Repository: hive Updated Branches: refs/heads/master f99c89388 -> bd6d91f11
HIVE-18777 : Add Authorization interface to support information_schema integration with external authorization (Thejas Nair, reviewed by Daniel Dai) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/bd6d91f1 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/bd6d91f1 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/bd6d91f1 Branch: refs/heads/master Commit: bd6d91f11d7d3323dce37344eea9d722f8945e6a Parents: f99c893 Author: Thejas M Nair <the...@hortonworks.com> Authored: Wed Feb 28 17:08:16 2018 -0800 Committer: Thejas M Nair <the...@hortonworks.com> Committed: Wed Feb 28 17:08:16 2018 -0800 ---------------------------------------------------------------------- .../plugin/AbstractHiveAuthorizer.java | 13 ++++- .../authorization/plugin/HiveAuthorizer.java | 10 ++-- .../plugin/HivePolicyChangeListener.java | 35 ++++++++++++++ .../plugin/HivePolicyProvider.java | 36 ++++++++++++++ .../authorization/plugin/HiveResourceACLs.java | 50 ++++++++++++++++++++ 5 files changed, 140 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java index 4441934..a925c5a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java 
@@ -17,7 +17,6 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin; - /** * Abstract class that extends HiveAuthorizer. This will help to shield * Hive authorization implementations from some of the changes to HiveAuthorizer @@ -38,4 +37,16 @@ public abstract class AbstractHiveAuthorizer implements HiveAuthorizer { return null; } + /* + * (non-Javadoc) + * + * @see + * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer# + * getHivePolicyProvider() + */ + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 9783c56..a4079b8 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -263,7 +263,7 @@ public interface HiveAuthorizer { * * @throws SemanticException */ - public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, + List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> privObjs) throws SemanticException; /** 
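Review bot: The `getHivePolicyProvider()` override added to AbstractHiveAuthorizer returns `null`, and nothing in the hunk tells a caller that null is a legal result or what it means. Since the commit title says this value feeds authorization data to information_schema, I would replace the `(non-Javadoc)` block with a real comment such as `/** Default: this authorizer exposes no policy information. Callers must check for null and must not read it as "no restrictions". */`. The interface javadoc added in HiveAuthorizer.java (`@return HivePolicyProvider instance (expected to be a singleton)`) should say the same, because it currently reads as if an instance is always returned.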
@@ -273,7 +273,11 @@ public interface HiveAuthorizer { * @return * @throws SemanticException */ - public boolean needTransform(); + boolean needTransform(); + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } - http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java new file mode 100644 index 0000000..577f609 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java 
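Review bot: `getHivePolicyProvider()` is added to the HiveAuthorizer interface as an abstract method, so a plugin that implements the interface directly instead of extending AbstractHiveAuthorizer stops compiling, and an already-built one would fail with AbstractMethodError when the method is called. If the build baseline is Java 8 or later, a default method avoids this: `default HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { return null; }`. Otherwise the javadoc should state that plugins are expected to extend AbstractHiveAuthorizer. The `@throws HiveAuthzPluginException` tag also has no text saying when it is thrown. The interface body starts outside this hunk, so other members may already document that convention.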
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.List;
+
+/**
+ * This would be implemented by a class that needs to be notified when there is
+ * a policy change.
+ */
+public interface HivePolicyChangeListener {
+ /**
+ * @param hpo
+ * List of Objects whose privileges have changed. If undetermined,
+ * null can be returned (implies that it should be treated as if all object
+ * policies might have changed).
+ */
+ void notifyPolicyChange(List<HivePrivilegeObject> hpo);
+
+}
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
new file mode 100644
index 0000000..a9d1bd5
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
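Review bot: The `@param hpo` text on `notifyPolicyChange` says null "can be returned", but `hpo` is an argument, so a reader cannot tell whether null is something the listener receives or something it hands back. I would reword it as `@param hpo objects whose privileges changed; null means the set is unknown and every object's policy must be treated as possibly changed`. The javadoc should also say what an empty list means and which thread the callback may arrive on. A listener that caches ACLs needs both to invalidate correctly, and a missed invalidation leaves stale grants visible.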
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins.
+ */
+public interface HivePolicyProvider {
+ /**
+ * @param hiveObject
+ * @return representation of user/group to permissions mapping.
+ */
+ HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+ /**
+ * @param listener
+ */
+ void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}
http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 0000000..53e221f
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
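Review bot: `getResourceACLs` does not say what comes back for an object the plugin holds no policy for, and the `@param hiveObject` and `@param listener` tags are empty. A consumer that copies these ACLs into another store has to know whether to expect null or an empty HiveResourceACLs, so the author should pick one and document it, for example `@return ACLs for hiveObject; never null, with empty maps when no policy applies`. For `registerHivePolicyChangeListener` I would add one sentence on whether a listener may be registered more than once and whether implementations must be safe to call from several threads. The interface offers no way to unregister a listener, which deserves a note if it is intentional.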
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.Map;
+
+/**
+ * Captures authorization policy information on a {@link HivePrivilegeObject}.
+ */
+public interface HiveResourceACLs {
+ /**
+ * Privilege types.
+ */
+ enum Privilege {
+ SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+ };
+
+ /**
+ * Privilege access result.
+ */
+ enum AccessResult {
+ ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+ };
+
+ /**
+ * @return Returns mapping of user name to privilege-access result pairs
+ */
+ Map<String, Map<Privilege, AccessResult>> getUserPermissions();
+
+ /**
+ * @return Returns mapping of group name to privilege-access result pairs
+ */
+ Map<String, Map<Privilege, AccessResult>> getGroupPermissions();
+
+}
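Review bot: The getters `getUserPermissions()` and `getGroupPermissions()` leave the meaning of a missing entry open: nothing says how to read a user, group or Privilege that is absent from the returned maps, and `CONDITIONAL_ALLOWED` has no description. For data that answers who can access what, I would document the fail-closed reading, e.g. `A privilege with no entry must be treated as NOT_ALLOWED`. The javadoc should also say which condition CONDITIONAL_ALLOWED stands for (presumably row filtering or column masking, to be confirmed by the author). It is also worth stating whether the returned maps are unmodifiable and how a user entry combines with a conflicting group entry. The `};` closing each enum body carries a stray semicolon.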