CreateTableAutomaticGrant.java

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.hive.ql.session;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.security.authorization.Privilege;
import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry;

public class CreateTableAutomaticGrant {
  private Map<String, List<PrivilegeGrantInfo>> userGrants;
  private Map<String, List<PrivilegeGrantInfo>> groupGrants;
  private Map<String, List<PrivilegeGrantInfo>> roleGrants;

  // the owner can change, also owner might appear in user grants as well
  // so keep owner privileges separate from userGrants
  private List<PrivilegeGrantInfo> ownerGrant;

  public static CreateTableAutomaticGrant create(HiveConf conf)
      throws HiveException {
    CreateTableAutomaticGrant grants = new CreateTableAutomaticGrant();
    grants.userGrants = getGrantMap(HiveConf.getVar(conf,
        HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLE_USER_GRANTS));
    grants.groupGrants = getGrantMap(HiveConf.getVar(conf,
        HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLE_GROUP_GRANTS));
    grants.roleGrants = getGrantMap(HiveConf.getVar(conf,
        HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLE_ROLE_GRANTS));

    grants.ownerGrant = getGrantorInfoList(HiveConf.getVar(conf,
        HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS));

    return grants;
  }

  private static Map<String, List<PrivilegeGrantInfo>> getGrantMap(String grantMapStr)
      throws HiveException {
    if (grantMapStr != null && !grantMapStr.trim().equals("")) {
      String[] grantArrayStr = grantMapStr.split(";");
      Map<String, List<PrivilegeGrantInfo>> grantsMap = new HashMap<String, List<PrivilegeGrantInfo>>();
      for (String grantStr : grantArrayStr) {
        String[] principalListAndPrivList = grantStr.split(":");
        if (principalListAndPrivList.length != 2
            || principalListAndPrivList[0] == null
            || principalListAndPrivList[0].trim().equals("")) {
          throw new HiveException(
              "Can not understand the config privilege definition " + grantStr);
        }
        String userList = principalListAndPrivList[0];
        String privList = principalListAndPrivList[1];
        List<PrivilegeGrantInfo> grantInfoList = getGrantorInfoList(privList);
        if(grantInfoList != null) {
          String[] users = userList.split(",");
          for (String user : users) {
            grantsMap.put(user, grantInfoList);
          }
        }
      }
      return grantsMap;
    }
    return null;
  }

  private static List<PrivilegeGrantInfo> getGrantorInfoList(String privList)
      throws HiveException {
    if (privList == null || privList.trim().equals("")) {
      return null;
    }
    validatePrivilege(privList);
    String[] grantArray = privList.split(",");
    List<PrivilegeGrantInfo> grantInfoList = new ArrayList<PrivilegeGrantInfo>();
    String grantor = SessionState.getUserFromAuthenticator();

    for (String grant : grantArray) {
      grantInfoList.add(new PrivilegeGrantInfo(grant, -1, grantor,
          PrincipalType.USER, true));
    }
    return grantInfoList;
  }

  private static void validatePrivilege(String ownerGrantsInConfig)
      throws HiveException {
    String[] ownerGrantArray = ownerGrantsInConfig.split(",");
    // verify the config
    for (String ownerGrant : ownerGrantArray) {
      Privilege prive = PrivilegeRegistry.getPrivilege(ownerGrant);
      if (prive == null) {
        throw new HiveException("Privilege " + ownerGrant + " is not found.");
      }
    }
  }

  public Map<String, List<PrivilegeGrantInfo>> getUserGrants() {
    Map<String, List<PrivilegeGrantInfo>> curUserGrants = new HashMap<String, List<PrivilegeGrantInfo>>();
    String owner = SessionState.getUserFromAuthenticator();
    if (owner != null && ownerGrant != null) {
      curUserGrants.put(owner, ownerGrant);
    }
    if (userGrants != null) {
      curUserGrants.putAll(userGrants);
    }
    return curUserGrants;
  }

  public Map<String, List<PrivilegeGrantInfo>> getGroupGrants() {
    return groupGrants;
  }

  public Map<String, List<PrivilegeGrantInfo>> getRoleGrants() {
    return roleGrants;
  }
}