This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.3 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new 8285b13 RANGER-3593: Hive authorizer fix for access to {OWNER} user
8285b13 is described below
commit 8285b13e48058de93a0c245c9e1962b5cae0beff
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Fri Jan 21 15:46:38 2022 -0800
RANGER-3593: Hive authorizer fix for access to {OWNER} user
(cherry picked from commit 0ed9d518d8299ec3708ed93910279a18ad1f903f)
---
 .../hive/authorizer/RangerHiveAuthorizer.java | 84 ++++++++++++++++------
 .../hive/authorizer/RangerHivePolicyProvider.java | 2 +-
 2 files changed, 63 insertions(+), 23 deletions(-)
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 461d967..1fe7d31 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -42,7 +42,10 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
@@ -1441,7 +1444,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return ret;
 }
- static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
+ private RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
 RangerHiveResource resource = null;
 HivePrivilegeObjectType objectType = privilegeObject.getType();
@@ -1449,16 +1452,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 switch(objectType) {
 case DATABASE:
 case TABLE_OR_VIEW:
- resource = createHiveResource(privilegeObject);
+ resource = createHiveResource(privilegeObject, getMetaStoreClient());
 break;
 default:
- LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + objectType);
+ LOG.warn("RangerHiveAuthorizer.createHiveResourceForFiltering: unexpected objectType:" + objectType);
 }
 return resource;
 }
- static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
+ static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject, IMetaStoreClient metaStoreClient) {
 RangerHiveResource resource = null;
 HivePrivilegeObjectType objectType = privilegeObject.getType();
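Review bot: The new `metaStoreClient` parameter of `createHiveResource` is allowed to be null (RangerHivePolicyProvider passes null in this same commit), but the signature carries no Javadoc saying so or what the consequence is; add `@param metaStoreClient client used to resolve the object owner from the metastore; may be null, in which case no owner is set on the returned resource and owner-scoped policies will not match it`. In `createHiveResourceForFiltering`, `getMetaStoreClient()` is invoked once per privilege object; if this method is called in a loop over filter candidates (its caller is outside the hunk), every candidate costs a factory call plus a metastore round-trip, so obtaining the client once per request and passing it down would be cheaper and would also avoid repeating the `failed to get meta-store client` warning per object. The change from `static` to an instance method is what makes `getMetaStoreClient()` reachable here, which is presumably intended.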
@@ -1471,14 +1474,14 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 break;
 case TABLE_OR_VIEW:
 resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
- //resource.setOwnerUser(privilegeObject.getOwnerName());
+ setOwnerUser(resource, privilegeObject, metaStoreClient);
 break;
 case COLUMN:
 List<String> columns = privilegeObject.getColumns();
 int numOfColumns = columns == null ? 0 : columns.size();
 if (numOfColumns == 1) {
 resource = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
- //resource.setOwnerUser(privilegeObject.getOwnerName());
+ setOwnerUser(resource, privilegeObject, metaStoreClient);
 } else {
 LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + numOfColumns + ", objectType:" + objectType);
 }
@@ -1506,12 +1509,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 switch(objectType) {
 case DATABASE:
 ret = new RangerHiveResource(objectType, hiveObj.getDbname());
- /*
 if (!isCreateOperation(hiveOpType)) {
- ret.setOwnerUser(hiveObj.getOwnerName());
+ setOwnerUser(ret, hiveObj, getMetaStoreClient());
 }
-
- */
 break;
 case TABLE:
@@ -1524,20 +1524,15 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 ", Size of outputs = [" + (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]");
 }
- /*
- String ownerName = hiveObj.getOwnerName();
+ setOwnerUser(ret, hiveObj, getMetaStoreClient());
 if (isCreateOperation(hiveOpType)) {
 HivePrivilegeObject dbObject = getDatabaseObject(hiveObj.getDbname(), inputs, outputs);
 if (dbObject != null) {
- ownerName = dbObject.getOwnerName();
+ setOwnerUser(ret, dbObject, getMetaStoreClient());
 }
 }
- ret.setOwnerUser(ownerName);
-
- */
-
 break;
 case PARTITION:
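Review bot: In the TABLE case of the `@@ -1524` hunk, `setOwnerUser(ret, hiveObj, getMetaStoreClient());` runs before the `isCreateOperation(hiveOpType)` check, so on a CREATE the metastore is asked for a table that does not exist yet; if `getTable` throws for a missing object, every CREATE TABLE will log the `failed to get table object from Hive metastore` error from `setOwnerUser`, and the owner is then overwritten from `dbObject` anyway. Putting the table lookup in an else branch — `} else { setOwnerUser(ret, hiveObj, getMetaStoreClient()); }` after the existing `if (isCreateOperation(hiveOpType)) { ... }` block and dropping the earlier call — yields the same final owner (still unset when `dbObject` is null) without the extra round-trip or the spurious error. The two `getMetaStoreClient()` calls on this path could also become a single local, since each goes through the client factory and may log its own warning. The enclosing method starts and ends outside the hunk.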
@@ -1547,7 +1542,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 case COLUMN:
 ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName(), StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
- //ret.setOwnerUser(hiveObj.getOwnerName());
+ setOwnerUser(ret, hiveObj, getMetaStoreClient());
 break;
 case URI:
@@ -1570,7 +1565,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return ret;
 }
- /*
 private boolean isCreateOperation(HiveOperationType hiveOpType){
 boolean ret = false;
 switch (hiveOpType) {
@@ -1608,8 +1602,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 return ret;
 }
-
- */
 private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) {
 HiveObjectType objType = HiveObjectType.NONE;
@@ -2679,7 +2671,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
 }
- RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);
+ RangerHiveResource hiveResource = createHiveResource(hiveObject, getMetaStoreClient());
 RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
 ret = hivePlugin.getResourceACLs(request);
@@ -3109,6 +3101,54 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 return request;
 }
+
+ static void setOwnerUser(RangerHiveResource resource, HivePrivilegeObject hiveObj, IMetaStoreClient metaStoreClient) {
+ if (hiveObj != null) {
+ // resource.setOwnerUser(hiveObj.getOwnerName());
+ switch (hiveObj.getType()) {
+ case DATABASE:
+ try {
+ Database database = metaStoreClient != null ? metaStoreClient.getDatabase(hiveObj.getDbname()) : null;
+
+ if (database != null) {
+ resource.setOwnerUser(database.getOwnerName());
+ }
+ } catch (Exception excp) {
+ LOG.error("failed to get database object from Hive metastore. dbName=" + hiveObj.getDbname(), excp);
+ }
+ break;
+
+ case TABLE_OR_VIEW:
+ case COLUMN:
+ try {
+ Table table = metaStoreClient != null ? metaStoreClient.getTable(hiveObj.getDbname(), hiveObj.getObjectName()) : null;
+
+ if (table != null) {
+ resource.setOwnerUser(table.getOwner());
+ }
+ } catch (Exception excp) {
+ LOG.error("failed to get table object from Hive metastore. dbName=" + hiveObj.getDbname() + ", tblName=" + hiveObj.getObjectName(), excp);
+ }
+ break;
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("setOwnerUser(" + hiveObj + "): ownerName=" + resource.getOwnerUser());
+ }
+ }
+
+ private IMetaStoreClient getMetaStoreClient() {
+ IMetaStoreClient ret = null;
+
+ try {
+ ret = getMetastoreClientFactory().getHiveMetastoreClient();
+ } catch (HiveAuthzPluginException excp) {
+ LOG.warn("failed to get meta-store client", excp);
+ }
+
+ return ret;
+ }
 }
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
index 5c0fe7f..ea95fd5 100644
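Review bot: `setOwnerUser` leaves the owner unset whenever `metaStoreClient` is null, the object type has no case in the switch, or the lookup throws, which is the fail-closed direction for `{OWNER}` policies (no owner means owner-scoped policies cannot match), but nothing in the method states that this is the intended contract. Replace the dead `// resource.setOwnerUser(hiveObj.getOwnerName());` line with a Javadoc saying that ownership is resolved from the metastore rather than taken from the HivePrivilegeObject, that `metaStoreClient` may be null, and that on any failure the owner is left unset so owner-based grants do not apply. The two `catch (Exception excp)` blocks log every failure at error level; a missing table is an expected case on create paths, so a narrower catch or a lower log level for that case would keep the error log meaningful. `resource` is dereferenced in the debug log and in both branches without the null check given to `hiveObj`; an `Objects.requireNonNull(resource, "resource")` at the top would make the precondition explicit.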
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
@@ -74,7 +74,7 @@ public class RangerHivePolicyProvider implements HivePolicyProvider {
 perf = RangerPerfTracer.getPerfTracer(PERF_HIVEACLPROVIDER_REQUEST_LOG, "RangerHivePolicyProvider.getResourceACLS()");
 }
 // Extract and build RangerHiveResource from inputObject
- RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);
+ RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject, null);
 ret = getResourceACLs(hiveResource);
 RangerPerfTracer.log(perf);
 return ret;
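Review bot: `RangerHiveAuthorizer.createHiveResource(hiveObject, null)` passes no metastore client, so `setOwnerUser` never resolves an owner on this path and the ACLs returned by `getResourceACLs(hiveResource)` will not reflect grants from `{OWNER}`-scoped policies, whereas `RangerHiveAuthorizer.getRangerResourceACLs` in the same commit passes `getMetaStoreClient()`. If the policy provider genuinely has no metastore client available (not visible from this hunk), that divergence should be stated at the call site, e.g. `// no metastore client here: owner is not resolved, so {OWNER}-scoped policies are not reflected in the returned ACLs`; otherwise pass a client the same way the authorizer does. The enclosing method starts outside the hunk.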