首页 > 代码库 > hive hook限制grant权限
hive hook限制grant权限
hive中有个比较严重的bug,默认情况下任何用户都可以运行grant命令来做授权操作
在Driver.compile方法中,可以增加对AST的hook(hive可以有很多hook,后面分析hive hook的类型和使用阶段),用来做一些forbidden的操作:
compile相关的内容如下:
BaseSemanticAnalyzer sem = SemanticAnalyzerFactory.get( conf, tree); List<HiveSemanticAnalyzerHook> saHooks = getHooks(HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK, HiveSemanticAnalyzerHook. class); // 获取hive.semantic.analyzer.hook的设置,可以是多项,中间以逗号分隔 // Do semantic analysis and plan generation if (saHooks != null) { HiveSemanticAnalyzerHookContext hookCtx = new HiveSemanticAnalyzerHookContextImpl(); hookCtx.setConf( conf); hookCtx.setUserName( userName); for (HiveSemanticAnalyzerHook hook : saHooks) { tree = hook.preAnalyze(hookCtx, tree); } sem.analyze(tree, ctx); hookCtx.update(sem); for (HiveSemanticAnalyzerHook hook : saHooks) { hook.postAnalyze(hookCtx, sem.getRootTasks()); } } else { sem.analyze(tree, ctx); }
即,compile阶段通过获取hive.semantic.analyzer.hook的设置,来获取对应的hook方法,然后逐一应用到ast中。
具体的代码如下:
import org.apache.hadoop.hive.ql.parse.ASTNode; import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook; import org.apache.hadoop.hive.ql.parse.HiveParser; import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext; import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.session.SessionState; public class MyAuthHook extends AbstractSemanticAnalyzerHook { private static String admin = "hdfs; @Override public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException { switch (ast.getToken().getType()) { case HiveParser.TOK_CREATEDATABASE: case HiveParser.TOK_DROPDATABASE: case HiveParser.TOK_CREATEROLE: case HiveParser.TOK_DROPROLE: case HiveParser.TOK_GRANT: case HiveParser.TOK_REVOKE: case HiveParser.TOK_GRANT_ROLE: case HiveParser.TOK_REVOKE_ROLE: String userName = null; if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) { userName = SessionState.get().getAuthenticator().getUserName(); } if (!admin.equalsIgnoreCase(userName)) { throw new SemanticException(userName + " can‘t use ADMIN options, except " + admin + "."); } break; default: break; } return ast; } }
测试一般用户的grant命令:
FAILED: SemanticException User:ericni isn‘t ADMIN, please ask for hdfs. 14/12/04 16:24:41 ERROR ql.Driver: FAILED: SemanticException User:ericni isn‘t ADMIN, please ask for hdfs. org.apache.hadoop.hive.ql.parse.SemanticException: User:ericni isn‘t ADMIN, please ask for hdfs. at com.vipshop.hive.plugin.AuthHook.preAnalyze(AuthHook.java:44) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:329) at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1002) at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1075) at org.apache.hadoop.hive.ql.Driver.run(Driver.java:934) at org.apache.hadoop.hive.ql.Driver.run(Driver.java:921) at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:281) at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:227) at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:442) at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:860) at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:733) at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:666) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
本文出自 “菜光光的博客” 博客,请务必保留此出处http://caiguangguang.blog.51cto.com/1652935/1587253
hive hook限制grant权限
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。