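Tags: hive hook
Hive has a fairly serious bug: by default, any user can run the grant command to perform authorization operations.
In the Driver.compile method, a hook on the AST can be added (Hive supports many kinds of hook; the hook types and the stages at which they run are analyzed later) and used to forbid certain operations:
The relevant part of compile is as follows: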
    BaseSemanticAnalyzer sem = SemanticAnalyzerFactory.get(conf, tree);
    List<HiveSemanticAnalyzerHook> saHooks =
        getHooks(HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK,
                 HiveSemanticAnalyzerHook.class); // read the hive.semantic.analyzer.hook setting; it may list several hooks, separated by commas
    // Do semantic analysis and plan generation
    if (saHooks != null) {
      HiveSemanticAnalyzerHookContext hookCtx = new HiveSemanticAnalyzerHookContextImpl();
      hookCtx.setConf(conf);
      hookCtx.setUserName(userName);
      for (HiveSemanticAnalyzerHook hook : saHooks) {
        tree = hook.preAnalyze(hookCtx, tree);
      }
      sem.analyze(tree, ctx);
      hookCtx.update(sem);
      for (HiveSemanticAnalyzerHook hook : saHooks) {
        hook.postAnalyze(hookCtx, sem.getRootTasks());
      }
    } else {
      sem.analyze(tree, ctx);
    }

That is, the compile stage reads the hive.semantic.analyzer.hook setting to obtain the corresponding hooks, then applies them one by one to the AST.
The concrete code is as follows:
    import org.apache.hadoop.hive.ql.parse.ASTNode;
    import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
    import org.apache.hadoop.hive.ql.parse.HiveParser;
    import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
    import org.apache.hadoop.hive.ql.parse.SemanticException;
    import org.apache.hadoop.hive.ql.session.SessionState;

    public class MyAuthHook extends AbstractSemanticAnalyzerHook {
      // The only user allowed to run the administrative statements below
      private static String admin = "hdfs";

      @Override
      public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context,
          ASTNode ast) throws SemanticException {
        // Inspect the root token of the AST to identify the statement type
        switch (ast.getToken().getType()) {
        case HiveParser.TOK_CREATEDATABASE:
        case HiveParser.TOK_DROPDATABASE:
        case HiveParser.TOK_CREATEROLE:
        case HiveParser.TOK_DROPROLE:
        case HiveParser.TOK_GRANT:
        case HiveParser.TOK_REVOKE:
        case HiveParser.TOK_GRANT_ROLE:
        case HiveParser.TOK_REVOKE_ROLE:
          // Look up the authenticated user of the current session
          String userName = null;
          if (SessionState.get() != null
              && SessionState.get().getAuthenticator() != null) {
            userName = SessionState.get().getAuthenticator().getUserName();
          }
          // Reject the statement unless it is issued by the admin user;
          // a null userName is rejected as well
          if (!admin.equalsIgnoreCase(userName)) {
            throw new SemanticException(userName
                + " can't use ADMIN options, except " + admin + ".");
          }
          break;
        default:
          break;
        }
        return ast;
      }
    }

Testing the grant command as an ordinary user:
    FAILED: SemanticException User:ericni isn't ADMIN, please ask for hdfs.
    14/12/04 16:24:41 ERROR ql.Driver: FAILED: SemanticException User:ericni isn't ADMIN, please ask for hdfs.
    org.apache.hadoop.hive.ql.parse.SemanticException: User:ericni isn't ADMIN, please ask for hdfs.
        at com.vipshop.hive.plugin.AuthHook.preAnalyze(AuthHook.java:44)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:329)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1002)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1075)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:934)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:921)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:281)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:227)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:442)
        at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:860)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:733)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:666)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
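For Driver.compile to pick up the hook, its class name has to be present in hive.semantic.analyzer.hook. The hive-site.xml fragment below is an added example, not part of the original post: it assumes the MyAuthHook class shown above (default package) is packaged in a jar on Hive's classpath, and it additionally lists the hook property in hive.conf.restricted.list so that the value comes from the site configuration and is rejected when a session tries to change it with set.

```xml
<!-- Added example: register the semantic analyzer hook site-wide. -->
<!-- Assumption: MyAuthHook is in the default package and its jar is on Hive's classpath. -->
<property>
  <name>hive.semantic.analyzer.hook</name>
  <!-- Several hooks may be listed, separated by commas -->
  <value>MyAuthHook</value>
</property>

<!-- Properties named here cannot be modified at runtime from within a session. -->
<!-- Setting this property replaces any list already configured, so append to the -->
<!-- existing value if your deployment already restricts other properties. -->
<property>
  <name>hive.conf.restricted.list</name>
  <value>hive.semantic.analyzer.hook</value>
</property>
```

A quick check after deployment is to repeat the test above as a non-admin user and confirm that the grant statement still fails with the hook's SemanticException.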
This article comes from the blog "菜光光的博客"; please be sure to keep this attribution: http://caiguangguang.blog.51cto.com/1652935/1587253
Original article: http://caiguangguang.blog.51cto.com/1652935/1587253