sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java - sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.binding.hive.authz;

 import java.util.List;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
 import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer.VERSION;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
 import org.apache.sentry.binding.hive.SentryHivePrivilegeObject;

 /**
  * This is a HiveAuthorizer implementation, and it is used by HiveServer2 to check privileges
  * of an object, execute GRANT/REVOKE DDL statements and filter HMS metadata. This class is
  * part of the Hive authorization V2.
  * <p>
  * NOTE: For this first version of the class, only the HMS metadata filtering
  * and grant/revoke privileges are implemented.
  * The rest of the authorization is still using Hive authorization V1 API.
  */
 public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
   private SentryHiveAccessController accessController;
   private SentryHiveAuthorizationValidator authValidator;
   static private HiveAuthorizationTranslator hiveTranslator =
       new SentryHiveAuthorizationTranslator();

   public SentryHiveAuthorizerImpl(SentryHiveAccessController accessController,
       SentryHiveAuthorizationValidator authValidator) {
     this.accessController = accessController;
     this.authValidator = authValidator;
   }

   @Override
   public VERSION getVersion() {
     return VERSION.V1;
   }

   @Override
   public void grantPrivileges(List<HivePrincipal> hivePrincipals,
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
       HivePrincipal grantorPrincipal, boolean grantOption)
       throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
         grantorPrincipal, grantOption);
   }

   @Override
   public void revokePrivileges(List<HivePrincipal> hivePrincipals,
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
       HivePrincipal grantorPrincipal, boolean grantOption)
       throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
         grantorPrincipal, grantOption);
   }

   @Override
   public void createRole(String roleName, HivePrincipal adminGrantor)
       throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.createRole(roleName, adminGrantor);
   }

   @Override
   public void dropRole(String roleName)
       throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.dropRole(roleName);
   }

   @Override
   public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
       throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.getPrincipalGrantInfoForRole(roleName);
   }

   @Override
   public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
       throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.getRoleGrantInfoForPrincipal(principal);
   }

   @Override
   public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }

   @Override
   public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
       boolean grantOption, HivePrincipal grantorPrinc)
       throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }

   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
       List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
     // The privileges for a query are checked on the Semantic hooks (HiveAuthzBindingHook) instead
     // because of lack of information that Hive pass as parameters on this method.
     // TODO: This will be fixed as part of SENTRY-1957
     // authValidator.checkPrivileges(hiveOpType, inputsHObjs, outputHObjs, context);
   }

   @Override
   public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
       HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
     return authValidator.filterListCmdObjects(listObjs, context);
   }

   @Override
   public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.getAllRoles();
   }

   @Override
   public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
       HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.showPrivileges(principal, privObj);
   }

   @Override
   public void setCurrentRole(String roleName)
       throws HiveAccessControlException, HiveAuthzPluginException {
     accessController.setCurrentRole(roleName);
   }

   @Override
   public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
     return accessController.getCurrentRoleNames();
   }

   @Override
   public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
     accessController.applyAuthorizationConfigPolicy(hiveConf);
   }

   @Override
   public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveAuthzPluginException {
     return hiveTranslator;
   }

   @Override
   public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext hiveAuthzContext,
       List<HivePrivilegeObject> list) throws SemanticException {
     return null;
   }

   @Override
   public boolean needTransform() {
     return false;
   }

   protected static HivePrivilegeObjectType getPrivObjectType(
       SentryHivePrivilegeObjectDesc privSubjectDesc) {
     if (privSubjectDesc.getObject() == null) {
       return null;
     }
     if (privSubjectDesc.getServer()) {
       return HivePrivilegeObjectType.GLOBAL;
     } else if (privSubjectDesc.getUri()) {
       return HivePrivilegeObjectType.LOCAL_URI;
     } else {
       return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
           : HivePrivilegeObjectType.DATABASE;
     }
   }

   private static class SentryHiveAuthorizationTranslator extends
       DefaultHiveAuthorizationTranslator {

     @Override
     public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
         throws HiveException {
       if (privSubjectDesc != null && privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
         SentryHivePrivilegeObjectDesc sPrivSubjectDesc =
             (SentryHivePrivilegeObjectDesc) privSubjectDesc;
         if (sPrivSubjectDesc.isSentryPrivObjectDesc()) {
           HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
           return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
         }
       }
       return super.getHivePrivilegeObject(privSubjectDesc);
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.binding.hive.authz;

	import java.util.List;
	import org.apache.hadoop.hive.conf.HiveConf;
	import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
	import org.apache.hadoop.hive.ql.metadata.HiveException;
	import org.apache.hadoop.hive.ql.parse.SemanticException;
	import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
	import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer.VERSION;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
	import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
	import org.apache.sentry.binding.hive.SentryHivePrivilegeObject;

	/**
	* This is a HiveAuthorizer implementation, and it is used by HiveServer2 to check privileges
	* of an object, execute GRANT/REVOKE DDL statements and filter HMS metadata. This class is
	* part of the Hive authorization V2.
	* <p>
	* NOTE: For this first version of the class, only the HMS metadata filtering
	* and grant/revoke privileges are implemented.
	* The rest of the authorization is still using Hive authorization V1 API.
	*/
	public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
	private SentryHiveAccessController accessController;
	private SentryHiveAuthorizationValidator authValidator;
	static private HiveAuthorizationTranslator hiveTranslator =
	new SentryHiveAuthorizationTranslator();

	public SentryHiveAuthorizerImpl(SentryHiveAccessController accessController,
	SentryHiveAuthorizationValidator authValidator) {
	this.accessController = accessController;
	this.authValidator = authValidator;
	}

	@Override
	public VERSION getVersion() {
	return VERSION.V1;
	}

	@Override
	public void grantPrivileges(List<HivePrincipal> hivePrincipals,
	List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
	HivePrincipal grantorPrincipal, boolean grantOption)
	throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
	grantorPrincipal, grantOption);
	}

	@Override
	public void revokePrivileges(List<HivePrincipal> hivePrincipals,
	List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
	HivePrincipal grantorPrincipal, boolean grantOption)
	throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
	grantorPrincipal, grantOption);
	}

	@Override
	public void createRole(String roleName, HivePrincipal adminGrantor)
	throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.createRole(roleName, adminGrantor);
	}

	@Override
	public void dropRole(String roleName)
	throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.dropRole(roleName);
	}

	@Override
	public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
	throws HiveAuthzPluginException, HiveAccessControlException {
	return accessController.getPrincipalGrantInfoForRole(roleName);
	}

	@Override
	public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
	throws HiveAuthzPluginException, HiveAccessControlException {
	return accessController.getRoleGrantInfoForPrincipal(principal);
	}

	@Override
	public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
	HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
	}

	@Override
	public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
	boolean grantOption, HivePrincipal grantorPrinc)
	throws HiveAuthzPluginException, HiveAccessControlException {
	accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
	}

	@Override
	public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
	List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
	throws HiveAuthzPluginException, HiveAccessControlException {
	// The privileges for a query are checked on the Semantic hooks (HiveAuthzBindingHook) instead
	// because of lack of information that Hive pass as parameters on this method.
	// TODO: This will be fixed as part of SENTRY-1957
	// authValidator.checkPrivileges(hiveOpType, inputsHObjs, outputHObjs, context);
	}

	@Override
	public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs,
	HiveAuthzContext context) throws HiveAuthzPluginException, HiveAccessControlException {
	return authValidator.filterListCmdObjects(listObjs, context);
	}

	@Override
	public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
	return accessController.getAllRoles();
	}

	@Override
	public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
	HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException {
	return accessController.showPrivileges(principal, privObj);
	}

	@Override
	public void setCurrentRole(String roleName)
	throws HiveAccessControlException, HiveAuthzPluginException {
	accessController.setCurrentRole(roleName);
	}

	@Override
	public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
	return accessController.getCurrentRoleNames();
	}

	@Override
	public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
	accessController.applyAuthorizationConfigPolicy(hiveConf);
	}

	@Override
	public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveAuthzPluginException {
	return hiveTranslator;
	}

	@Override
	public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext hiveAuthzContext,
	List<HivePrivilegeObject> list) throws SemanticException {
	return null;
	}

	@Override
	public boolean needTransform() {
	return false;
	}

	protected static HivePrivilegeObjectType getPrivObjectType(
	SentryHivePrivilegeObjectDesc privSubjectDesc) {
	if (privSubjectDesc.getObject() == null) {
	return null;
	}
	if (privSubjectDesc.getServer()) {
	return HivePrivilegeObjectType.GLOBAL;
	} else if (privSubjectDesc.getUri()) {
	return HivePrivilegeObjectType.LOCAL_URI;
	} else {
	return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
	: HivePrivilegeObjectType.DATABASE;
	}
	}

	private static class SentryHiveAuthorizationTranslator extends
	DefaultHiveAuthorizationTranslator {

	@Override
	public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
	throws HiveException {
	if (privSubjectDesc != null && privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
	SentryHivePrivilegeObjectDesc sPrivSubjectDesc =
	(SentryHivePrivilegeObjectDesc) privSubjectDesc;
	if (sPrivSubjectDesc.isSentryPrivObjectDesc()) {
	HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
	return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
	}
	}
	return super.getHivePrivilegeObject(privSubjectDesc);
	}
	}
	}