
ranger hive policy 相关

hive plugin policy的定义

/** Kinds of Hive object a Ranger access request can name. Constant order is kept exactly as declared. */
enum HiveObjectType {
    NONE,
    DATABASE,
    TABLE,
    VIEW,
    PARTITION,
    INDEX,
    COLUMN,
    FUNCTION,
    URI,
    SERVICE_NAME,
    GLOBAL
}
/** Access types the Hive plugin can ask Ranger to authorize. Constant order is kept exactly as declared. */
enum HiveAccessType {
    NONE,
    CREATE,
    ALTER,
    DROP,
    INDEX,
    LOCK,
    SELECT,
    UPDATE,
    USE,
    READ,
    WRITE,
    ALL,
    REPLADMIN,
    SERVICEADMIN,
    TEMPUDFADMIN
}

hive plugin分为两个appId, hiveServer2和CLI

{
    // NOTE(review): this brace-delimited fragment is shown without its enclosing method;
    // `appType`, `plugin` and `hivePlugin` are declared outside the visible lines.
    // Derive the plugin's appId from the session's client type. There is no default
    // branch, so for any other client type `appType` keeps whatever value it had before.
    switch(sessionContext.getClientType()) {
        case HIVECLI:
            appType = "hiveCLI";
            break;

        case HIVESERVER2:
            appType = "hiveServer2";
            break;
    }
    // One plugin instance per appType; init() is what loads policies (presumably — body not shown).
    plugin = new RangerHivePlugin(appType);
    plugin.init();
    hivePlugin = plugin;

}

/**
 * Creates the Hive plugin with the Ranger service type fixed to {@code "hive"}.
 *
 * @param appType appId of this plugin instance (the page shows two: {@code "hiveCLI"} and
 *     {@code "hiveServer2"}); passed straight through to the base plugin constructor
 */
public RangerHivePlugin(String appType) {
    super("hive", appType);
}

/**
 * Convenience constructor: wraps the service type and appId in a {@code RangerPluginConfig}
 * and delegates to the config-based constructor. The remaining four config arguments are
 * passed as {@code null} here.
 *
 * @param serviceType Ranger service type, e.g. {@code "hive"}
 * @param appId       appId of this plugin instance
 */
public RangerBasePlugin(String serviceType, String appId) {
    this(new RangerPluginConfig(serviceType, null, appId, null, null, null));
}

hive column request需要发送批量的column权限请求


/**
 * Hive authorizer entry point. The visible part shows how a resource naming several columns
 * is expanded into one Ranger access request per column before evaluation.
 *
 * NOTE(review): {@code request} and {@code auditHandler} are neither parameters of this method
 * nor declared in the visible lines, and the body is elided ("..."), so this reads as an
 * illustrative splice from the authorizer rather than a verbatim method.
 *
 * @param hiveOpType  the Hive operation being authorized
 * @param inputHObjs  objects the operation reads
 * @param outputHObjs objects the operation writes
 * @param context     Hive authorization context
 * @throws HiveAuthzPluginException   declared; the throwing code is outside the excerpt
 * @throws HiveAccessControlException declared; the throwing code is outside the excerpt
 */
public void checkPrivileges(HiveOperationType hiveOpType,
        List<HivePrivilegeObject> inputHObjs,
        List<HivePrivilegeObject> outputHObjs,
        HiveAuthzContext context)
        throws HiveAuthzPluginException, HiveAccessControlException {

    RangerHiveResource resource = (RangerHiveResource)request.getResource();
    RangerAccessResult result = null;

    // A COLUMN resource may carry several column names joined by COLUMN_SEP; each column is
    // authorized as its own request so a single policy decision never covers an unnamed column.
    if(resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) {
        List<RangerAccessRequest> colRequests = new ArrayList<RangerAccessRequest>();

        String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP);

        // in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set
        resource.setServiceDef(hivePlugin.getServiceDef());

        for(String column : columns) {
            if (column != null) {
                column = column.trim();
            }
            // Blank entries (e.g. a trailing separator) are dropped rather than sent as an empty column name.
            if(StringUtils.isBlank(column)) {
                continue;
            }

            // Per-column request: same database/table, one column, and the owner user carried over
            // so owner-based matching behaves the same as for the original request.
            RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column);
            colResource.setOwnerUser(resource.getOwnerUser());

            RangerHiveAccessRequest colRequest = request.copy();
            colRequest.setResource(colResource);

            colRequests.add(colRequest);
        }

        // Batch evaluation; presumably each per-column result is also handed to auditHandler — confirm in the plugin.
        Collection<RangerAccessResult> colResults = hivePlugin.isAccessAllowed(colRequests, auditHandler);

        // Walk the results in order and stop at the first denial, so `result` is that column's denial.
        // If every column is allowed, `result` is the last column's result. If colResults is null or
        // empty (all entries were blank) `result` stays null — the elided tail should treat null as
        // a denial (fail-closed); confirm there.
        if(colResults != null) {
            for(RangerAccessResult colResult : colResults) {
                result = colResult;

                if(result != null && !result.getIsAllowed()) {
                    break;
                }
            }
        }
    } else {
        // Single-resource case: one request, one result.
        result = hivePlugin.isAccessAllowed(request, auditHandler);
    }
    ...
}

hive owner user

hive plugin, 在发起权限判断请求的时候, 会连接hive metastore, 获取资源的ownerId.

ownerUser看来是每个资源都有的, 也就是创建资源的creator, 换成ownerUser这个叫法就不太认识了.

不过ownerUser是否有权限, 其实还取决于ranger里是否有{ownerUser}的默认参数配置.



/**
 * Obtains a Hive metastore client from the configured client factory.
 *
 * @return the client, or {@code null} if the factory throws {@code HiveAuthzPluginException};
 *     the failure is logged at WARN level and callers must tolerate a null client
 *     (owner lookups are then skipped, so no owner is recorded on the resource)
 */
private IMetaStoreClient getMetaStoreClient() {
    try {
        return getMetastoreClientFactory().getHiveMetastoreClient();
    } catch (HiveAuthzPluginException excp) {
        // Best-effort: without a client only owner resolution is lost, not the access decision itself.
        LOG.warn("failed to get meta-store client", excp);
        return null;
    }
}

/**
 * Looks up the owner of the given Hive object in the metastore and records it on the Ranger resource.
 *
 * Databases use {@code Database#getOwnerName()}; tables, views and columns use the owning
 * table's {@code Table#getOwner()}. The lookup is best-effort: a null client, a null metastore
 * object, or any exception leaves the resource's owner untouched (exceptions are logged at
 * ERROR level). Object types other than DATABASE, TABLE_OR_VIEW and COLUMN are ignored.
 * The final owner value is logged at DEBUG level.
 *
 * @param resource        the Ranger resource whose owner user is set
 * @param hiveObj         the Hive object being authorized; may be null, in which case nothing is looked up
 * @param metaStoreClient metastore client used for the lookup; may be null
 */
static void setOwnerUser(RangerHiveResource resource, HivePrivilegeObject hiveObj, IMetaStoreClient metaStoreClient) {
    if (hiveObj != null) {
        switch (hiveObj.getType()) {
            case DATABASE: {
                try {
                    if (metaStoreClient != null) {
                        Database db = metaStoreClient.getDatabase(hiveObj.getDbname());

                        if (db != null) {
                            resource.setOwnerUser(db.getOwnerName());
                        }
                    }
                } catch (Exception excp) {
                    LOG.error("failed to get database object from Hive metastore. dbName=" + hiveObj.getDbname(), excp);
                }
                break;
            }

            case TABLE_OR_VIEW:
            case COLUMN: {
                try {
                    if (metaStoreClient != null) {
                        Table tbl = metaStoreClient.getTable(hiveObj.getDbname(), hiveObj.getObjectName());

                        if (tbl != null) {
                            resource.setOwnerUser(tbl.getOwner());
                        }
                    }
                } catch (Exception excp) {
                    LOG.error("failed to get table object from Hive metastore. dbName=" + hiveObj.getDbname() + ", tblName=" + hiveObj.getObjectName(), excp);
                }
                break;
            }

            default:
                // No owner lookup for other object types; the resource keeps its current owner.
                break;
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("setOwnerUser(" + hiveObj + "): ownerName=" + resource.getOwnerUser());
    }
}