Skip to content

Commit 3eb661c

Browse files
rameeshmRamesh Mani
andauthored
RANGER-5598:RangerHiveAuthorizer showprivileges should consider principal expiry condition in the GDS grants (#947)
Co-authored-by: Ramesh Mani <rmani@apache.org>
1 parent 3fd46db commit 3eb661c

2 files changed

Lines changed: 75 additions & 10 deletions

File tree

hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java

Lines changed: 41 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2608,7 +2608,7 @@ private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, H
26082608
partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();
26092609
hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);
26102610

2611-
RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(hivePrivilegeObject);
2611+
RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(hivePrivilegeObject, principal);
26122612

26132613
if (rangerResourceACLs != null) {
26142614
Map<String, Map<String, RangerResourceACLs.AccessResult>> userRangerACLs = rangerResourceACLs.getUserACLs();
@@ -2800,16 +2800,50 @@ private Set<String> getPrincipalGroup(String user) {
28002800
return Sets.newHashSet(ugi.getGroupNames());
28012801
}
28022802

2803-
private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject) {
2804-
LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[{}]", hiveObject);
2803+
private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject, HivePrincipal principal) {
2804+
RangerResourceACLs ret = null;
28052805

2806-
RangerResourceACLs ret;
2807-
RangerHiveResource hiveResource = createHiveResource(hiveObject);
2808-
RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
2806+
LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[{}], principal=[{}]", hiveObject, principal);
2807+
2808+
RangerHiveResource hiveResource = createHiveResource(hiveObject);
2809+
if (hiveResource == null) {
2810+
return null;
2811+
}
2812+
2813+
RangerAccessRequestImpl request;
2814+
if (principal == null) {
2815+
request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);
2816+
} else {
2817+
String user = null;
2818+
Set<String> groups = Collections.emptySet();
2819+
Set<String> roles = Collections.emptySet();
2820+
2821+
switch (principal.getType()) {
2822+
case USER:
2823+
user = principal.getName();
2824+
groups = getPrincipalGroup(user);
2825+
roles = getCurrentRolesForUser(user, groups);
2826+
break;
2827+
case GROUP:
2828+
groups = Sets.newHashSet(principal.getName());
2829+
break;
2830+
case ROLE:
2831+
roles = Sets.newHashSet(principal.getName());
2832+
break;
2833+
default:
2834+
break;
2835+
}
2836+
2837+
if (LOG.isDebugEnabled()) {
2838+
LOG.debug("getRangerResourceACLs(): principalType={}, user={}, groups={}, roles={}", principal.getType(), user, groups, roles);
2839+
}
2840+
2841+
request = new RangerHiveAccessRequest(hiveResource, user, groups, roles, "SHOW PRIVILEGES", HiveAccessType.USE, null, null);
2842+
}
28092843

28102844
ret = hivePlugin.getResourceACLs(request);
28112845

2812-
LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[{}], Computed ACLS:[{}]", hiveObject, ret);
2846+
LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[{}], principal=[{}], Computed ACLS:[{}]", hiveObject, principal, ret);
28132847

28142848
return ret;
28152849
}

hive-agent/src/test/java/org/apache/ranger/authorization/hive/authorizer/TestRangerHiveAuthorizer.java

Lines changed: 34 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1279,13 +1279,44 @@ public void test65_getRangerResourceACLs_delegatesToPlugin() throws Exception {
12791279
Mockito.when(msFactory.getHiveMetastoreClient()).thenReturn(ms);
12801280

12811281
RangerHiveAuthorizer authorizer = new RangerHiveAuthorizer(msFactory, null, null, null);
1282-
Method m = RangerHiveAuthorizer.class.getDeclaredMethod("getRangerResourceACLs", HivePrivilegeObject.class);
1282+
Method m = RangerHiveAuthorizer.class.getDeclaredMethod("getRangerResourceACLs", HivePrivilegeObject.class, HivePrincipal.class);
12831283
m.setAccessible(true);
1284-
HivePrivilegeObject obj = new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "t1");
1285-
Object out = m.invoke(authorizer, obj);
1284+
HivePrivilegeObject obj = new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "t1");
1285+
HivePrincipal principal = new HivePrincipal("analyst", HivePrincipal.HivePrincipalType.ROLE);
1286+
Object out = m.invoke(authorizer, obj, principal);
12861287
assertInstanceOf(RangerResourceACLs.class, out);
12871288
}
12881289

1290+
@Test
1291+
void test66_getRangerResourceACLs_usesPrincipalContext() throws Exception {
1292+
RangerBasePlugin plugin = (RangerBasePlugin) Mockito.spy(newInstanceRangerHivePlugin("hiveCLI"));
1293+
Mockito.doReturn(new RangerResourceACLs()).when(plugin).getResourceACLs(Mockito.any(RangerAccessRequestImpl.class));
1294+
setStaticHivePlugin(plugin);
1295+
1296+
HiveMetastoreClientFactory msFactory = Mockito.mock(HiveMetastoreClientFactory.class);
1297+
IMetaStoreClient ms = Mockito.mock(IMetaStoreClient.class);
1298+
Mockito.when(msFactory.getHiveMetastoreClient()).thenReturn(ms);
1299+
RangerHiveAuthorizer authorizer = new RangerHiveAuthorizer(msFactory, null, null, null);
1300+
1301+
Method m = RangerHiveAuthorizer.class.getDeclaredMethod("getRangerResourceACLs", HivePrivilegeObject.class, HivePrincipal.class);
1302+
m.setAccessible(true);
1303+
1304+
HivePrivilegeObject obj = new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "t1");
1305+
HivePrincipal principal = new HivePrincipal("analyst", HivePrincipal.HivePrincipalType.ROLE);
1306+
m.invoke(authorizer, obj, principal);
1307+
1308+
Mockito.verify(plugin).getResourceACLs(Mockito.argThat(req -> {
1309+
if (!(req instanceof RangerHiveAccessRequest)) {
1310+
return false;
1311+
}
1312+
RangerHiveAccessRequest request = (RangerHiveAccessRequest) req;
1313+
return request.getUser() == null &&
1314+
request.getUserGroups().isEmpty() &&
1315+
request.getUserRoles().contains("analyst") &&
1316+
request.getHiveAccessType() == RangerHiveAuthorizer.HiveAccessType.USE;
1317+
}));
1318+
}
1319+
12891320
@Test
12901321
public void test67_getHivePrivilegeInfos_userPrincipal() throws Exception {
12911322
RangerBasePlugin plugin = (RangerBasePlugin) Mockito.spy(newInstanceRangerHivePlugin("hiveCLI"));

0 commit comments

Comments
 (0)