pvary commented on a change in pull request #1221:
URL: https://github.com/apache/hive/pull/1221#discussion_r458607547
##########
File path:
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
##########
@@ -81,48 +92,261 @@ public HiveMetaStoreAuthorizer(Configuration config) {
@Override
public final void onEvent(PreEventContext preEventContext) throws
MetaException, NoSuchObjectException, InvalidOperationException {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> HiveMetaStoreAuthorizer.onEvent(): EventType=" +
preEventContext.getEventType());
+ LOG.debug("==> HiveMetaStoreAuthorizer.onEvent(): EventType=" +
preEventContext.getEventType());
+
+ try {
+ HiveAuthorizer hiveAuthorizer = createHiveMetaStoreAuthorizer();
+ if (!skipAuthorization()) {
+ HiveMetaStoreAuthzInfo authzContext =
buildAuthzContext(preEventContext);
+ checkPrivileges(authzContext, hiveAuthorizer);
+ }
+ } catch (Exception e) {
+ LOG.error("HiveMetaStoreAuthorizer.onEvent(): failed", e);
+ throw new MetaException(e.getMessage());
}
- HiveMetaStoreAuthzInfo authzContext = buildAuthzContext(preEventContext);
+ LOG.debug("<== HiveMetaStoreAuthorizer.onEvent(): EventType=" +
preEventContext.getEventType());
+ }
- if (!skipAuthorization(authzContext)) {
- try {
- HiveConf hiveConf = new
HiveConf(super.getConf(), HiveConf.class);
- HiveAuthorizerFactory authorizerFactory =
HiveUtils.getAuthorizerFactory(hiveConf,
HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
+ @Override
+ public final List<String> filterDatabases(List<String> list) throws
MetaException {
+ LOG.debug("HiveMetaStoreAuthorizer.filterDatabases()");
- if (authorizerFactory != null) {
- HiveMetastoreAuthenticationProvider authenticator =
tAuthenticator.get();
+ if (list == null) {
+ return Collections.emptyList();
+ }
- authenticator.setConf(hiveConf);
+ DatabaseFilterContext databaseFilterContext = new
DatabaseFilterContext(list);
+ HiveMetaStoreAuthzInfo hiveMetaStoreAuthzInfo =
databaseFilterContext.getAuthzContext();
+ List<String> filteredDatabases =
filterDatabaseObjects(hiveMetaStoreAuthzInfo);
+ if (CollectionUtils.isEmpty(filteredDatabases)) {
+ filteredDatabases = Collections.emptyList();
+ }
- HiveAuthzSessionContext.Builder authzContextBuilder = new
HiveAuthzSessionContext.Builder();
+ LOG.debug("HiveMetaStoreAuthorizer.filterDatabases() :" +
filteredDatabases);
Review comment:
We might want to add some info-level logging as well for supportability
reasons, e.g.
LOG.info("Filtered out 2 databases from 1000") or similar.
What do you think?
The same applies to the other filters.