Repository: sentry Updated Branches: refs/heads/master ef81e0907 -> b9d2107f4
SENTRY-2021: MR session ACLs in Hive binding does not handle all types of ACLs (Wilfred Spiegelenburg, reviewed by Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b9d2107f Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b9d2107f Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b9d2107f Branch: refs/heads/master Commit: b9d2107f47128bd62ee0d8cf268366c71f065d2d Parents: ef81e09 Author: Sergio Pena <[email protected]> Authored: Wed Nov 22 10:23:34 2017 -0600 Committer: Sergio Pena <[email protected]> Committed: Wed Nov 22 10:23:34 2017 -0600 ---------------------------------------------------------------------- .../hive/v2/HiveAuthzBindingSessionHookV2.java | 26 ++++++++++++++++-- .../hive/HiveAuthzBindingSessionHook.java | 28 ++++++++++++++++++-- 2 files changed, 50 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
index 9106911..5a47da8 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingSessionHookV2.java 
@@ -45,6 +45,7 @@ public class HiveAuthzBindingSessionHookV2 implements ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname, HiveAuthzConf.HIVE_ACCESS_CONF_URL, HiveAuthzConf.HIVE_SENTRY_CONF_URL, HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET); + public static final String WILDCARD_ACL_VALUE = "*"; /** * The session hook for sentry authorization that sets the required session level configuration 1. @@ -89,8 +90,8 @@ public class HiveAuthzBindingSessionHookV2 implements sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser()); // Set MR ACLs to session user - appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser()); - appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser()); + updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser()); + updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser()); } // Setup given sentry hooks 
@@ -104,4 +105,25 @@ public class HiveAuthzBindingSessionHookV2 implements sessionConf.set(confVar, currentValue); } + // Setup ACL to include session user + private void updateJobACL(HiveConf sessionConf, String aclName, String sessionUser) { + String aclString = sessionConf.get(aclName, ""); + // An empty ACL, replace it with the user + if (aclString.isEmpty()) { + aclString = sessionUser; + } else { + // ACLs can start with a space if only groups are configured + if (aclString.startsWith(" ")) { + aclString = sessionUser + aclString; + } else { + // Do not replace the wildcard ACL, it would restrict access + boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) && + aclString.trim().equals(WILDCARD_ACL_VALUE)); + if (!isWildcard) { + aclString = sessionUser + "," + aclString; + } + } + } + sessionConf.set(aclName, aclString.trim()); + } } http://git-wip-us.apache.org/repos/asf/sentry/blob/b9d2107f/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java index 7250891..3e94d09 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java @@ -53,6 +53,7 @@ public class HiveAuthzBindingSessionHook HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, HiveAuthzConf.SENTRY_ACTIVE_ROLE_SET ); + public static final String WILDCARD_ACL_VALUE = "*"; /** * The session hook for sentry authorization that sets the required session level configuration 
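Review bot: The wildcard test in updateJobACL only recognizes an ACL whose whole value trims to `*`, so a value such as `* admins` (wildcard users part followed by a group list) falls through to the prepend branch and is rewritten to `user,* admins`. If, as I understand Hadoop's AccessControlList, the wildcard is honored per space-separated part, the `*` then survives only as a literal user name and the ACL becomes restrictive, which is exactly what the comment above the check says it wants to avoid. Testing the users part alone covers both the bare `*` and the `* groups` shape: `boolean isWildcard = aclString.split(" ", 2)[0].trim().equals(WILDCARD_ACL_VALUE);` (the `contains` guard is redundant once `trim().equals` is checked). An ACL like `alice *` still gets the session user prepended under this change, which is harmless because the groups part is left untouched.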
@@ -90,9 +91,9 @@ public class HiveAuthzBindingSessionHook sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser()); // Set MR ACLs to session user - appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB, + updateJobACL(sessionConf, JobContext.JOB_ACL_VIEW_JOB, sessionHookContext.getSessionUser()); - appendConfVar(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, + updateJobACL(sessionConf, JobContext.JOB_ACL_MODIFY_JOB, sessionHookContext.getSessionUser()); // setup restrict list @@ -117,4 +118,27 @@ public class HiveAuthzBindingSessionHook } sessionConf.set(confVar, currentValue); } + + // Setup ACL to include the session user + private void updateJobACL(HiveConf sessionConf, String aclName, + String sessionUser) { + String aclString = sessionConf.get(aclName, ""); + // An empty ACL, replace it with the user + if (aclString.isEmpty()) { + aclString = sessionUser; + } else { + // ACLs can start with a space if only groups are configured + if (aclString.startsWith(" ")) { + aclString = sessionUser + aclString; + } else { + // Do not replace the wildcard ACL, it would restrict access + boolean isWildcard = (aclString.contains(WILDCARD_ACL_VALUE) && + aclString.trim().equals(WILDCARD_ACL_VALUE)); + if (!isWildcard) { + aclString = sessionUser + "," + aclString; + } + } + } + sessionConf.set(aclName, aclString.trim()); + } }
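Review bot: The new updateJobACL has no Javadoc, and its three branches only make sense against the Hadoop job ACL syntax (`<users> <groups>`, a leading space meaning an empty users list, a bare `*` meaning everyone), which the code nowhere states; I would add `/** Prepends {@code sessionUser} to the users part of the Hadoop "users groups" ACL stored under {@code aclName}; a leading space marks an empty users list and a bare "*" is left as-is so the wildcard is not narrowed. */` above the method. The same method body is added verbatim to HiveAuthzBindingSessionHookV2 in this commit, so any later fix has to be made twice; if a module both bindings already depend on is available, a shared static helper would be preferable. Note also that an ACL whose users part is `*` but which also lists groups is not caught by the `trim().equals` test and gets the session user prepended, turning the `*` into a literal user name if Hadoop checks the wildcard per part, as I believe it does.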
