Repository: incubator-sentry Updated Branches: refs/heads/master ca09fe03d -> 1f8ba5f7b
Seperate udfuri privilege from anyPrivilege model (Xiaomeng Huang via Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1f8ba5f7 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1f8ba5f7 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1f8ba5f7 Branch: refs/heads/master Commit: 1f8ba5f7b1b5d09be00014fd984fd921f15bc829 Parents: ca09fe0 Author: Huang Xiaomeng <[email protected]> Authored: Tue Jan 20 14:38:55 2015 +0800 Committer: Huang Xiaomeng <[email protected]> Committed: Tue Jan 20 14:38:55 2015 +0800
----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java | 39 ++++++++++----------
 .../binding/hive/authz/HiveAuthzPrivileges.java | 2 +-
 .../hive/authz/HiveAuthzPrivilegesMap.java | 17 +++++++--
 .../binding/hive/TestHiveAuthzBindings.java | 8 ++--
 4 files changed, 36 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1f8ba5f7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 9a2026a..862c6a5 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -31,7 +31,6 @@ import java.util.Set;
 import org.apache.hadoop.hive.common.JavaUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hadoop.hive.ql.exec.FunctionRegistry;
 import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.hooks.Entity;
@@ -461,10 +460,26 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
 outputHierarchy.add(externalAuthorizableHierarchy);
 }
 break;
+ case FUNCTION:
+ /* The 'FUNCTION' privilege scope currently used for
+ * - CREATE TEMP FUNCTION
+ * - DROP TEMP FUNCTION.
+ */
+ if (udfURI != null) {
+ List<DBModelAuthorizable> udfUriHierarchy = new ArrayList<DBModelAuthorizable>();
+ udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
+ udfUriHierarchy.add(udfURI);
+ inputHierarchy.add(udfUriHierarchy);
+ for (WriteEntity writeEntity : outputs) {
+ List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
+ entityHierarchy.add(hiveAuthzBinding.getAuthServer());
+ entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
+ outputHierarchy.add(entityHierarchy);
+ }
+ }
+ break;
 case CONNECT:
 /* The 'CONNECT' is an implicit privilege scope currently used for
- * - CREATE TEMP FUNCTION
- * - DROP TEMP FUNCTION
 * - USE <db>
 * It's allowed when the user has any privilege on the current database. For application
 * backward compatibility, we allow (optional) implicit connect permission on 'default' db.
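Review bot: In the new `case FUNCTION:` branch nothing is added to inputHierarchy or outputHierarchy when udfURI is null, which is the situation for DROP TEMP FUNCTION and for CREATE TEMP FUNCTION without a jar URI, so whether such a statement is allowed for an unprivileged user now depends entirely on how HiveAuthzBinding.authorize treats empty hierarchies, which is not visible here. The CONNECT path this replaces at least required some privilege on the current database for these statements, and the matching `functionPrivilege` entry in HiveAuthzPrivilegesMap declares a URI requirement that can never be matched when the statement carries no URI, so the intended floor should be made explicit rather than implicit. At minimum add an else branch with a comment such as `// udfURI == null: no authorizable is recorded for this statement — confirm authorize() denies rather than vacuously passes`, or build the connect hierarchy there as the old code did. The enclosing switch and method begin and end outside this hunk.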
@@ -476,9 +491,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { Column currCol = Column.ALL; if ((DEFAULT_DATABASE_NAME.equalsIgnoreCase(currDB.getName()) && "false".equalsIgnoreCase(authzConf. - get(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"))) - ||stmtOperation.equals(HiveOperation.CREATEFUNCTION) - ||stmtOperation.equals(HiveOperation.DROPFUNCTION)) { + get(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false")))) { currDB = Database.ALL; currTbl = Table.SOME; } @@ -488,20 +501,6 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { connectHierarchy.add(currCol); inputHierarchy.add(connectHierarchy); - // check if this is a create temp function and we need to validate URI - if (udfURI != null) { - List<DBModelAuthorizable> udfUriHierarchy = new ArrayList<DBModelAuthorizable>(); - udfUriHierarchy.add(hiveAuthzBinding.getAuthServer()); - udfUriHierarchy.add(udfURI); - inputHierarchy.add(udfUriHierarchy); - for (WriteEntity writeEntity : outputs) { - List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); - entityHierarchy.add(hiveAuthzBinding.getAuthServer()); - entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity)); - outputHierarchy.add(entityHierarchy); - } - } - outputHierarchy.add(connectHierarchy); break; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1f8ba5f7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java index 98dbc8d..8cd82ef 100644 
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java
@@ -51,7 +51,7 @@ public class HiveAuthzPrivileges {
 SERVER,
 DATABASE,
 TABLE,
- URI,
+ FUNCTION,
 CONNECT
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1f8ba5f7/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index daaecbf..11c1a0f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -167,12 +167,17 @@ public class HiveAuthzPrivilegesMap {
 setOperationType(HiveOperationType.DML).
 build();
+ HiveAuthzPrivileges functionPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
+ addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
+ addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
+ setOperationScope(HiveOperationScope.FUNCTION).
+ setOperationType(HiveOperationType.DATA_LOAD).
+ build();
+
 HiveAuthzPrivileges anyPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
 addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT, DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.INDEX, DBModelAction.LOCK)).
- addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). //TODO: make them ||
- addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
 setOperationScope(HiveOperationScope.CONNECT).
 setOperationType(HiveOperationType.QUERY).
 build();
@@ -231,9 +236,13 @@ public class HiveAuthzPrivilegesMap {
 hiveAuthzStmtPrivMap.put(HiveOperation.ANALYZE_TABLE, tableQueryPrivilege);
+ // SWITCHDATABASE
 hiveAuthzStmtPrivMap.put(HiveOperation.SWITCHDATABASE, anyPrivilege);
- hiveAuthzStmtPrivMap.put(HiveOperation.CREATEFUNCTION, anyPrivilege);
- hiveAuthzStmtPrivMap.put(HiveOperation.DROPFUNCTION, anyPrivilege);
+
+ // CREATEFUNCTION
+ // DROPFUNCTION
+ hiveAuthzStmtPrivMap.put(HiveOperation.CREATEFUNCTION, functionPrivilege);
+ hiveAuthzStmtPrivMap.put(HiveOperation.DROPFUNCTION, functionPrivilege);
 // SHOWDATABASES
 // SHOWTABLES
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1f8ba5f7/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
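Review bot: `functionPrivilege` labels CREATE FUNCTION and DROP FUNCTION as `HiveOperationType.DATA_LOAD`, which reads as a misclassification for function DDL; if HiveOperationType is consulted anywhere beyond this map (for example to select a hierarchy-building path or for auditing), a DDL type — if the enum defines one — would be the consistent choice, and otherwise a one-line comment explaining why DATA_LOAD was chosen would help the next reader. The added `// CREATEFUNCTION` and `// DROPFUNCTION` comments only repeat the enum names; a note that both statements are now gated on the jar URI alone, with no database privilege required, would carry the information a reviewer actually needs. The enclosing block begins and ends outside this hunk.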
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index b942678..7961e05 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -294,10 +294,6 @@ public class TestHiveAuthzBindings {
 @Test
 public void testValidateCreateFunctionAppropiateURI() throws Exception {
 inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
- new Server(SERVER1), new Database(CUSTOMER_DB), new Table(AccessConstants.ALL),
- new Column(AccessConstants.ALL)
- }));
- inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
 new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar")
 }));
 testAuth.authorize(HiveOperation.CREATEFUNCTION, createFuncPrivileges, ANALYST_SUBJECT,
@@ -305,7 +301,9 @@ public class TestHiveAuthzBindings {
 }
 @Test(expected=AuthorizationException.class)
 public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception {
- inputTabHierarcyList.add(buildObjectHierarchy(SERVER1, CUSTOMER_DB, AccessConstants.ALL));
+ inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
+ new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar")
+ }));
 testAuth.authorize(HiveOperation.CREATEFUNCTION, createFuncPrivileges, NO_SUCH_SUBJECT,
 inputTabHierarcyList, outputTabHierarcyList);
 }
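Review bot: Both rewritten tests exercise only the path where a jar URI is present in the input hierarchy; there is no test for CREATEFUNCTION or DROPFUNCTION with an empty `inputTabHierarcyList`, which is what the hook produces when the statement carries no URI, so the most security-relevant outcome of this change — whether such statements are denied for `NO_SUCH_SUBJECT` — is left unpinned. A rejection test in the style of `testValidateCreateFunctionRejectionForUnknownUser` that leaves the list empty and calls `testAuth.authorize(HiveOperation.DROPFUNCTION, ...)` would close that gap. Both test methods continue past the end of their hunks.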
