
madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 8285b13  RANGER-3593: Hive authorizer fix for access to {OWNER} user
8285b13 is described below

commit 8285b13e48058de93a0c245c9e1962b5cae0beff
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Fri Jan 21 15:46:38 2022 -0800

    RANGER-3593: Hive authorizer fix for access to {OWNER} user
    
    (cherry picked from commit 0ed9d518d8299ec3708ed93910279a18ad1f903f)
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 84 ++++++++++++++++------
 .../hive/authorizer/RangerHivePolicyProvider.java  |  2 +-
 2 files changed, 63 insertions(+), 23 deletions(-)

diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 461d967..1fe7d31 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -42,7 +42,10 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
@@ -1441,7 +1444,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return ret;
        }
 
-       static RangerHiveResource 
createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
+       private RangerHiveResource 
createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
                RangerHiveResource resource = null;
 
                HivePrivilegeObjectType objectType = privilegeObject.getType();
@@ -1449,16 +1452,16 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                switch(objectType) {
                        case DATABASE:
                        case TABLE_OR_VIEW:
-                               resource = createHiveResource(privilegeObject);
+                               resource = createHiveResource(privilegeObject, 
getMetaStoreClient());
                                break;
                        default:
-                               
LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected 
objectType:" + objectType);
+                               
LOG.warn("RangerHiveAuthorizer.createHiveResourceForFiltering: unexpected 
objectType:" + objectType);
                }
 
                return resource;
        }
 
-       static RangerHiveResource createHiveResource(HivePrivilegeObject 
privilegeObject) {
+       static RangerHiveResource createHiveResource(HivePrivilegeObject 
privilegeObject, IMetaStoreClient metaStoreClient) {
                RangerHiveResource resource = null;
 
                HivePrivilegeObjectType objectType = privilegeObject.getType();
@@ -1471,14 +1474,14 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                break;
                        case TABLE_OR_VIEW:
                                resource = new 
RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
-                               
//resource.setOwnerUser(privilegeObject.getOwnerName());
+                               setOwnerUser(resource, privilegeObject, 
metaStoreClient);
                                break;
                        case COLUMN:
                                List<String> columns = 
privilegeObject.getColumns();
                                int numOfColumns = columns == null ? 0 : 
columns.size();
                                if (numOfColumns == 1) {
                                        resource = new 
RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
-                                       
//resource.setOwnerUser(privilegeObject.getOwnerName());
+                                       setOwnerUser(resource, privilegeObject, 
metaStoreClient);
                                } else {
                                        
LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns 
requested:" + numOfColumns + ", objectType:" + objectType);
                                }
@@ -1506,12 +1509,9 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                switch(objectType) {
                        case DATABASE:
                                ret = new RangerHiveResource(objectType, 
hiveObj.getDbname());
-                               /*
                                if (!isCreateOperation(hiveOpType)) {
-                                       
ret.setOwnerUser(hiveObj.getOwnerName());
+                                       setOwnerUser(ret, hiveObj, 
getMetaStoreClient());
                                }
-
-                                */
                        break;
        
                        case TABLE:
@@ -1524,20 +1524,15 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                                        ", Size of outputs = [" 
+ (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]");
                                }
 
-                               /*
-                               String ownerName = hiveObj.getOwnerName();
+                               setOwnerUser(ret, hiveObj, 
getMetaStoreClient());
 
                                if (isCreateOperation(hiveOpType)) {
                                        HivePrivilegeObject dbObject = 
getDatabaseObject(hiveObj.getDbname(), inputs, outputs);
                                        if (dbObject != null) {
-                                               ownerName = 
dbObject.getOwnerName();
+                                               setOwnerUser(ret, dbObject, 
getMetaStoreClient());
                                        }
                                }
 
-                               ret.setOwnerUser(ownerName);
-
-                                */
-
                        break;
 
                        case PARTITION:
@@ -1547,7 +1542,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        
                        case COLUMN:
                                ret = new RangerHiveResource(objectType, 
hiveObj.getDbname(), hiveObj.getObjectName(), 
StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
-                               //ret.setOwnerUser(hiveObj.getOwnerName());
+                               setOwnerUser(ret, hiveObj, 
getMetaStoreClient());
                        break;
 
             case URI:
@@ -1570,7 +1565,6 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                return ret;
        }
 
-       /*
        private boolean isCreateOperation(HiveOperationType hiveOpType){
                boolean ret = false;
                switch (hiveOpType) {
@@ -1608,8 +1602,6 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 
                return ret;
        }
-       
-        */
 
        private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, 
HiveOperationType hiveOpType) {
                HiveObjectType objType = HiveObjectType.NONE;
@@ -2679,7 +2671,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                        LOG.debug("==> 
RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
                }
 
-               RangerHiveResource hiveResource = 
RangerHiveAuthorizer.createHiveResource(hiveObject);
+               RangerHiveResource hiveResource = 
createHiveResource(hiveObject, getMetaStoreClient());
                RangerAccessRequestImpl request = new 
RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, 
null, null);
 
                ret = hivePlugin.getResourceACLs(request);
@@ -3109,6 +3101,54 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                }
                return request;
        }
+
+       static void setOwnerUser(RangerHiveResource resource, 
HivePrivilegeObject hiveObj, IMetaStoreClient metaStoreClient) {
+               if (hiveObj != null) {
+                       // resource.setOwnerUser(hiveObj.getOwnerName());
+                       switch (hiveObj.getType()) {
+                               case DATABASE:
+                                       try {
+                                               Database database = 
metaStoreClient != null ? metaStoreClient.getDatabase(hiveObj.getDbname()) : 
null;
+
+                                               if (database != null) {
+                                                       
resource.setOwnerUser(database.getOwnerName());
+                                               }
+                                       } catch (Exception excp) {
+                                               LOG.error("failed to get 
database object from Hive metastore. dbName=" + hiveObj.getDbname(), excp);
+                                       }
+                                       break;
+
+                               case TABLE_OR_VIEW:
+                               case COLUMN:
+                                       try {
+                                               Table table = metaStoreClient 
!= null ? metaStoreClient.getTable(hiveObj.getDbname(), 
hiveObj.getObjectName()) : null;
+
+                                               if (table != null) {
+                                                       
resource.setOwnerUser(table.getOwner());
+                                               }
+                                       } catch (Exception excp) {
+                                               LOG.error("failed to get table 
object from Hive metastore. dbName=" + hiveObj.getDbname() + ", tblName=" + 
hiveObj.getObjectName(), excp);
+                                       }
+                                       break;
+                       }
+               }
+
+               if (LOG.isDebugEnabled()) {
+                       LOG.debug("setOwnerUser(" + hiveObj + "): ownerName=" + 
resource.getOwnerUser());
+               }
+       }
+
+       private IMetaStoreClient getMetaStoreClient() {
+               IMetaStoreClient ret = null;
+
+               try {
+                       ret = 
getMetastoreClientFactory().getHiveMetastoreClient();
+               } catch (HiveAuthzPluginException excp) {
+                       LOG.warn("failed to get meta-store client", excp);
+               }
+
+               return ret;
+       }
 }
 
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, 
FUNCTION, URI, SERVICE_NAME, GLOBAL };
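Review bot: setOwnerUser turns every lookup failure, including the ordinary not-found case, into an unset ownerUser, so `{OWNER}` policy items stop matching when the metastore is unreachable; that is the safe (fail-closed) outcome but it is nowhere stated, so add above the switch: `// Lookup failures leave ownerUser unset, so {OWNER} policy items will not match (fail closed).`. Because the missing-object case is routine (DROP IF EXISTS, existence checks, creates), logging it at ERROR with a stack trace on every authorization call will flood logs and hide real metastore outages; log the not-found exception at DEBUG and keep ERROR for the rest, if the metastore's not-found exception type is available here. Each call is also an uncached metastore RPC per privilege object, one per column via createHiveResource, on the authorization hot path, so a short-lived per-request cache keyed by db/table would bound the added latency and metastore load. The debug line dereferences `resource` unconditionally, so a null resource passed alongside a null hiveObj would NPE; guard it with `resource != null` or state the non-null precondition in a comment.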
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
index 5c0fe7f..ea95fd5 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java
@@ -74,7 +74,7 @@ public class RangerHivePolicyProvider implements 
HivePolicyProvider {
                    perf = 
RangerPerfTracer.getPerfTracer(PERF_HIVEACLPROVIDER_REQUEST_LOG, 
"RangerHivePolicyProvider.getResourceACLS()");
            }
            // Extract and build RangerHiveResource from inputObject
-           RangerHiveResource hiveResource = 
RangerHiveAuthorizer.createHiveResource(hiveObject);
+           RangerHiveResource hiveResource = 
RangerHiveAuthorizer.createHiveResource(hiveObject, null);
            ret = getResourceACLs(hiveResource);
            RangerPerfTracer.log(perf);
                return ret;
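Review bot: Passing `null` as the metastore client on the changed line means resources built by this provider never get an ownerUser, so the ACLs it reports will omit anything granted through `{OWNER}` items while enforcement in RangerHiveAuthorizer does resolve the owner; the two views will disagree for owner-based grants. If RangerHivePolicyProvider can reach the authorizer's metastore client factory, thread that client through instead of `null`; otherwise add a comment on this line, e.g. `// no metastore client here: owner is not resolved, so {OWNER} policy items are not reflected in the returned ACLs`, so the discrepancy is visibly deliberate. Only part of getResourceACLs is inside this hunk.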
