From 7dec3015ec82b69ba8f724410f12dfce2480cccd Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Tue, 12 Oct 2021 11:55:30 -0700
Subject: [PATCH] RANGER-3474:RangerHivePlugin enhancement to handle new Hive commands

---
 .../hive/authorizer/RangerHiveAuthorizer.java | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dd758e9f09..2be442460a 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -905,6 +905,14 @@ public void checkPrivileges(HiveOperationType hiveOpType,
                 //
                 RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
                 requests.add(request);
+            } else if (hiveOpType.equals(HiveOperationType.ALTERTABLE_OWNER)) {
+                RangerHiveAccessRequest request = buildRequestForAlterTableSetOwnerFromCommandString(user, groups, roles, hiveOpType.name(), context, sessionContext);
+                if (request != null) {
+                    requests.add(request);
+                } else {
+                    throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
+                            user, hiveOpType.name()));
+                }
             } else {
                 if (LOG.isDebugEnabled()) {
                     LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
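Review bot: The `else` branch of the new ALTERTABLE_OWNER case throws a "does not have privilege" denial when `buildRequestForAlterTableSetOwnerFromCommandString` returns null, which (from its body in this patch) means the target table could not be determined from the command string, not that a policy denied the user. Failing closed here is right, but the message misattributes the cause, and because no RangerHiveAccessRequest is evaluated on that path there is presumably no Ranger audit record for the denial — worth confirming. Consider `throw new HiveAccessControlException(String.format("Permission denied: unable to determine target table for [%s] command issued by user [%s]", hiveOpType.name(), user));` and a debug-level log before it so operators can distinguish parse failures from policy denials. The enclosing `checkPrivileges` method starts and ends outside this hunk.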
@@ -3079,6 +3087,28 @@ private RangerRole getRangerRoleForRoleName(String roleName) {
         }
         return ret;
     }
+
+    private RangerHiveAccessRequest buildRequestForAlterTableSetOwnerFromCommandString(String user,
+                                                                                       Set userGroups,
+                                                                                       Set userRoles,
+                                                                                       String hiveOpTypeName,
+                                                                                       HiveAuthzContext context,
+                                                                                       HiveAuthzSessionContext sessionContext) {
+        RangerHiveResource resource = null;
+        RangerHiveAccessRequest request = null;
+        HiveObj hiveObj = new HiveObj();
+        hiveObj.fetchHiveObjForAlterTable(context);
+        String dbName = hiveObj.getDatabaseName();
+        String tableName = hiveObj.getTableName();
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Database: " + dbName + " Table: " + tableName);
+        }
+        if (dbName != null && tableName != null) {
+            resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+            request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.ALTER, context, sessionContext);
+        }
+        return request;
+    }
 }
 
 enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
@@ -3088,6 +3118,8 @@ class HiveObj {
     String databaseName;
     String tableName;
 
+    HiveObj() {}
+
     HiveObj(HiveAuthzContext context) {
         fetchHiveObj(context);
     }
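Review bot: `buildRequestForAlterTableSetOwnerFromCommandString` has no Javadoc, and its contract matters to the caller: it derives the authorization resource from the raw command text via `hiveObj.fetchHiveObjForAlterTable(context)` rather than from Hive's resolved input objects, and a null return means "target table could not be determined" — the caller in `checkPrivileges` turns that into a denial. A short Javadoc stating that the resource is parsed from the command string, that the request carries `HiveAccessType.ALTER`, and that null signals an unparsable command (to be treated as fail-closed) would make this explicit. The debug line also lacks the `RangerHiveAuthorizer.<method>: ` prefix used elsewhere in this file, e.g. `LOG.debug("RangerHiveAuthorizer.buildRequestForAlterTableSetOwnerFromCommandString: Database: " + dbName + " Table: " + tableName);`. The parameters appear here as raw `Set userGroups` / `Set userRoles`; that is likely `Set<String>` lost in extraction, but if the source really uses raw types it should be parameterized.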
@@ -3120,6 +3152,29 @@ private void fetchHiveObj(HiveAuthzContext context) {
         }
     }
 
+    public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
+        // cmd passed: Alter Table set owner user|role
+        if (context != null) {
+            String cmdString = context.getCommandString();
+            if (cmdString != null) {
+                String[] cmd = cmdString.trim().split("\\s+");
+                if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
+                    tableName = cmd[2];
+                    if (tableName.contains(".")) {
+                        String[] result = splitDBName(tableName);
+                        databaseName = result[0];
+                        tableName = result[1];
+                    } else {
+                        SessionState sessionState = SessionState.get();
+                        if (sessionState != null) {
+                            databaseName = sessionState.getCurrentDatabase();
+                        }
+                    }
+                }
+            }
+        }
+    }
+
     private String[] splitDBName(String dbName) {
         String[] ret = null;
         ret = dbName.split("\\.");
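Review bot: `fetchHiveObjForAlterTable` indexes `result[0]` and `result[1]` without checking the array length; `splitDBName` continues outside the hunk, but its visible `dbName.split("\\.")` drops trailing empty strings, so a token like `db.` yields a one-element array and `result[1]` throws ArrayIndexOutOfBoundsException out of the authorizer instead of a clean denial, while `.tbl` yields an empty database name that is then authorized as a resource and `a.b.c` silently discards the third part. Since this string is the basis of an authorization decision, malformed input should leave both names null so the caller fails closed; the rewrite below does that. Note also that `cmd[2]` keeps any backtick quoting around identifiers, so quoted names will not match policy resources (a denial, not a bypass, but worth documenting), and `!ArrayUtils.isEmpty(cmd) &&` is redundant given `cmd.length > 2`. The header comment should state what the parser actually assumes, e.g. `// expected cmd: ALTER TABLE [db.]table SET OWNER USER|ROLE name — the third whitespace token is taken as the table`.
```java
                    if (tableName.contains(".")) {
                        String[] result = splitDBName(tableName);
                        // Accept only a well-formed db.table pair; anything else leaves both
                        // names null so the caller denies rather than authorizing a partial name.
                        if (result != null && result.length == 2 && !result[0].isEmpty() && !result[1].isEmpty()) {
                            databaseName = result[0];
                            tableName = result[1];
                        } else {
                            databaseName = null;
                            tableName = null;
                        }
                    } else {
                        // … unchanged: current-database fallback via SessionState …
```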