access-binding/access-binding-hive/src/main/java/org/apache/access/binding/hive/HiveAuthzBindingPreExecHook.java - sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.access.binding.hive;

 import java.util.ArrayList;
 import java.util.List;

 import org.apache.access.binding.hive.authz.HiveAuthzBinding;
 import org.apache.access.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
 import org.apache.access.binding.hive.authz.HiveAuthzPrivilegesMap;
 import org.apache.access.core.Authorizable;
 import org.apache.access.core.Subject;
 import org.apache.hadoop.hive.ql.QueryPlan;
 import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
 import org.apache.hadoop.hive.ql.hooks.HookContext;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 public class HiveAuthzBindingPreExecHook implements ExecuteWithHookContext {
   private static final Logger LOG = LoggerFactory
       .getLogger(HiveAuthzBindingPreExecHook.class);

   /**
    * Raise error if the given query contains transforms
    */
   @Override
   public void run(HookContext hookContext) throws Exception {
     HiveAuthzBinding hiveAuthzBinding =  HiveAuthzBinding.get(hookContext.getConf());
     try {
       QueryPlan qPlan = hookContext.getQueryPlan();
       if ((qPlan == null) || (qPlan.getQueryProperties() == null)) {
         return;
       }
       // validate server level permissions permission for transforms
       if (qPlan.getQueryProperties().usesScript()) {
         if (hiveAuthzBinding == null) {
           LOG.warn("No authorization binding fund, skipping the authorization for transform");
           return;
         }
         List<List<Authorizable>> inputHierarchy = new ArrayList<List<Authorizable>> ();
         List<List<Authorizable>> outputHierarchy = new ArrayList<List<Authorizable>> ();
         List<Authorizable> serverHierarchy = new ArrayList<Authorizable>();

         serverHierarchy.add(hiveAuthzBinding.getAuthServer());
         outputHierarchy.add(serverHierarchy);
         hiveAuthzBinding.authorize(HiveOperation.QUERY,
           HiveAuthzPrivilegesMap.getHiveExtendedAuthzPrivileges(HiveExtendedOperation.TRANSFORM),
           new Subject(hookContext.getUserName()), inputHierarchy, outputHierarchy);
       }
     } finally {
       if (hiveAuthzBinding != null) {
         hiveAuthzBinding.clear(hookContext.getConf());
       }
     }
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.access.binding.hive;

	import java.util.ArrayList;
	import java.util.List;

	import org.apache.access.binding.hive.authz.HiveAuthzBinding;
	import org.apache.access.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
	import org.apache.access.binding.hive.authz.HiveAuthzPrivilegesMap;
	import org.apache.access.core.Authorizable;
	import org.apache.access.core.Subject;
	import org.apache.hadoop.hive.ql.QueryPlan;
	import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
	import org.apache.hadoop.hive.ql.hooks.HookContext;
	import org.apache.hadoop.hive.ql.plan.HiveOperation;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	public class HiveAuthzBindingPreExecHook implements ExecuteWithHookContext {
	private static final Logger LOG = LoggerFactory
	.getLogger(HiveAuthzBindingPreExecHook.class);

	/**
	* Raise error if the given query contains transforms
	*/
	@Override
	public void run(HookContext hookContext) throws Exception {
	HiveAuthzBinding hiveAuthzBinding = HiveAuthzBinding.get(hookContext.getConf());
	try {
	QueryPlan qPlan = hookContext.getQueryPlan();
	if ((qPlan == null) \|\| (qPlan.getQueryProperties() == null)) {
	return;
	}
	// validate server level permissions permission for transforms
	if (qPlan.getQueryProperties().usesScript()) {
	if (hiveAuthzBinding == null) {
	LOG.warn("No authorization binding fund, skipping the authorization for transform");
	return;
	}
	List<List<Authorizable>> inputHierarchy = new ArrayList<List<Authorizable>> ();
	List<List<Authorizable>> outputHierarchy = new ArrayList<List<Authorizable>> ();
	List<Authorizable> serverHierarchy = new ArrayList<Authorizable>();

	serverHierarchy.add(hiveAuthzBinding.getAuthServer());
	outputHierarchy.add(serverHierarchy);
	hiveAuthzBinding.authorize(HiveOperation.QUERY,
	HiveAuthzPrivilegesMap.getHiveExtendedAuthzPrivileges(HiveExtendedOperation.TRANSFORM),
	new Subject(hookContext.getUserName()), inputHierarchy, outputHierarchy);
	}
	} finally {
	if (hiveAuthzBinding != null) {
	hiveAuthzBinding.clear(hookContext.getConf());
	}
	}
	}

	}