Repository: incubator-sentry Updated Branches: refs/heads/master bf3eb482e -> bd2c5514b
SENTRY-598: Hive binding should support enforcing URI privilege for transforms ( Prasad Mujumdar via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/bd2c5514 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/bd2c5514 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/bd2c5514 Branch: refs/heads/master Commit: bd2c5514b79e599f1564f13e11845434abb8dab7 Parents: bf3eb48 Author: Sravya Tirukkovalur <[email protected]> Authored: Wed Dec 24 16:59:29 2014 -0800 Committer: Sravya Tirukkovalur <[email protected]> Committed: Wed Dec 24 16:59:29 2014 -0800
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 3 +-
.../hive/HiveAuthzBindingPreExecHook.java | 72 --------------------
.../hive/HiveAuthzBindingSessionHook.java | 5 +-
.../hive/authz/HiveAuthzPrivilegesMap.java | 9 +--
.../sentry/core/common/utils/PathUtils.java | 1 +
.../sentry/core/common/utils/TestPathUtils.java | 4 --
.../e2e/hive/TestPrivilegeAtTransform.java | 20 ++++--
.../tests/e2e/hive/TestServerConfiguration.java | 4 +-
8 files changed, 23 insertions(+), 95 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index d096551..9a2026a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -563,7 +563,8 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
case DFS_DIR:
case LOCAL_DIR:
try {
- objectHierarchy.add(parseURI(entity.toString()));
+ objectHierarchy.add(parseURI(entity.toString(),
+ entity.getType().equals(Entity.Type.LOCAL_DIR)));
} catch (Exception e) {
throw new AuthorizationException("Failed to get File URI", e);
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
deleted file mode 100644
index 813200a..0000000
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
+++ /dev/null
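Review bot: The new `isLocal` argument is what decides which URI a transform script is authorized against, but nothing in the hunk says that this `case DFS_DIR: case LOCAL_DIR:` branch is now the only place the `USING '...'` script of a TRANSFORM query is checked; a comment above the labels would preserve that knowledge, e.g. `// TRANSFORM scripts reach here as LOCAL_DIR/DFS_DIR inputs when HIVE_CAPTURE_TRANSFORM_ENTITY is set; they must match a URI privilege.` As a style point, if `Entity.Type` is an enum then `entity.getType() == Entity.Type.LOCAL_DIR` is the idiomatic comparison and, unlike `equals`, cannot throw when `getType()` is null. The surrounding `catch (Exception e)` keeps the check fail-closed, since a script path that `parseURI` rejects becomes an AuthorizationException rather than an unauthorized input. The enclosing switch and method start and end outside the hunk.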
@@ -1,72 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.binding.hive;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.hadoop.hive.ql.QueryPlan;
-import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
-import org.apache.hadoop.hive.ql.hooks.HookContext;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class HiveAuthzBindingPreExecHook implements ExecuteWithHookContext {
- private static final Logger LOG = LoggerFactory
- .getLogger(HiveAuthzBindingPreExecHook.class);
-
- /**
- * Raise error if the given query contains transforms
- */
- @Override
- public void run(HookContext hookContext) throws Exception {
- HiveAuthzBinding hiveAuthzBinding = HiveAuthzBinding.get(hookContext.getConf());
- try {
- QueryPlan qPlan = hookContext.getQueryPlan();
- if ((qPlan == null) || (qPlan.getQueryProperties() == null)) {
- return;
- }
- // validate server level permissions permission for transforms
- if (qPlan.getQueryProperties().usesScript()) {
- if (hiveAuthzBinding == null) {
- LOG.warn("No authorization binding found, skipping the authorization for transform");
- return;
- }
- List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>> ();
- List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>> ();
- List<DBModelAuthorizable> serverHierarchy = new ArrayList<DBModelAuthorizable>();
-
- serverHierarchy.add(hiveAuthzBinding.getAuthServer());
- inputHierarchy.add(serverHierarchy);
- hiveAuthzBinding.authorize(HiveOperation.QUERY,
- HiveAuthzPrivilegesMap.getHiveExtendedAuthzPrivileges(HiveExtendedOperation.TRANSFORM),
- new Subject(hookContext.getUserName()), inputHierarchy, outputHierarchy);
- }
- } finally {
- if (hiveAuthzBinding != null) {
- hiveAuthzBinding.clear(hookContext.getConf());
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index cc7ef45..0fa4a87 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -39,8 +39,6 @@ public class HiveAuthzBindingSessionHook
public static final String SEMANTIC_HOOK = "org.apache.sentry.binding.hive.HiveAuthzBindingHook";
- public static final String PRE_EXEC_HOOK =
- "org.apache.sentry.binding.hive.HiveAuthzBindingPreExecHook";
public static final String FILTER_HOOK = "org.apache.sentry.binding.hive.HiveAuthzBindingHook";
public static final String SCRATCH_DIR_PERMISSIONS = "700";
@@ -58,6 +56,7 @@ public class HiveAuthzBindingSessionHook
ConfVars.SCRATCHDIRPERMISSION.varname,
ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname,
ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
+ ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
HiveAuthzConf.HIVE_ACCESS_CONF_URL,
HiveAuthzConf.HIVE_SENTRY_CONF_URL,
HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
@@ -105,9 +104,9 @@ public class HiveAuthzBindingSessionHook
appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname, SEMANTIC_HOOK);
- appendConfVar(sessionConf, ConfVars.PREEXECHOOKS.varname, PRE_EXEC_HOOK);
sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set");
sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
+ sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);
// set user name
sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 3dedbc3..daaecbf 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
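Review bot: `sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);` in the third hunk is now load-bearing for authorization, but nothing in the code says so: with the pre-exec hook removed, the URI check for a TRANSFORM script in HiveAuthzBindingHook only fires if Hive reports the script as a LOCAL_DIR/DFS_DIR input, which as far as this commit shows is what that flag controls. A why-comment would stop a later cleanup from treating it as an optional tuning knob, e.g. `// Needed for authorization: makes Hive expose TRANSFORM scripts as URI inputs so HiveAuthzBindingHook can enforce the URI privilege; kept on the restricted list so a session cannot unset it.` The restricted-list entry added in the second hunk is the right companion change; I do not see a test in these hunks that a user-issued `set` of this variable is actually rejected, so that is worth confirming in TestServerConfiguration.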
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -30,8 +30,6 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
public class HiveAuthzPrivilegesMap {
private static final Map <HiveOperation, HiveAuthzPrivileges> hiveAuthzStmtPrivMap = new HashMap<HiveOperation, HiveAuthzPrivileges>();
- private static final Map <HiveExtendedOperation, HiveAuthzPrivileges> hiveAuthzExtendedPrivMap =
- new HashMap<HiveExtendedOperation, HiveAuthzPrivileges>();
static {
HiveAuthzPrivileges serverPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addInputObjectPriviledge(AuthorizableType.Server, EnumSet.of(DBModelAction.ALL)).
@@ -114,6 +112,7 @@ public class HiveAuthzPrivilegesMap {
*/
HiveAuthzPrivileges tableQueryPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
+ addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)).
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
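Review bot: Adding `AuthorizableType.URI` as an input privilege of `tableQueryPrivilege` widens the requirement for every HiveOperation.QUERY, not only for transforms: any query whose input set carries a DFS_DIR/LOCAL_DIR entity now needs a matching URI privilege. That is presumably the intent, but a comment on the new line would make it explicit, e.g. `// URI inputs: TRANSFORM scripts captured when HIVE_CAPTURE_TRANSFORM_ENTITY is set (SENTRY-598)`. If the Javadoc that closes with `*/` at the top of this hunk enumerates the inputs of QUERY, it should list URI as well. `DBModelAction.ALL` matches the existing output-URI entry, so the action choice is consistent with the rest of the map. The static initializer starts and ends outside the hunk.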
@@ -270,15 +269,9 @@ public class HiveAuthzPrivilegesMap {
hiveAuthzStmtPrivMap.put(HiveOperation.QUERY, tableQueryPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.DESCDATABASE, dbMetaDataPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.DESCTABLE, tableMetaDataPrivilege);
-
- hiveAuthzExtendedPrivMap.put(HiveExtendedOperation.TRANSFORM, serverPrivilege);
}
public static HiveAuthzPrivileges getHiveAuthzPrivileges(HiveOperation hiveStmtOp) {
return hiveAuthzStmtPrivMap.get(hiveStmtOp);
}
-
- public static HiveAuthzPrivileges getHiveExtendedAuthzPrivileges(HiveExtendedOperation hiveExtOp) {
- return hiveAuthzExtendedPrivMap.get(hiveExtOp);
- }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
index 73f91ee..6cb599c 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
@@ -120,6 +120,7 @@ public class PathUtils {
if (StringUtils.isEmpty(uriScheme) || isLocal) {
uriScheme = LOCAL_FILE_SCHEMA;
+ uriAuthority = "";
}
uriPath = new Path(uriScheme + AUTHORITY_PREFIX + StringUtils.trimToEmpty(uriAuthority)
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
----------------------------------------------------------------------
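Review bot: With `hiveAuthzExtendedPrivMap` and `getHiveExtendedAuthzPrivileges` gone, `HiveExtendedOperation` is no longer referenced anywhere in the parts of this file shown here; if its import near the top of the file (outside the hunks) is still present it is now unused and should be removed, and `serverPrivilege` from the first hunk should be checked for a remaining use in the static block. Dropping a public static method is an API change for any caller outside this module that resolved TRANSFORM privileges through it, so a sentence in the commit message (or a deprecated delegating shim for one release) would be the usual courtesy. The class continues outside the hunk.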
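Review bot: `uriAuthority = "";` silently discards whatever authority the caller supplied for a local path, which is the behavioural change that makes `file://localhost:9999/tmp/x` and `file:///tmp/x` resolve to the same policy URI; that deserves a comment on the new line, e.g. `// Local paths always canonicalize to file:/// so an authority in the supplied path cannot mismatch a file:///... policy entry.` The `StringUtils.trimToEmpty(uriAuthority)` on the following line is now redundant in the local branch but harmless. The only test change in this commit is the deletion in TestPathUtils of the two assertions that expected the authority to survive; a positive assertion of the new canonical form (constructed example: input `file://localhost:9999/tmp/hive-user` with `isLocal` true, expected `file:///tmp/hive-user`, if that is indeed the result) would pin the behaviour instead of leaving it untested. `parseURI` starts and ends outside the hunk.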
diff --git a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
index 09fc91b..4166c77 100644
--- a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
+++ b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
@@ -90,10 +90,6 @@ public class TestPathUtils {
// for local test case
assertEquals("file:///tmp/hive-user", PathUtils.parseURI("testLocal:///tmp/hive-warehouse", "/tmp/hive-user", true));
- assertEquals("file://localhost:9999/tmp/hive-user", PathUtils.parseURI(
- "file://localhost:9999/tmp/hive-warehouse", "file://localhost:9999/tmp/hive-user", true));
- assertEquals("file://localhost:9999/tmp/hive-user", PathUtils.parseURI(
- "file:///tmp/hive-warehouse", "file://localhost:9999/tmp/hive-user", true));
try {
PathUtils.parseURI("testLocal:///tmp/hive-warehouse", "tmp/hive-user", true);
fail("IllegalStateException should be thrown");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
index 2d34015..310610e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
@@ -55,19 +55,23 @@ public class TestPrivilegeAtTransform extends AbstractTestWithStaticConfiguratio
* 4. insert@table select@table cannot issue transform command
* 5. select@view cannot issue transform command
* 6. transform@server can issue the transform command
+ * 7. non-admin user with URI privilege on transform can execute query
*/
@Test
public void testTransform1() throws Exception {
policyFile
.addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
+ .addPermissionsToRole("transform_uri", "server=server1->uri=file:///bin/cat")
.addRolesToGroup(USERGROUP1, "all_db1")
+ .addRolesToGroup(USERGROUP2, "all_db1", "transform_uri")
.setUserGroupMapping(StaticUserGroup.getStaticMapping());
writePolicyFile(policyFile);
// verify by SQL
// 1, 2
String tableName1 = "tb_1";
- String query = "select TRANSFORM(a.under_col, a.value) USING 'cat' AS (tunder_col, tvalue) FROM " + DB1 + "." + tableName1 + " a";
+ String query = "select TRANSFORM(a.under_col, a.value) " +
+ "USING '/bin/cat' AS (tunder_col, tvalue) FROM " + DB1 + "." + tableName1 + " a";
Connection connection = context.createConnection(ADMIN1);
Statement statement = context.createStatement(connection);
statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
@@ -82,11 +86,10 @@ public class TestPrivilegeAtTransform extends AbstractTestWithStaticConfiguratio
statement.close();
connection.close();
+ // 3
connection = context.createConnection(USER1_1);
statement = context.createStatement(connection);
-
- // 3
- context.assertAuthzExecHookException(statement, query);
+ context.assertAuthzException(statement, query);
// 4
policyFile
@@ -94,7 +97,7 @@ public class TestPrivilegeAtTransform extends AbstractTestWithStaticConfiguratio
.addPermissionsToRole("insert_tb1", "server=server1->db=" + DB1 + "->table=tb_1->action=insert")
.addRolesToGroup(USERGROUP1, "select_tb1", "insert_tb1");
writePolicyFile(policyFile);
- context.assertAuthzExecHookException(statement, query);
+ context.assertAuthzException(statement, query);
// 5
policyFile
@@ -104,5 +107,12 @@ public class TestPrivilegeAtTransform extends AbstractTestWithStaticConfiguratio
assertTrue(query, statement.execute(query));
statement.close();
connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ assertTrue(query, statement.execute(query));
+ statement.close();
+ connection.close();
+
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bd2c5514/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
index 7efa83d..d8ebea6 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
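Review bot: The new USER2_1 block at the end of the -104 hunk implements step 7 of the method's Javadoc but, unlike steps 3 to 5 in the earlier hunks, carries no step marker; add `// 7` above `connection = context.createConnection(USER2_1);` so the numbered scenario stays traceable. The scenario covers only the positive side: USER2_1 holds `uri=file:///bin/cat` and runs `/bin/cat`. A companion negative step that grants a URI for a different path to a group and asserts `context.assertAuthzException(statement, query)` for the same `/bin/cat` query would show that the privilege is matched on the script path rather than on the mere presence of some URI grant. The added blank line just before the closing brace is stray. The method body starts outside the hunk.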
@@ -173,8 +173,8 @@ public class TestServerConfiguration extends AbstractTestWithHiveServer {
// verify the config is set correctly by session hook
verifyConfig(testUser, ConfVars.SEMANTIC_ANALYZER_HOOK.varname, HiveAuthzBindingSessionHook.SEMANTIC_HOOK);
- verifyConfig(testUser, ConfVars.PREEXECHOOKS.varname,
- HiveAuthzBindingSessionHook.PRE_EXEC_HOOK);
+ verifyConfig(testUser, ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
+ "true");
verifyConfig(testUser, ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname, "set");
verifyConfig(testUser, ConfVars.SCRATCHDIRPERMISSION.varname, HiveAuthzBindingSessionHook.SCRATCH_DIR_PERMISSIONS);
verifyConfig(testUser, HiveConf.ConfVars.HIVE_CONF_RESTRICTED_LIST.varname,
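Review bot: The replacement assertion checks that the session hook sets HIVE_CAPTURE_TRANSFORM_ENTITY to `"true"`, but the property that actually protects the transform check is that a session cannot turn it off again; the `HIVE_CONF_RESTRICTED_LIST` verification that begins on the hunk's last line continues outside the hunk, so its expected value should be confirmed to include `ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname`, since the session hook now adds it to that list. A short comment above the new call, e.g. `// transform URI enforcement depends on this flag; see HiveAuthzBindingSessionHook`, would tie the assertion to the reason it exists. The enclosing test method starts and ends outside the hunk.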
