Repository: incubator-sentry Updated Branches: refs/heads/hive_plugin_v2 03ad8bd1e -> 9c3cc49b4
SENTRY-504: Sentry Hive authorizer interfaces for authorization V2 (Dapeng Sun, Reviewed by Colin Ma) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9c3cc49b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9c3cc49b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9c3cc49b Branch: refs/heads/hive_plugin_v2 Commit: 9c3cc49b45e940f9f7525ed957a925e2712f58ae Parents: 03ad8bd Author: Sun Dapeng <s...@apache.org> Authored: Mon Aug 31 16:26:23 2015 +0800 Committer: Sun Dapeng <s...@apache.org> Committed: Mon Aug 31 16:27:22 2015 +0800 ---------------------------------------------------------------------- .../authorizer/SentryHiveAccessController.java | 201 +++++++++++++++++++ .../SentryHiveAuthorizationValidator.java | 58 ++++++ .../v2/authorizer/SentryHiveAuthorizer.java | 168 ++++++++++++++++ 3 files changed, 427 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java new file mode 100644 index 0000000..80b21be --- /dev/null +++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAccessController.java 
@@ -0,0 +1,201 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.hive.v2.authorizer; + +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; + +/** + * Abstract class to do access control commands, e.g. grant/revoke privileges, grant/revoke role, + * create/drop role. + */ +public abstract class SentryHiveAccessController implements HiveAccessController { + + /** + * Hive statement: Grant privilege GRANT priv_type [, priv_type ] ... 
ON table_or_view_name TO + * principal_specification [, principal_specification] ... [WITH GRANT OPTION]; + * + * principal_specification : USER user | ROLE role + * + * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL + * + * @param hivePrincipals + * @param hivePrivileges + * @param hivePrivObject + * @param grantorPrincipal + * @param grantOption + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void grantPrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Revoke privilege REVOKE priv_type [, priv_type ] ... ON table_or_view_name FROM + * principal_specification [, principal_specification] ... ; + * + * principal_specification : USER user | ROLE role + * + * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL + * + * @param hivePrincipals + * @param hivePrivileges + * @param hivePrivObject + * @param grantorPrincipal + * @param grantOption + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void revokePrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Create role CREATE ROLE role_name; + * + * @param roleName + * @param adminGrantor + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void createRole(String roleName, HivePrincipal adminGrantor) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Drop role DROP ROLE role_name; + * + * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void 
dropRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Grant role GRANT role_name [, role_name] ... TO principal_specification [, + * principal_specification] ... [ WITH ADMIN OPTION ]; + * + * principal_specification : USER user | ROLE role + * + * @param hivePrincipals + * @param roles + * @param grantOption + * @param grantorPrinc + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException; + + + /** + * Hive statement: Revoke role REVOKE [ADMIN OPTION FOR] role_name [, role_name] ... FROM + * principal_specification [, principal_specification] ... ; + * + * principal_specification : USER user | ROLE role + * + * @param hivePrincipals + * @param roles + * @param grantOption + * @param grantorPrinc + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show roles SHOW ROLES; + * + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<String> getAllRoles() throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show grant SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name); + * + * @param principal + * @param privObj + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, + HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Set role SET ROLE (role_name|ALL); + * 
+ * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void setCurrentRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException; + + /** + * Hive statement: Show current roles SHOW CURRENT ROLES; + * + * @throws HiveAuthzPluginException + */ + @Override + public abstract List<String> getCurrentRoleNames() throws HiveAuthzPluginException; + + /** + * Hive statement: Set role privileges SHOW PRINCIPALS role_name; + * + * @param roleName + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Hive statement: Set role grant SHOW ROLE GRANT (USER|ROLE) principal_name; + * + * @param principal + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Apply configuration files for authorization V2 + * + * @param hiveConf + * @throws HiveAuthzPluginException + */ + @Override + public abstract void applyAuthorizationConfigPolicy(HiveConf hiveConf) + throws HiveAuthzPluginException; + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java new file mode 100644 index 0000000..3242f09 --- /dev/null 
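Review bot: The `@throws` tags throughout this file, e.g. `@throws HiveAuthzPluginException, HiveAccessControlException` on grantPrivileges, are malformed — Javadoc takes one exception type per tag, so the second type is rendered as description text; split each into `@throws HiveAuthzPluginException` and `@throws HiveAccessControlException`, and either describe or drop the empty `@param` tags, which javadoc's doclint flags as well. Two summaries also name the wrong statement kind: getPrincipalGrantInfoForRole is labelled "Set role privileges" and getRoleGrantInfoForPrincipal "Set role grant" although both document SHOW statements; `Hive statement: Show principals SHOW PRINCIPALS role_name;` and `Hive statement: Show role grant SHOW ROLE GRANT (USER|ROLE) principal_name;` would follow the pattern used by the other methods. Re-declaring every HiveAccessController method as abstract adds nothing to the compiler's contract beyond what the interface already requires; if the intent is only to carry Sentry-specific documentation, the class Javadoc should say so.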
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizationValidator.java 
@@ -0,0 +1,58 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.hive.v2.authorizer; + +import java.util.List; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; + +/** + * This class used to do authorization validate. Check if current user has privileges to do the + * operation and filter the select results. + */ +public abstract class SentryHiveAuthorizationValidator implements HiveAuthorizationValidator { + + /** + * Check if current user has privileges to perform given operation type hiveOpType on the given + * input and output objects. 
+ * + * @param hiveOpType + * @param inputHObjs + * @param outputHObjs + * @param context + * @throws HiveAuthzPluginException, HiveAccessControlException + */ + @Override + public abstract void checkPrivileges(HiveOperationType hiveOpType, + List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException; + + + /** + * Filter the select results according current user's permission. remove the object which current + * user do not have any privilege on it. + * + * @param listObjs + * @param context + */ + @Override + public abstract List<HivePrivilegeObject> filterListCmdObjects( + List<HivePrivilegeObject> listObjs, HiveAuthzContext context); +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9c3cc49b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java new file mode 100644 index 0000000..1388121 --- /dev/null +++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/SentryHiveAuthorizer.java 
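Review bot: filterListCmdObjects declares no checked exceptions, unlike checkPrivileges just above it, so an implementation that cannot reach the policy backend has no typed way to report the failure; one that catches the error and returns `listObjs` unchanged would fail open and expose object names the current user is not allowed to see. The signature presumably mirrors Hive's HiveAuthorizationValidator and cannot be widened, so state the expectation in the Javadoc instead: `Implementations must not return the input list unfiltered when the privilege lookup fails; raise an unchecked exception so the command fails closed.` The class summary `This class used to do authorization validate` would read better as `Validates authorization: checks that the current user may perform an operation and filters the objects shown to them.`, and the empty `@param` tags need a description or should be removed.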
@@ -0,0 +1,168 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ +package org.apache.sentry.binding.hive.v2.authorizer; + +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; +import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; + +/** + * Convenience implementation of HiveAuthorizer. You can customize the behavior by passing different + * implementations of {@link SentryHiveAccessController} and + * {@link SentryHiveAuthorizationValidator} to constructor. + */ +public abstract class SentryHiveAuthorizer implements HiveAuthorizer { + + private SentryHiveAccessController accessController; + private SentryHiveAuthorizationValidator authValidator; + + public SentryHiveAuthorizer(SentryHiveAccessController accessController, + SentryHiveAuthorizationValidator authValidator) { + this.accessController = accessController; + this.authValidator = authValidator; + } + + @Override + public void grantPrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException { + accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, + grantorPrincipal, grantOption); + } + + @Override + public void revokePrivileges(List<HivePrincipal> hivePrincipals, + List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, + HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, + HiveAccessControlException { + accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject, + grantorPrincipal, grantOption); + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) + throws HiveAuthzPluginException, HiveAccessControlException { + accessController.createRole(roleName, adminGrantor); + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + accessController.dropRole(roleName); + } + + @Override + public void 
grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc); + } + + @Override + public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc); + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs, context); + } + + @Override + public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.getAllRoles(); + } + + @Override + public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.showPrivileges(principal, privObj); + } + + @Override + public VERSION getVersion() { + return VERSION.V1; + } + + @Override + public void setCurrentRole(String roleName) throws HiveAccessControlException, + HiveAuthzPluginException { + accessController.setCurrentRole(roleName); + } + + @Override + public List<String> getCurrentRoleNames() throws HiveAuthzPluginException { + return accessController.getCurrentRoleNames(); + } + + @Override + public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.getPrincipalGrantInfoForRole(roleName); + } + + @Override + public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) + 
throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.getRoleGrantInfoForPrincipal(principal); + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { + accessController.applyAuthorizationConfigPolicy(hiveConf); + } + + @Override + public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, + HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException { + return authValidator.filterListCmdObjects(listObjs, context); + } + + @Override + public List<HivePrincipal> getHivePrincipals(List<PrincipalDesc> principals) throws HiveException { + return AuthorizationUtils.getHivePrincipals(principals); + } + + @Override + public List<HivePrivilege> getHivePrivileges(List<PrivilegeDesc> privileges) { + return AuthorizationUtils.getHivePrivileges(privileges); + } + + @Override + public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) + throws HiveException { + return AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc); + } + +}
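Review bot: The constructor stores accessController and authValidator without a null check, so a misconfigured subclass fails with a NullPointerException on the first grantPrivileges or checkPrivileges call instead of at construction, and nothing reassigns either field, so both should be `final`. Suggest `this.accessController = Objects.requireNonNull(accessController, "accessController");` and `this.authValidator = Objects.requireNonNull(authValidator, "authValidator");`, with `import java.util.Objects;` added to the import block. Every HiveAuthorizer method is implemented here, so the `abstract` modifier appears to exist only to force subclassing; a class comment stating that intent, and Javadoc on getVersion explaining why `VERSION.V1` is returned, would help the next reader.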