private HiveAccessType getAccessType()

in hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java [1808:2070]


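    /**
     * Maps a Hive privilege object and the operation being run to the access type that
     * has to be authorized for it.
     *
     * <p>Resolution order, as implemented below:
     * <ol>
     *   <li>URI objects map to {@code READ} (input) or {@code WRITE} (output), regardless of
     *       the operation type.</li>
     *   <li>Objects whose action type is INSERT, INSERT_OVERWRITE, UPDATE or DELETE map to
     *       {@code UPDATE}.</li>
     *   <li>Objects whose action type is OTHER are mapped according to {@code hiveOpType}.</li>
     * </ol>
     *
     * <p>{@code HiveAccessType.NONE} is returned when none of the branches assigns a value. The
     * GRANT_PRIVILEGE/REVOKE_PRIVILEGE branch uses NONE for "checked on the ranger-admin side".
     * NOTE(review): how the caller treats NONE is not visible in this method; every operation
     * type that is not listed in the inner switch (including any added by a newer Hive) also
     * ends at NONE, so confirm that is the intended outcome for them.
     *
     * @param hiveObj        the Hive object the operation touches; its action type and object
     *                       type drive the mapping
     * @param hiveOpType     the Hive operation being authorized
     * @param hiveObjectType the object type already resolved for {@code hiveObj}
     * @param isInput        {@code true} when the object is an input of the operation,
     *                       {@code false} when it is an output
     * @return the access type to authorize, or {@code HiveAccessType.NONE} when no branch applies
     */
    private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, HiveObjectType hiveObjectType, boolean isInput) {
        HiveAccessType           accessType       = HiveAccessType.NONE;
        HivePrivObjectActionType objectActionType = hiveObj.getActionType();

        // URI objects (the original comments describe these as S3 reads and writes) are decided
        // purely by direction: inputs need READ, outputs need WRITE.
        if (hiveObjectType == HiveObjectType.URI) {
            return isInput ? HiveAccessType.READ : HiveAccessType.WRITE;
        }

        switch (objectActionType) {
            // Any data-modifying action type requires UPDATE, whatever the operation type is.
            case INSERT:
            case INSERT_OVERWRITE:
            case UPDATE:
            case DELETE:
                accessType = HiveAccessType.UPDATE;
                break;
            case OTHER:
                switch (hiveOpType) {
                    // CREATE is only assigned when the object type matches the thing being
                    // created; other objects attached to the operation stay at NONE.
                    case CREATEDATABASE:
                        if (hiveObj.getType() == HivePrivilegeObjectType.DATABASE) {
                            accessType = HiveAccessType.CREATE;
                        }
                        break;
                    case CREATEDATACONNECTOR:
                        if (hiveObj.getType() == HivePrivilegeObjectType.DATACONNECTOR) {
                            accessType = HiveAccessType.CREATE;
                        }
                        break;
                    case CREATEFUNCTION:
                        if (hiveObj.getType() == HivePrivilegeObjectType.FUNCTION) {
                            accessType = HiveAccessType.CREATE;
                        }
                        // Evaluated second on purpose: a GLOBAL object overrides the CREATE
                        // assigned above and requires TEMPUDFADMIN instead.
                        if (hiveObjectType == HiveObjectType.GLOBAL) {
                            accessType = HiveAccessType.TEMPUDFADMIN;
                        }
                        break;

                    case CREATETABLE:
                    case CREATEVIEW:
                    case CREATETABLE_AS_SELECT:
                    case CREATE_MATERIALIZED_VIEW:
                        // Source tables/views are read (SELECT); the target is created (CREATE).
                        if (hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
                            accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
                        }
                        break;
                    case ALTERVIEW_AS:
                        if (hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
                            accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.ALTER;
                        } else if (hiveObj.getType() == HivePrivilegeObjectType.DATABASE) {
                            accessType = HiveAccessType.SELECT;
                        }
                        break;
                    case ALTERDATABASE:
                    case ALTERDATABASE_LOCATION:
                    case ALTERDATABASE_OWNER:
                        // Refer - HIVE-21968
                    case ALTERPARTITION_BUCKETNUM:
                    case ALTERPARTITION_FILEFORMAT:
                    case ALTERPARTITION_LOCATION:
                    case ALTERPARTITION_MERGEFILES:
                    case ALTERPARTITION_PROTECTMODE:
                    case ALTERPARTITION_SERDEPROPERTIES:
                    case ALTERPARTITION_SERIALIZER:
                    case ALTERTABLE_ADDCOLS:
                    case ALTERTABLE_ADDPARTS:
                    case ALTERTABLE_ARCHIVE:
                    case ALTERTABLE_BUCKETNUM:
                    case ALTERTABLE_CLUSTER_SORT:
                    case ALTERTABLE_COMPACT:
                    case ALTERTABLE_DROPPARTS:
                    case ALTERTABLE_DROPCONSTRAINT:
                    case ALTERTABLE_ADDCONSTRAINT:
                    case ALTERTABLE_FILEFORMAT:
                    case ALTERTABLE_LOCATION:
                    case ALTERTABLE_MERGEFILES:
                    case ALTERTABLE_PARTCOLTYPE:
                    case ALTERTABLE_PROPERTIES:
                    case ALTERTABLE_SETPARTSPEC:
                    case ALTERTABLE_EXECUTE:
                    case ALTERTABLE_CONVERT:
                    case ALTERDATACONNECTOR:
                    case ALTERDATACONNECTOR_OWNER:
                    case ALTERDATACONNECTOR_URL:
                    case ALTERTABLE_PROTECTMODE:
                    case ALTERTABLE_RENAME:
                    case ALTERTABLE_RENAMECOL:
                    case ALTERTABLE_RENAMEPART:
                    case ALTERTABLE_REPLACECOLS:
                    case ALTERTABLE_SERDEPROPERTIES:
                    case ALTERTABLE_SERIALIZER:
                    case ALTERTABLE_SKEWED:
                    case ALTERTABLE_TOUCH:
                    case ALTERTABLE_UNARCHIVE:
                    case ALTERTABLE_UPDATEPARTSTATS:
                    case ALTERTABLE_UPDATETABLESTATS:
                    case ALTERTABLE_UPDATECOLUMNS:
                    case ALTERTABLE_CREATEBRANCH:
                    case ALTERTABLE_DROPBRANCH:
                    case ALTERTABLE_CREATETAG:
                    case ALTERTABLE_DROPTAG:
                    case ALTERTBLPART_SKEWED_LOCATION:
                    case ALTERVIEW_PROPERTIES:
                    case ALTERVIEW_RENAME:
                    case ALTER_MATERIALIZED_VIEW_REWRITE:
                    case ALTER_MATERIALIZED_VIEW_REBUILD:
                        // HIVE-22188
                    case MSCK:
                        accessType = HiveAccessType.ALTER;
                        break;

                    case DROPFUNCTION:
                    case DROPTABLE:
                    case DROPVIEW:
                    case DROP_MATERIALIZED_VIEW:
                    case DROPDATABASE:
                    case DROPDATACONNECTOR:
                        accessType = HiveAccessType.DROP;
                        break;
                    // HIVE-21968
                    case IMPORT:
                    /*
                    This can happen during the Hive IMPORT command if and only if a table is also being created as part of IMPORT.
                    If so then
                    - the object appears in the output list (outputHObjs), i.e. isInput == false
                    - the user must then have CREATE permission on the database

                    During IMPORT it is not possible for a database to be in the input list. Thus returning SELECT
                    when isInput == true is never expected to be hit in practice.
                     */
                        accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
                        break;

                    case EXPORT:
                    case LOAD:
                        accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
                        break;

                    case LOCKDB:
                    case LOCKTABLE:
                    case UNLOCKDB:
                    case UNLOCKTABLE:
                        accessType = HiveAccessType.LOCK;
                        break;

                    /*
                     * SELECT access is required for many of these metadata operations since Hive does not call back for filtering.
                     * Over time these should move to _any/USE access (as Hive adds support for filtering).
                     */
                    case QUERY:
                    case SHOW_TABLESTATUS:
                    case SHOW_CREATETABLE:
                    case SHOWPARTITIONS:
                    case SHOW_TBLPROPERTIES:
                    case ANALYZE_TABLE:
                        accessType = HiveAccessType.SELECT;
                        break;

                    case SHOWCOLUMNS:
                    case DESCTABLE:
                        // NOTE(review): switching on a null String throws NullPointerException;
                        // whether StringUtil.toLower can return null here is not visible in this
                        // method.
                        switch (StringUtil.toLower(RangerHivePlugin.describeShowTableAuth)) {
                            case "show-allowed":
                                // This is not implemented, so it defaults to the current behaviour of blocking describe/show columns.
                                // It has to be implemented when Hive provides the necessary filterListCmdObjects for
                                // SELECT/SHOWCOLUMNS/DESCTABLE to filter the columns based on the access granted in Ranger.
                            case "none":
                            case "":
                                accessType = HiveAccessType.SELECT;
                                break;
                            case "show-all":
                                accessType = HiveAccessType.USE;
                                break;
                            default:
                                // Fail closed on an unrecognized setting (for example a typo):
                                // require SELECT, the same as the "none"/"" setting, instead of
                                // leaving accessType at NONE. NONE is the value the
                                // GRANT_PRIVILEGE/REVOKE_PRIVILEGE branch uses for "not checked
                                // here", so a mistyped option would presumably have relaxed the
                                // check on DESCRIBE / SHOW COLUMNS rather than tightened it.
                                accessType = HiveAccessType.SELECT;
                                break;
                        }
                        break;

                    // USE ("any") access is enough for metadata operations that Hive supports filtering for
                    case SHOWDATABASES:
                    case SHOWDATACONNECTORS:
                    case SHOW_GRANT:
                    case SWITCHDATABASE:
                    case DESCDATABASE:
                    case DESCDATACONNECTOR:
                    case SHOWTABLES:
                    case SHOWVIEWS:
                        accessType = HiveAccessType.USE;
                        break;

                    case TRUNCATETABLE:
                        accessType = HiveAccessType.UPDATE;
                        break;

                    case GRANT_PRIVILEGE:
                    case REVOKE_PRIVILEGE:
                        accessType = HiveAccessType.NONE; // access check will be performed at the ranger-admin side
                        break;

                    case REPLDUMP:
                    case REPLLOAD:
                    case REPLSTATUS:
                        accessType = HiveAccessType.REPLADMIN;
                        break;

                    case KILL_QUERY:
                    case CREATE_RESOURCEPLAN:
                    case SHOW_RESOURCEPLAN:
                    case ALTER_RESOURCEPLAN:
                    case DROP_RESOURCEPLAN:
                    case CREATE_TRIGGER:
                    case ALTER_TRIGGER:
                    case DROP_TRIGGER:
                    case CREATE_POOL:
                    case ALTER_POOL:
                    case DROP_POOL:
                    case CREATE_MAPPING:
                    case ALTER_MAPPING:
                    case DROP_MAPPING:
                    case LLAP_CACHE_PURGE:
                    case LLAP_CLUSTER_INFO:
                        accessType = HiveAccessType.SERVICEADMIN;
                        break;

                    case ADD:
                    case COMPILE:
                        accessType = HiveAccessType.TEMPUDFADMIN;
                        break;

                    // Listed explicitly but assigned nothing: these operations leave accessType
                    // at its initial NONE. The switch has no default, so operation types that
                    // are not listed anywhere above behave the same way.
                    case DELETE:
                    case CREATEMACRO:
                    case CREATEROLE:
                    case DESCFUNCTION:
                    case PREPARE:
                    case EXECUTE:
                    case DFS:
                    case DROPMACRO:
                    case DROPROLE:
                    case EXPLAIN:
                    case GRANT_ROLE:
                    case REVOKE_ROLE:
                    case RESET:
                    case SET:
                    case SHOWCONF:
                    case SHOWFUNCTIONS:
                    case SHOWLOCKS:
                    case SHOW_COMPACTIONS:
                    case SHOW_ROLES:
                    case SHOW_ROLE_GRANT:
                    case SHOW_ROLE_PRINCIPALS:
                    case SHOW_TRANSACTIONS:
                        break;
                }
                break;
        }

        return accessType;
    }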