Google Git
Sign in
apache / sentry / refs/heads/SENTRY-1881 / . / sentry-binding / sentry-binding-hive / src / main / java / org / apache / sentry / binding / metastore / SentryMetaStoreFilterHook.java
blob: 5ecc87f9be36d6096e30de1f3c8697cd2d4da091 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.binding.metastore;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.MetaStoreFilterHook;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
import org.apache.hadoop.hive.metastore.api.PartitionSpec;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.sentry.binding.hive.authz.HiveAuthzBindingHookBase;
import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
public class SentryMetaStoreFilterHook implements MetaStoreFilterHook {
static final protected Log LOG = LogFactory.getLog(SentryMetaStoreFilterHook.class);
private HiveAuthzBinding hiveAuthzBinding;
private HiveAuthzConf authzConf;
public SentryMetaStoreFilterHook(HiveConf hiveConf) { //NOPMD
}
@Override
public List<String> filterDatabases(List<String> dbList) {
return filterDb(dbList);
}
@Override
public Database filterDatabase(Database dataBase)
throws NoSuchObjectException {
return dataBase;
}
@Override
public List<String> filterTableNames(String dbName, List<String> tableList) {
return filterTab(dbName, tableList);
}
@Override
public Table filterTable(Table table) throws NoSuchObjectException {
return table;
}
@Override
public List<Table> filterTables(List<Table> tableList) {
return tableList;
}
@Override
public List<Partition> filterPartitions(List<Partition> partitionList) {
return partitionList;
}
@Override
public List<PartitionSpec> filterPartitionSpecs(
List<PartitionSpec> partitionSpecList) {
return partitionSpecList;
}
@Override
public Partition filterPartition(Partition partition)
throws NoSuchObjectException {
return partition;
}
@Override
public List<String> filterPartitionNames(String dbName, String tblName,
List<String> partitionNames) {
return partitionNames;
}
@Override
public Index filterIndex(Index index) throws NoSuchObjectException {
return index;
}
@Override
public List<String> filterIndexNames(String dbName, String tblName,
List<String> indexList) {
return indexList;
}
@Override
public List<Index> filterIndexes(List<Index> indexeList) {
return indexeList;
}
/**
* Invoke Hive database filtering that removes the entries which use has no
* privileges to access
* @param dbList
* @return
* @throws MetaException
*/
private List<String> filterDb(List<String> dbList) {
try {
return HiveAuthzBindingHookBase.filterShowDatabases(getHiveAuthzBinding(),
dbList, HiveOperation.SHOWDATABASES, getUserName());
} catch (Exception e) {
LOG.warn("Error getting DB list ", e);
return new ArrayList<String>();
} finally {
close();
}
}
/**
* Invoke Hive table filtering that removes the entries which use has no
* privileges to access
* @param tabList
* @return
* @throws MetaException
*/
private List<String> filterTab(String dbName, List<String> tabList) {
try {
return HiveAuthzBindingHookBase.filterShowTables(getHiveAuthzBinding(),
tabList, HiveOperation.SHOWTABLES, getUserName(), dbName);
} catch (Exception e) {
LOG.warn("Error getting Table list ", e);
return new ArrayList<String>();
} finally {
close();
}
}
private String getUserName() {
return getConf().get(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME);
}
/**
* load Hive auth provider
* @return
* @throws MetaException
*/
private HiveAuthzBinding getHiveAuthzBinding() throws MetaException {
if (hiveAuthzBinding == null) {
String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
if (hiveAuthzConf == null
|| (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
throw new MetaException("Configuration key "
+ HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
+ "' is invalid.");
}
try {
authzConf = new HiveAuthzConf(new URL(hiveAuthzConf));
} catch (MalformedURLException e) {
throw new MetaException("Configuration key "
+ HiveAuthzConf.HIVE_SENTRY_CONF_URL
+ " specifies a malformed URL '" + hiveAuthzConf + "' "
+ e.getMessage());
}
try {
hiveAuthzBinding = new HiveAuthzBinding(
HiveAuthzBinding.HiveHook.HiveMetaStore, getConf(), authzConf);
} catch (Exception e) {
throw new MetaException("Failed to load Hive binding " + e.getMessage());
}
}
return hiveAuthzBinding;
}
private HiveConf getConf() {
return SessionState.get().getConf();
}
private void close() {
if (hiveAuthzBinding != null) {
hiveAuthzBinding.close();
hiveAuthzBinding = null;
}
}
}