Hive has a fairly serious bug: in the default configuration, any user can run the GRANT command and perform authorization operations.
In the Driver.compile method a hook on the AST can be added (Hive supports many kinds of hooks; their types and the stages at which they run are analyzed later) to forbid certain operations:
The relevant part of compile looks like this:
```java
BaseSemanticAnalyzer sem = SemanticAnalyzerFactory.get(conf, tree);
List<HiveSemanticAnalyzerHook> saHooks =
    getHooks(HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK,
        HiveSemanticAnalyzerHook.class);
// Reads hive.semantic.analyzer.hook; the value may list several hook classes separated by commas
// Do semantic analysis and plan generation
if (saHooks != null) {
  HiveSemanticAnalyzerHookContext hookCtx = new HiveSemanticAnalyzerHookContextImpl();
  hookCtx.setConf(conf);
  hookCtx.setUserName(userName);
  // Every hook sees (and may rewrite) the AST before analysis...
  for (HiveSemanticAnalyzerHook hook : saHooks) {
    tree = hook.preAnalyze(hookCtx, tree);
  }
  sem.analyze(tree, ctx);
  hookCtx.update(sem);
  // ...and is called again with the generated root tasks afterwards
  for (HiveSemanticAnalyzerHook hook : saHooks) {
    hook.postAnalyze(hookCtx, sem.getRootTasks());
  }
} else {
  sem.analyze(tree, ctx);
}
```
That is, during the compile stage the hive.semantic.analyzer.hook setting is read to obtain the configured hook classes, which are then applied to the AST one by one.
The concrete hook code is as follows:
```java
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

public class MyAuthHook extends AbstractSemanticAnalyzerHook {
  // The only user allowed to run the statements listed below
  private static String admin = "hdfs";

  @Override
  public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context,
      ASTNode ast) throws SemanticException {
    // Inspect the root token of the AST to recognise privileged statements
    switch (ast.getToken().getType()) {
      case HiveParser.TOK_CREATEDATABASE:
      case HiveParser.TOK_DROPDATABASE:
      case HiveParser.TOK_CREATEROLE:
      case HiveParser.TOK_DROPROLE:
      case HiveParser.TOK_GRANT:
      case HiveParser.TOK_REVOKE:
      case HiveParser.TOK_GRANT_ROLE:
      case HiveParser.TOK_REVOKE_ROLE:
        // Resolve the current user through the session's authenticator
        String userName = null;
        if (SessionState.get() != null
            && SessionState.get().getAuthenticator() != null) {
          userName = SessionState.get().getAuthenticator().getUserName();
        }
        // Anyone other than the admin (including an unknown user) is rejected
        if (!admin.equalsIgnoreCase(userName)) {
          throw new SemanticException(userName
              + " can't use ADMIN options, except " + admin + ".");
        }
        break;
      default:
        break;
    }
    return ast;
  }
}
```
Testing a grant command as an ordinary user:
```
FAILED: SemanticException User:ericni isn't ADMIN, please ask for hdfs.
14/12/04 16:24:41 ERROR ql.Driver: FAILED: SemanticException User:ericni isn't ADMIN, please ask for hdfs.
org.apache.hadoop.hive.ql.parse.SemanticException: User:ericni isn't ADMIN, please ask for hdfs.
	at com.vipshop.hive.plugin.AuthHook.preAnalyze(AuthHook.java:44)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:329)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1002)
	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1075)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:934)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:921)
	at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:281)
	at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:227)
	at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:442)
	at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:860)
	at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:733)
	at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:666)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.util.RunJar.main(RunJar.java:208)
```
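As an added example (not code from the original post), the same hook reworked so that the admin list comes from Hive configuration rather than a hard-coded constant, the user is taken from the context that Driver.compile fills via setUserName, and an unknown identity is rejected rather than compared against the admin name. The class name ConfigurableAuthHook and the property hive.auth.hook.admins are assumptions; the hook interface and parser tokens are Hive's own.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;

// Register in hive-site.xml (class and property names below are assumed, not Hive's own):
//   hive.semantic.analyzer.hook = com.example.ConfigurableAuthHook
//   hive.auth.hook.admins       = hdfs,hive
// The jar must be on Hive's classpath, e.g. through hive.aux.jars.path.
public class ConfigurableAuthHook extends AbstractSemanticAnalyzerHook {
  static final String ADMINS_KEY = "hive.auth.hook.admins"; // assumed property name
  static final String DEFAULT_ADMINS = "hdfs";

  @Override
  public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
      throws SemanticException {
    if (isAdminOnly(ast.getToken().getType())) {
      // Admin list comes from configuration instead of a hard-coded constant.
      String configured = context.getConf().get(ADMINS_KEY, DEFAULT_ADMINS);
      Set<String> admins = new HashSet<String>(
          Arrays.asList(configured.toLowerCase().split("\\s*,\\s*")));
      // Driver.compile() stores the authenticated user in the context before calling the hook.
      String user = context.getUserName();
      // Fail closed: an unknown identity is never treated as an admin.
      if (user == null || !admins.contains(user.toLowerCase())) {
        throw new SemanticException("User " + user
            + " may not run DDL or authorization statements; admins: " + admins);
      }
    }
    return ast;
  }

  // Token types reserved for admins; the same set the hook in the post checks.
  static boolean isAdminOnly(int tokenType) {
    switch (tokenType) {
      case HiveParser.TOK_CREATEDATABASE: case HiveParser.TOK_DROPDATABASE:
      case HiveParser.TOK_CREATEROLE:     case HiveParser.TOK_DROPROLE:
      case HiveParser.TOK_GRANT:          case HiveParser.TOK_REVOKE:
      case HiveParser.TOK_GRANT_ROLE:     case HiveParser.TOK_REVOKE_ROLE:
        return true;
      default:
        return false;
    }
  }
}
```

Because the hook runs inside Driver.compile, it applies to every entry point that goes through the Driver (CLI and HiveServer2 alike), but only when hive.semantic.analyzer.hook actually names the class on the server side.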
This article is reposted from 菜菜光's 51CTO blog; original link: http://blog.51cto.com/caiguangguang/1587253. Please contact the original author for permission to reproduce it.