org.apache.hadoop.hive.ql.security.authorization

Class StorageBasedAuthorizationProvider

java.lang.Object

org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProviderBase

org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

All Implemented Interfaces:

org.apache.hadoop.conf.Configurable, HiveAuthorizationProvider, HiveMetastoreAuthorizationProvider

public class StorageBasedAuthorizationProvider
extends HiveAuthorizationProviderBase
implements HiveMetastoreAuthorizationProvider

StorageBasedAuthorizationProvider is an implementation of HiveMetastoreAuthorizationProvider that tries to look at the hdfs permissions of files and directories associated with objects like databases, tables and partitions to determine whether or not an operation is allowed. The rule of thumb for which location to check in hdfs is as follows: CREATE : on location specified, or on location determined from metadata READS : not checked (the preeventlistener does not have an event to fire) UPDATES : on location in metadata DELETES : on location in metadata If the location does not yet exist, as the case is with creates, it steps out to the parent directory recursively to determine its permissions till it finds a parent that does exist.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	StorageBasedAuthorizationProvider.DropPrivilegeExtractor

Nested classes/interfaces inherited from class org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProviderBase

HiveAuthorizationProviderBase.HiveProxy

Field Summary

Fields inherited from class org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProviderBase

authenticator, hive_db

Constructor Summary

Constructors

Constructor and Description
StorageBasedAuthorizationProvider()

Method Summary

Methods

Modifier and Type	Method and Description
void	authorize(Database db, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization privileges against a database object.
void	authorize(Partition part, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization privileges against a hive partition object.
void	authorize(org.apache.hadoop.fs.Path path, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization privileges against a path.
void	authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization user level privileges.
void	authorize(Table table, Partition part, List<String> columns, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization privileges against a list of columns.
void	authorize(Table table, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv) Authorization privileges against a hive table object.
void	authorizeAuthorizationApiInvocation() Authorize metastore authorization api call.
protected void	checkPermissions(org.apache.hadoop.conf.Configuration conf, org.apache.hadoop.fs.Path path, EnumSet<org.apache.hadoop.fs.permission.FsAction> actions) Checks the permissions for the given path and current user on Hadoop FS.
protected static void	checkPermissions(org.apache.hadoop.fs.FileSystem fs, org.apache.hadoop.fs.FileStatus stat, EnumSet<org.apache.hadoop.fs.permission.FsAction> actions, String user) Checks the permissions for the given path and current user on Hadoop FS.
protected org.apache.hadoop.fs.Path	getDbLocation(Database db)
protected org.apache.hadoop.fs.permission.FsAction	getFsAction(Privilege priv) Given a privilege, return what FsActions are required
protected EnumSet<org.apache.hadoop.fs.permission.FsAction>	getFsActions(Privilege[] privs) Given a Privilege[], find out what all FsActions are required
void	init(org.apache.hadoop.conf.Configuration conf)
void	setMetaStoreHandler(HiveMetaStore.HMSHandler handler) Allows invoker of HiveMetaStoreAuthorizationProvider to send in a hive metastore handler that can be used to make calls to test whether or not authorizations can/will succeed.

Methods inherited from class org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProviderBase

getAuthenticator, getConf, setAuthenticator, setConf

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider

getAuthenticator, setAuthenticator

Methods inherited from interface org.apache.hadoop.conf.Configurable

getConf, setConf

Constructor Detail

StorageBasedAuthorizationProvider

public StorageBasedAuthorizationProvider()

Method Detail

init

public void init(org.apache.hadoop.conf.Configuration conf)
          throws HiveException

Specified by:

init in interface HiveAuthorizationProvider

Throws:

HiveException

authorize

public void authorize(Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Description copied from interface: HiveAuthorizationProvider

Authorization user level privileges.

Specified by:

authorize in interface HiveAuthorizationProvider

Parameters:

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

authorize

public void authorize(Database db,
             Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Description copied from interface: HiveAuthorizationProvider

Authorization privileges against a database object.

Specified by:

authorize in interface HiveAuthorizationProvider

Parameters:

db - database

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

authorize

public void authorize(Table table,
             Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Description copied from interface: HiveAuthorizationProvider

Authorization privileges against a hive table object.

Specified by:

authorize in interface HiveAuthorizationProvider

Parameters:

table - table object

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

authorize

public void authorize(Partition part,
             Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Description copied from interface: HiveAuthorizationProvider

Authorization privileges against a hive partition object.

Specified by:

authorize in interface HiveAuthorizationProvider

Parameters:

part - partition object

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

authorize

public void authorize(Table table,
             Partition part,
             List<String> columns,
             Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Description copied from interface: HiveAuthorizationProvider

Authorization privileges against a list of columns. If the partition object is not null, look at the column grants for the given partition. Otherwise look at the table column grants.

Specified by:

authorize in interface HiveAuthorizationProvider

Parameters:

table - table object

part - partition object

columns - a list of columns

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

setMetaStoreHandler

public void setMetaStoreHandler(HiveMetaStore.HMSHandler handler)

Description copied from interface: HiveMetastoreAuthorizationProvider

Allows invoker of HiveMetaStoreAuthorizationProvider to send in a hive metastore handler that can be used to make calls to test whether or not authorizations can/will succeed. Intended to be called before any of the authorize methods are called.

Specified by:

setMetaStoreHandler in interface HiveMetastoreAuthorizationProvider

getFsAction

protected org.apache.hadoop.fs.permission.FsAction getFsAction(Privilege priv)

Given a privilege, return what FsActions are required

getFsActions

protected EnumSet<org.apache.hadoop.fs.permission.FsAction> getFsActions(Privilege[] privs)

Given a Privilege[], find out what all FsActions are required

authorize

public void authorize(org.apache.hadoop.fs.Path path,
             Privilege[] readRequiredPriv,
             Privilege[] writeRequiredPriv)
               throws HiveException,
                      AuthorizationException

Authorization privileges against a path.

Parameters:

path - a filesystem path

readRequiredPriv - a list of privileges needed for inputs.

writeRequiredPriv - a list of privileges needed for outputs.

Throws:

HiveException

AuthorizationException

checkPermissions

protected void checkPermissions(org.apache.hadoop.conf.Configuration conf,
                    org.apache.hadoop.fs.Path path,
                    EnumSet<org.apache.hadoop.fs.permission.FsAction> actions)
                         throws IOException,
                                LoginException,
                                HiveException

Checks the permissions for the given path and current user on Hadoop FS. If the given path does not exists, it checks for its parent folder.

Throws:

IOException

LoginException

HiveException

checkPermissions

protected static void checkPermissions(org.apache.hadoop.fs.FileSystem fs,
                    org.apache.hadoop.fs.FileStatus stat,
                    EnumSet<org.apache.hadoop.fs.permission.FsAction> actions,
                    String user)
                                throws IOException,
                                       AccessControlException,
                                       HiveException

Checks the permissions for the given path and current user on Hadoop FS. If the given path does not exists, it returns.

Throws:

IOException

AccessControlException

HiveException

getDbLocation

protected org.apache.hadoop.fs.Path getDbLocation(Database db)
                                           throws HiveException

Throws:

HiveException

authorizeAuthorizationApiInvocation

public void authorizeAuthorizationApiInvocation()
                                         throws HiveException,
                                                AuthorizationException

Description copied from interface: HiveMetastoreAuthorizationProvider

Authorize metastore authorization api call.

Specified by:

authorizeAuthorizationApiInvocation in interface HiveMetastoreAuthorizationProvider

Throws:

HiveException

AuthorizationException