTIC_HOOK = - "org.apache.sentry.binding.hive.HiveAuthzBindingHook"; - public static final String FILTER_HOOK = - "org.apache.sentry.binding.hive.HiveAuthzBindingHook"; + public static final String SEMANTIC_HOOK = HiveAuthzBindingHook.class.getName(); public static final String SCRATCH_DIR_PERMISSIONS = "700"; public static final String ACCESS_RESTRICT_LIST = Joiner.on(",").join( ConfVars.SEMANTIC_ANALYZER_HOOK.varname, @@ -70,20 +68,26 @@ public class HiveAuthzBindingSessionHook // Add sentry hooks to the session configuration HiveConf sessionConf = sessionHookContext.getSessionConf(); + // set semantic hooks to request authorization permissions to sentry appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname, SEMANTIC_HOOK); + + // set security command list HiveAuthzConf authzConf = HiveAuthzBindingHookBase.loadAuthzConf(sessionConf); String commandWhitelist = authzConf.get(HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST, HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT); sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist); + + // set additional configuration properties required for auth sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS); + + // Enable compiler to capture transform URI referred in the query sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true); // set user name sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser()); sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser()); - sessionConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, SentryHiveAuthorizerFactory.class.getName()); // Set MR ACLs to session user appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, @@ -93,6 +97,13 @@ public class HiveAuthzBindingSessionHook // setup restrict list sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST); + + // enable hive authorization V2 + sessionConf.setBoolean(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, true); + sessionConf.set(HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER.varname, + SessionStateUserAuthenticator.class.getName()); + sessionConf.set(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, + SentryHiveAuthorizerFactory.class.getName()); } // Setup given sentry hooks http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index ceb3b17..1e520c0 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -25,7 +25,6 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.hive.SentryHiveConstants; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.api.PrincipalType; -import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask; import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc; import org.apache.hadoop.hive.ql.exec.Task; import org.apache.hadoop.hive.ql.exec.TaskFactory; @@ -60,8 +59,10 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization private static final Logger LOG = LoggerFactory.getLogger(SentryHiveAuthorizationTaskFactoryImpl.class); - public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD + private final HiveConf conf; + public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD + this.conf = conf; } @Override @@ -377,11 +378,8 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization return ret; } - private static Task<? extends Serializable> createTask(DDLWork work) { - SentryGrantRevokeTask task = new SentryGrantRevokeTask(); - task.setId("Stage-" + Integer.toString(TaskFactory.getAndIncrementId())); - task.setWork(work); - return task; + private Task<? extends Serializable> createTask(DDLWork work) { + return TaskFactory.get(work, conf); } //TODO temp workaround and copied from HiveAuthorizationTaskFactoryImpl and modified http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java new file mode 100644 index 0000000..f5402f6 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java @@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.sentry.binding.hive; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; + +public class SentryHivePrivilegeObject extends HivePrivilegeObject { + + boolean isServer = false; + + boolean isUri = false; + + String objectName = ""; + + public SentryHivePrivilegeObject(HivePrivilegeObjectType type, String objectName) { + super(type, null, objectName); + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java new file mode 100644 index 0000000..0bfa52b --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java @@ -0,0 +1,561 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.hive.authz; + +import com.google.common.base.Preconditions; +import com.google.common.collect.Sets; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import org.apache.hadoop.hive.SentryHiveConstants; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.metadata.AuthorizationException; +import org.apache.hadoop.hive.ql.plan.HiveOperation; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.sentry.binding.hive.SentryOnFailureHookContext; +import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl; +import org.apache.sentry.binding.hive.authz.HiveAuthzBinding.HiveHook; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; +import org.apache.sentry.binding.util.SentryAuthorizerUtil; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.exception.SentryAccessDeniedException; +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.service.thrift.TSentryRole; +import org.apache.sentry.service.thrift.SentryServiceClientFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class DefaultSentryAccessController extends SentryHiveAccessController { + + public static final Logger LOG = LoggerFactory.getLogger(DefaultSentryAccessController.class); + + public static final String REQUIRED_AUTHZ_SERVER_NAME = "Config " + + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required"; + + private HiveAuthenticationProvider authenticator; + private String serverName; + private HiveConf conf; + private HiveAuthzConf authzConf; + private HiveAuthzSessionContext ctx; + + private HiveHook hiveHook; + private HiveAuthzBinding hiveAuthzBinding; + protected SentryPolicyServiceClient sentryClient; + + + public DefaultSentryAccessController(HiveConf conf, HiveAuthzConf authzConf, + HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { + initilize(conf, authzConf, authenticator, ctx); + this.hiveHook = HiveHook.HiveServer2; + } + + public DefaultSentryAccessController(HiveHook hiveHook, HiveConf conf, HiveAuthzConf authzConf, + HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { + initilize(conf, authzConf, authenticator, ctx); + this.hiveHook = hiveHook; + } + + /** + * initialize authenticator and hiveAuthzBinding. + */ + protected void initilize(HiveConf conf, HiveAuthzConf authzConf, + HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { + Preconditions.checkNotNull(conf, "HiveConf cannot be null"); + Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null"); + Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null"); + Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null"); + + this.conf = conf; + this.authzConf = authzConf; + this.authenticator = authenticator; + this.ctx = ctx; + this.serverName = + Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()), + REQUIRED_AUTHZ_SERVER_NAME); + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) + throws HiveAuthzPluginException, HiveAccessControlException { + if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { + String msg = + "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; + throw new HiveAccessControlException(msg); + } + try { + sentryClient = getSentryClient(); + sentryClient.createRole(authenticator.getUserName(), roleName); + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.CREATEROLE; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error occurred when Sentry client creating role: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { + String msg = + "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; + throw new HiveAccessControlException(msg); + } + try { + sentryClient = getSentryClient(); + sentryClient.dropRole(authenticator.getUserName(), roleName); + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.DROPROLE; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error occurred when Sentry client creating role: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + } + + @Override + public List<String> getAllRoles() throws HiveAccessControlException, HiveAuthzPluginException { + List<String> roles = new ArrayList<String>(); + try { + sentryClient = getSentryClient(); + roles = convert2RoleList(sentryClient.listRoles(authenticator.getUserName())); + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.SHOW_ROLES; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error when sentryClient listRoles: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + return roles; + } + + @Override + public void grantPrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException { + grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, true); + } + + @Override + public void revokePrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException { + grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, false); + } + + @Override + public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, true); + } + + @Override + public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, false); + } + + + @Override + public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + throws HiveAuthzPluginException, HiveAccessControlException { + if (principal.getType() != HivePrincipalType.ROLE) { + String msg = + SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); + throw new HiveAuthzPluginException(msg); + } + List<HivePrivilegeInfo> infoList = new ArrayList<HivePrivilegeInfo>(); + try { + sentryClient = getSentryClient(); + List<List<DBModelAuthorizable>> authorizables = + SentryAuthorizerUtil.getAuthzHierarchy(new Server(serverName), privObj); + Set<TSentryPrivilege> tPrivilges = new HashSet<TSentryPrivilege>(); + if (authorizables != null && !authorizables.isEmpty()) { + for (List<? extends Authorizable> authorizable : authorizables) { + tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(), + principal.getName(), authorizable)); + } + } else { + tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(), + principal.getName(), null)); + } + + if (tPrivilges != null && !tPrivilges.isEmpty()) { + for (TSentryPrivilege privilege : tPrivilges) { + infoList.add(SentryAuthorizerUtil.convert2HivePrivilegeInfo(privilege, principal)); + } + } + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.SHOW_GRANT; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error when sentryClient listPrivilegesByRoleName: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + return infoList; + } + + @Override + public void setCurrentRole(String roleName) throws HiveAccessControlException, + HiveAuthzPluginException { + try { + sentryClient = getSentryClient(); + hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf); + hiveAuthzBinding.setActiveRoleSet(roleName, + sentryClient.listUserRoles(authenticator.getUserName())); + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.GRANT_ROLE; + executeOnFailureHooks(hiveOp, e); + } catch (Exception e) { + String msg = "Error when sentryClient setCurrentRole: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + if (hiveAuthzBinding != null) { + hiveAuthzBinding.close(); + } + } + } + + @Override + public List<String> getCurrentRoleNames() throws HiveAuthzPluginException { + List<String> roles = new ArrayList<String>(); + try { + sentryClient = getSentryClient(); + hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf); + ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet(); + if (roleSet.isAll()) { + roles = convert2RoleList(sentryClient.listUserRoles(authenticator.getUserName())); + } else { + roles.addAll(roleSet.getRoles()); + } + } catch (Exception e) { + String msg = "Error when sentryClient listUserRoles: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + if (hiveAuthzBinding != null) { + hiveAuthzBinding.close(); + } + } + return roles; + } + + @Override + public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException { + // TODO we will support in future + throw new HiveAuthzPluginException("Not supported of SHOW_ROLE_PRINCIPALS in Sentry"); + } + + @Override + public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) + throws HiveAccessControlException, HiveAuthzPluginException { + List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(); + try { + sentryClient = getSentryClient(); + Set<TSentryRole> roles = null; + if (principal.getType() == HivePrincipalType.GROUP) { + roles = sentryClient.listRolesByGroupName(authenticator.getUserName(), principal.getName()); + } else if (principal.getType() == HivePrincipalType.USER) { + roles = sentryClient.listRolesByUserName(authenticator.getUserName(), principal.getName()); + } else { + String msg = + SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); + throw new HiveAuthzPluginException(msg); + } + if (roles != null && !roles.isEmpty()) { + for (TSentryRole role : roles) { + hiveRoleGrants.add(SentryAuthorizerUtil.convert2HiveRoleGrant(role)); + } + } + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = HiveOperation.SHOW_ROLE_GRANT; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error when sentryClient listRolesByGroupName: " + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + return hiveRoleGrants; + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { + // Apply rest of the configuration only to HiveServer2 + if (ctx.getClientType() != CLIENT_TYPE.HIVESERVER2 + || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + throw new HiveAuthzPluginException("Sentry only supports hiveserver2"); + } + } + + /** + * Grant(isGrant is true) or revoke(isGrant is false) db privileges to/from role via sentryClient, + * which is a instance of SentryPolicyServiceClientV2 + * + * @param hivePrincipals + * @param hivePrivileges + * @param hivePrivObject + * @param grantOption + * @param isGrant + */ + private void grantOrRevokePrivlegeOnRole(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption, + boolean isGrant) throws HiveAuthzPluginException, HiveAccessControlException { + try { + sentryClient = getSentryClient(); + + for (HivePrincipal principal : hivePrincipals) { + // Sentry only support grant privilege to ROLE + if (principal.getType() != HivePrincipalType.ROLE) { + String msg = + SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); + throw new HiveAuthzPluginException(msg); + } + for (HivePrivilege privilege : hivePrivileges) { + String grantorName = authenticator.getUserName(); + String roleName = principal.getName(); + String action = SentryAuthorizerUtil.convert2SentryAction(privilege); + List<String> columnNames = privilege.getColumns(); + Boolean grantOp = null; + if (isGrant) { + grantOp = grantOption; + } + + switch (hivePrivObject.getType()) { + case GLOBAL: + if (isGrant) { + sentryClient.grantServerPrivilege(grantorName, roleName, + hivePrivObject.getObjectName(), action, grantOp); + } else { + sentryClient.revokeServerPrivilege(grantorName, roleName, + hivePrivObject.getObjectName(), action, grantOp); + } + break; + case DATABASE: + if (isGrant) { + sentryClient.grantDatabasePrivilege(grantorName, roleName, serverName, + hivePrivObject.getDbname(), action, grantOp); + } else { + sentryClient.revokeDatabasePrivilege(grantorName, roleName, serverName, + hivePrivObject.getDbname(), action, grantOp); + } + break; + case TABLE_OR_VIEW: + // For column level security + if (columnNames != null && !columnNames.isEmpty()) { + if (action.equalsIgnoreCase(AccessConstants.INSERT) + || action.equalsIgnoreCase(AccessConstants.ALL)) { + String msg = + SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privilege.getName() + + " on Column"; + throw new HiveAuthzPluginException(msg); + } + if (isGrant) { + sentryClient.grantColumnsPrivileges(grantorName, roleName, serverName, + hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames, + action, grantOp); + } else { + sentryClient.revokeColumnsPrivilege(grantorName, roleName, serverName, + hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames, + action, grantOp); + } + } else { + if (isGrant) { + sentryClient.grantTablePrivilege(grantorName, roleName, serverName, + hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp); + } else { + sentryClient.revokeTablePrivilege(grantorName, roleName, serverName, + hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp); + } + } + break; + case LOCAL_URI: + case DFS_URI: + String uRIString = hivePrivObject.getObjectName().replace("'", "").replace("\"", ""); + if (isGrant) { + sentryClient.grantURIPrivilege(grantorName, roleName, serverName, + uRIString, grantOp); + } else { + sentryClient.revokeURIPrivilege(grantorName, roleName, serverName, + uRIString, grantOp); + } + break; + case FUNCTION: + case PARTITION: + case COLUMN: + case COMMAND_PARAMS: + // not support these type + throw new HiveAuthzPluginException(hivePrivObject.getType().name() + + " are not supported in sentry"); + default: + break; + } + } + } + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = + isGrant ? HiveOperation.GRANT_PRIVILEGE : HiveOperation.REVOKE_PRIVILEGE; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error when sentryClient grant/revoke privilege:" + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + } + /** + * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which + * is a instance of SentryPolicyServiceClientV2 + * + * @param hivePrincipals + * @param roles + * @param grantorPrinc + * @param isGrant + */ + private void grantOrRevokeRoleOnGroup(List<HivePrincipal> hivePrincipals, List<String> roles, + HivePrincipal grantorPrinc, boolean isGrant) throws HiveAuthzPluginException, + HiveAccessControlException { + try { + sentryClient = getSentryClient(); + // get principals + Set<String> groups = Sets.newHashSet(); + Set<String> users = Sets.newHashSet(); + for (HivePrincipal principal : hivePrincipals) { + if (principal.getType() == HivePrincipalType.GROUP) { + groups.add(principal.getName()); + } else if (principal.getType() == HivePrincipalType.USER) { + users.add(principal.getName()); + } else { + String msg = + SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); + throw new HiveAuthzPluginException(msg); + + } + } + + // grant/revoke role to/from principals + for (String roleName : roles) { + if (isGrant) { + if (groups.size() > 0) { + sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups); + } + if (users.size() > 0) { + sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users); + } + } else { + if (groups.size() > 0) { + sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups); + } + if (users.size() > 0) { + sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users); + } + } + } + + } catch (SentryAccessDeniedException e) { + HiveOperation hiveOp = isGrant ? HiveOperation.GRANT_ROLE : HiveOperation.REVOKE_ROLE; + executeOnFailureHooks(hiveOp, e); + } catch (SentryUserException e) { + String msg = "Error when sentryClient grant/revoke role:" + e.getMessage(); + executeOnErrorHooks(msg, e); + } finally { + closeClient(); + } + } + + private void executeOnFailureHooks(HiveOperation hiveOp, SentryAccessDeniedException e) + throws HiveAccessControlException { + + // With Hive 2.x cmd information is not available from SessionState. More over cmd information + // is not used in SentryOnFailureHookContextImpl. If this information is really needed an issue + // should be raised with Hive community to update HiveAccessController interface to pass + // HiveSemanticAnalyzerHookContext, which has cmd information. For now, empty string is used for + // cmd. + SentryOnFailureHookContext hookCtx = + new SentryOnFailureHookContextImpl("", null, null, hiveOp, null, + null, null, null, authenticator.getUserName(), null, new AuthorizationException(e), + authzConf); + SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf); + throw new HiveAccessControlException(e.getMessage(), e); + } + + private void executeOnErrorHooks(String msg, Exception e) throws HiveAuthzPluginException { + LOG.error(msg, e); + throw new HiveAuthzPluginException(msg, e); + } + + private List<String> convert2RoleList(Set<TSentryRole> roleSet) { + List<String> roles = new ArrayList<String>(); + if (roleSet != null && !roleSet.isEmpty()) { + for (TSentryRole tRole : roleSet) { + roles.add(tRole.getRoleName()); + } + } + return roles; + } + + private SentryPolicyServiceClient getSentryClient() throws HiveAuthzPluginException { + try { + Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null"); + return SentryServiceClientFactory.create(authzConf); + } catch (Exception e) { + String msg = "Error occurred when creating Sentry client: " + e.getMessage(); + throw new HiveAuthzPluginException(msg, e); + } + } + private void closeClient() { + if (sentryClient != null) { + try { + sentryClient.close(); + } catch (Exception e) { + LOG.error("Error while closing the connection with sentry server", e); + } + } + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java new file mode 100644 index 0000000..f206bfe --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java @@ -0,0 +1,199 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.hive.authz; + +import java.util.List; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; + +/** + * Abstract class to do access control commands, e.g. grant/revoke privileges, grant/revoke role, + * create/drop role. + */ +public abstract class SentryHiveAccessController implements HiveAccessController { + + /** + * Hive statement: Grant privilege GRANT priv_type [, priv_type ] ... ON table_or_view_name TO + * principal_specification [, principal_specification] ... [WITH GRANT OPTION]; + * principal_specification : USER user | ROLE role + * + * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL + * + * @param hivePrincipals + * @param hivePrivileges + * @param hivePrivObject + * @param grantorPrincipal + * @param grantOption + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void grantPrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Revoke privilege REVOKE priv_type [, priv_type ] ... ON table_or_view_name FROM + * principal_specification [, principal_specification] ... ; + * + * principal_specification : USER user | ROLE role + * + * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL + * + * @param hivePrincipals + * @param hivePrivileges + * @param hivePrivObject + * @param grantorPrincipal + * @param grantOption + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void revokePrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Create role CREATE ROLE role_name; + * + * @param roleName + * @param adminGrantor + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void createRole(String roleName, HivePrincipal adminGrantor) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Drop role DROP ROLE role_name; + * + * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void dropRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Grant role GRANT role_name [, role_name] ... TO principal_specification [, + * principal_specification] ... [ WITH ADMIN OPTION ]; + * + * principal_specification : USER user | ROLE role + * + * @param hivePrincipals + * @param roles + * @param grantOption + * @param grantorPrinc + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException; + + + /** + * Hive statement: Revoke role REVOKE [ADMIN OPTION FOR] role_name [, role_name] ... FROM + * principal_specification [, principal_specification] ... ; + * + * principal_specification : USER user | ROLE role + * + * @param hivePrincipals + * @param roles + * @param grantOption + * @param grantorPrinc + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show roles SHOW ROLES; + * + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<String> getAllRoles() throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show grant SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name); + * + * @param principal + * @param privObj + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, + HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Set role SET ROLE (role_name|ALL); + * + * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void setCurrentRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show current roles SHOW CURRENT ROLES; + * + * @throws HiveAuthzPluginException + */ + @Override + public abstract List<String> getCurrentRoleNames() throws HiveAuthzPluginException; + + /** + * Hive statement: Set role privileges SHOW PRINCIPALS role_name; + * + * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Set role grant SHOW ROLE GRANT (USER|ROLE) principal_name; + * + * @param principal + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Apply configuration files for authorization V2 + * + * @param hiveConf + * @throws HiveAuthzPluginException + */ + @Override + public abstract void applyAuthorizationConfigPolicy(HiveConf hiveConf) + throws HiveAuthzPluginException; + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java index f6297e9..76a757a 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java @@ -17,12 +17,15 @@ package org.apache.sentry.binding.hive.authz; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf; /** * Factory class that creates a HiveAuthorizer implementation for the Hive authorization V2 @@ -40,6 +43,28 @@ public class SentryHiveAuthorizerFactory implements HiveAuthorizerFactory { public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { - return new SentryHiveAuthorizerImpl(); + HiveAuthzConf authzConf = HiveAuthzBindingHookBase.loadAuthzConf(conf); + HiveAuthzSessionContext sessionContext = applyTestSettings(ctx, conf); + + SentryHiveAccessController accessController; + try { + accessController = + new DefaultSentryAccessController(conf, authzConf, hiveAuthenticator, sessionContext); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + + return new SentryHiveAuthorizerImpl(accessController); + } + + private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) { + if (conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) + && ctx.getClientType() == CLIENT_TYPE.HIVECLI) { + // create new session ctx object with HS2 as client type + HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx); + ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + return ctx; } } http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java index 9c72876..4aff76f 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java @@ -19,8 +19,13 @@ package org.apache.sentry.binding.hive.authz; import java.util.ArrayList; import java.util.List; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; +import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator; import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; @@ -30,6 +35,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.sentry.binding.hive.SentryHivePrivilegeObject; import org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook; /** @@ -37,19 +43,25 @@ import org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook; * of an object, execute GRANT/REVOKE DDL statements and filter HMS metadata. This class is * part of the Hive authorization V2. * <p> - * NOTE: For this first version of the class, only the HMS metadata filtering is implemented. + * NOTE: For this first version of the class, only the HMS metadata filtering + * and grant/revoke privileges are implemented. * The rest of the authorization is still using Hive authorization V1 API. */ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer { + private SentryHiveAccessController accessController; + static private HiveAuthorizationTranslator hiveTranslator = + new SentryHiveAuthorizationTranslator(); + private SentryMetaStoreFilterHook filterHook; - public SentryHiveAuthorizerImpl() { - filterHook = new SentryMetaStoreFilterHook(null); + public SentryHiveAuthorizerImpl(SentryHiveAccessController accessController) { + this.accessController = accessController; + this.filterHook = new SentryMetaStoreFilterHook(null); } @Override public VERSION getVersion() { - throw new UnsupportedOperationException(); + return VERSION.V1; } @Override @@ -57,7 +69,8 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer { List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, + grantorPrincipal, grantOption); } @Override @@ -65,51 +78,52 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer { List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, + grantorPrincipal, grantOption); } @Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.createRole(roleName, adminGrantor); } @Override public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.dropRole(roleName); } @Override public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + return accessController.getPrincipalGrantInfoForRole(roleName); } @Override public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + return accessController.getRoleGrantInfoForPrincipal(principal); } @Override public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc); } @Override public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc); } @Override public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs, List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + // Nothing to do there. Privileges are checked on the Semantic hooks } @Override @@ -131,29 +145,34 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer { @Override public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + return accessController.getAllRoles(); } @Override public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException { - throw new UnsupportedOperationException(); + return accessController.showPrivileges(principal, privObj); } @Override public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { - throw new UnsupportedOperationException(); + accessController.setCurrentRole(roleName); } @Override public List<String> getCurrentRoleNames() throws HiveAuthzPluginException { - throw new UnsupportedOperationException(); + return accessController.getCurrentRoleNames(); } @Override public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { + accessController.applyAuthorizationConfigPolicy(hiveConf); + } + @Override + public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveAuthzPluginException { + return hiveTranslator; } private List<HivePrivilegeObject> filterDbs(List<HivePrivilegeObject> listObjs) { @@ -193,4 +212,37 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer { return filterObjs; } + + protected static HivePrivilegeObjectType getPrivObjectType( + SentryHivePrivilegeObjectDesc privSubjectDesc) { + if (privSubjectDesc.getObject() == null) { + return null; + } + if (privSubjectDesc.getServer()) { + return HivePrivilegeObjectType.GLOBAL; + } else if (privSubjectDesc.getUri()) { + return HivePrivilegeObjectType.LOCAL_URI; + } else { + return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW + : HivePrivilegeObjectType.DATABASE; + } + } + + private static class SentryHiveAuthorizationTranslator extends + DefaultHiveAuthorizationTranslator { + + @Override + public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) + throws HiveException { + if (privSubjectDesc != null && privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) { + SentryHivePrivilegeObjectDesc sPrivSubjectDesc = + (SentryHivePrivilegeObjectDesc) privSubjectDesc; + if (sPrivSubjectDesc.isSentryPrivObjectDesc()) { + HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc); + return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject()); + } + } + return super.getHivePrivilegeObject(privSubjectDesc); + } + } } http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java new file mode 100644 index 0000000..b536283 --- /dev/null +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java @@ -0,0 +1,360 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.util; + +import com.google.common.base.Splitter; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.List; +import java.util.Set; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hive.common.JavaUtils; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.metastore.api.PrincipalType; +import org.apache.hadoop.hive.ql.hooks.Hook; +import org.apache.hadoop.hive.ql.metadata.AuthorizationException; +import org.apache.hadoop.hive.ql.parse.SemanticException; +import org.apache.hadoop.hive.ql.plan.HiveOperation; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.sentry.binding.hive.SentryOnFailureHook; +import org.apache.sentry.binding.hive.SentryOnFailureHookContext; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf; +import org.apache.sentry.core.common.utils.PathUtils; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.service.thrift.TSentryRole; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class SentryAuthorizerUtil { + public static final Logger LOG = LoggerFactory.getLogger(SentryAuthorizerUtil.class); + public static String UNKONWN_GRANTOR = "--"; + + /** + * Convert string to URI + * + * @param uri + * @param isLocal + * @throws SemanticException + * @throws URISyntaxException + */ + public static AccessURI parseURI(String uri, boolean isLocal) throws URISyntaxException { + HiveConf conf = SessionState.get().getConf(); + String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE); + return new AccessURI(PathUtils.parseURI(warehouseDir, uri, isLocal)); + } + + /** + * Convert HivePrivilegeObject to DBModelAuthorizable list Now hive 0.13 don't support column + * level + * + * @param server + * @param privilege + */ + public static List<List<DBModelAuthorizable>> getAuthzHierarchy(Server server, + HivePrivilegeObject privilege) { + List<DBModelAuthorizable> baseHierarchy = new ArrayList<DBModelAuthorizable>(); + List<List<DBModelAuthorizable>> objectHierarchy = new ArrayList<List<DBModelAuthorizable>>(); + boolean isLocal = false; + if (privilege.getType() != null) { + switch (privilege.getType()) { + case GLOBAL: + baseHierarchy.add(new Server(privilege.getObjectName())); + objectHierarchy.add(baseHierarchy); + break; + case DATABASE: + baseHierarchy.add(server); + baseHierarchy.add(new Database(privilege.getDbname())); + objectHierarchy.add(baseHierarchy); + break; + case TABLE_OR_VIEW: + baseHierarchy.add(server); + baseHierarchy.add(new Database(privilege.getDbname())); + baseHierarchy.add(new Table(privilege.getObjectName())); + if (privilege.getColumns() != null) { + for (String columnName : privilege.getColumns()) { + List<DBModelAuthorizable> columnHierarchy = + new ArrayList<DBModelAuthorizable>(baseHierarchy); + columnHierarchy.add(new Column(columnName)); + objectHierarchy.add(columnHierarchy); + } + } else { + objectHierarchy.add(baseHierarchy); + } + break; + case LOCAL_URI: + isLocal = true; + case DFS_URI: + if (privilege.getObjectName() == null) { + break; + } + try { + baseHierarchy.add(server); + baseHierarchy.add(parseURI(privilege.getObjectName(), isLocal)); + objectHierarchy.add(baseHierarchy); + } catch (Exception e) { + throw new AuthorizationException("Failed to get File URI", e); + } + break; + case FUNCTION: + case PARTITION: + case COLUMN: + case COMMAND_PARAMS: + // not support these type + break; + default: + break; + } + } + return objectHierarchy; + } + + /** + * Convert HivePrivilegeObject list to List<List<DBModelAuthorizable>> + * + * @param server + * @param privilges + */ + public static List<List<DBModelAuthorizable>> convert2SentryPrivilegeList(Server server, + List<HivePrivilegeObject> privilges) { + List<List<DBModelAuthorizable>> hierarchyList = new ArrayList<List<DBModelAuthorizable>>(); + if (privilges != null && !privilges.isEmpty()) { + for (HivePrivilegeObject p : privilges) { + hierarchyList.addAll(getAuthzHierarchy(server, p)); + } + } + return hierarchyList; + } + + /** + * Convert HiveOperationType to HiveOperation + * + * @param type + */ + public static HiveOperation convert2HiveOperation(String typeName) { + try { + return HiveOperation.valueOf(typeName); + } catch (Exception e) { + return null; + } + } + + /** + * Convert HivePrivilege to Sentry Action + * + * @param hivePrivilege + */ + public static String convert2SentryAction(HivePrivilege hivePrivilege) { + if (PrivilegeType.ALL.name().equals(hivePrivilege.getName())) { + return AccessConstants.ALL; + } else { + return hivePrivilege.getName(); + } + } + + /** + * Convert Sentry Action to HivePrivilege + * + * @param hivePrivilege + */ + public static HivePrivilege convert2HivePrivilege(String action) { + return new HivePrivilege(action, null); + } + + /** + * Convert TSentryRole Set to String List + * + * @param roleSet + */ + public static List<String> convert2RoleList(Set<TSentryRole> roleSet) { + List<String> roles = new ArrayList<String>(); + if (roleSet != null && !roleSet.isEmpty()) { + for (TSentryRole tRole : roleSet) { + roles.add(tRole.getRoleName()); + } + } + return roles; + } + + /** + * Convert TSentryPrivilege to HivePrivilegeInfo + * + * @param tPrivilege + * @param principal + */ + public static HivePrivilegeInfo convert2HivePrivilegeInfo(TSentryPrivilege tPrivilege, + HivePrincipal principal) { + HivePrivilege hivePrivilege = convert2HivePrivilege(tPrivilege.getAction()); + HivePrivilegeObject hivePrivilegeObject = convert2HivePrivilegeObject(tPrivilege); + // now sentry don't show grantor of a privilege + HivePrincipal grantor = new HivePrincipal(UNKONWN_GRANTOR, HivePrincipalType.ROLE); + boolean grantOption = + tPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false; + return new HivePrivilegeInfo(principal, hivePrivilege, hivePrivilegeObject, grantor, + grantOption, (int) tPrivilege.getCreateTime()); + } + + /** + * Convert TSentryPrivilege to HivePrivilegeObject + * + * @param tSentryPrivilege + */ + public static HivePrivilegeObject convert2HivePrivilegeObject(TSentryPrivilege tSentryPrivilege) { + HivePrivilegeObject privilege = null; + switch (PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) { + case SERVER: + privilege = new HivePrivilegeObject(HivePrivilegeObjectType.GLOBAL, "*", null); + break; + case DATABASE: + privilege = + new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, tSentryPrivilege.getDbName(), + null); + break; + case TABLE: + privilege = + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, + tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName()); + break; + case COLUMN: + privilege = + new HivePrivilegeObject(HivePrivilegeObjectType.COLUMN, tSentryPrivilege.getDbName(), + tSentryPrivilege.getTableName(), null, tSentryPrivilege.getColumnName()); + break; + case URI: + String uriString = tSentryPrivilege.getURI(); + try { + uriString = uriString.replace("'", "").replace("\"", ""); + HivePrivilegeObjectType type = + isLocalUri(uriString) ? HivePrivilegeObjectType.LOCAL_URI + : HivePrivilegeObjectType.DFS_URI; + privilege = new HivePrivilegeObject(type, uriString, null); + } catch (URISyntaxException e1) { + throw new RuntimeException(uriString + "is not a URI"); + } + default: + LOG.warn("Unknown PrivilegeScope: " + + PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())); + break; + } + return privilege; + } + + public static boolean isLocalUri(String uriString) throws URISyntaxException { + URI uri = new URI(uriString); + if (uri.getScheme().equalsIgnoreCase("file")) { + return true; + } + + return false; + } + + /** + * Convert TSentryRole to HiveRoleGrant + * + * @param role + */ + public static HiveRoleGrant convert2HiveRoleGrant(TSentryRole role) { + HiveRoleGrant hiveRoleGrant = new HiveRoleGrant(); + hiveRoleGrant.setRoleName(role.getRoleName()); + hiveRoleGrant.setPrincipalName(role.getRoleName()); + hiveRoleGrant.setPrincipalType(PrincipalType.ROLE.name()); + hiveRoleGrant.setGrantOption(false); + hiveRoleGrant.setGrantor(role.getGrantorPrincipal()); + hiveRoleGrant.setGrantorType(PrincipalType.USER.name()); + return hiveRoleGrant; + } + + /** + * Execute on failure hooks for e2e tests + * + * @param context + * @param conf + * @param hiveOp + */ + public static void executeOnFailureHooks(SentryOnFailureHookContext hookCtx, Configuration conf) { + String csHooks = + conf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "").trim(); + + try { + for (Hook aofh : SentryAuthorizerUtil.getHooks(csHooks)) { + ((SentryOnFailureHook) aofh).run(hookCtx); + } + } catch (Exception ex) { + LOG.error("Error executing hook:", ex); + } + } + + /** + * Returns a set of hooks specified in a configuration variable. + * + * See getHooks(HiveAuthzConf.AuthzConfVars hookConfVar, Class<T> clazz) + * + * @param hookConfVar + * @return + * @throws Exception + */ + public static List<Hook> getHooks(String csHooks) throws Exception { + return getHooks(csHooks, Hook.class); + } + + /** + * Returns the hooks specified in a configuration variable. The hooks are returned in a list in + * the order they were specified in the configuration variable. + * + * @param hookConfVar The configuration variable specifying a comma separated list of the hook + * class names. + * @param clazz The super type of the hooks. + * @return A list of the hooks cast as the type specified in clazz, in the order they are listed + * in the value of hookConfVar + * @throws Exception + */ + public static <T extends Hook> List<T> getHooks(String csHooks, Class<T> clazz) throws Exception { + + List<T> hooks = new ArrayList<T>(); + if (csHooks.isEmpty()) { + return hooks; + } + for (String hookClass : Splitter.on(",").omitEmptyStrings().trimResults().split(csHooks)) { + try { + @SuppressWarnings("unchecked") + T hook = (T) Class.forName(hookClass, true, JavaUtils.getClassLoader()).newInstance(); + hooks.add(hook); + } catch (ClassNotFoundException e) { + LOG.error(hookClass + " Class not found:" + e.getMessage()); + throw e; + } + } + + return hooks; + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java index a62a0a6..ae13164 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java @@ -1566,7 +1566,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t1")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); @@ -1583,7 +1583,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t2")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); @@ -1600,7 +1600,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t3")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); @@ -1617,7 +1617,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t3")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); @@ -1634,7 +1634,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t4")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); @@ -1651,7 +1651,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration { assertThat(resultSet.getString(1), equalToIgnoringCase("default")); assertThat(resultSet.getString(2), equalToIgnoringCase("t4")); assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition - assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column + assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType assertThat(resultSet.getString(7), equalToIgnoringCase("select")); http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java index 27cfba9..3c96d55 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java @@ -564,7 +564,7 @@ public abstract class TestHDFSIntegrationBase { hiveConf.set("datanucleus.autoStartMechanism", "SchemaTable"); hiveConf.set("datanucleus.schema.autoCreateTables", "true"); - hiveConf.set(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "false"); + hiveConf.set(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true"); hiveConf.set(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, SentryHiveAuthorizerFactory.class.getName()); hiveConf.set(ConfVars.HIVE_CBO_ENABLED.varname, "false"); hiveConf.set(ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES.varname, "false"); http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java index 35cb2bb..64c6394 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java @@ -182,7 +182,7 @@ public class HiveServerFactory { properties.put(ConfVars.METASTORESERVERMINTHREADS.varname, "5"); } - properties.put(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "false"); + properties.put(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true"); properties.put(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, SentryHiveAuthorizerFactory.class.getName()); // CBO has a bug on Hive 2.0.0 with VIEWS because ReadIdentity objects are sent without @@ -197,6 +197,10 @@ public class HiveServerFactory { // HS2 is configured for concurrency properties.put(ConfVars.HIVE_IN_TEST.varname, "true"); + // This configuration is used by SentryHiveAuthorizerFactory to change the client type + // to HIVESERVER2 if we're using the authorization V2 in test mode. + properties.put(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE.varname, "true"); + if (!properties.containsKey(METASTORE_BYPASS)) { properties.put(METASTORE_BYPASS, "hive,impala," + System.getProperty("user.name", "")); } else { http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java index 5cd69e1..7f53527 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java @@ -48,7 +48,7 @@ import com.google.common.collect.Lists; import com.google.common.collect.Maps; import com.google.common.io.Resources; -public class TestMetastoreEndToEnd extends +public class TestMetastoreEndToEnd extends AbstractMetastoreTestWithStaticConfiguration { private PolicyFile policyFile;
