
Restricting GRANT permissions with a Hive hook

Hive has a fairly serious bug: by default, any user can run the grant command to perform authorization operations.

In the Driver.compile method, a hook on the AST can be added (Hive supports many kinds of hooks; the hook types and the stages at which they run will be analyzed in a later post) to forbid certain operations:

The relevant part of compile is as follows:

BaseSemanticAnalyzer sem = SemanticAnalyzerFactory.get(conf, tree);
List<HiveSemanticAnalyzerHook> saHooks =
    getHooks(HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK,
        HiveSemanticAnalyzerHook.class);  // reads the hive.semantic.analyzer.hook setting; several hooks may be listed, separated by commas
// Do semantic analysis and plan generation
if (saHooks != null) {
  HiveSemanticAnalyzerHookContext hookCtx = new HiveSemanticAnalyzerHookContextImpl();
  hookCtx.setConf(conf);
  hookCtx.setUserName(userName);
  for (HiveSemanticAnalyzerHook hook : saHooks) {
    tree = hook.preAnalyze(hookCtx, tree);   // each hook sees (and may rewrite or reject) the AST before analysis
  }
  sem.analyze(tree, ctx);
  hookCtx.update(sem);
  for (HiveSemanticAnalyzerHook hook : saHooks) {
    hook.postAnalyze(hookCtx, sem.getRootTasks());
  }
} else {
  sem.analyze(tree, ctx);
}

That is, during the compile phase Hive reads the hive.semantic.analyzer.hook setting to obtain the configured hook classes, then applies them one by one to the AST.

The concrete hook code is as follows:

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

public class MyAuthHook extends AbstractSemanticAnalyzerHook {
    // The only user allowed to run authorization and database DDL
    private static String admin = "hdfs";

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context,
            ASTNode ast) throws SemanticException {
        switch (ast.getToken().getType()) {
        // Statement types that are restricted to the admin user
        case HiveParser.TOK_CREATEDATABASE:
        case HiveParser.TOK_DROPDATABASE:
        case HiveParser.TOK_CREATEROLE:
        case HiveParser.TOK_DROPROLE:
        case HiveParser.TOK_GRANT:
        case HiveParser.TOK_REVOKE:
        case HiveParser.TOK_GRANT_ROLE:
        case HiveParser.TOK_REVOKE_ROLE:
            // Resolve the current user from the session authenticator
            String userName = null;
            if (SessionState.get() != null
                    && SessionState.get().getAuthenticator() != null) {
                userName = SessionState.get().getAuthenticator().getUserName();
            }
            // Anyone other than admin (including an unknown user) is rejected
            if (!admin.equalsIgnoreCase(userName)) {
                throw new SemanticException(userName
                        + " can't use ADMIN options, except " + admin + ".");
            }
            break;
        default:
            break;
        }
        return ast;
    }
}
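The hook above hard-codes a single admin user and says nothing about who was refused. The following variant is an added example, not code from the original post: it keeps the same gate on the same statement types, but reads the admin list from a configuration property (the property name my.auth.hook.admins and the class name ConfigurableAuthHook are assumptions, not Hive settings), takes the user name that Driver.compile placed on the hook context before falling back to SessionState, fails closed when the user is unknown, and writes a log line for every denied attempt so that authorization changes can be audited.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

/**
 * Added example (not the original post's code): an admin-only gate for
 * authorization DDL with a configurable admin list and audit logging.
 */
public class ConfigurableAuthHook extends AbstractSemanticAnalyzerHook {
    private static final Log LOG = LogFactory.getLog(ConfigurableAuthHook.class);

    // Hypothetical property name; this is not a built-in Hive setting.
    static final String ADMINS_PROPERTY = "my.auth.hook.admins";
    static final String DEFAULT_ADMINS = "hdfs";

    /** Statement types that only an admin may run (same list as the post). */
    static boolean isAdminOnly(int tokenType) {
        switch (tokenType) {
        case HiveParser.TOK_CREATEDATABASE:
        case HiveParser.TOK_DROPDATABASE:
        case HiveParser.TOK_CREATEROLE:
        case HiveParser.TOK_DROPROLE:
        case HiveParser.TOK_GRANT:
        case HiveParser.TOK_REVOKE:
        case HiveParser.TOK_GRANT_ROLE:
        case HiveParser.TOK_REVOKE_ROLE:
            return true;
        default:
            return false;
        }
    }

    /** Parse the comma-separated admin list; matching is case-insensitive. */
    static Set<String> adminsFrom(Configuration conf) {
        Set<String> admins = new HashSet<String>();
        String[] names = (conf == null)
                ? new String[] { DEFAULT_ADMINS }
                : conf.getTrimmedStrings(ADMINS_PROPERTY, DEFAULT_ADMINS);
        for (String name : names) {
            if (!name.isEmpty()) {
                admins.add(name.toLowerCase(Locale.ROOT));
            }
        }
        return admins;
    }

    /** Prefer the user Driver.compile set on the context; fall back to the session authenticator. */
    static String currentUser(HiveSemanticAnalyzerHookContext context) {
        String user = context.getUserName();
        if (user == null && SessionState.get() != null
                && SessionState.get().getAuthenticator() != null) {
            user = SessionState.get().getAuthenticator().getUserName();
        }
        return user;
    }

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        if (!isAdminOnly(ast.getToken().getType())) {
            return ast;  // ordinary statements pass through untouched
        }
        String user = currentUser(context);
        Set<String> admins = adminsFrom(context.getConf());
        String stmt = ast.getToken().getText();
        // An unknown (null) user is treated as non-admin: fail closed.
        if (user == null || !admins.contains(user.toLowerCase(Locale.ROOT))) {
            LOG.warn("DENIED admin statement " + stmt + " for user " + user
                    + "; allowed admins: " + admins);
            throw new SemanticException(user + " can't use ADMIN options, except "
                    + admins + ".");
        }
        LOG.info("ALLOWED admin statement " + stmt + " for user " + user);
        return ast;
    }
}
```

To activate either hook, put its jar on the Hive classpath and set hive.semantic.analyzer.hook to the class name in hive-site.xml. Because Driver.compile reads that property from the session configuration, a client that is allowed to change it with a set command could switch the hook off; on Hive releases that support hive.conf.restricted.list, add hive.semantic.analyzer.hook to that list so the value cannot be altered at runtime.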

Testing the grant command as an ordinary user:

FAILED: SemanticException User:ericni isn‘t ADMIN, please ask for hdfs.
14/12/04 16:24:41 ERROR ql.Driver: FAILED: SemanticException User:ericni isn‘t ADMIN, please ask for hdfs.
org.apache.hadoop.hive.ql.parse.SemanticException: User:ericni isn‘t ADMIN, please ask for hdfs.
        at com.vipshop.hive.plugin.AuthHook.preAnalyze(AuthHook.java:44)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:329)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1002)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1075)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:934)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:921)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:281)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:227)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:442)
        at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:860)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:733)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:666)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:208)


This article is from the blog “菜光光的博客”; please keep this source notice: http://caiguangguang.blog.51cto.com/1652935/1587253
