access-binding/access-binding-hive/src/main/java/org/apache/access/binding/hive/HiveAuthzBindingSessionHook.java - sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.access.binding.hive;

 import org.apache.access.binding.hive.conf.HiveAuthzConf;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.session.HiveSessionHookContext;

 public class HiveAuthzBindingSessionHook
     implements org.apache.hive.service.cli.session.HiveSessionHook {

   public static final String SEMANTIC_HOOK =
     "org.apache.access.binding.hive.HiveAuthzBindingHook";
   public static final String PRE_EXEC_HOOK =
     "org.apache.access.binding.hive.HiveAuthzBindingPreExecHook";
   public static final String FILTER_HOOK =
     "org.apache.access.binding.hive.HiveAuthzBindingHook";
   public static final String SCRATCH_DIR_PERMISSIONS = "700";
   public static final String ACCESS_RESTRICT_LIST =
     ConfVars.SEMANTIC_ANALYZER_HOOK.varname + "," +
     ConfVars.PREEXECHOOKS.varname + "," +
     ConfVars.HIVE_EXEC_FILTER_HOOK.varname + "," +
     ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE.varname + "," +
     ConfVars.SCRATCHDIR.varname + "," +
     ConfVars.LOCALSCRATCHDIR.varname + "," +
     ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC.varname + "," +
     ConfVars.METASTOREURIS.varname + "," +
     ConfVars.METASTORECONNECTURLKEY.varname + "," +
     ConfVars.HADOOPBIN.varname + "," +
     ConfVars.HIVESESSIONID.varname + "," +
     ConfVars.HIVEAUXJARS.varname + "," +
     ConfVars.HIVESTATSDBCONNECTIONSTRING.varname + "," +
     ConfVars.SCRATCHDIRPERMISSION.varname + "," +
     HiveAuthzConf.HIVE_ACCESS_CONF_URL + "," +
     HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME;

   /**
    * The session hook for access authorization that sets the required session level configuration
    * 1. Setup the access hooks -
    *    semantic, exec and filter hooks
    * 2. Set additional config properties required for auth
    *      set HIVE_EXTENDED_ENITITY_CAPTURE = true
    *      set HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC = false
    *      set SCRATCHDIRPERMISSION = 700
    * 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
    */
   @Override
   public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException {
     // Add access hooks to the session configuration
     HiveConf sessionConf = sessionHookContext.getSessionConf();

     appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK, SEMANTIC_HOOK);
     appendConfVar(sessionConf, ConfVars.PREEXECHOOKS, PRE_EXEC_HOOK);
     appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK, FILTER_HOOK);

     // setup config
     sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true);
     sessionConf.setBoolVar(ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC, false);
     sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);

     // set user name
     sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());

     // setup restrict list
     sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST);
   }

   // Setup given access hooks
   private void appendConfVar(HiveConf sessionConf, ConfVars confVar, String accessConfVal) {
     String currentValue = sessionConf.getVar(confVar);
     if ((currentValue == null) || currentValue.isEmpty()) {
       currentValue = accessConfVal;
     } else {
       currentValue = accessConfVal + "," + currentValue;
     }
     sessionConf.setVar(confVar, currentValue);
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.access.binding.hive;

	import org.apache.access.binding.hive.conf.HiveAuthzConf;
	import org.apache.hadoop.hive.conf.HiveConf;
	import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
	import org.apache.hive.service.cli.HiveSQLException;
	import org.apache.hive.service.cli.session.HiveSessionHookContext;

	public class HiveAuthzBindingSessionHook
	implements org.apache.hive.service.cli.session.HiveSessionHook {

	public static final String SEMANTIC_HOOK =
	"org.apache.access.binding.hive.HiveAuthzBindingHook";
	public static final String PRE_EXEC_HOOK =
	"org.apache.access.binding.hive.HiveAuthzBindingPreExecHook";
	public static final String FILTER_HOOK =
	"org.apache.access.binding.hive.HiveAuthzBindingHook";
	public static final String SCRATCH_DIR_PERMISSIONS = "700";
	public static final String ACCESS_RESTRICT_LIST =
	ConfVars.SEMANTIC_ANALYZER_HOOK.varname + "," +
	ConfVars.PREEXECHOOKS.varname + "," +
	ConfVars.HIVE_EXEC_FILTER_HOOK.varname + "," +
	ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE.varname + "," +
	ConfVars.SCRATCHDIR.varname + "," +
	ConfVars.LOCALSCRATCHDIR.varname + "," +
	ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC.varname + "," +
	ConfVars.METASTOREURIS.varname + "," +
	ConfVars.METASTORECONNECTURLKEY.varname + "," +
	ConfVars.HADOOPBIN.varname + "," +
	ConfVars.HIVESESSIONID.varname + "," +
	ConfVars.HIVEAUXJARS.varname + "," +
	ConfVars.HIVESTATSDBCONNECTIONSTRING.varname + "," +
	ConfVars.SCRATCHDIRPERMISSION.varname + "," +
	HiveAuthzConf.HIVE_ACCESS_CONF_URL + "," +
	HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME;

	/**
	* The session hook for access authorization that sets the required session level configuration
	* 1. Setup the access hooks -
	* semantic, exec and filter hooks
	* 2. Set additional config properties required for auth
	* set HIVE_EXTENDED_ENITITY_CAPTURE = true
	* set HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC = false
	* set SCRATCHDIRPERMISSION = 700
	* 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
	*/
	@Override
	public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException {
	// Add access hooks to the session configuration
	HiveConf sessionConf = sessionHookContext.getSessionConf();

	appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK, SEMANTIC_HOOK);
	appendConfVar(sessionConf, ConfVars.PREEXECHOOKS, PRE_EXEC_HOOK);
	appendConfVar(sessionConf, ConfVars.HIVE_EXEC_FILTER_HOOK, FILTER_HOOK);

	// setup config
	sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true);
	sessionConf.setBoolVar(ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC, false);
	sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);

	// set user name
	sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());

	// setup restrict list
	sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST);
	}

	// Setup given access hooks
	private void appendConfVar(HiveConf sessionConf, ConfVars confVar, String accessConfVal) {
	String currentValue = sessionConf.getVar(confVar);
	if ((currentValue == null) \|\| currentValue.isEmpty()) {
	currentValue = accessConfVal;
	} else {
	currentValue = accessConfVal + "," + currentValue;
	}
	sessionConf.setVar(confVar, currentValue);
	}
	}