In the first three sections, basic data has been maintained for hive permission control, and now the user permission configuration function has been implemented. In addition, you can perform maintenance and management through the interface. Next, the most important thing is to modify the Hive source code. Mainly for org. apache. hadoop. hive. conf. HiveConf and org. apache. hadoop.
In the first three sections, basic data has been maintained for hive permission control, and now the user permission configuration function has been implemented. In addition, you can perform maintenance and management through the interface. Next, the most important thing is to modify the Hive source code. Mainly for org. apache. hadoop. hive. conf. HiveConf and org. apache. hadoop.
In the first three sections, basic data has been maintained for hive permission control, and now the user permission configuration function has been implemented. In addition, you can perform maintenance and management through the interface. Next, the most important thing is to modify the Hive source code.
Mainly for org. apache. hadoop. hive. conf. HiveConf and org. apache. hadoop. hive. ql. Driver
First, targeting our specific needs,
Extended org. apache. hadoop. hive. conf. HiveConf
?? Public static enum ConfVars {KUXUNUSER ("hive. kuxun. username "," "), // username KUXUNPASSWORD (" hive. kuxun. password "," "), // password KUXUN_HIVESERVER_URL (" hive. kuxun. hiveserver. url "," "), // permission Authentication database address KUXUN_HIVESERVER_USER (" hive. kuxun. hiveserver. username "," "), // permission Authentication database username KUXUN_HIVESERVER_PASSWORD (" hive. kuxun. hiveserver. password "," "), // permission Authentication database password KUXUN_RESERVE_A (" hive. kuxun. resrver. a "," "), // retain KUXUN_RESERVE_ B (" hive. kuxun. r Esrver. B "," "), // retain KUXUN_RESERVE_C (" hive. kuxun. resrver. c "," "), // retain KUXUN_RESERVE_D (" hive. kuxun. resrver. d "," "), // retain ????????.......}
Extends the org. apache. hadoop. hive. ql. Driver Class.
Two new private variables are added. Used to store transmitted user and password information.
private String username ="";private String password ="";
Added the implementation of getting username and password in the run () method.
this.username = HiveConf.getVar(conf, HiveConf.ConfVars.KUXUNUSER);this.password = HiveConf.getVar(conf, HiveConf.ConfVars.KUXUNPASSWORD);
Add method:
Private void doAuthorizationExtend (BaseSemanticAnalyzer sem) throws HiveException, AuthorizationException {// get user permission information UserAuthDataMode ua; try {ua = new UserAuthDataMode (this. username, this. password, this. conf); ua. run ();} catch (Exception e) {throw new AuthorizationException (e. getMessage ();} if (ua. isSuperUser () {LOG. error ("current user is super user, do not check authorization. "); return;} LOG. warn ("current User is ["+ this. username +"]. start check authorization .......");???? LOG. warn ("current user [" + this. username + "] execute command [" + this. userCommand + "].");? HashSet inputs = sem. getInputs (); SessionState ss = SessionState. get (); HiveOperation op = ss. getHiveOperation (); if (op! = Null) {} // do not handle this method. hiveserver does not provide the write operation LOG. debug ("--------- auth KUXUN --------------"); if (inputs! = Null & inputs. size ()> 0) {if (inputs. size ()> ua. getMaxMapCount () {String errorMsg = "The max partition numbers which you can handler in one job is [" + ua. getMaxMapCount () + "], but current is [" + inputs. size () + "]. pemission denied. "; Exception ex = new Exception (errorMsg); throw new AuthorizationException (errorMsg, ex);} for (ReadEntity read: inputs) {if (read. getPartition ()! = Null) {Table tbl = read. getTable (); String tblName = tbl. getTableName (); LOG. debug ("----- dbName. tableName --------- "+ tbl. getDbName () + ". "+ tblName); String tblFullName = tbl. getDbName () + ". "+ tblName; // if the database of the current table is not in the user permission database and the table is not in the user permission table, an exception if (ua. getDbNameList (). indexOf (tbl. getDbName () partValueList = part. getValues (); List partList = tbl. getPartitionKeys (); int partSize = partList. size (); for (int I = 0; I TsoTopMap = parseCtx. getTopToTable ();? For (Map. Entry> topOpMap: querySem. getParseContext (). getTopOps (). entrySet () {Operator
TopOp = topOpMap. getValue (); if (topOp instanceof TableScanOperator & tsoTopMap. containsKey (topOp) {TableScanOperator tableScanOp = (TableScanOperator) topOp; Table tbl = tsoTopMap. get (tableScanOp); String dbName = tbl. getDbName (); String tblName = tbl. getTableName (); List neededColumnIds = tableScanOp. getNeededColumnIDs (); List columns = tbl. getCols (); List cols = new ArrayList (); if (neededColumnIds! = Null) {LOG. debug ("------- neededColumnIds -----" + neededColumnIds. size ();} else {LOG. debug ("------- neededColumnIds ----- null");} if (neededColumnIds! = Null & neededColumnIds. size ()> 0) {for (int I = 0; I <neededColumnIds. size (); I ++) {cols. add (columns. get (neededColumnIds. get (I )). getName () ;}} else {for (int I = 0; I <columns. size (); I ++) {cols. add (columns. get (I ). getName () ;}/// determines whether a non-partition table exists in the permission object String fullTableName = dbName + ". "+ tblName; if (ua. getDbNameList (). indexOf (tbl. getDbName () authColList = ua. getExcludeColumnList (). get (fullTableName); f Or (String col: cols) {if (authColList. indexOf (col )! =-1) {throw new AuthorizationException ("table [" + fullTableName + "] column [" + col + "] Pemission denied. ");} LOG. debug ("-------- col ------------" + dbName + ". "+ tblName +": "+ col) ;}// determines whether a column must be included, but if (ua. getIncludeColumnList (). containsKey (fullTableName) {List authColList = ua. getIncludeColumnList (). get (fullTableName); for (String authCol: authColList) {if (cols. indexOf (authCol) =-1) {throw new Authorizati OnException ("table [" + fullTableName + "] must contain ?? Column ["+ authCol +"]. Pemission denied .");}}}?}}}}}
Add custom permission authentication method calls to the complie Method
Public int compile (String command, boolean resetTaskIds ){?????? Try {?????? DoAuthorizationExtend (sem );??????} Catch (AuthorizationException authExp ){?????? ErrorMessage = "FAILED: Kuxun Authorization failed:" + authExp. getMessage ()?????????? + "Please contact anyoneking@163.com for your information .";?????? Console. printError ("Kuxun Authorization failed:" + authExp. getMessage ()?????????????????? + "Please contact anyoneking@163.com for your information .");?????????????? Return 403 ;??????}} Note: errorMessage must be assigned a value after an exception is obtained. Otherwise, no exception prompt is displayed when an exception occurs during access through hive client, and only NUll is displayed.
After the preceding steps are completed, package the package again and put it under hivelib.
Also pay attention to modifying the hive-site.xml to pass the corresponding information.
??hive.kuxun.username??test???hive.kuxun.password??test?????hive.kuxun.hiveserver.url??jdbc:mysql://localhost:3306/hiveserver??hiveserver jdbc connection url???hive.kuxun.hiveserver.username??test??username to use against hiveserver database???hive.kuxun.hiveserver.password??test??password to use against hiveserver database
Original article address: Custom Hive permission control (4) Extend Hive to implement custom permission control. Thanks to the original author for sharing.