This is an automated email from the ASF dual-hosted git repository.
gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new 21890280c79 HIVE-29202: Add HiveAuthzContext support to
HiveMetaStoreAuthorizable… (#6078)
21890280c79 is described below
commit 21890280c79f4c750ea19bbc342b3b8b5439b3c0
Author: Hazel Jiang <[email protected]>
AuthorDate: Fri Sep 26 15:16:36 2025 -0700
HIVE-29202: Add HiveAuthzContext support to HiveMetaStoreAuthorizable…
(#6078)
---------
Co-authored-by: Your Name <[email protected]>
Co-authored-by: Wechar Yu <[email protected]>
---
.../metastore/HiveMetaStoreAuthorizableEvent.java | 25 ++++++++++++++++++++++
.../plugin/metastore/HiveMetaStoreAuthzInfo.java | 9 ++++++++
.../plugin/metastore/events/ReadDatabaseEvent.java | 11 ++++++----
3 files changed, 41 insertions(+), 4 deletions(-)
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java
index a801960ff57..bcc3e9451ea 100644
---
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java
+++
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java
@@ -19,15 +19,19 @@
package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore;
+import org.apache.hadoop.hive.metastore.HMSHandler;
import org.apache.hadoop.hive.metastore.api.DataConnector;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
+import java.util.Map;
/*
HiveMetaStoreAuthorizableEvent: Abstract class for getting the MetaStore Event
context for HiveMetaStore Authorization
@@ -40,6 +44,27 @@ protected HiveMetaStoreAuthorizableEvent(PreEventContext
preEventContext) {
this.preEventContext = preEventContext;
}
+ protected HiveAuthzContext buildAuthzContext(String commandString) {
+ HiveAuthzContext.Builder builder = new HiveAuthzContext.Builder();
+
+ if (commandString != null) {
+ builder.setCommandString(commandString);
+ }
+
+ // TODO: refer to SessionManager/HiveSessionImpl for details on getting
ipAddress and forwardedAddresses
+ builder.setForwardedAddresses(new ArrayList<>());
+
+ String ipAddress = HMSHandler.getIPAddress();
+ builder.setUserIpAddress(ipAddress);
+
+ Map<String, Object> clientConfig =
HiveMetaStoreAuthorizer.getClientConfig();
+ if (clientConfig != null) {
+ builder.setClientConfig(clientConfig);
+ }
+
+ return builder.build();
+ }
+
public abstract HiveMetaStoreAuthzInfo getAuthzContext();
protected String getSdLocation(StorageDescriptor sd) {
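Review bot: `buildAuthzContext` always hands the authorizer an empty forwarded-address list (`builder.setForwardedAddresses(new ArrayList<>())`), so a plugin that evaluates IP-based policy or writes audit records sees only whatever `HMSHandler.getIPAddress()` returns. When the metastore is reached through HiveServer2 or another proxy, that is presumably the proxy's address rather than the end client's. Until the TODO is resolved I would state the limit in a Javadoc on the method, e.g. `/** Builds the context passed to the authorizer; userIpAddress is the direct peer and forwardedAddresses is always empty, so neither identifies the originating client. */`. The body of `getIPAddress()` is not in this diff, so it is worth confirming whether it can return null and whether `setUserIpAddress(null)` is acceptable to downstream plugins. If the builder does not need a mutable list, `Collections.emptyList()` (already imported) would also avoid the new `ArrayList` import.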
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthzInfo.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthzInfo.java
index ee70cdbeaa9..90d7ddcee78 100644
---
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthzInfo.java
+++
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthzInfo.java
@@ -51,6 +51,15 @@ public HiveMetaStoreAuthzInfo(PreEventContext
preEventContext, HiveOperationType
this.hiveAuthzContext = createHiveAuthzContext();
}
+ public HiveMetaStoreAuthzInfo(PreEventContext preEventContext,
HiveOperationType operationType, List<HivePrivilegeObject> inputHObjs,
List<HivePrivilegeObject> outputHObjs, String commandString, HiveAuthzContext
hiveAuthzContext) {
+ this.preEventContext = preEventContext;
+ this.operationType = operationType;
+ this.inputHObjs = inputHObjs;
+ this.outputHObjs = outputHObjs;
+ this.commandString = commandString;
+ this.hiveAuthzContext = hiveAuthzContext;
+ }
+
public HiveOperationType getOperationType() {
return operationType;
}
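Review bot: The new six-argument constructor stores the caller's `hiveAuthzContext` unchecked, whereas the existing constructor just above it always sets the field from `createHiveAuthzContext()`, so a caller passing null would leave the authorizer with no context at all. A guard keeps the old invariant: `this.hiveAuthzContext = hiveAuthzContext != null ? hiveAuthzContext : createHiveAuthzContext();`, assuming `createHiveAuthzContext()` only reads fields assigned before it, since its body is outside this hunk. The constructor also takes `commandString` separately from a context that already carries a command string, so the two can disagree; a one-line Javadoc saying which value the authorizer is expected to use would help. The existing constructor begins outside the hunk.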
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/ReadDatabaseEvent.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/ReadDatabaseEvent.java
index 737e5009eae..40250ad222a 100644
---
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/ReadDatabaseEvent.java
+++
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/ReadDatabaseEvent.java
@@ -22,6 +22,7 @@
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.events.PreEventContext;
import org.apache.hadoop.hive.metastore.events.PreReadDatabaseEvent;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
@@ -40,10 +41,12 @@ public ReadDatabaseEvent(PreEventContext preEventContext) {
super(preEventContext);
}
- @Override public HiveMetaStoreAuthzInfo getAuthzContext() {
- HiveMetaStoreAuthzInfo ret =
- new HiveMetaStoreAuthzInfo(preEventContext,
HiveOperationType.SHOWDATABASES, getInputHObjs(), getOutputHObjs(),
- COMMAND_STR);
+ @Override
+ public HiveMetaStoreAuthzInfo getAuthzContext() {
+ HiveAuthzContext authzContext = buildAuthzContext(COMMAND_STR);
+ HiveMetaStoreAuthzInfo ret = new HiveMetaStoreAuthzInfo(preEventContext,
HiveOperationType.SHOWDATABASES,
+ getInputHObjs(), getOutputHObjs(), COMMAND_STR, authzContext);
+ LOG.debug("ReadDatabaseEvent.getAuthzContext(): authzContext={}",
authzContext);
return ret;
}
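Review bot: The added `LOG.debug("ReadDatabaseEvent.getAuthzContext(): authzContext={}", authzContext)` writes the whole context to the log, and that context now carries the client IP and the client config map set in `buildAuthzContext`. If `HiveAuthzContext.toString()` prints that map (not visible here), any sensitive client setting ends up in metastore debug logs; logging only what is needed, e.g. `LOG.debug("ReadDatabaseEvent.getAuthzContext(): ip={}", authzContext.getIpAddress());`, avoids that. Separately, only `ReadDatabaseEvent` is switched to `buildAuthzContext` in this commit, so the other event classes presumably still use the five-argument constructor and the authorizer gets the richer context for SHOWDATABASES only. A comment or follow-up ticket reference noting that the remaining events are pending would make the inconsistency explicit.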