| /** |
| * Licensed to the Apache Software Foundation (ASF) under one or more contributor license |
| * agreements. See the NOTICE file distributed with this work for additional information regarding |
| * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance with the License. You may obtain a |
| * copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software distributed under the License |
| * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express |
| * or implied. See the License for the specific language governing permissions and limitations under |
| * the License. |
| */ |
| package org.apache.sentry.binding.hive.v2.authorizer; |
| |
| import java.util.ArrayList; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Set; |
| |
| import org.apache.hadoop.hive.SentryHiveConstants; |
| import org.apache.hadoop.hive.conf.HiveConf; |
| import org.apache.hadoop.hive.conf.HiveConf.ConfVars; |
| import org.apache.hadoop.hive.ql.metadata.AuthorizationException; |
| import org.apache.hadoop.hive.ql.plan.HiveOperation; |
| import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; |
| import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; |
| import org.apache.hadoop.hive.ql.session.SessionState; |
| import org.apache.sentry.core.common.exception.SentryUserException; |
| import org.apache.sentry.core.common.exception.SentryAccessDeniedException; |
| import org.apache.sentry.binding.hive.SentryOnFailureHookContext; |
| import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl; |
| import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; |
| import org.apache.sentry.binding.hive.authz.HiveAuthzBinding.HiveHook; |
| import org.apache.sentry.binding.hive.conf.HiveAuthzConf; |
| import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; |
| import org.apache.sentry.binding.hive.v2.util.SentryAuthorizerUtil; |
| import org.apache.sentry.core.common.ActiveRoleSet; |
| import org.apache.sentry.core.common.Authorizable; |
| import org.apache.sentry.core.model.db.AccessConstants; |
| import org.apache.sentry.core.model.db.DBModelAuthorizable; |
| import org.apache.sentry.core.model.db.Server; |
| import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; |
| import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; |
| import org.apache.sentry.provider.db.service.thrift.TSentryRole; |
| import org.apache.sentry.service.thrift.SentryServiceClientFactory; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import com.google.common.base.Preconditions; |
| import com.google.common.collect.Sets; |
| |
| public class DefaultSentryAccessController extends SentryHiveAccessController { |
| |
| public static final Logger LOG = LoggerFactory.getLogger(DefaultSentryAccessController.class); |
| |
| public static final String REQUIRED_AUTHZ_SERVER_NAME = "Config " |
| + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required"; |
| |
| private HiveAuthenticationProvider authenticator; |
| private String serverName; |
| private HiveConf conf; |
| private HiveAuthzConf authzConf; |
| private HiveAuthzSessionContext ctx; |
| |
| private HiveHook hiveHook; |
| private HiveAuthzBinding hiveAuthzBinding; |
| protected SentryPolicyServiceClient sentryClient; |
| |
| |
| public DefaultSentryAccessController(HiveConf conf, HiveAuthzConf authzConf, |
| HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { |
| initilize(conf, authzConf, authenticator, ctx); |
| this.hiveHook = HiveHook.HiveServer2; |
| } |
| |
| public DefaultSentryAccessController(HiveHook hiveHook, HiveConf conf, HiveAuthzConf authzConf, |
| HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { |
| initilize(conf, authzConf, authenticator, ctx); |
| this.hiveHook = hiveHook; |
| } |
| |
| /** |
| * initialize authenticator and hiveAuthzBinding. |
| */ |
| protected void initilize(HiveConf conf, HiveAuthzConf authzConf, |
| HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception { |
| Preconditions.checkNotNull(conf, "HiveConf cannot be null"); |
| Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null"); |
| Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null"); |
| Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null"); |
| |
| this.conf = conf; |
| this.authzConf = authzConf; |
| this.authenticator = authenticator; |
| this.ctx = ctx; |
| this.serverName = |
| Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()), |
| REQUIRED_AUTHZ_SERVER_NAME); |
| } |
| |
| @Override |
| public void createRole(String roleName, HivePrincipal adminGrantor) |
| throws HiveAuthzPluginException, HiveAccessControlException { |
| if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { |
| String msg = |
| "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; |
| throw new HiveAccessControlException(msg); |
| } |
| try { |
| sentryClient = getSentryClient(); |
| sentryClient.createRole(authenticator.getUserName(), roleName); |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.CREATEROLE; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error occurred when Sentry client creating role: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| } |
| |
| @Override |
| public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { |
| if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) { |
| String msg = |
| "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES; |
| throw new HiveAccessControlException(msg); |
| } |
| try { |
| sentryClient = getSentryClient(); |
| sentryClient.dropRole(authenticator.getUserName(), roleName); |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.DROPROLE; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error occurred when Sentry client creating role: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| } |
| |
| @Override |
| public List<String> getAllRoles() throws HiveAccessControlException, HiveAuthzPluginException { |
| List<String> roles = new ArrayList<String>(); |
| try { |
| sentryClient = getSentryClient(); |
| roles = convert2RoleList(sentryClient.listRoles(authenticator.getUserName())); |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.SHOW_ROLES; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error when sentryClient listRoles: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| return roles; |
| } |
| |
| @Override |
| public void grantPrivileges(List<HivePrincipal> hivePrincipals, |
| List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, |
| HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, |
| HiveAccessControlException { |
| grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, true); |
| } |
| |
| @Override |
| public void revokePrivileges(List<HivePrincipal> hivePrincipals, |
| List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, |
| HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, |
| HiveAccessControlException { |
| grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, false); |
| } |
| |
| @Override |
| public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, |
| boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, |
| HiveAccessControlException { |
| grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, true); |
| } |
| |
| @Override |
| public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, |
| boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, |
| HiveAccessControlException { |
| grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, false); |
| } |
| |
| |
| @Override |
| public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) |
| throws HiveAuthzPluginException, HiveAccessControlException { |
| if (principal.getType() != HivePrincipalType.ROLE) { |
| String msg = |
| SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); |
| throw new HiveAuthzPluginException(msg); |
| } |
| List<HivePrivilegeInfo> infoList = new ArrayList<HivePrivilegeInfo>(); |
| try { |
| sentryClient = getSentryClient(); |
| List<List<DBModelAuthorizable>> authorizables = |
| SentryAuthorizerUtil.getAuthzHierarchy(new Server(serverName), privObj); |
| Set<TSentryPrivilege> tPrivilges = new HashSet<TSentryPrivilege>(); |
| if (authorizables != null && !authorizables.isEmpty()) { |
| for (List<? extends Authorizable> authorizable : authorizables) { |
| tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(), |
| principal.getName(), authorizable)); |
| } |
| } else { |
| tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(), |
| principal.getName(), null)); |
| } |
| |
| if (tPrivilges != null && !tPrivilges.isEmpty()) { |
| for (TSentryPrivilege privilege : tPrivilges) { |
| infoList.add(SentryAuthorizerUtil.convert2HivePrivilegeInfo(privilege, principal)); |
| } |
| } |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.SHOW_GRANT; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error when sentryClient listPrivilegesByRoleName: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| return infoList; |
| } |
| |
| @Override |
| public void setCurrentRole(String roleName) throws HiveAccessControlException, |
| HiveAuthzPluginException { |
| try { |
| sentryClient = getSentryClient(); |
| hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf); |
| hiveAuthzBinding.setActiveRoleSet(roleName, |
| sentryClient.listUserRoles(authenticator.getUserName())); |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.GRANT_ROLE; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (Exception e) { |
| String msg = "Error when sentryClient setCurrentRole: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| if (hiveAuthzBinding != null) { |
| hiveAuthzBinding.close(); |
| } |
| } |
| } |
| |
| @Override |
| public List<String> getCurrentRoleNames() throws HiveAuthzPluginException { |
| List<String> roles = new ArrayList<String>(); |
| try { |
| sentryClient = getSentryClient(); |
| hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf); |
| ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet(); |
| if (roleSet.isAll()) { |
| roles = convert2RoleList(sentryClient.listUserRoles(authenticator.getUserName())); |
| } else { |
| roles.addAll(roleSet.getRoles()); |
| } |
| } catch (Exception e) { |
| String msg = "Error when sentryClient listUserRoles: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| if (hiveAuthzBinding != null) { |
| hiveAuthzBinding.close(); |
| } |
| } |
| return roles; |
| } |
| |
| @Override |
| public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) |
| throws HiveAuthzPluginException { |
| // TODO we will support in future |
| throw new HiveAuthzPluginException("Not supported of SHOW_ROLE_PRINCIPALS in Sentry"); |
| } |
| |
| @Override |
| public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) |
| throws HiveAccessControlException, HiveAuthzPluginException { |
| List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(); |
| try { |
| sentryClient = getSentryClient(); |
| |
| if (principal.getType() != HivePrincipalType.GROUP) { |
| String msg = |
| SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); |
| throw new HiveAuthzPluginException(msg); |
| } |
| Set<TSentryRole> roles = |
| sentryClient.listRolesByGroupName(authenticator.getUserName(), principal.getName()); |
| if (roles != null && !roles.isEmpty()) { |
| for (TSentryRole role : roles) { |
| hiveRoleGrants.add(SentryAuthorizerUtil.convert2HiveRoleGrant(role)); |
| } |
| } |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = HiveOperation.SHOW_ROLE_GRANT; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error when sentryClient listRolesByGroupName: " + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| return hiveRoleGrants; |
| } |
| |
| @Override |
| public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { |
| // Apply rest of the configuration only to HiveServer2 |
| if (ctx.getClientType() != CLIENT_TYPE.HIVESERVER2 |
| || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) { |
| throw new HiveAuthzPluginException("Sentry just support for hiveserver2"); |
| } |
| } |
| |
| /** |
| * Grant(isGrant is true) or revoke(isGrant is false) db privileges to/from role via sentryClient, |
| * which is a instance of SentryPolicyServiceClientV2 |
| * |
| * @param hivePrincipals |
| * @param hivePrivileges |
| * @param hivePrivObject |
| * @param grantOption |
| * @param isGrant |
| */ |
| private void grantOrRevokePrivlegeOnRole(List<HivePrincipal> hivePrincipals, |
| List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption, |
| boolean isGrant) throws HiveAuthzPluginException, HiveAccessControlException { |
| try { |
| sentryClient = getSentryClient(); |
| |
| for (HivePrincipal principal : hivePrincipals) { |
| // Sentry only support grant privilege to ROLE |
| if (principal.getType() != HivePrincipalType.ROLE) { |
| String msg = |
| SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); |
| throw new HiveAuthzPluginException(msg); |
| } |
| for (HivePrivilege privilege : hivePrivileges) { |
| String grantorName = authenticator.getUserName(); |
| String roleName = principal.getName(); |
| String action = SentryAuthorizerUtil.convert2SentryAction(privilege); |
| List<String> columnNames = privilege.getColumns(); |
| Boolean grantOp = null; |
| if (isGrant) { |
| grantOp = grantOption; |
| } |
| |
| switch (hivePrivObject.getType()) { |
| case GLOBAL: |
| if (isGrant) { |
| sentryClient.grantServerPrivilege(grantorName, roleName, |
| hivePrivObject.getObjectName(), action, grantOp); |
| } else { |
| sentryClient.revokeServerPrivilege(grantorName, roleName, |
| hivePrivObject.getObjectName(), action, grantOp); |
| } |
| break; |
| case DATABASE: |
| if (isGrant) { |
| sentryClient.grantDatabasePrivilege(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), action, grantOp); |
| } else { |
| sentryClient.revokeDatabasePrivilege(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), action, grantOp); |
| } |
| break; |
| case TABLE_OR_VIEW: |
| // For column level security |
| if (columnNames != null && !columnNames.isEmpty()) { |
| if (action.equalsIgnoreCase(AccessConstants.INSERT) |
| || action.equalsIgnoreCase(AccessConstants.ALL)) { |
| String msg = |
| SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privilege.getName() |
| + " on Column"; |
| throw new HiveAuthzPluginException(msg); |
| } |
| if (isGrant) { |
| sentryClient.grantColumnsPrivileges(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames, |
| action, grantOp); |
| } else { |
| sentryClient.revokeColumnsPrivilege(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames, |
| action, grantOp); |
| } |
| } else { |
| if (isGrant) { |
| sentryClient.grantTablePrivilege(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp); |
| } else { |
| sentryClient.revokeTablePrivilege(grantorName, roleName, serverName, |
| hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp); |
| } |
| } |
| break; |
| case LOCAL_URI: |
| case DFS_URI: |
| String uRIString = hivePrivObject.getObjectName().replace("'", "").replace("\"", ""); |
| if (isGrant) { |
| sentryClient.grantURIPrivilege(grantorName, roleName, serverName, |
| uRIString, grantOp); |
| } else { |
| sentryClient.revokeURIPrivilege(grantorName, roleName, serverName, |
| uRIString, grantOp); |
| } |
| break; |
| case FUNCTION: |
| case PARTITION: |
| case COLUMN: |
| case COMMAND_PARAMS: |
| // not support these type |
| throw new HiveAuthzPluginException(hivePrivObject.getType().name() |
| + " are not supported in sentry"); |
| default: |
| break; |
| } |
| } |
| } |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = |
| isGrant ? HiveOperation.GRANT_PRIVILEGE : HiveOperation.REVOKE_PRIVILEGE; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error when sentryClient grant/revoke privilege:" + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| } |
| |
| /** |
| * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which |
| * is a instance of SentryPolicyServiceClientV2 |
| * |
| * @param hivePrincipals |
| * @param roles |
| * @param grantorPrinc |
| * @param isGrant |
| */ |
| private void grantOrRevokeRoleOnGroup(List<HivePrincipal> hivePrincipals, List<String> roles, |
| HivePrincipal grantorPrinc, boolean isGrant) throws HiveAuthzPluginException, |
| HiveAccessControlException { |
| try { |
| sentryClient = getSentryClient(); |
| // get principals |
| Set<String> groups = Sets.newHashSet(); |
| for (HivePrincipal principal : hivePrincipals) { |
| if (principal.getType() != HivePrincipalType.GROUP) { |
| String msg = |
| SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); |
| throw new HiveAuthzPluginException(msg); |
| } |
| groups.add(principal.getName()); |
| } |
| |
| // grant/revoke role to/from principals |
| for (String roleName : roles) { |
| if (isGrant) { |
| sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups); |
| } else { |
| sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups); |
| } |
| } |
| |
| } catch (SentryAccessDeniedException e) { |
| HiveOperation hiveOp = isGrant ? HiveOperation.GRANT_ROLE : HiveOperation.REVOKE_ROLE; |
| executeOnFailureHooks(hiveOp, e); |
| } catch (SentryUserException e) { |
| String msg = "Error when sentryClient grant/revoke role:" + e.getMessage(); |
| executeOnErrorHooks(msg, e); |
| } finally { |
| if (sentryClient != null) { |
| sentryClient.close(); |
| } |
| } |
| } |
| |
| private void executeOnFailureHooks(HiveOperation hiveOp, SentryAccessDeniedException e) |
| throws HiveAccessControlException { |
| SentryOnFailureHookContext hookCtx = |
| new SentryOnFailureHookContextImpl(SessionState.get().getCmd(), null, null, hiveOp, null, |
| null, null, null, authenticator.getUserName(), null, new AuthorizationException(e), |
| authzConf); |
| SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf); |
| throw new HiveAccessControlException(e.getMessage(), e); |
| } |
| |
| private void executeOnErrorHooks(String msg, Exception e) throws HiveAuthzPluginException { |
| LOG.error(msg, e); |
| throw new HiveAuthzPluginException(msg, e); |
| } |
| |
| private List<String> convert2RoleList(Set<TSentryRole> roleSet) { |
| List<String> roles = new ArrayList<String>(); |
| if (roleSet != null && !roleSet.isEmpty()) { |
| for (TSentryRole tRole : roleSet) { |
| roles.add(tRole.getRoleName()); |
| } |
| } |
| return roles; |
| } |
| |
| private SentryPolicyServiceClient getSentryClient() throws HiveAuthzPluginException { |
| try { |
| Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null"); |
| return SentryServiceClientFactory.create(authzConf); |
| } catch (Exception e) { |
| String msg = "Error occurred when creating Sentry client: " + e.getMessage(); |
| throw new HiveAuthzPluginException(msg, e); |
| } |
| } |
| |
| |
| } |