[GitHub] [hive] pvary commented on a change in pull request #1221: HIVE-23786: HMS server side filter with Ranger

Wed, 22 Jul 2020 01:02:14 -0700 


pvary commented on a change in pull request #1221:
URL: https://github.com/apache/hive/pull/1221#discussion_r458607547



##########
File path: 
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
##########
@@ -81,48 +92,261 @@ public HiveMetaStoreAuthorizer(Configuration config) {
 
   @Override
   public final void onEvent(PreEventContext preEventContext) throws 
MetaException, NoSuchObjectException, InvalidOperationException {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("==> HiveMetaStoreAuthorizer.onEvent(): EventType=" + 
preEventContext.getEventType());
+    LOG.debug("==> HiveMetaStoreAuthorizer.onEvent(): EventType=" + 
preEventContext.getEventType());
+
+    try {
+        HiveAuthorizer hiveAuthorizer = createHiveMetaStoreAuthorizer();
+        if (!skipAuthorization()) {
+          HiveMetaStoreAuthzInfo authzContext = 
buildAuthzContext(preEventContext);
+          checkPrivileges(authzContext, hiveAuthorizer);
+        }
+    } catch (Exception e) {
+      LOG.error("HiveMetaStoreAuthorizer.onEvent(): failed", e);
+      throw new MetaException(e.getMessage());
     }
 
-    HiveMetaStoreAuthzInfo authzContext = buildAuthzContext(preEventContext);
+    LOG.debug("<== HiveMetaStoreAuthorizer.onEvent(): EventType=" + 
preEventContext.getEventType());
+  }
 
-    if (!skipAuthorization(authzContext)) {
-      try {
-        HiveConf              hiveConf          = new 
HiveConf(super.getConf(), HiveConf.class);
-        HiveAuthorizerFactory authorizerFactory = 
HiveUtils.getAuthorizerFactory(hiveConf, 
HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
+  @Override
+  public final List<String> filterDatabases(List<String> list) throws 
MetaException {
+    LOG.debug("HiveMetaStoreAuthorizer.filterDatabases()");
 
-        if (authorizerFactory != null) {
-          HiveMetastoreAuthenticationProvider authenticator = 
tAuthenticator.get();
+    if (list == null) {
+      return Collections.emptyList();
+    }
 
-          authenticator.setConf(hiveConf);
+    DatabaseFilterContext   databaseFilterContext    = new 
DatabaseFilterContext(list);
+    HiveMetaStoreAuthzInfo  hiveMetaStoreAuthzInfo   = 
databaseFilterContext.getAuthzContext();
+    List<String>            filteredDatabases        = 
filterDatabaseObjects(hiveMetaStoreAuthzInfo);
+    if (CollectionUtils.isEmpty(filteredDatabases)) {
+      filteredDatabases = Collections.emptyList();
+    }
 
-          HiveAuthzSessionContext.Builder authzContextBuilder = new 
HiveAuthzSessionContext.Builder();
+    LOG.debug("HiveMetaStoreAuthorizer.filterDatabases() :" + 
filteredDatabases);

Review comment:
       We might want to add some info level logging as well for supportability 
reasons, like
   LOG.info(Like "Filtered out 2 databases from 1000", or whatever...)
   
   What do you think?
   Same as for other filters




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to