hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From the...@apache.org
Subject hive git commit: HIVE-18777 : Add Authorization interface to support information_schema integration with external authorization (Thejas Nair, reviewed by Daniel Dai)
Date Thu, 01 Mar 2018 01:08:22 GMT
Repository: hive
Updated Branches:
  refs/heads/master f99c89388 -> bd6d91f11


HIVE-18777 : Add Authorization interface to support information_schema integration with external
authorization (Thejas Nair, reviewed by Daniel Dai)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/bd6d91f1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/bd6d91f1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/bd6d91f1

Branch: refs/heads/master
Commit: bd6d91f11d7d3323dce37344eea9d722f8945e6a
Parents: f99c893
Author: Thejas M Nair <thejas@hortonworks.com>
Authored: Wed Feb 28 17:08:16 2018 -0800
Committer: Thejas M Nair <thejas@hortonworks.com>
Committed: Wed Feb 28 17:08:16 2018 -0800

----------------------------------------------------------------------
 .../plugin/AbstractHiveAuthorizer.java          | 13 ++++-
 .../authorization/plugin/HiveAuthorizer.java    | 10 ++--
 .../plugin/HivePolicyChangeListener.java        | 35 ++++++++++++++
 .../plugin/HivePolicyProvider.java              | 36 ++++++++++++++
 .../authorization/plugin/HiveResourceACLs.java  | 50 ++++++++++++++++++++
 5 files changed, 140 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
index 4441934..a925c5a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/AbstractHiveAuthorizer.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-
 /**
  * Abstract class that extends HiveAuthorizer. This will help to shield
  * Hive authorization implementations from some of the changes to HiveAuthorizer
@@ -38,4 +37,16 @@ public abstract class AbstractHiveAuthorizer implements HiveAuthorizer
{
     return null;
   }
 
+  /*
+   * (non-Javadoc)
+   *
+   * @see
+   * org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer#
+   * getHivePolicyProvider()
+   */
+  @Override
+  public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
+    return null;
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
index 9783c56..a4079b8 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
@@ -263,7 +263,7 @@ public interface HiveAuthorizer {
    *
    * @throws SemanticException
    */
-  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext
context,
+  List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context,
       List<HivePrivilegeObject> privObjs) throws SemanticException;
 
   /**
@@ -273,7 +273,11 @@ public interface HiveAuthorizer {
    * @return
    * @throws SemanticException
    */
-  public boolean needTransform();
+  boolean needTransform();
 
+  /**
+   * @return HivePolicyProvider instance (expected to be a singleton)
+   * @throws HiveAuthzPluginException
+   */
+  HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException;
 }
-

http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
new file mode 100644
index 0000000..577f609
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyChangeListener.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.List;
+
+/**
+ * This would be implemented by a class that needs to be notified when there is
+ * a policy change.
+ */
+public interface HivePolicyChangeListener {
+  /**
+   * @param hpo
+   *          List of Objects whose privileges have changed. If undetermined,
+   *          null can be returned (implies that it should be treated as if all object
+   *          policies might have changed).
+   */
+  void notifyPolicyChange(List<HivePrivilegeObject> hpo);
+
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
new file mode 100644
index 0000000..a9d1bd5
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePolicyProvider.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+/**
+ * Interface that can be used to retrieve authorization policy information from
+ * authorization plugins.
+ */
+public interface HivePolicyProvider {
+  /**
+   * @param hiveObject
+   * @return representation of user/group to permissions mapping.
+   */
+  HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject);
+
+  /**
+   * @param listener
+   */
+  void registerHivePolicyChangeListener(HivePolicyChangeListener listener);
+
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/bd6d91f1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
new file mode 100644
index 0000000..53e221f
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveResourceACLs.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import java.util.Map;
+
+/**
+ * Captures authorization policy information on a {@link HivePrivilegeObject}.
+ */
+public interface HiveResourceACLs {
+  /**
+   * Privilege types.
+   */
+  enum Privilege {
+    SELECT, UPDATE, CREATE, DROP, ALTER, INDEX, LOCK, READ, WRITE
+  };
+
+  /**
+   * Privilege access result.
+   */
+  enum AccessResult {
+    ALLOWED, NOT_ALLOWED, CONDITIONAL_ALLOWED
+  };
+
+  /**
+   * @return Returns mapping of user name to privilege-access result pairs
+   */
+  Map<String, Map<Privilege, AccessResult>> getUserPermissions();
+
+  /**
+   * @return Returns mapping of group name to privilege-access result pairs
+   */
+  Map<String, Map<Privilege, AccessResult>> getGroupPermissions();
+
+}


Mime
View raw message