http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryValidator.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryValidator.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryValidator.java
deleted file mode 100644
index 6c2410b..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryValidator.java
+++ /dev/null
@@ -1,477 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.sentry.binding.hive.v2.authorizer;
-
-import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
-
-import java.security.CodeSource;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
-import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.sentry.binding.hive.SentryOnFailureHookContext;
-import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding.HiveHook;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.binding.hive.v2.HiveAuthzPrivilegesMapV2;
-import org.apache.sentry.binding.hive.v2.util.SentryAuthorizerUtil;
-import org.apache.sentry.binding.hive.v2.util.SimpleSemanticAnalyzer;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Column;
-import org.apache.sentry.core.model.db.DBModelAction;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Table;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
-
-/**
- * This class used to do authorization. Check if current user has privileges to do the operation.
- */
-public class DefaultSentryValidator extends SentryHiveAuthorizationValidator {
-
- public static final Logger LOG = LoggerFactory.getLogger(DefaultSentryValidator.class);
-
- protected HiveConf conf;
- protected HiveAuthzConf authzConf;
- protected HiveAuthenticationProvider authenticator;
-
- public DefaultSentryValidator(HiveConf conf, HiveAuthzConf authzConf,
- HiveAuthenticationProvider authenticator) throws Exception {
- initilize(conf, authzConf, authenticator);
- this.hiveHook = HiveHook.HiveServer2;
- }
-
- public DefaultSentryValidator(HiveHook hiveHook, HiveConf conf, HiveAuthzConf authzConf,
- HiveAuthenticationProvider authenticator) throws Exception {
- initilize(conf, authzConf, authenticator);
- this.hiveHook = hiveHook;
- }
-
- /**
- * initialize authenticator and hiveAuthzBinding.
- */
- protected void initilize(HiveConf conf, HiveAuthzConf authzConf,
- HiveAuthenticationProvider authenticator) throws Exception {
- Preconditions.checkNotNull(conf, "HiveConf cannot be null");
- Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
- Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");
- this.conf = conf;
- this.authzConf = authzConf;
- this.authenticator = authenticator;
- }
-
- private HiveHook hiveHook;
-
- // all operations need to extend at DB scope
- private static final Set<HiveOperation> EX_DB_ALL = Sets.newHashSet(HiveOperation.DROPDATABASE,
- HiveOperation.CREATETABLE, HiveOperation.IMPORT, HiveOperation.DESCDATABASE,
- HiveOperation.ALTERTABLE_RENAME, HiveOperation.LOCKDB, HiveOperation.UNLOCKDB);
- // input operations need to extend at DB scope
- private static final Set<HiveOperation> EX_DB_INPUT = Sets.newHashSet(HiveOperation.DROPDATABASE,
- HiveOperation.DESCDATABASE, HiveOperation.ALTERTABLE_RENAME, HiveOperation.LOCKDB,
- HiveOperation.UNLOCKDB);
-
- // all operations need to extend at Table scope
- private static final Set<HiveOperation> EX_TB_ALL = Sets.newHashSet(HiveOperation.DROPTABLE,
- HiveOperation.DROPVIEW, HiveOperation.DESCTABLE, HiveOperation.SHOW_TBLPROPERTIES,
- HiveOperation.SHOWINDEXES, HiveOperation.ALTERTABLE_PROPERTIES,
- HiveOperation.ALTERTABLE_SERDEPROPERTIES, HiveOperation.ALTERTABLE_CLUSTER_SORT,
- HiveOperation.ALTERTABLE_FILEFORMAT, HiveOperation.ALTERTABLE_TOUCH,
- HiveOperation.ALTERTABLE_ADDCOLS, HiveOperation.ALTERTABLE_REPLACECOLS,
- HiveOperation.ALTERTABLE_RENAMEPART, HiveOperation.ALTERTABLE_ARCHIVE,
- HiveOperation.ALTERTABLE_UNARCHIVE, HiveOperation.ALTERTABLE_SERIALIZER,
- HiveOperation.ALTERTABLE_MERGEFILES, HiveOperation.ALTERTABLE_SKEWED,
- HiveOperation.ALTERTABLE_DROPPARTS, HiveOperation.ALTERTABLE_ADDPARTS,
- HiveOperation.ALTERTABLE_RENAME, HiveOperation.ALTERTABLE_LOCATION,
- HiveOperation.ALTERVIEW_PROPERTIES, HiveOperation.ALTERPARTITION_FILEFORMAT,
- HiveOperation.ALTERPARTITION_SERIALIZER, HiveOperation.ALTERPARTITION_MERGEFILES,
- HiveOperation.ALTERPARTITION_LOCATION, HiveOperation.ALTERTBLPART_SKEWED_LOCATION,
- HiveOperation.MSCK, HiveOperation.ALTERINDEX_REBUILD, HiveOperation.LOCKTABLE,
- HiveOperation.UNLOCKTABLE, HiveOperation.SHOWCOLUMNS, HiveOperation.SHOW_TABLESTATUS,
- HiveOperation.LOAD, HiveOperation.TRUNCATETABLE);
- // input operations need to extend at Table scope
- private static final Set<HiveOperation> EX_TB_INPUT = Sets.newHashSet(HiveOperation.DROPTABLE,
- HiveOperation.DROPVIEW, HiveOperation.SHOW_TBLPROPERTIES, HiveOperation.SHOWINDEXES,
- HiveOperation.ALTERINDEX_REBUILD, HiveOperation.LOCKTABLE, HiveOperation.UNLOCKTABLE,
- HiveOperation.SHOW_TABLESTATUS);
- private static final Set<HiveOperation> META_TB_INPUT = Sets.newHashSet(HiveOperation.DESCTABLE,
- HiveOperation.SHOWCOLUMNS);
-
- /**
- * Check if current user has privileges to perform given operation type hiveOpType on the given
- * input and output objects
- *
- * @param hiveOpType
- * @param inputHObjs
- * @param outputHObjs
- * @param context
- * @throws SentryAccessControlException
- */
- @Override
- public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
- if (LOG.isDebugEnabled()) {
- String msg =
- "Checking privileges for operation " + hiveOpType + " by user "
- + authenticator.getUserName() + " on " + " input objects " + inputHObjs
- + " and output objects " + outputHObjs + ". Context Info: " + context;
- LOG.debug(msg);
- }
-
- HiveOperation hiveOp = SentryAuthorizerUtil.convert2HiveOperation(hiveOpType.name());
- HiveAuthzPrivileges stmtAuthPrivileges = null;
- if (HiveOperation.DESCTABLE.equals(hiveOp) &&
- !(context.getCommandString().contains("EXTENDED") || context.getCommandString().contains("FORMATTED")) ) {
- stmtAuthPrivileges = HiveAuthzPrivilegesMapV2.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
- } else {
- stmtAuthPrivileges = HiveAuthzPrivilegesMapV2.getHiveAuthzPrivileges(hiveOp);
- }
-
- HiveAuthzBinding hiveAuthzBinding = null;
- try {
- hiveAuthzBinding = getAuthzBinding();
- if (stmtAuthPrivileges == null) {
- // We don't handle authorizing this statement
- return;
- }
-
- List<List<DBModelAuthorizable>> inputHierarchyList =
- SentryAuthorizerUtil.convert2SentryPrivilegeList(hiveAuthzBinding.getAuthServer(),
- inputHObjs);
- List<List<DBModelAuthorizable>> outputHierarchyList =
- SentryAuthorizerUtil.convert2SentryPrivilegeList(hiveAuthzBinding.getAuthServer(),
- outputHObjs);
-
- // Workaround for metadata queries
- addExtendHierarchy(hiveOp, stmtAuthPrivileges, inputHierarchyList, outputHierarchyList,
- context.getCommandString(), hiveAuthzBinding);
-
- hiveAuthzBinding.authorize(hiveOp, stmtAuthPrivileges,
- new Subject(authenticator.getUserName()), inputHierarchyList, outputHierarchyList);
- } catch (AuthorizationException e) {
- Database db = null;
- Table tab = null;
- if (outputHObjs != null) {
- for (HivePrivilegeObject obj : outputHObjs) {
- switch (obj.getType()) {
- case DATABASE:
- db = new Database(obj.getObjectName());
- break;
- case TABLE_OR_VIEW:
- db = new Database(obj.getDbname());
- tab = new Table(obj.getObjectName());
- break;
- case PARTITION:
- db = new Database(obj.getDbname());
- tab = new Table(obj.getObjectName());
- case LOCAL_URI:
- case DFS_URI:
- }
- }
- }
- String permsRequired = "";
- SentryOnFailureHookContext hookCtx =
- new SentryOnFailureHookContextImpl(context.getCommandString(), null, null, hiveOp, db,
- tab, Collections.<AccessURI>emptyList(), null,
- authenticator.getUserName(), context.getIpAddress(), e, authzConf);
- SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
- for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
- permsRequired += perm + ";";
- }
- SessionState.get().getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
- String msg =
- HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE
- + "\n Required privileges for this query: " + permsRequired;
- throw new HiveAccessControlException(msg, e);
- } catch (Exception e) {
- throw new HiveAuthzPluginException(e.getClass()+ ": " + e.getMessage(), e);
- } finally {
- if (hiveAuthzBinding != null) {
- hiveAuthzBinding.close();
- }
- }
-
- if ("true".equalsIgnoreCase(SessionState.get().getConf()
- .get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
- throw new HiveAccessControlException(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR
- + " Mock query compilation aborted. Set " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
- + " to 'false' for normal query processing");
- }
- }
-
- @VisibleForTesting
- public HiveAuthzBinding getAuthzBinding() throws Exception {
- return new HiveAuthzBinding(hiveHook, conf, authzConf);
- }
-
- private void addExtendHierarchy(HiveOperation hiveOp, HiveAuthzPrivileges stmtAuthPrivileges,
- List<List<DBModelAuthorizable>> inputHierarchyList,
- List<List<DBModelAuthorizable>> outputHierarchyList, String command,
- HiveAuthzBinding hiveAuthzBinding) throws HiveAuthzPluginException,
- HiveAccessControlException {
- String currDatabase = null;
- switch (stmtAuthPrivileges.getOperationScope()) {
- case SERVER:
- // validate server level privileges if applicable. Eg create UDF,register jar etc ..
- List<DBModelAuthorizable> serverHierarchy = new ArrayList<DBModelAuthorizable>();
- serverHierarchy.add(hiveAuthzBinding.getAuthServer());
- inputHierarchyList.add(serverHierarchy);
- break;
- case DATABASE:
- // workaround for metadata queries.
- if (EX_DB_ALL.contains(hiveOp)) {
- SimpleSemanticAnalyzer analyzer = new SimpleSemanticAnalyzer(hiveOp, command);
- currDatabase = analyzer.getCurrentDb();
-
- List<DBModelAuthorizable> externalAuthorizableHierarchy =
- new ArrayList<DBModelAuthorizable>();
- externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
- externalAuthorizableHierarchy.add(new Database(currDatabase));
-
- if (EX_DB_INPUT.contains(hiveOp)) {
- inputHierarchyList.add(externalAuthorizableHierarchy);
- } else {
- outputHierarchyList.add(externalAuthorizableHierarchy);
- }
- }
- break;
- case TABLE:
- case COLUMN:
- // workaround for drop table/view.
- if (EX_TB_ALL.contains(hiveOp)) {
- SimpleSemanticAnalyzer analyzer = new SimpleSemanticAnalyzer(hiveOp, command);
- currDatabase = analyzer.getCurrentDb();
- String currTable = analyzer.getCurrentTb();
-
- List<DBModelAuthorizable> externalAuthorizableHierarchy =
- new ArrayList<DBModelAuthorizable>();
- externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
- externalAuthorizableHierarchy.add(new Database(currDatabase));
- externalAuthorizableHierarchy.add(new Table(currTable));
-
- if (EX_TB_INPUT.contains(hiveOp)) {
- inputHierarchyList.add(externalAuthorizableHierarchy);
- } else if (META_TB_INPUT.contains(hiveOp)) {
- externalAuthorizableHierarchy.add(Column.SOME);
- inputHierarchyList.add(externalAuthorizableHierarchy);
- } else {
- outputHierarchyList.add(externalAuthorizableHierarchy);
- }
- }
- break;
- case FUNCTION:
- if (hiveOp.equals(HiveOperation.CREATEFUNCTION)) {
- SimpleSemanticAnalyzer analyzer = new SimpleSemanticAnalyzer(hiveOp, command);
- currDatabase = analyzer.getCurrentDb();
- String udfClassName = analyzer.getCurrentTb();
- try {
- CodeSource udfSrc = Class.forName(udfClassName).getProtectionDomain().getCodeSource();
- if (udfSrc == null) {
- throw new HiveAuthzPluginException("Could not resolve the jar for UDF class "
- + udfClassName);
- }
- String udfJar = udfSrc.getLocation().getPath();
- if (udfJar == null || udfJar.isEmpty()) {
- throw new HiveAuthzPluginException("Could not find the jar for UDF class "
- + udfClassName + "to validate privileges");
- }
- AccessURI udfURI = SentryAuthorizerUtil.parseURI(udfSrc.getLocation().toString(), true);
- List<DBModelAuthorizable> udfUriHierarchy = new ArrayList<DBModelAuthorizable>();
- udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
- udfUriHierarchy.add(udfURI);
- inputHierarchyList.add(udfUriHierarchy);
- } catch (Exception e) {
- throw new HiveAuthzPluginException("Error retrieving udf class", e);
- }
- }
- break;
- case CONNECT:
- /*
- * The 'CONNECT' is an implicit privilege scope currently used for - USE <db> It's allowed
- * when the user has any privilege on the current database. For application backward
- * compatibility, we allow (optional) implicit connect permission on 'default' db.
- */
- List<DBModelAuthorizable> connectHierarchy = new ArrayList<DBModelAuthorizable>();
- connectHierarchy.add(hiveAuthzBinding.getAuthServer());
- if (hiveOp.equals(HiveOperation.SWITCHDATABASE)) {
- currDatabase = command.split(" ")[1];
- }
- // by default allow connect access to default db
- Table currTbl = Table.ALL;
- Database currDB = new Database(currDatabase);
- Column currCol = Column.ALL;
- if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(currDatabase) && "false"
- .equalsIgnoreCase(authzConf.get(
- HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"))) {
- currDB = Database.ALL;
- currTbl = Table.SOME;
- }
-
- connectHierarchy.add(currDB);
- connectHierarchy.add(currTbl);
- connectHierarchy.add(currCol);
-
- inputHierarchyList.add(connectHierarchy);
- break;
- }
- }
-
- @Override
- public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
- HiveAuthzContext context) {
- if (listObjs != null && listObjs.size() >= 1) {
- HivePrivilegeObjectType pType = listObjs.get(0).getType();
- HiveAuthzBinding hiveAuthzBinding = null;
- try {
- switch (pType) {
- case DATABASE:
- hiveAuthzBinding = getAuthzBinding();
- listObjs = filterShowDatabases(listObjs, authenticator.getUserName(), hiveAuthzBinding);
- break;
- case TABLE_OR_VIEW:
- hiveAuthzBinding = getAuthzBinding();
- listObjs = filterShowTables(listObjs, authenticator.getUserName(), hiveAuthzBinding);
- break;
- }
- } catch (Exception e) {
- LOG.debug(e.getMessage(),e);
- } finally {
- if (hiveAuthzBinding != null) {
- hiveAuthzBinding.close();
- }
- }
- }
- return listObjs;
- }
-
- private List<HivePrivilegeObject> filterShowTables(List<HivePrivilegeObject> listObjs,
- String userName, HiveAuthzBinding hiveAuthzBinding) {
- List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
- Subject subject = new Subject(userName);
- HiveAuthzPrivileges tableMetaDataPrivilege =
- new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
- .addInputObjectPriviledge(AuthorizableType.Column,
- EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
- .setOperationScope(HiveOperationScope.TABLE)
- .setOperationType(
- org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.INFO)
- .build();
-
- for (HivePrivilegeObject obj : listObjs) {
- // if user has privileges on table, add to filtered list, else discard
- Table table = new Table(obj.getObjectName());
- Database database;
- database = new Database(obj.getDbname());
-
- List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
- List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
- List<DBModelAuthorizable> externalAuthorizableHierarchy =
- new ArrayList<DBModelAuthorizable>();
- externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
- externalAuthorizableHierarchy.add(database);
- externalAuthorizableHierarchy.add(table);
- externalAuthorizableHierarchy.add(Column.ALL);
- inputHierarchy.add(externalAuthorizableHierarchy);
-
- try {
- hiveAuthzBinding.authorize(HiveOperation.SHOWTABLES, tableMetaDataPrivilege, subject,
- inputHierarchy, outputHierarchy);
- filteredResult.add(obj);
- } catch (AuthorizationException e) {
- // squash the exception, user doesn't have privileges, so the table is
- // not added to
- // filtered list.
- }
- }
- return filteredResult;
- }
-
- private List<HivePrivilegeObject> filterShowDatabases(List<HivePrivilegeObject> listObjs,
- String userName, HiveAuthzBinding hiveAuthzBinding) {
- List<HivePrivilegeObject> filteredResult = new ArrayList<HivePrivilegeObject>();
- Subject subject = new Subject(userName);
- HiveAuthzPrivileges anyPrivilege =
- new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
- .addInputObjectPriviledge(
- AuthorizableType.Column,
- EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT, DBModelAction.ALTER,
- DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.INDEX,
- DBModelAction.LOCK))
- .setOperationScope(HiveOperationScope.CONNECT)
- .setOperationType(
- org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType.QUERY)
- .build();
-
- for (HivePrivilegeObject obj : listObjs) {
- // if user has privileges on database, add to filtered list, else discard
- Database database = null;
-
- // if default is not restricted, continue
- if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(obj.getObjectName())
- && "false".equalsIgnoreCase(hiveAuthzBinding.getAuthzConf().get(
- HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"))) {
- filteredResult.add(obj);
- continue;
- }
-
- database = new Database(obj.getObjectName());
-
- List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
- List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
- List<DBModelAuthorizable> externalAuthorizableHierarchy =
- new ArrayList<DBModelAuthorizable>();
- externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
- externalAuthorizableHierarchy.add(database);
- externalAuthorizableHierarchy.add(Table.ALL);
- externalAuthorizableHierarchy.add(Column.ALL);
- inputHierarchy.add(externalAuthorizableHierarchy);
-
- try {
- hiveAuthzBinding.authorize(HiveOperation.SHOWDATABASES, anyPrivilege, subject,
- inputHierarchy, outputHierarchy);
- filteredResult.add(obj);
- } catch (AuthorizationException e) {
- // squash the exception, user doesn't have privileges, so the table is
- // not added to
- // filtered list.
- }
- }
- return filteredResult;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
deleted file mode 100644
index 26fdac8..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.sentry.binding.hive.v2.authorizer;
-
-import java.util.List;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
-
-/**
- * Abstract class to do access control commands, e.g. grant/revoke privileges, grant/revoke role,
- * create/drop role.
- */
-public abstract class SentryHiveAccessController implements HiveAccessController {
-
- /**
- * Hive statement: Grant privilege GRANT priv_type [, priv_type ] ... ON table_or_view_name TO
- * principal_specification [, principal_specification] ... [WITH GRANT OPTION];
- * principal_specification : USER user | ROLE role
- *
- * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
- *
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void grantPrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Revoke privilege REVOKE priv_type [, priv_type ] ... ON table_or_view_name FROM
- * principal_specification [, principal_specification] ... ;
- *
- * principal_specification : USER user | ROLE role
- *
- * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
- *
- * @param hivePrincipals
- * @param hivePrivileges
- * @param hivePrivObject
- * @param grantorPrincipal
- * @param grantOption
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void revokePrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Create role CREATE ROLE role_name;
- *
- * @param roleName
- * @param adminGrantor
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthzPluginException, HiveAccessControlException;
-
- /**
- * Hive statement: Drop role DROP ROLE role_name;
- *
- * @param roleName
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void dropRole(String roleName) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Grant role GRANT role_name [, role_name] ... TO principal_specification [,
- * principal_specification] ... [ WITH ADMIN OPTION ];
- *
- * principal_specification : USER user | ROLE role
- *
- * @param hivePrincipals
- * @param roles
- * @param grantOption
- * @param grantorPrinc
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
-
- /**
- * Hive statement: Revoke role REVOKE [ADMIN OPTION FOR] role_name [, role_name] ... FROM
- * principal_specification [, principal_specification] ... ;
- *
- * principal_specification : USER user | ROLE role
- *
- * @param hivePrincipals
- * @param roles
- * @param grantOption
- * @param grantorPrinc
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Show roles SHOW ROLES;
- *
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract List<String> getAllRoles() throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Show grant SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name);
- *
- * @param principal
- * @param privObj
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
- HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException;
-
- /**
- * Hive statement: Set role SET ROLE (role_name|ALL);
- *
- * @param roleName
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void setCurrentRole(String roleName) throws HiveAuthzPluginException,
- HiveAccessControlException;
-
- /**
- * Hive statement: Show current roles SHOW CURRENT ROLES;
- *
- * @throws HiveAuthzPluginException
- */
- @Override
- public abstract List<String> getCurrentRoleNames() throws HiveAuthzPluginException;
-
- /**
- * Hive statement: Set role privileges SHOW PRINCIPALS role_name;
- *
- * @param roleName
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException;
-
- /**
- * Hive statement: Set role grant SHOW ROLE GRANT (USER|ROLE) principal_name;
- *
- * @param principal
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
- throws HiveAuthzPluginException, HiveAccessControlException;
-
- /**
- * Apply configuration files for authorization V2
- *
- * @param hiveConf
- * @throws HiveAuthzPluginException
- */
- @Override
- public abstract void applyAuthorizationConfigPolicy(HiveConf hiveConf)
- throws HiveAuthzPluginException;
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
deleted file mode 100644
index 7bf7b87..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.sentry.binding.hive.v2.authorizer;
-
-import java.util.List;
-
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-
-/**
- * This class used to do authorization validate. Check if current user has privileges to do the
- * operation and filter the select results.
- */
-public abstract class SentryHiveAuthorizationValidator implements HiveAuthorizationValidator {
-
- /**
- * Check if current user has privileges to perform given operation type hiveOpType on the given
- * input and output objects.
- *
- * @param hiveOpType
- * @param inputHObjs
- * @param outputHObjs
- * @param context
- * @throws HiveAuthzPluginException, HiveAccessControlException
- */
- @Override
- public abstract void checkPrivileges(HiveOperationType hiveOpType,
- List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs,
- HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException;
-
-
- /**
- * Filter the select results according current user's permission. remove the object which current
- * user do not have any privilege on it.
- *
- * @param listObjs
- * @param context
- */
- @Override
- public abstract List<HivePrivilegeObject> filterListCmdObjects(
- List<HivePrivilegeObject> listObjs, HiveAuthzContext context);
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
deleted file mode 100644
index 14b952f..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java
+++ /dev/null
@@ -1,192 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.sentry.binding.hive.v2.authorizer;
-
-import java.util.List;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
-import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
-import org.apache.sentry.binding.hive.v2.SentryHivePrivilegeObject;
-
-/**
- * Convenience implementation of HiveAuthorizer. You can customize the behavior by passing different
- * implementations of {@link SentryHiveAccessController} and
- * {@link SentryHiveAuthorizationValidator} to constructor.
- */
-public class SentryHiveAuthorizer implements HiveAuthorizer {
-
- private SentryHiveAccessController accessController;
- private SentryHiveAuthorizationValidator authValidator;
- static private HiveAuthorizationTranslator hiveTranslator =
- new SentryHiveAuthorizationTranslator();
-
- public SentryHiveAuthorizer(SentryHiveAccessController accessController,
- SentryHiveAuthorizationValidator authValidator) {
- this.accessController = accessController;
- this.authValidator = authValidator;
- }
-
- @Override
- public void grantPrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
- HiveAccessControlException {
- accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
- grantorPrincipal, grantOption);
- }
-
- @Override
- public void revokePrivileges(List<HivePrincipal> hivePrincipals,
- List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
- HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
- HiveAccessControlException {
- accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
- grantorPrincipal, grantOption);
- }
-
- @Override
- public void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthzPluginException, HiveAccessControlException {
- accessController.createRole(roleName, adminGrantor);
- }
-
- @Override
- public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
- accessController.dropRole(roleName);
- }
-
- @Override
- public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
- HiveAccessControlException {
- accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
- }
-
- @Override
- public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
- HiveAccessControlException {
- accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
- }
-
- @Override
- public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
- List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
- throws HiveAuthzPluginException, HiveAccessControlException {
- authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context);
- }
-
- @Override
- public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
- return accessController.getAllRoles();
- }
-
- @Override
- public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
- throws HiveAuthzPluginException, HiveAccessControlException {
- return accessController.showPrivileges(principal, privObj);
- }
-
- @Override
- public VERSION getVersion() {
- return VERSION.V1;
- }
-
- @Override
- public void setCurrentRole(String roleName) throws HiveAccessControlException,
- HiveAuthzPluginException {
- accessController.setCurrentRole(roleName);
- }
-
- @Override
- public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
- return accessController.getCurrentRoleNames();
- }
-
- @Override
- public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
- throws HiveAuthzPluginException, HiveAccessControlException {
- return accessController.getPrincipalGrantInfoForRole(roleName);
- }
-
- @Override
- public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
- throws HiveAuthzPluginException, HiveAccessControlException {
- return accessController.getRoleGrantInfoForPrincipal(principal);
- }
-
- @Override
- public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
- accessController.applyAuthorizationConfigPolicy(hiveConf);
- }
-
- @Override
- public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
- HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
- return authValidator.filterListCmdObjects(listObjs, context);
- }
-
- protected static HivePrivilegeObjectType getPrivObjectType(
- SentryHivePrivilegeObjectDesc privSubjectDesc) {
- if (privSubjectDesc.getObject() == null) {
- return null;
- }
- if (privSubjectDesc.getServer()) {
- return HivePrivilegeObjectType.GLOBAL;
- } else if (privSubjectDesc.getUri()) {
- return HivePrivilegeObjectType.LOCAL_URI;
- } else {
- return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
- : HivePrivilegeObjectType.DATABASE;
- }
- }
-
- @Override
- public Object getHiveAuthorizationTranslator() throws HiveAuthzPluginException {
- return hiveTranslator;
- }
-
- private static class SentryHiveAuthorizationTranslator extends DefaultHiveAuthorizationTranslator {
-
- @Override
- public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
- throws HiveException {
- if (privSubjectDesc != null && privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
- SentryHivePrivilegeObjectDesc sPrivSubjectDesc =
- (SentryHivePrivilegeObjectDesc) privSubjectDesc;
- if (sPrivSubjectDesc.isSentryPrivObjectDesc()) {
- HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
- return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
- }
- }
- return super.getHivePrivilegeObject(privSubjectDesc);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreBaseV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreBaseV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreBaseV2.java
deleted file mode 100644
index e8e1d23..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreBaseV2.java
+++ /dev/null
@@ -1,412 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.binding.metastore;
-
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.util.List;
-import java.util.Set;
-
-import javax.security.auth.login.LoginException;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.metastore.ObjectStore;
-import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
-import org.apache.hadoop.hive.metastore.api.Database;
-import org.apache.hadoop.hive.metastore.api.Index;
-import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
-import org.apache.hadoop.hive.metastore.api.MetaException;
-import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
-import org.apache.hadoop.hive.metastore.api.Partition;
-import org.apache.hadoop.hive.metastore.api.Table;
-import org.apache.hadoop.hive.metastore.api.UnknownDBException;
-import org.apache.hadoop.hive.ql.parse.SemanticException;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.hadoop.hive.shims.Utils;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHookBaseV2;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-/***
- * This class is the wrapper of ObjectStore which is the interface between the
- * application logic and the database store. Do the authorization or filter the
- * result when processing the metastore request.
- * eg:
- * Callers will only receive the objects back which they have privileges to
- * access.
- * If there is a request for the object list(like getAllTables()), the result
- * will be filtered to exclude object the requestor doesn't have privilege to
- * access.
- */
-public class AuthorizingObjectStoreBaseV2 extends ObjectStore {
- private static ImmutableSet<String> serviceUsers;
- private static HiveConf hiveConf;
- private static HiveAuthzConf authzConf;
- private static HiveAuthzBinding hiveAuthzBinding;
- private static String NO_ACCESS_MESSAGE_TABLE = "Table does not exist or insufficient privileges to access: ";
- private static String NO_ACCESS_MESSAGE_DATABASE = "Database does not exist or insufficient privileges to access: ";
-
- @Override
- public List<String> getDatabases(String pattern) throws MetaException {
- return filterDatabases(super.getDatabases(pattern));
- }
-
- @Override
- public List<String> getAllDatabases() throws MetaException {
- return filterDatabases(super.getAllDatabases());
- }
-
- @Override
- public Database getDatabase(String name) throws NoSuchObjectException {
- Database db = super.getDatabase(name);
- try {
- if (filterDatabases(Lists.newArrayList(name)).isEmpty()) {
- throw new NoSuchObjectException(getNoAccessMessageForDB(name));
- }
- } catch (MetaException e) {
- throw new NoSuchObjectException("Failed to authorized access to " + name
- + " : " + e.getMessage());
- }
- return db;
- }
-
- @Override
- public Table getTable(String dbName, String tableName) throws MetaException {
- Table table = super.getTable(dbName, tableName);
- if (table == null
- || filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- return null;
- }
- return table;
- }
-
- @Override
- public Partition getPartition(String dbName, String tableName,
- List<String> part_vals) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new NoSuchObjectException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.getPartition(dbName, tableName, part_vals);
- }
-
- @Override
- public List<Partition> getPartitions(String dbName, String tableName,
- int maxParts) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.getPartitions(dbName, tableName, maxParts);
- }
-
- @Override
- public List<String> getTables(String dbName, String pattern)
- throws MetaException {
- return filterTables(dbName, super.getTables(dbName, pattern));
- }
-
- @Override
- public List<Table> getTableObjectsByName(String dbname, List<String> tableNames)
- throws MetaException, UnknownDBException {
- return super.getTableObjectsByName(dbname, filterTables(dbname, tableNames));
- }
-
- @Override
- public List<String> getAllTables(String dbName) throws MetaException {
- return filterTables(dbName, super.getAllTables(dbName));
- }
-
- @Override
- public List<String> listTableNamesByFilter(String dbName, String filter,
- short maxTables) throws MetaException {
- return filterTables(dbName,
- super.listTableNamesByFilter(dbName, filter, maxTables));
- }
-
- @Override
- public List<String> listPartitionNames(String dbName, String tableName,
- short max_parts) throws MetaException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.listPartitionNames(dbName, tableName, max_parts);
- }
-
- @Override
- public List<String> listPartitionNamesByFilter(String dbName,
- String tableName, String filter, short max_parts) throws MetaException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.listPartitionNamesByFilter(dbName, tableName, filter,
- max_parts);
- }
-
- @Override
- public Index getIndex(String dbName, String origTableName, String indexName)
- throws MetaException {
- if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
- }
- return super.getIndex(dbName, origTableName, indexName);
- }
-
- @Override
- public List<Index> getIndexes(String dbName, String origTableName, int max)
- throws MetaException {
- if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
- }
- return super.getIndexes(dbName, origTableName, max);
- }
-
- @Override
- public List<String> listIndexNames(String dbName, String origTableName,
- short max) throws MetaException {
- if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
- }
- return super.listIndexNames(dbName, origTableName, max);
- }
-
- @Override
- public List<Partition> getPartitionsByFilter(String dbName,
- String tblName, String filter, short maxParts) throws MetaException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionsByFilter(dbName, tblName, filter, maxParts);
- }
-
- @Override
- public List<Partition> getPartitionsByNames(String dbName, String tblName,
- List<String> partNames) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionsByNames(dbName, tblName, partNames);
- }
-
- @Override
- public Partition getPartitionWithAuth(String dbName, String tblName,
- List<String> partVals, String user_name, List<String> group_names)
- throws MetaException, NoSuchObjectException, InvalidObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionWithAuth(dbName, tblName, partVals, user_name,
- group_names);
- }
-
- @Override
- public List<Partition> getPartitionsWithAuth(String dbName, String tblName,
- short maxParts, String userName, List<String> groupNames)
- throws MetaException, InvalidObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionsWithAuth(dbName, tblName, maxParts, userName,
- groupNames);
- }
-
- @Override
- public List<String> listPartitionNamesPs(String dbName, String tblName,
- List<String> part_vals, short max_parts) throws MetaException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.listPartitionNamesPs(dbName, tblName, part_vals, max_parts);
- }
-
- @Override
- public List<Partition> listPartitionsPsWithAuth(String dbName,
- String tblName, List<String> part_vals, short max_parts, String userName,
- List<String> groupNames) throws MetaException, InvalidObjectException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.listPartitionsPsWithAuth(dbName, tblName, part_vals,
- max_parts, userName, groupNames);
- }
-
- @Override
- public ColumnStatistics getTableColumnStatistics(String dbName,
- String tableName, List<String> colNames) throws MetaException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.getTableColumnStatistics(dbName, tableName, colNames);
- }
-
- @Override
- public List<ColumnStatistics> getPartitionColumnStatistics(
- String dbName, String tblName, List<String> partNames,
- List<String> colNames) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionColumnStatistics(dbName, tblName, partNames,
- colNames);
- }
-
- /**
- * Invoke Hive database filtering that removes the entries which use has no
- * privileges to access
- * @param dbList
- * @return
- * @throws MetaException
- */
- private List<String> filterDatabases(List<String> dbList)
- throws MetaException {
- if (needsAuthorization(getUserName())) {
- try {
- return HiveAuthzBindingHookBaseV2.filterShowDatabases(getHiveAuthzBinding(),
- dbList, HiveOperation.SHOWDATABASES, getUserName());
- } catch (SemanticException e) {
- throw new MetaException("Error getting DB list " + e.getMessage());
- }
- } else {
- return dbList;
- }
- }
-
- /**
- * Invoke Hive table filtering that removes the entries which use has no
- * privileges to access
- * @param dbList
- * @return
- * @throws MetaException
- */
- protected List<String> filterTables(String dbName, List<String> tabList)
- throws MetaException {
- if (needsAuthorization(getUserName())) {
- try {
- return HiveAuthzBindingHookBaseV2.filterShowTables(getHiveAuthzBinding(),
- tabList, HiveOperation.SHOWTABLES, getUserName(), dbName);
- } catch (SemanticException e) {
- throw new MetaException("Error getting Table list " + e.getMessage());
- }
- } else {
- return tabList;
- }
- }
-
- /**
- * load Hive auth provider
- *
- * @return
- * @throws MetaException
- */
- private HiveAuthzBinding getHiveAuthzBinding() throws MetaException {
- if (hiveAuthzBinding == null) {
- try {
- hiveAuthzBinding = new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveMetaStore,
- getHiveConf(), getAuthzConf());
- } catch (Exception e) {
- throw new MetaException("Failed to load Hive binding " + e.getMessage());
- }
- }
- return hiveAuthzBinding;
- }
-
- private ImmutableSet<String> getServiceUsers() throws MetaException {
- if (serviceUsers == null) {
- serviceUsers = ImmutableSet.copyOf(toTrimed(Sets.newHashSet(getAuthzConf().getStrings(
- AuthzConfVars.AUTHZ_METASTORE_SERVICE_USERS.getVar(), new String[] { "" }))));
- }
- return serviceUsers;
- }
-
- private HiveConf getHiveConf() {
- if (hiveConf == null) {
- hiveConf = new HiveConf(getConf(), this.getClass());
- }
- return hiveConf;
- }
-
- private HiveAuthzConf getAuthzConf() throws MetaException {
- if (authzConf == null) {
- String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
- if (hiveAuthzConf == null
- || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
- throw new MetaException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
- + "' is invalid.");
- }
- try {
- authzConf = new HiveAuthzConf(new URL(hiveAuthzConf));
- } catch (MalformedURLException e) {
- throw new MetaException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL
- + " specifies a malformed URL '" + hiveAuthzConf + "' "
- + e.getMessage());
- }
- }
- return authzConf;
- }
-
- /**
- * Extract the user from underlying auth subsystem
- * @return
- * @throws MetaException
- */
- private String getUserName() throws MetaException {
- try {
- return Utils.getUGI().getShortUserName();
- } catch (LoginException e) {
- throw new MetaException("Failed to get username " + e.getMessage());
- } catch (IOException e) {
- throw new MetaException("Failed to get username " + e.getMessage());
- }
- }
-
- /**
- * Check if the give user needs to be validated.
- * @param userName
- * @return
- */
- private boolean needsAuthorization(String userName) throws MetaException {
- return !getServiceUsers().contains(userName.trim());
- }
-
- private static Set<String> toTrimed(Set<String> s) {
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim());
- }
- return result;
- }
-
- protected String getNoAccessMessageForTable(String dbName, String tableName) {
- return NO_ACCESS_MESSAGE_TABLE + "<" + dbName + ">.<" + tableName + ">";
- }
-
- private String getNoAccessMessageForDB(String dbName) {
- return NO_ACCESS_MESSAGE_DATABASE + "<" + dbName + ">";
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreV2.java
deleted file mode 100644
index 45edf43..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/AuthorizingObjectStoreV2.java
+++ /dev/null
@@ -1,412 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.binding.hive.v2.metastore; - -import java.io.IOException; -import java.net.MalformedURLException; -import java.net.URL; -import java.util.List; -import java.util.Set; - -import javax.security.auth.login.LoginException; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.ObjectStore; -import org.apache.hadoop.hive.metastore.api.ColumnStatistics; -import org.apache.hadoop.hive.metastore.api.Database; -import org.apache.hadoop.hive.metastore.api.Index; -import org.apache.hadoop.hive.metastore.api.InvalidObjectException; -import org.apache.hadoop.hive.metastore.api.MetaException; -import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; -import org.apache.hadoop.hive.metastore.api.Partition; -import org.apache.hadoop.hive.metastore.api.Table; -import org.apache.hadoop.hive.metastore.api.UnknownDBException; -import org.apache.hadoop.hive.ql.parse.SemanticException; -import org.apache.hadoop.hive.ql.plan.HiveOperation; -import org.apache.hadoop.hive.shims.Utils; -import org.apache.sentry.binding.hive.HiveAuthzBindingHookBaseV2; -import 
org.apache.sentry.binding.hive.authz.HiveAuthzBinding; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf; -import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; - -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; -import com.google.common.collect.Sets; - -/*** - * This class is the wrapper of ObjectStore which is the interface between the - * application logic and the database store. Do the authorization or filter the - * result when processing the metastore request. - * eg: - * Callers will only receive the objects back which they have privileges to - * access. - * If there is a request for the object list(like getAllTables()), the result - * will be filtered to exclude object the requestor doesn't have privilege to - * access. - */ -public class AuthorizingObjectStoreV2 extends ObjectStore { - private static ImmutableSet<String> serviceUsers; - private static HiveConf hiveConf; - private static HiveAuthzConf authzConf; - private static HiveAuthzBinding hiveAuthzBinding; - private static String NO_ACCESS_MESSAGE_TABLE = "Table does not exist or insufficient privileges to access: "; - private static String NO_ACCESS_MESSAGE_DATABASE = "Database does not exist or insufficient privileges to access: "; - - @Override - public List<String> getDatabases(String pattern) throws MetaException { - return filterDatabases(super.getDatabases(pattern)); - } - - @Override - public List<String> getAllDatabases() throws MetaException { - return filterDatabases(super.getAllDatabases()); - } - - @Override - public Database getDatabase(String name) throws NoSuchObjectException { - Database db = super.getDatabase(name); - try { - if (filterDatabases(Lists.newArrayList(name)).isEmpty()) { - throw new NoSuchObjectException(getNoAccessMessageForDB(name)); - } - } catch (MetaException e) { - throw new NoSuchObjectException("Failed to authorized access to " + name - + " : " + e.getMessage()); - } - return db; - } - - @Override 
- public Table getTable(String dbName, String tableName) throws MetaException { - Table table = super.getTable(dbName, tableName); - if (table == null - || filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) { - return null; - } - return table; - } - - @Override - public Partition getPartition(String dbName, String tableName, - List<String> part_vals) throws MetaException, NoSuchObjectException { - if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) { - throw new NoSuchObjectException(getNoAccessMessageForTable(dbName, tableName)); - } - return super.getPartition(dbName, tableName, part_vals); - } - - @Override - public List<Partition> getPartitions(String dbName, String tableName, - int maxParts) throws MetaException, NoSuchObjectException { - if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, tableName)); - } - return super.getPartitions(dbName, tableName, maxParts); - } - - @Override - public List<String> getTables(String dbName, String pattern) - throws MetaException { - return filterTables(dbName, super.getTables(dbName, pattern)); - } - - @Override - public List<Table> getTableObjectsByName(String dbname, List<String> tableNames) - throws MetaException, UnknownDBException { - return super.getTableObjectsByName(dbname, filterTables(dbname, tableNames)); - } - - @Override - public List<String> getAllTables(String dbName) throws MetaException { - return filterTables(dbName, super.getAllTables(dbName)); - } - - @Override - public List<String> listTableNamesByFilter(String dbName, String filter, - short maxTables) throws MetaException { - return filterTables(dbName, - super.listTableNamesByFilter(dbName, filter, maxTables)); - } - - @Override - public List<String> listPartitionNames(String dbName, String tableName, - short max_parts) throws MetaException { - if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) { - throw new 
MetaException(getNoAccessMessageForTable(dbName, tableName)); - } - return super.listPartitionNames(dbName, tableName, max_parts); - } - - @Override - public List<String> listPartitionNamesByFilter(String dbName, - String tableName, String filter, short max_parts) throws MetaException { - if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, tableName)); - } - return super.listPartitionNamesByFilter(dbName, tableName, filter, - max_parts); - } - - @Override - public Index getIndex(String dbName, String origTableName, String indexName) - throws MetaException { - if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, origTableName)); - } - return super.getIndex(dbName, origTableName, indexName); - } - - @Override - public List<Index> getIndexes(String dbName, String origTableName, int max) - throws MetaException { - if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, origTableName)); - } - return super.getIndexes(dbName, origTableName, max); - } - - @Override - public List<String> listIndexNames(String dbName, String origTableName, - short max) throws MetaException { - if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, origTableName)); - } - return super.listIndexNames(dbName, origTableName, max); - } - - @Override - public List<Partition> getPartitionsByFilter(String dbName, - String tblName, String filter, short maxParts) throws MetaException, - NoSuchObjectException { - if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) { - throw new MetaException(getNoAccessMessageForTable(dbName, tblName)); - } - return super.getPartitionsByFilter(dbName, tblName, filter, maxParts); - } - - @Override - public List<Partition> 
getPartitionsByNames(String dbName, String tblName,
- List<String> partNames) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionsByNames(dbName, tblName, partNames);
- }
-
- @Override
- public Partition getPartitionWithAuth(String dbName, String tblName,
- List<String> partVals, String user_name, List<String> group_names)
- throws MetaException, NoSuchObjectException, InvalidObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionWithAuth(dbName, tblName, partVals, user_name,
- group_names);
- }
-
- @Override
- public List<Partition> getPartitionsWithAuth(String dbName, String tblName,
- short maxParts, String userName, List<String> groupNames)
- throws MetaException, InvalidObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionsWithAuth(dbName, tblName, maxParts, userName,
- groupNames);
- }
-
- @Override
- public List<String> listPartitionNamesPs(String dbName, String tblName,
- List<String> part_vals, short max_parts) throws MetaException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.listPartitionNamesPs(dbName, tblName, part_vals, max_parts);
- }
-
- @Override
- public List<Partition> listPartitionsPsWithAuth(String dbName,
- String tblName, List<String> part_vals, short max_parts, String userName,
- List<String> groupNames) throws MetaException, InvalidObjectException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new
MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.listPartitionsPsWithAuth(dbName, tblName, part_vals,
- max_parts, userName, groupNames);
- }
-
- @Override
- public ColumnStatistics getTableColumnStatistics(String dbName,
- String tableName, List<String> colNames) throws MetaException,
- NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
- }
- return super.getTableColumnStatistics(dbName, tableName, colNames);
- }
-
- @Override
- public List<ColumnStatistics> getPartitionColumnStatistics(
- String dbName, String tblName, List<String> partNames,
- List<String> colNames) throws MetaException, NoSuchObjectException {
- if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
- throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
- }
- return super.getPartitionColumnStatistics(dbName, tblName, partNames,
- colNames);
- }
-
- /**
- * Invoke Hive database filtering that removes the entries which use has no
- * privileges to access
- * @param dbList
- * @return
- * @throws MetaException
- */
- private List<String> filterDatabases(List<String> dbList)
- throws MetaException {
- if (needsAuthorization(getUserName())) {
- try {
- return HiveAuthzBindingHookBaseV2.filterShowDatabases(getHiveAuthzBinding(),
- dbList, HiveOperation.SHOWDATABASES, getUserName());
- } catch (SemanticException e) {
- throw new MetaException("Error getting DB list " + e.getMessage());
- }
- } else {
- return dbList;
- }
- }
-
- /**
- * Invoke Hive table filtering that removes the entries which use has no
- * privileges to access
- * @param dbList
- * @return
- * @throws MetaException
- */
- protected List<String> filterTables(String dbName, List<String> tabList)
- throws MetaException {
- if (needsAuthorization(getUserName())) {
- try {
- return HiveAuthzBindingHookBaseV2.filterShowTables(getHiveAuthzBinding(),
- tabList,
HiveOperation.SHOWTABLES, getUserName(), dbName);
- } catch (SemanticException e) {
- throw new MetaException("Error getting Table list " + e.getMessage());
- }
- } else {
- return tabList;
- }
- }
-
- /**
- * load Hive auth provider
- *
- * @return
- * @throws MetaException
- */
- private HiveAuthzBinding getHiveAuthzBinding() throws MetaException {
- if (hiveAuthzBinding == null) {
- try {
- hiveAuthzBinding = new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveMetaStore,
- getHiveConf(), getAuthzConf());
- } catch (Exception e) {
- throw new MetaException("Failed to load Hive binding " + e.getMessage());
- }
- }
- return hiveAuthzBinding;
- }
-
- private ImmutableSet<String> getServiceUsers() throws MetaException {
- if (serviceUsers == null) {
- serviceUsers = ImmutableSet.copyOf(toTrimed(Sets.newHashSet(getAuthzConf().getStrings(
- AuthzConfVars.AUTHZ_METASTORE_SERVICE_USERS.getVar(), new String[] { "" }))));
- }
- return serviceUsers;
- }
-
- private HiveConf getHiveConf() {
- if (hiveConf == null) {
- hiveConf = new HiveConf(getConf(), this.getClass());
- }
- return hiveConf;
- }
-
- private HiveAuthzConf getAuthzConf() throws MetaException {
- if (authzConf == null) {
- String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
- if (hiveAuthzConf == null
- || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
- throw new MetaException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
- + "' is invalid.");
- }
- try {
- authzConf = new HiveAuthzConf(new URL(hiveAuthzConf));
- } catch (MalformedURLException e) {
- throw new MetaException("Configuration key "
- + HiveAuthzConf.HIVE_SENTRY_CONF_URL
- + " specifies a malformed URL '" + hiveAuthzConf + "' "
- + e.getMessage());
- }
- }
- return authzConf;
- }
-
- /**
- * Extract the user from underlying auth subsystem
- * @return
- * @throws MetaException
- */
- private String getUserName() throws MetaException {
- try {
- return
Utils.getUGI().getShortUserName();
- } catch (LoginException e) {
- throw new MetaException("Failed to get username " + e.getMessage());
- } catch (IOException e) {
- throw new MetaException("Failed to get username " + e.getMessage());
- }
- }
-
- /**
- * Check if the give user needs to be validated.
- * @param userName
- * @return
- */
- private boolean needsAuthorization(String userName) throws MetaException {
- return !getServiceUsers().contains(userName.trim());
- }
-
- private static Set<String> toTrimed(Set<String> s) {
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim());
- }
- return result;
- }
-
- protected String getNoAccessMessageForTable(String dbName, String tableName) {
- return NO_ACCESS_MESSAGE_TABLE + "<" + dbName + ">.<" + tableName + ">";
- }
-
- private String getNoAccessMessageForDB(String dbName) {
- return NO_ACCESS_MESSAGE_DATABASE + "<" + dbName + ">";
- }
-}
