Repository: hive
Updated Branches:
  refs/heads/master 6286bbc35 -> 8cd9d3f7f


HIVE-20344: PrivilegeSynchronizer for SBA might hit AccessControlException 
(Daniel Dai, reviewed by Vaibhav Gumashta)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/8cd9d3f7
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/8cd9d3f7
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/8cd9d3f7

Branch: refs/heads/master
Commit: 8cd9d3f7ffdd1fa1518e7e836e69585c1412a684
Parents: 6286bbc
Author: Daniel Dai <dai...@gmail.com>
Authored: Fri Aug 10 09:35:24 2018 -0700
Committer: Daniel Dai <dai...@gmail.com>
Committed: Fri Aug 10 09:35:24 2018 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hive/conf/HiveConf.java   |  2 ++
 .../authorization/PrivilegeSynchonizer.java     | 24 ++++++++++++--------
 .../apache/hive/service/server/HiveServer2.java |  9 +++++---
 3 files changed, 23 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/8cd9d3f7/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java 
b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
index 5bdcac8..929feb6 100644
--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3018,6 +3018,8 @@ public class HiveConf extends Configuration {
     HIVE_SSL_PROTOCOL_BLACKLIST("hive.ssl.protocol.blacklist", "SSLv2,SSLv3",
         "SSL Versions to disable for all Hive Servers"),
 
+    HIVE_PRIVILEGE_SYNCHRONIZER("hive.privilege.synchronizer", true,
+            "Whether to synchronize privileges from external authorizer 
periodically in HS2"),
     
HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL("hive.privilege.synchronizer.interval",
         "1800s", new TimeValidator(TimeUnit.SECONDS),
         "Interval to synchronize privileges from external authorizer 
periodically in HS2"),
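Review bot: The description of the new `hive.privilege.synchronizer` flag is almost the same sentence as the interval's and does not say what turning it off means. Judging from the HiveServer2 hunk in this commit, `false` makes `startPrivilegeSynchonizer` return before anything is set up. The text could say so, for example `"Whether HS2 periodically synchronizes privileges from the external authorizer; when false the synchronizer is not started"`. The added lines are also indented 12 spaces where the neighbouring entries use 8.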

http://git-wip-us.apache.org/repos/asf/hive/blob/8cd9d3f7/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java
----------------------------------------------------------------------
diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java
index 9ce665f..61e3cec 100644
--- 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java
@@ -33,6 +33,7 @@ import org.apache.hadoop.hive.metastore.api.PrincipalType;
 import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
 import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
 import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.hadoop.hive.metastore.api.MetaException;
 import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
 import org.apache.hadoop.hive.ql.metadata.Hive;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider;
@@ -193,16 +194,21 @@ public class PrivilegeSynchonizer implements Runnable {
 
               HiveObjectRef tableOfColumnsToRefresh = 
getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName);
               PrivilegeBag grantColumnBag = new PrivilegeBag();
-              Table tbl = hiveClient.getTable(dbName, tblName);
-              for (FieldSchema fs : tbl.getPartitionKeys()) {
-                addGrantPrivilegesToBag(policyProvider, grantColumnBag, 
HiveObjectType.COLUMN,
-                    dbName, tblName, fs.getName(), authorizer);
+              Table tbl = null;
+              try {
+                tbl = hiveClient.getTable(dbName, tblName);
+                for (FieldSchema fs : tbl.getPartitionKeys()) {
+                  addGrantPrivilegesToBag(policyProvider, grantColumnBag, 
HiveObjectType.COLUMN,
+                          dbName, tblName, fs.getName(), authorizer);
+                }
+                for (FieldSchema fs : tbl.getSd().getCols()) {
+                  addGrantPrivilegesToBag(policyProvider, grantColumnBag, 
HiveObjectType.COLUMN,
+                          dbName, tblName, fs.getName(), authorizer);
+                }
+                hiveClient.refresh_privileges(tableOfColumnsToRefresh, 
authorizer, grantColumnBag);
+              } catch (MetaException e) {
+                LOG.debug("Unable to synchronize " + tblName + ":" + 
e.getMessage());
               }
-              for (FieldSchema fs : tbl.getSd().getCols()) {
-                addGrantPrivilegesToBag(policyProvider, grantColumnBag, 
HiveObjectType.COLUMN,
-                    dbName, tblName, fs.getName(), authorizer);
-              }
-              hiveClient.refresh_privileges(tableOfColumnsToRefresh, 
authorizer, grantColumnBag);
             }
           }
           LOG.info("Success synchronize privilege " + 
policyProvider.getClass().getName() + ":" + numDb + " databases, "
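Review bot: The new `catch (MetaException e)` covers every MetaException, not only the access-denied case in the commit title, and logs at DEBUG with just `e.getMessage()` and the table name, so a skipped table is invisible at default log levels while the `LOG.info("Success synchronize privilege ...")` below still reports success. Because `refresh_privileges` is now skipped for that table, grants synchronized on an earlier run presumably stay in place until a later run succeeds, which matters if the policy has since revoked them. I would log at WARN with the database name and the exception itself, `LOG.warn("Unable to synchronize " + dbName + "." + tblName, e);`, and ideally count skipped tables in the summary line. `Table tbl` can also be declared inside the `try` rather than initialised to `null` outside it. The enclosing method starts and ends outside this hunk.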

http://git-wip-us.apache.org/repos/asf/hive/blob/8cd9d3f7/service/src/java/org/apache/hive/service/server/HiveServer2.java
----------------------------------------------------------------------
diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java 
b/service/src/java/org/apache/hive/service/server/HiveServer2.java
index 1f6a097..c4d110e 100644
--- a/service/src/java/org/apache/hive/service/server/HiveServer2.java
+++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java
@@ -986,15 +986,18 @@ public class HiveServer2 extends CompositeService {
 
   public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception {
 
+    if (!HiveConf.getBoolVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) {
+      return;
+    }
     PolicyProviderContainer policyContainer = new PolicyProviderContainer();
     HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
     if (authorizer.getHivePolicyProvider() != null) {
       policyContainer.addAuthorizer(authorizer);
     }
-    if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) 
!= null &&
-        
hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains(
+    if (MetastoreConf.getVar(hiveConf, 
MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null &&
+        MetastoreConf.getVar(hiveConf, 
MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).contains(
         
"org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener")
 &&
-        
hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= 
null) {
+        MetastoreConf.getVar(hiveConf, 
MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)!= null) {
       List<HiveMetastoreAuthorizationProvider> providers = 
HiveUtils.getMetaStoreAuthorizeProviderManagers(
           hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, 
SessionState.get().getAuthenticator());
       for (HiveMetastoreAuthorizationProvider provider : providers) {
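Review bot: The new early return when `HIVE_PRIVILEGE_SYNCHRONIZER` is false is silent, although it switches off privilege synchronization for the whole HS2 instance. Assuming the class has its usual logger, a line such as `LOG.info("Privilege synchronizer disabled by " + ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER.varname);` before the `return` would make that visible in the startup log. Separately, `MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS)` is evaluated twice. If `getVar` falls back to the variable's declared default (worth confirming), the `!= null` tests on it and on `HIVE_AUTHORIZATION_MANAGER` may never be false, which would change when the metastore providers are added. Reading each value once into a local and testing it for empty would make the intent explicit; the method body continues past the end of the hunk.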
