This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new fa0dff1 RANGER-2657: Upgrade Hive version from 3.1 to 3.1.2 fa0dff1 is described below commit fa0dff146399b97554d4e745e6e2dcbd7510d988 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Wed Dec 4 14:53:11 2019 -0800 RANGER-2657: Upgrade Hive version from 3.1 to 3.1.2 --- .../RangerDefaultPolicyEvaluator.java | 2 +- .../plugin/policyengine/TestPolicyEngine.java | 65 +++++--- .../hive/authorizer/RangerHiveAuthorizer.java | 137 +++++++++++------ .../hive/authorizer/RangerHivePolicyProvider.java | 168 +++++++++++++++++++++ .../hive/authorizer/RangerHiveResourceACLs.java | 46 ++++++ pom.xml | 2 +- 6 files changed, 355 insertions(+), 65 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 6664d1b..57ad717 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -1094,7 +1094,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator case RangerPolicy.POLICY_TYPE_ACCESS: { ret = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators); - if(ret == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed + if(ret == null && !result.getIsAccessDetermined()) { // a deny policy could have set isAllowed=true, but in such case it wouldn't set isAccessDetermined=true ret = getMatchingPolicyItem(request, allowEvaluators, allowExceptionEvaluators); } break; diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java index 362f28e..4265b06 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java @@ -484,35 +484,32 @@ public class TestPolicyEngine { RangerPolicyEngineOptions policyEngineOptions = pluginContext.getConfig().getPolicyEngineOptions(); - policyEngineOptions.disableTagPolicyEvaluation = false; - policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false; - policyEngineOptions.optimizeTrieForRetrieval = false; + policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true; - RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); + RangerPolicyEngineImpl policyEngine = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); - policyEngine.setUseForwardedIPAddress(useForwardedIPAddress); - policyEngine.setTrustedProxyAddresses(trustedProxyAddresses); + policyEngine.setUseForwardedIPAddress(useForwardedIPAddress); + policyEngine.setTrustedProxyAddresses(trustedProxyAddresses); - policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = true; - policyEngineOptions.optimizeTrieForRetrieval = false; + policyEngineOptions.disableAccessEvaluationWithPolicyACLSummary = false; - RangerPolicyEngineImpl policyEngineForResourceAccessInfo = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); + RangerPolicyEngineImpl policyEngineForEvaluatingWithACLs = new RangerPolicyEngineImpl(servicePolicies, pluginContext, roles); - policyEngineForResourceAccessInfo.setUseForwardedIPAddress(useForwardedIPAddress); - policyEngineForResourceAccessInfo.setTrustedProxyAddresses(trustedProxyAddresses); + policyEngineForEvaluatingWithACLs.setUseForwardedIPAddress(useForwardedIPAddress); + policyEngineForEvaluatingWithACLs.setTrustedProxyAddresses(trustedProxyAddresses); - runTestCaseTests(policyEngine, policyEngineForResourceAccessInfo, testCase.serviceDef, testName, testCase.tests); + runTestCaseTests(policyEngine, policyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.tests); if (testCase.updatedPolicies != null) { servicePolicies.setPolicyDeltas(testCase.updatedPolicies.policyDeltas); servicePolicies.setSecurityZones(testCase.updatedPolicies.securityZones); RangerPolicyEngine updatedPolicyEngine = RangerPolicyEngineImpl.getPolicyEngine(policyEngine, servicePolicies); - RangerPolicyEngine updatedPolicyEngineForResourceAccessInfo = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForResourceAccessInfo, servicePolicies); - runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForResourceAccessInfo, testCase.serviceDef, testName, testCase.updatedTests); + RangerPolicyEngine updatedPolicyEngineForEvaluatingWithACLs = RangerPolicyEngineImpl.getPolicyEngine(policyEngineForEvaluatingWithACLs, servicePolicies); + runTestCaseTests(updatedPolicyEngine, updatedPolicyEngineForEvaluatingWithACLs, testCase.serviceDef, testName, testCase.updatedTests); } } - private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngine policyEngineForResourceAccessInfo, RangerServiceDef serviceDef, String testName, List<TestData> tests) { + private void runTestCaseTests(RangerPolicyEngine policyEngine, RangerPolicyEngine policyEngineForEvaluatingWithACLs, RangerServiceDef serviceDef, String testName, List<TestData> tests) { RangerAccessRequest request = null; @@ -588,38 +585,66 @@ public class TestPolicyEngine { RangerAccessResultProcessor auditHandler = new RangerDefaultAuditHandler(); if(test.result != null) { - RangerAccessResult expected = test.result; - RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler); + RangerAccessResult expected = test.result; + RangerAccessResult result; + + result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited()); + + result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, auditHandler); + + assertNotNull("result was null! - " + test.name, result); + assertEquals("isAllowed mismatched! - " + test.name, expected.getIsAllowed(), result.getIsAllowed()); + assertEquals("isAudited mismatched! - " + test.name, expected.getIsAudited(), result.getIsAudited()); } if(test.dataMaskResult != null) { RangerAccessResult expected = test.dataMaskResult; - RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler); + RangerAccessResult result; + + result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler); + + assertNotNull("result was null! - " + test.name, result); + assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType()); + assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition()); + assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue()); + assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + + result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_DATAMASK, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("maskType mismatched! - " + test.name, expected.getMaskType(), result.getMaskType()); assertEquals("maskCondition mismatched! - " + test.name, expected.getMaskCondition(), result.getMaskCondition()); assertEquals("maskedValue mismatched! - " + test.name, expected.getMaskedValue(), result.getMaskedValue()); assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + } if(test.rowFilterResult != null) { RangerAccessResult expected = test.rowFilterResult; - RangerAccessResult result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler); + RangerAccessResult result; + + result = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler); + + assertNotNull("result was null! - " + test.name, result); + assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr()); + assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + + result = policyEngineForEvaluatingWithACLs.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ROWFILTER, auditHandler); assertNotNull("result was null! - " + test.name, result); assertEquals("filterExpr mismatched! - " + test.name, expected.getFilterExpr(), result.getFilterExpr()); assertEquals("policyId mismatched! - " + test.name, expected.getPolicyId(), result.getPolicyId()); + } if(test.resourceAccessInfo != null) { RangerResourceAccessInfo expected = new RangerResourceAccessInfo(test.resourceAccessInfo); - RangerResourceAccessInfo result = policyEngineForResourceAccessInfo.getResourceAccessInfo(test.request); + RangerResourceAccessInfo result = policyEngine.getResourceAccessInfo(test.request); assertNotNull("result was null! - " + test.name, result); assertEquals("allowedUsers mismatched! - " + test.name, expected.getAllowedUsers(), result.getAllowedUsers()); diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 5a7de43..5e2ddae 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -52,6 +52,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginEx import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; @@ -134,6 +135,17 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { case HIVESERVER2: appType = "hiveServer2"; break; + + /* + case HIVEMETASTORE: + appType = "hiveMetastore"; + break; + + case OTHER: + appType = "other"; + break; + + */ } } @@ -147,6 +159,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + if (hivePlugin == null) { + throw new HiveAuthzPluginException(); + } + RangerHivePolicyProvider policyProvider = new RangerHivePolicyProvider(hivePlugin); + + return policyProvider; + } + + @Override public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { if(LOG.isDebugEnabled()) { @@ -888,7 +910,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { LOG.debug(String.format(format, actionType, objectType, objectName, dbName, columns, partitionKeys, commandString, ipAddress)); } - RangerHiveResource resource = createHiveResource(privilegeObject); + RangerHiveResource resource = createHiveResourceForFiltering(privilegeObject); if (resource == null) { LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null"); } else { @@ -1150,7 +1172,24 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return ret; } - private RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) { + static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) { + RangerHiveResource resource = null; + + HivePrivilegeObjectType objectType = privilegeObject.getType(); + + switch(objectType) { + case DATABASE: + case TABLE_OR_VIEW: + resource = createHiveResource(privilegeObject); + break; + default: + LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + objectType); + } + + return resource; + } + + static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) { RangerHiveResource resource = null; HivePrivilegeObjectType objectType = privilegeObject.getType(); @@ -1158,18 +1197,25 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { String dbName = privilegeObject.getDbname(); switch(objectType) { - case DATABASE: - resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName); - //when fix is in place for HIVE-22128 we can un comment this. - //resource.setOwnerUser(privilegeObject.getOwnerName()); - break; - case TABLE_OR_VIEW: - resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName); - //when fix is in place for HIVE-22128 we can un comment this. - //resource.setOwnerUser(privilegeObject.getOwnerName()); - break; - default: - LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objectType); + case DATABASE: + resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName); + break; + case TABLE_OR_VIEW: + resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName); + //resource.setOwnerUser(privilegeObject.getOwnerName()); + break; + case COLUMN: + List<String> columns = privilegeObject.getColumns(); + int numOfColumns = columns == null ? 0 : columns.size(); + if (numOfColumns == 1) { + resource = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0)); + //resource.setOwnerUser(privilegeObject.getOwnerName()); + } else { + LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + numOfColumns + ", objectType:" + objectType); + } + break; + default: + LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objectType); } if (resource != null) { @@ -1184,10 +1230,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { HivePrivilegeObject hiveObj, List<HivePrivilegeObject> inputs, List<HivePrivilegeObject> outputs) { - if(LOG.isDebugEnabled()) { - LOG.debug("==> RangerHiveAuthorizer.getHiveResource(" + "HiveOperationType: " + hiveOpType + "HivePrivilegeObject:"+ hiveObj + " InputObjs:" + inputs + " OutputObjs:" + outputs); - } - RangerHiveResource ret = null; HiveObjectType objectType = getObjectType(hiveObj, hiveOpType); @@ -1195,17 +1237,26 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { switch(objectType) { case DATABASE: ret = new RangerHiveResource(objectType, hiveObj.getDbname()); - /*if (!isCreateOperation(hiveOpType)) { + /* + if (!isCreateOperation(hiveOpType)) { ret.setOwnerUser(hiveObj.getOwnerName()); - }*/ + } + + */ break; case TABLE: case VIEW: case FUNCTION: ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName()); + // To suppress PMD violations + if (LOG.isDebugEnabled()) { + LOG.debug("Size of inputs = [" + (CollectionUtils.isNotEmpty(inputs) ? inputs.size() : 0) + + ", Size of outputs = [" + (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]"); + } - /*String ownerName = hiveObj.getOwnerName(); + /* + String ownerName = hiveObj.getOwnerName(); if (isCreateOperation(hiveOpType)) { HivePrivilegeObject dbObject = getDatabaseObject(hiveObj.getDbname(), inputs, outputs); @@ -1215,7 +1266,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } ret.setOwnerUser(ownerName); - */ + + */ + break; case PARTITION: @@ -1245,10 +1298,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { ret.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef()); } - if(LOG.isDebugEnabled()) { - LOG.debug("<= RangerHiveAuthorizer.getHiveResource(" + " RangerHiveResource: " + ret); - } - return ret; } @@ -1290,7 +1339,8 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return ret; } - */ + + */ private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) { HiveObjectType objType = HiveObjectType.NONE; @@ -1650,6 +1700,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { case ALTERPARTITION_LOCATION: case ALTERPARTITION_MERGEFILES: case ALTERTBLPART_SKEWED_LOCATION: + case ALTERTABLE_OWNER: case QUERY: ret = FsAction.ALL; break; @@ -2126,6 +2177,17 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return ret; } + private boolean isTempUDFOperation(String hiveOpTypeName, HivePrivilegeObject hiveObj) { + boolean ret = false; + if ((hiveOpTypeName.contains("createfunction") || hiveOpTypeName.contains("dropfunction")) && + StringUtils.isEmpty(hiveObj.getDbname())) { + // This happens for temp udf function and will use + // global resource policy in ranger for auth + ret = true; + } + return ret; + } + private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException { List<HivePrivilegeInfo> ret = new ArrayList<>(); HivePrivilegeObject.HivePrivilegeObjectType objectType = null; @@ -2133,10 +2195,10 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = null; Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = null; - String dbName = null; - String objectName = null; - String columnName = null; - List<String> partValues = null; + String dbName = null; + String objectName = null; + String columnName = null; + List<String> partValues = null; try { HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj); @@ -2333,7 +2395,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]"); } - RangerHiveResource hiveResource = createHiveResource(hiveObject); + RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject); RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null); ret = hivePlugin.getResourceACLs(request); @@ -2411,17 +2473,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { return result; } - private boolean isTempUDFOperation(String hiveOpTypeName, HivePrivilegeObject hiveObj) { - boolean ret = false; - if ((hiveOpTypeName.contains("createfunction") || hiveOpTypeName.contains("dropfunction")) && - StringUtils.isEmpty(hiveObj.getDbname())) { - // This happens for temp udf function and will use - // global resource policy in ranger for auth - ret = true; - } - return ret; - } - private String toString(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs, diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java new file mode 100644 index 0000000..3a88c47 --- /dev/null +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java @@ -0,0 +1,168 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.hive.authorizer; + +import org.apache.commons.collections.MapUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyChangeListener; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.policyengine.RangerResourceACLs; +import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator; +import org.apache.ranger.plugin.service.RangerAuthContextListener; +import org.apache.ranger.plugin.service.RangerBasePlugin; +import org.apache.ranger.plugin.util.RangerPerfTracer; + +import javax.validation.constraints.NotNull; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +public class RangerHivePolicyProvider implements HivePolicyProvider { + private static final Log LOG = LogFactory.getLog(RangerHivePolicyProvider.class); + + private static final Log PERF_HIVEACLPROVIDER_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hiveACLProvider.request"); + + private final RangerHiveAuthContextListener authContextListener = new RangerHiveAuthContextListener(); + + private final Set<String> hivePrivileges; + + private final RangerBasePlugin rangerPlugin; + + RangerHivePolicyProvider(@NotNull RangerHivePlugin hivePlugin) { + + Set<String> privileges = new HashSet<>(); + for (HiveResourceACLs.Privilege privilege : HiveResourceACLs.Privilege.values()) { + privileges.add(privilege.name().toLowerCase()); + } + + this.hivePrivileges = new HashSet<>(privileges); + this.rangerPlugin = hivePlugin; + } + + @Override + public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) { + + HiveResourceACLs ret; + + RangerPerfTracer perf = null; + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEACLPROVIDER_REQUEST_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_HIVEACLPROVIDER_REQUEST_LOG, "RangerHivePolicyProvider.getResourceACLS()"); + } + // Extract and build RangerHiveResource from inputObject + RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject); + ret = getResourceACLs(hiveResource); + RangerPerfTracer.log(perf); + return ret; + } + + @Override + public void registerHivePolicyChangeListener(HivePolicyChangeListener listener) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerHiveACLProviderFactory.registerACLProviderChangeListener()"); + } + authContextListener.providerChangeListeners.add(listener); + + rangerPlugin.registerAuthContextEventListener(authContextListener); + + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerHiveACLProviderFactory.registerACLProviderChangeListener()"); + } + } + + private HiveResourceACLs getResourceACLs(RangerHiveResource hiveResource) { + HiveResourceACLs ret; + + RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null); + + RangerResourceACLs acls = rangerPlugin.getResourceACLs(request); + + if (LOG.isDebugEnabled()) { + LOG.debug("HiveResource:[" + hiveResource.getAsString() + "], Computed ACLS:[" + acls + "]"); + } + + Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions = convertRangerACLsToHiveACLs(acls.getUserACLs()); + Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = convertRangerACLsToHiveACLs(acls.getGroupACLs()); + + ret = new RangerHiveResourceACLs(userPermissions, groupPermissions); + + return ret; + } + + private Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> convertRangerACLsToHiveACLs(Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs) { + + Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> ret = new HashMap<>(); + + if (MapUtils.isNotEmpty(rangerACLs)) { + + for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : rangerACLs.entrySet()) { + + Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> permissions = new HashMap<>(); + + ret.put(entry.getKey(), permissions); + + for (Map.Entry<String, RangerResourceACLs.AccessResult> permission : entry.getValue().entrySet()) { + + if (hivePrivileges.contains(permission.getKey())) { + + HiveResourceACLs.Privilege privilege = HiveResourceACLs.Privilege.valueOf(StringUtils.upperCase(permission.getKey())); + + HiveResourceACLs.AccessResult accessResult; + + int rangerResultValue = permission.getValue().getResult(); + + if (rangerResultValue == RangerPolicyEvaluator.ACCESS_ALLOWED) { + accessResult = HiveResourceACLs.AccessResult.ALLOWED; + } else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_DENIED) { + accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED; + } else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_CONDITIONAL) { + accessResult = HiveResourceACLs.AccessResult.CONDITIONAL_ALLOWED; + } else { + // Should not get here + accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED; + } + + permissions.put(privilege, accessResult); + } + + } + } + } + + return ret; + } + + static class RangerHiveAuthContextListener implements RangerAuthContextListener { + Set<HivePolicyChangeListener> providerChangeListeners = new HashSet<>(); + + public void contextChanged() { + for (HivePolicyChangeListener eventListener : providerChangeListeners) { + eventListener.notifyPolicyChange(null); + } + } + } +} diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResourceACLs.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResourceACLs.java new file mode 100644 index 0000000..02dfa68 --- /dev/null +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResourceACLs.java @@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.hive.authorizer; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; + +import java.util.HashMap; +import java.util.Map; + +public class RangerHiveResourceACLs implements HiveResourceACLs { + + private final Map<String, Map<Privilege, AccessResult>> userPermissions; + private final Map<String, Map<Privilege, AccessResult>> groupPermissions; + + RangerHiveResourceACLs() { + this(null, null); + } + + RangerHiveResourceACLs(Map<String, Map<Privilege, AccessResult>> userPermissions, Map<String, Map<Privilege, AccessResult>> groupPermissions) { + this.userPermissions = userPermissions != null ? userPermissions : new HashMap<>(); + this.groupPermissions = groupPermissions != null ? groupPermissions : new HashMap<>(); + } + + @Override + public Map<String, Map<Privilege, AccessResult>> getUserPermissions() { return userPermissions; } + + @Override + public Map<String, Map<Privilege, AccessResult>> getGroupPermissions() { return groupPermissions; } +} diff --git a/pom.xml b/pom.xml index bce4f20..cb04757 100644 --- a/pom.xml +++ b/pom.xml @@ -120,7 +120,7 @@ <ozone.version>0.4.0-alpha</ozone.version> <hamcrest.all.version>1.3</hamcrest.all.version> <hbase.version>2.0.2</hbase.version> - <hive.version>3.1.0</hive.version> + <hive.version>3.1.2</hive.version> <hbase-shaded-protobuf>2.0.0</hbase-shaded-protobuf> <hbase-shaded-netty>2.0.0</hbase-shaded-netty> <hbase-shaded-miscellaneous>2.0.0</hbase-shaded-miscellaneous>