Refactor GRANT/REVOKE in Hive

Leverage newly introduced method for recursive role grants traversal
prestodb · Feb 27, 2019 · 0e03eff · 0e03eff
1 parent 56c41c8
commit 0e03eff
Show file tree

Hide file tree

Showing 19 changed files with 250 additions and 609 deletions.
diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/HiveMetadata.java b/presto-hive/src/main/java/com/facebook/presto/hive/HiveMetadata.java
@@ -26,6 +26,7 @@
 import com.facebook.presto.hive.metastore.SortingColumn;
 import com.facebook.presto.hive.metastore.StorageFormat;
 import com.facebook.presto.hive.metastore.Table;
+import com.facebook.presto.hive.metastore.thrift.ThriftMetastoreUtil;
 import com.facebook.presto.hive.statistics.HiveStatisticsProvider;
 import com.facebook.presto.spi.ColumnHandle;
 import com.facebook.presto.spi.ColumnMetadata;
@@ -179,6 +180,7 @@
 import static com.facebook.presto.hive.metastore.MetastoreUtil.verifyOnline;
 import static com.facebook.presto.hive.metastore.StorageFormat.VIEW_STORAGE_FORMAT;
 import static com.facebook.presto.hive.metastore.StorageFormat.fromHiveStorageFormat;
+import static com.facebook.presto.hive.metastore.thrift.ThriftMetastoreUtil.listApplicableTablePrivileges;
 import static com.facebook.presto.hive.util.ConfigurationUtils.toJobConf;
 import static com.facebook.presto.hive.util.Statistics.ReduceOperator.ADD;
 import static com.facebook.presto.hive.util.Statistics.createComputedStatisticsToPartitionMap;
@@ -1942,7 +1944,7 @@ public void revokeRoles(ConnectorSession session, Set<String> roles, Set<PrestoP
     @Override
     public Set<RoleGrant> listApplicableRoles(ConnectorSession session, PrestoPrincipal principal)
     {
-        return metastore.listApplicableRoles(principal);
+        return ThriftMetastoreUtil.listApplicableRoles(principal, metastore::listRoleGrants);
     }
 
     @Override
@@ -1976,10 +1978,11 @@ public List<GrantInfo> listTablePrivileges(ConnectorSession session, SchemaTable
     {
         ImmutableList.Builder<GrantInfo> grantInfos = ImmutableList.builder();
         for (SchemaTableName tableName : listTables(session, schemaTablePrefix)) {
-            Set<PrivilegeInfo> privileges = metastore.getTablePrivileges(session.getUser(), tableName.getSchemaName(), tableName.getTableName()).stream()
+            Set<PrivilegeInfo> privileges =
-                    .map(HivePrivilegeInfo::toPrivilegeInfo)
+                    listApplicableTablePrivileges(metastore, tableName.getSchemaName(), tableName.getTableName(), new PrestoPrincipal(USER, session.getUser())).stream()
-                    .flatMap(Set::stream)
+                            .map(HivePrivilegeInfo::toPrivilegeInfo)
-                    .collect(toImmutableSet());
+                            .flatMap(Set::stream)
+                            .collect(toImmutableSet());
 
             grantInfos.add(
                     new GrantInfo(

diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/metastore/CachingHiveMetastore.java b/presto-hive/src/main/java/com/facebook/presto/hive/metastore/CachingHiveMetastore.java
@@ -51,6 +51,7 @@
 import static com.facebook.presto.hive.metastore.HivePartitionName.hivePartitionName;
 import static com.facebook.presto.hive.metastore.HiveTableName.hiveTableName;
 import static com.facebook.presto.hive.metastore.PartitionFilter.partitionFilter;
+import static com.facebook.presto.spi.security.PrincipalType.USER;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Throwables.throwIfInstanceOf;
 import static com.google.common.base.Throwables.throwIfUnchecked;
@@ -83,8 +84,7 @@ public class CachingHiveMetastore
     private final LoadingCache<HivePartitionName, Optional<Partition>> partitionCache;
     private final LoadingCache<PartitionFilter, Optional<List<String>>> partitionFilterCache;
     private final LoadingCache<HiveTableName, Optional<List<String>>> partitionNamesCache;
-    private final LoadingCache<String, Set<String>> userRolesCache;
+    private final LoadingCache<UserTableKey, Set<HivePrivilegeInfo>> tablePrivilegesCache;
-    private final LoadingCache<UserTableKey, Set<HivePrivilegeInfo>> userTablePrivileges;
     private final LoadingCache<String, Set<String>> rolesCache;
     private final LoadingCache<PrestoPrincipal, Set<RoleGrant>> roleGrantsCache;
 
@@ -187,11 +187,8 @@ public Map<HivePartitionName, Optional<Partition>> loadAll(Iterable<? extends Hi
                     }
                 }, executor));
 
-        userRolesCache = newCacheBuilder(expiresAfterWriteMillis, refreshMills, maximumSize)
+        tablePrivilegesCache = newCacheBuilder(expiresAfterWriteMillis, refreshMills, maximumSize)
-                .build(asyncReloading(CacheLoader.from(user -> loadRoles(user)), executor));
+                .build(asyncReloading(CacheLoader.from(key -> loadTablePrivileges(key.getDatabase(), key.getTable(), key.getPrincipal())), executor));
-
-        userTablePrivileges = newCacheBuilder(expiresAfterWriteMillis, refreshMills, maximumSize)
-                .build(asyncReloading(CacheLoader.from(key -> loadTablePrivileges(key.getUser(), key.getDatabase(), key.getTable())), executor));
 
         rolesCache = newCacheBuilder(expiresAfterWriteMillis, refreshMills, maximumSize)
                 .build(asyncReloading(CacheLoader.from(() -> loadRoles()), executor));
@@ -211,10 +208,9 @@ public void flushCache()
         tableCache.invalidateAll();
         partitionCache.invalidateAll();
         partitionFilterCache.invalidateAll();
-        userTablePrivileges.invalidateAll();
+        tablePrivilegesCache.invalidateAll();
         tableStatisticsCache.invalidateAll();
         partitionStatisticsCache.invalidateAll();
-        userRolesCache.invalidateAll();
         rolesCache.invalidateAll();
     }
 
@@ -504,9 +500,9 @@ protected void invalidateTable(String databaseName, String tableName)
         tableCache.invalidate(hiveTableName(databaseName, tableName));
         tableNamesCache.invalidate(databaseName);
         viewNamesCache.invalidate(databaseName);
-        userTablePrivileges.asMap().keySet().stream()
+        tablePrivilegesCache.asMap().keySet().stream()
                 .filter(userTableKey -> userTableKey.matches(databaseName, tableName))
-                .forEach(userTablePrivileges::invalidate);
+                .forEach(tablePrivilegesCache::invalidate);
         tableStatisticsCache.invalidate(hiveTableName(databaseName, tableName));
         invalidatePartitionCache(databaseName, tableName);
     }
@@ -631,7 +627,6 @@ public void createRole(String role, String grantor)
         }
         finally {
             rolesCache.invalidateAll();
-            userRolesCache.invalidate(grantor);
         }
     }
 
@@ -643,7 +638,6 @@ public void dropRole(String role)
         }
         finally {
             rolesCache.invalidateAll();
-            userRolesCache.invalidateAll();
             roleGrantsCache.invalidateAll();
         }
     }
@@ -707,42 +701,14 @@ private void invalidatePartitionCache(String databaseName, String tableName)
                 .forEach(partitionStatisticsCache::invalidate);
     }
 
-    @Override
-    public Set<String> getRoles(String user)
-    {
-        return get(userRolesCache, user);
-    }
-
-    private Set<String> loadRoles(String user)
-    {
-        return delegate.getRoles(user);
-    }
-
-    @Override
-    public Set<HivePrivilegeInfo> getDatabasePrivileges(String user, String databaseName)
-    {
-        return delegate.getDatabasePrivileges(user, databaseName);
-    }
-
-    @Override
-    public Set<HivePrivilegeInfo> getTablePrivileges(String user, String databaseName, String tableName)
-    {
-        return get(userTablePrivileges, new UserTableKey(user, tableName, databaseName));
-    }
-
-    private Set<HivePrivilegeInfo> loadTablePrivileges(String user, String databaseName, String tableName)
-    {
-        return delegate.getTablePrivileges(user, databaseName, tableName);
-    }
-
     @Override
     public void grantTablePrivileges(String databaseName, String tableName, String grantee, Set<HivePrivilegeInfo> privileges)
     {
         try {
             delegate.grantTablePrivileges(databaseName, tableName, grantee, privileges);
         }
         finally {
-            userTablePrivileges.invalidate(new UserTableKey(grantee, tableName, databaseName));
+            tablePrivilegesCache.invalidate(new UserTableKey(new PrestoPrincipal(USER, grantee), databaseName, tableName));
         }
     }
 
@@ -753,10 +719,21 @@ public void revokeTablePrivileges(String databaseName, String tableName, String
             delegate.revokeTablePrivileges(databaseName, tableName, grantee, privileges);
         }
         finally {
-            userTablePrivileges.invalidate(new UserTableKey(grantee, tableName, databaseName));
+            tablePrivilegesCache.invalidate(new UserTableKey(new PrestoPrincipal(USER, grantee), databaseName, tableName));
         }
     }
 
+    @Override
+    public Set<HivePrivilegeInfo> listTablePrivileges(String databaseName, String tableName, PrestoPrincipal principal)
+    {
+        return get(tablePrivilegesCache, new UserTableKey(principal, databaseName, tableName));
+    }
+
+    public Set<HivePrivilegeInfo> loadTablePrivileges(String databaseName, String tableName, PrestoPrincipal principal)
+    {
+        return delegate.listTablePrivileges(databaseName, tableName, principal);
+    }
+
     private static CacheBuilder<Object, Object> newCacheBuilder(OptionalLong expiresAfterWriteMillis, OptionalLong refreshMillis, long maximumSize)
     {
         CacheBuilder<Object, Object> cacheBuilder = CacheBuilder.newBuilder();

diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/metastore/ExtendedHiveMetastore.java b/presto-hive/src/main/java/com/facebook/presto/hive/metastore/ExtendedHiveMetastore.java
@@ -99,13 +99,9 @@ public interface ExtendedHiveMetastore
 
     Set<RoleGrant> listRoleGrants(PrestoPrincipal principal);
 
-    Set<String> getRoles(String user);
-
-    Set<HivePrivilegeInfo> getDatabasePrivileges(String user, String databaseName);
-
-    Set<HivePrivilegeInfo> getTablePrivileges(String user, String databaseName, String tableName);
-
     void grantTablePrivileges(String databaseName, String tableName, String grantee, Set<HivePrivilegeInfo> privileges);
 
     void revokeTablePrivileges(String databaseName, String tableName, String grantee, Set<HivePrivilegeInfo> privileges);
+
+    Set<HivePrivilegeInfo> listTablePrivileges(String databaseName, String tableName, PrestoPrincipal principal);
 }
diff --git a/presto-hive/src/main/java/com/facebook/presto/hive/metastore/RecordingHiveMetastore.java b/presto-hive/src/main/java/com/facebook/presto/hive/metastore/RecordingHiveMetastore.java
@@ -74,9 +74,7 @@ public class RecordingHiveMetastore
     private final Cache<HiveTableName, Optional<List<String>>> partitionNamesCache;
     private final Cache<PartitionFilter, Optional<List<String>>> partitionNamesByPartsCache;
     private final Cache<Set<HivePartitionName>, Map<String, Optional<Partition>>> partitionsByNamesCache;
-    private final Cache<String, Set<String>> rolesCache;
+    private final Cache<UserTableKey, Set<HivePrivilegeInfo>> listTablePrivilegesCache;
-    private final Cache<UserDatabaseKey, Set<HivePrivilegeInfo>> databasePrivilegesCache;
-    private final Cache<UserTableKey, Set<HivePrivilegeInfo>> tablePrivilegesCache;
     private final Cache<String, Set<String>> listRolesCache;
     private final Cache<PrestoPrincipal, Set<RoleGrant>> listRoleGrantsCache;
 
@@ -100,9 +98,7 @@ public RecordingHiveMetastore(@ForRecordingHiveMetastore ExtendedHiveMetastore d
         partitionNamesCache = createCache(hiveClientConfig);
         partitionNamesByPartsCache = createCache(hiveClientConfig);
         partitionsByNamesCache = createCache(hiveClientConfig);
-        rolesCache = createCache(hiveClientConfig);
+        listTablePrivilegesCache = createCache(hiveClientConfig);
-        databasePrivilegesCache = createCache(hiveClientConfig);
-        tablePrivilegesCache = createCache(hiveClientConfig);
         listRolesCache = createCache(hiveClientConfig);
         listRoleGrantsCache = createCache(hiveClientConfig);
 
@@ -129,9 +125,7 @@ void loadRecording()
         partitionNamesCache.putAll(toMap(recording.getPartitionNames()));
         partitionNamesByPartsCache.putAll(toMap(recording.getPartitionNamesByParts()));
         partitionsByNamesCache.putAll(toMap(recording.getPartitionsByNames()));
-        rolesCache.putAll(toMap(recording.getRoles()));
+        listTablePrivilegesCache.putAll(toMap(recording.getListTablePrivileges()));
-        databasePrivilegesCache.putAll(toMap(recording.getDatabasePrivileges()));
-        tablePrivilegesCache.putAll(toMap(recording.getTablePrivileges()));
         listRolesCache.putAll(toMap(recording.getListRoles()));
         listRoleGrantsCache.putAll(toMap(recording.getListRoleGrants()));
     }
@@ -169,9 +163,7 @@ public void writeRecording()
                 toPairs(partitionNamesCache),
                 toPairs(partitionNamesByPartsCache),
                 toPairs(partitionsByNamesCache),
-                toPairs(rolesCache),
+                toPairs(listTablePrivilegesCache),
-                toPairs(databasePrivilegesCache),
-                toPairs(tablePrivilegesCache),
                 toPairs(listRolesCache),
                 toPairs(listRoleGrantsCache));
         new ObjectMapperProvider().get()
@@ -394,27 +386,12 @@ public void alterPartition(String databaseName, String tableName, PartitionWithS
     }
 
     @Override
-    public Set<String> getRoles(String user)
+    public Set<HivePrivilegeInfo> listTablePrivileges(String databaseName, String tableName, PrestoPrincipal principal)
-    {
-        return loadValue(rolesCache, user, () -> delegate.getRoles(user));
-    }
-
-    @Override
-    public Set<HivePrivilegeInfo> getDatabasePrivileges(String user, String databaseName)
-    {
-        return loadValue(
-                databasePrivilegesCache,
-                new UserDatabaseKey(user, databaseName),
-                () -> delegate.getDatabasePrivileges(user, databaseName));
-    }
-
-    @Override
-    public Set<HivePrivilegeInfo> getTablePrivileges(String user, String databaseName, String tableName)
     {
         return loadValue(
-                tablePrivilegesCache,
+                listTablePrivilegesCache,
-                new UserTableKey(user, databaseName, tableName),
+                new UserTableKey(principal, databaseName, tableName),
-                () -> delegate.getTablePrivileges(user, databaseName, tableName));
+                () -> delegate.listTablePrivileges(databaseName, tableName, principal));
     }
 
     @Override
@@ -518,9 +495,7 @@ public static class Recording
         private final List<Pair<HiveTableName, Optional<List<String>>>> partitionNames;
         private final List<Pair<PartitionFilter, Optional<List<String>>>> partitionNamesByParts;
         private final List<Pair<Set<HivePartitionName>, Map<String, Optional<Partition>>>> partitionsByNames;
-        private final List<Pair<String, Set<String>>> roles;
+        private final List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> listTablePrivileges;
-        private final List<Pair<UserDatabaseKey, Set<HivePrivilegeInfo>>> databasePrivileges;
-        private final List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> tablePrivileges;
         private final List<Pair<String, Set<String>>> listRoles;
         private final List<Pair<PrestoPrincipal, Set<RoleGrant>>> listRoleGrants;
 
@@ -538,9 +513,7 @@ public Recording(
                 @JsonProperty("partitionNames") List<Pair<HiveTableName, Optional<List<String>>>> partitionNames,
                 @JsonProperty("partitionNamesByParts") List<Pair<PartitionFilter, Optional<List<String>>>> partitionNamesByParts,
                 @JsonProperty("partitionsByNames") List<Pair<Set<HivePartitionName>, Map<String, Optional<Partition>>>> partitionsByNames,
-                @JsonProperty("roles") List<Pair<String, Set<String>>> roles,
+                @JsonProperty("listTablePrivileges") List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> listTablePrivileges,
-                @JsonProperty("databasePrivileges") List<Pair<UserDatabaseKey, Set<HivePrivilegeInfo>>> databasePrivileges,
-                @JsonProperty("tablePrivileges") List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> tablePrivileges,
                 @JsonProperty("listRoles") List<Pair<String, Set<String>>> listRoles,
                 @JsonProperty("listRoleGrants") List<Pair<PrestoPrincipal, Set<RoleGrant>>> listRoleGrants)
         {
@@ -556,9 +529,7 @@ public Recording(
             this.partitionNames = partitionNames;
             this.partitionNamesByParts = partitionNamesByParts;
             this.partitionsByNames = partitionsByNames;
-            this.roles = roles;
+            this.listTablePrivileges = listTablePrivileges;
-            this.databasePrivileges = databasePrivileges;
-            this.tablePrivileges = tablePrivileges;
             this.listRoles = listRoles;
             this.listRoleGrants = listRoleGrants;
         }
@@ -636,21 +607,9 @@ public List<Pair<Set<HivePartitionName>, Map<String, Optional<Partition>>>> getP
         }
 
         @JsonProperty
-        public List<Pair<String, Set<String>>> getRoles()
+        public List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> getListTablePrivileges()
-        {
-            return roles;
-        }
-
-        @JsonProperty
-        public List<Pair<UserDatabaseKey, Set<HivePrivilegeInfo>>> getDatabasePrivileges()
-        {
-            return databasePrivileges;
-        }
-
-        @JsonProperty
-        public List<Pair<UserTableKey, Set<HivePrivilegeInfo>>> getTablePrivileges()
         {
-            return tablePrivileges;
+            return listTablePrivileges;
         }
 
         @JsonProperty