From e4627ce304ea44ddeffa6f822247fc5e105d9aba Mon Sep 17 00:00:00 2001 From: Thejas M Nair Date: Fri, 23 Feb 2018 14:08:08 -0800 Subject: [PATCH 1/4] add policy provider interfaces --- .../plugin/AbstractHiveAuthorizer.java | 13 +++++++++- .../authorization/plugin/HiveAuthorizer.java | 6 ++++- .../plugin/HivePolicyChangeListener.java | 18 ++++++++++++++ .../plugin/HivePolicyProvider.java | 19 +++++++++++++++ .../plugin/HiveResourceACLs.java | 24 +++++++++++++++++++ 5 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java create mode 100644 ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java create mode 100644 ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java index 4441934c2bfb..99def6d293d1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java @@ -17,7 +17,6 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin; - /** * Abstract class that extends HiveAuthorizer. This will help to shield * Hive authorization implementations from some of the changes to HiveAuthorizer @@ -38,4 +37,16 @@ public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveA return null; } + /* + * (non-Javadoc) + * + * @see + * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer# + * createHivePolicyProvider() + */ + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } 
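Review bot: The default `getHivePolicyProvider()` added to AbstractHiveAuthorizer returns `null`, but the `@return` text on the new HiveAuthorizer method in the same patch promises an instance and never mentions null, so a caller written against the interface will dereference it. Because this is authorization data, the contract should also say what absence means. I would put the same sentence on the interface Javadoc and on this override: `@return the policy provider, or null if this authorizer does not expose its policies; callers must not treat null as "no restrictions"`. The class body starts and ends outside the hunk.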
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 9783c564d1cf..b69d6e804c39 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -275,5 +275,9 @@ public List applyRowFilterAndColumnMasking(HiveAuthzContext */ public boolean needTransform(); + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } - diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java new file mode 100644 index 000000000000..bb0f8e3dda6a --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java @@ -0,0 +1,18 @@ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import java.util.List; + +/** + * This would be implemented by a class that needs to be notified when there is + * a policy change + */ +public interface HivePolicyChangeListener { + /** + * @param hpo + * List of Objects whose privileges have changed. If undetermined, + * null can be returned (implies that it should be treated as if all object + * policies might have changed). + */ + void notifyPolicyChange(List hpo); + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java new file mode 100644 index 000000000000..0f92872e53e8 --- /dev/null 
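Review bot: `getHivePolicyProvider()` is added to the HiveAuthorizer interface as an abstract method, so an authorization plugin that implements the interface directly instead of extending AbstractHiveAuthorizer will stop compiling, or fail at call time if it was built against the older interface. The AbstractHiveAuthorizer Javadoc visible earlier in this patch says the base class exists to shield implementations from such changes, so the interface Javadoc should at least tell implementers to extend it. The `@throws HiveAuthzPluginException` tag also has no description; `@throws HiveAuthzPluginException if the plugin cannot create or return its policy provider` would do. The interface body starts outside the hunk.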
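Review bot: The `@param hpo` text on `notifyPolicyChange` in HivePolicyChangeListener says null "can be returned", but `hpo` is an argument, so it should read "can be passed". The null-means-everything convention is also easy for an implementer to miss: a listener that caches ACLs and ignores the null case would keep serving stale grants after a revoke. I would state the obligation directly: `@param hpo objects whose privileges changed; null means the change set is unknown and every cached policy must be treated as stale`. The element type of the list is not visible in this rendering of the patch; if the parameter really is a raw `List`, it should be `List<HivePrivilegeObject>`.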
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
@@ -0,0 +1,19 @@
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins
+ */
+public interface HivePolicyProvider {
+ /**
+ * @param hiveObject
+ * @return representation of user/group to permissions mapping.
+ */
+ public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+ /**
+ * @param listener
+ */
+ public void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 000000000000..f669c810bf9b
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
@@ -0,0 +1,24 @@
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+import java.util.Map;
+
+public interface HiveResourceACLs {
+ enum Privilege {
+ SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+ };
+
+ enum AccessResult {
+ ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+ };
+
+
+ /**
+ * @return Returns mapping of user name to privilege-access result pairs
+ */
+ public Map> getUserPermissions();
+
+ /**
+ * @return Returns mapping of group name to privilege-access result pairs
+ */
+ public Map> getGroupPermissions();
+
+}
From 4e0157d3aecf3f1d94eb790cb1a0f91dfeb3e25a Mon Sep 17 00:00:00 2001 From: Thejas M Nair Date: Fri, 23 Feb 2018 14:23:51 -0800 Subject: [PATCH 2/4] Add ASL header --- .../plugin/HivePolicyChangeListener.java | 17 +++++++++++++++++ .../plugin/HivePolicyProvider.java | 17 +++++++++++++++++ .../plugin/HiveResourceACLs.java | 19 ++++++++++++++++++- 3 files changed, 52 insertions(+), 1 deletion(-)
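Review bot: `getResourceACLs` in HivePolicyProvider has an empty `@param hiveObject` and does not say what is returned for an object the plugin holds no policy for, so a consumer cannot tell "no grants" from "unknown" and may guess in the permissive direction. I would pin it in the Javadoc: `@return ACLs for hiveObject, never null; an empty result means no user or group has been granted access`. `registerHivePolicyChangeListener` has an empty `@param listener` as well; it should state whether several listeners may be registered and on which thread notifications are delivered. No way to unregister a listener is visible in this interface, which is worth a sentence if that is intentional.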
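Review bot: In HiveResourceACLs the `AccessResult` enum and the two getters leave the deny semantics undefined: nothing says how a consumer should treat a user, group or privilege that is absent from the returned map, or what `CONDITIONAL_ALLOWED` stands for. For an ACL export this decides whether consumers fail open or closed, so I would document it on the enum: `A principal or privilege missing from the map is NOT_ALLOWED; CONDITIONAL_ALLOWED must not be treated as ALLOWED`. It would also help to say which conditions are meant; presumably they are ones this view cannot express, but that is not visible in the patch. The one-line enum Javadoc added later in PATCH 4/4 does not cover this. The getters should also state whether the returned maps are snapshots or live views that callers must not modify.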
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java index bb0f8e3dda6a..e75776c690c6 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java @@ -1,3 +1,20 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.hadoop.hive.ql.security.authorization.plugin; import java.util.List; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java index 0f92872e53e8..c2494930c80d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java 
@@ -1,3 +1,20 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.hadoop.hive.ql.security.authorization.plugin; /** diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java index f669c810bf9b..8be613fc757f 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java 
@@ -1,4 +1,22 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.hadoop.hive.ql.security.authorization.plugin; + import java.util.Map; public interface HiveResourceACLs { @@ -10,7 +28,6 @@ enum AccessResult { ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED }; - /** * @return Returns mapping of user name to privilege-access result pairs */ From fdf53ccb821e2162dc774f4bf12b6eb641900c38 Mon Sep 17 00:00:00 2001 From: Thejas M Nair Date: Tue, 27 Feb 2018 22:20:18 -0800 Subject: [PATCH 3/4] fix method name in AbstractHiveAuthorizer javadoc --- .../security/authorization/plugin/AbstractHiveAuthorizer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java index 99def6d293d1..29d988e5feb2 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java 
@@ -39,10 +39,10 @@ public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveA /* * (non-Javadoc) - * + * * @see * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer# - * createHivePolicyProvider() + * getHivePolicyProvider() */ @Override public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { From 07f8815d89ed3f2a3b560cb0f25ef8188ccbc015 Mon Sep 17 00:00:00 2001 From: Thejas M Nair Date: Wed, 28 Feb 2018 11:52:00 -0800 Subject: [PATCH 4/4] fixing checkstyle issues --- .../authorization/plugin/HiveAuthorizer.java | 6 +++--- .../plugin/HivePolicyChangeListener.java | 2 +- .../authorization/plugin/HivePolicyProvider.java | 6 +++--- .../authorization/plugin/HiveResourceACLs.java | 13 +++++++++++-- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index b69d6e804c39..a4079b892e58 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -263,7 +263,7 @@ List showPrivileges(HivePrincipal principal, HivePrivilegeObj * * @throws SemanticException */ - public List applyRowFilterAndColumnMasking(HiveAuthzContext context, + List applyRowFilterAndColumnMasking(HiveAuthzContext context, List privObjs) throws SemanticException; /** @@ -273,11 +273,11 @@ public List applyRowFilterAndColumnMasking(HiveAuthzContext * @return * @throws SemanticException */ - public boolean needTransform(); + boolean needTransform(); /** * @return HivePolicyProvider instance (expected to be a singleton) * @throws HiveAuthzPluginException */ - public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } 
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java index e75776c690c6..577f609f4031 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java @@ -21,7 +21,7 @@ /** * This would be implemented by a class that needs to be notified when there is - * a policy change + * a policy change. */ public interface HivePolicyChangeListener { /** diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java index c2494930c80d..a9d1bd5da9ba 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java @@ -19,18 +19,18 @@ /** * Interface that can be used to retrieve authorization policy information from - * authorization plugins + * authorization plugins. */ public interface HivePolicyProvider { /** * @param hiveObject * @return representation of user/group to permissions mapping. */ - public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject); + HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject); /** * @param listener */ - public void registerHivePolicyChangeListener(HivePolicyChangeListener listener); + void registerHivePolicyChangeListener(HivePolicyChangeListener listener); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java index 8be613fc757f..53e221fe9cab 100644 
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java @@ -19,11 +19,20 @@ import java.util.Map; +/** + * Captures authorization policy information on a {@link HivePrivilegeObject}. + */ public interface HiveResourceACLs { + /** + * Privilege types. + */ enum Privilege { SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE }; + /** + * Privilege access result. + */ enum AccessResult { ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED }; @@ -31,11 +40,11 @@ enum AccessResult { /** * @return Returns mapping of user name to privilege-access result pairs */ - public Map> getUserPermissions(); + Map> getUserPermissions(); /** * @return Returns mapping of group name to privilege-access result pairs */ - public Map> getGroupPermissions(); + Map> getGroupPermissions(); }