[jira] [Work logged] (HIVE-26248) Add data connector authorization on HMS server-side

ASF GitHub Bot (Jira) Wed, 10 Aug 2022 10:56:07 -0700


     [ 
https://issues.apache.org/jira/browse/HIVE-26248?focusedWorklogId=799805&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-799805
 ]


ASF GitHub Bot logged work on HIVE-26248:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Aug/22 17:55
            Start Date: 10/Aug/22 17:55
    Worklog Time Spent: 10m 
      Work Description: saihemanth-cloudera commented on code in PR #3312:
URL: https://github.com/apache/hive/pull/3312#discussion_r942718845


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/AlterDataConnectorEvent.java:
##########
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.hive.metastore.api.DataConnector;
+import org.apache.hadoop.hive.metastore.events.PreAlterDataConnectorEvent;
+import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizableEvent;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthzInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/*
+ Authorizable Event for HiveMetaStore operation AlterDataConnector
+ */
+
+public class AlterDataConnectorEvent extends HiveMetaStoreAuthorizableEvent {
+  private static final Logger LOG = 
LoggerFactory.getLogger(AlterDataConnectorEvent.class);
+
+  private String COMMAND_STR = "alter connector";
+
+  public AlterDataConnectorEvent(PreEventContext preEventContext) {
+    super(preEventContext);
+  }
+
+  @Override
+  public HiveMetaStoreAuthzInfo getAuthzContext() {
+    HiveMetaStoreAuthzInfo ret =
+        new HiveMetaStoreAuthzInfo(preEventContext, 
HiveOperationType.ALTERDATACONNECTOR, getInputHObjs(),
+            getOutputHObjs(), COMMAND_STR);
+
+    return ret;
+  }
+
+  private List<HivePrivilegeObject> getInputHObjs() {
+    return Collections.emptyList();

Review Comment:
   Instead of sending an empty list, we need to send the old dataconnector 
object, so that the authorization service can check if the current user has 
required access/privilege on this connector. Anyway we have oldDC object in the 
 PreAlterDataConnectorEvent, so let's just pass it in here. 



##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizableEvent.java:
##########
@@ -71,4 +72,10 @@ protected HivePrivilegeObject 
getHivePrivilegeObjectLocalUri(String uri) {
     return new 
HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI, 
null, uri);
   }
 
+  protected HivePrivilegeObject getHivePrivilegeObject(DataConnector 
connector) {
+    return new 
HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.DATACONNECTOR, 
null,
+        connector.getName(), null, null, 
HivePrivilegeObject.HivePrivObjectActionType.OTHER, null, null,

Review Comment:
   We might need connector type and connector url in authorization service 
right? Can we include them here instead of passing null?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 799805)
    Time Spent: 1h 20m  (was: 1h 10m)

> Add data connector authorization on HMS server-side
> ---------------------------------------------------
>
>                 Key: HIVE-26248
>                 URL: https://issues.apache.org/jira/browse/HIVE-26248
>             Project: Hive
>          Issue Type: Sub-task
>    Affects Versions: 4.0.0-alpha-1, 4.0.0-alpha-2
>            Reporter: zhangbutao
>            Assignee: zhangbutao
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Work logged] (HIVE-26248) Add data connector authorization on HMS server-side

Reply via email to