Row-Level Permission Implementation in Apache Ranger

This article uses hive-agent as an example to explain how Apache Ranger implements row-level permissions in Hive.

Overall architecture

[Figure: class dependency diagram (類依賴.png)]

Core methods

HivePlugin.evalRowFilterPolicies: evaluates the row filter policies and produces a RangerAccessResult
RangerHiveAuthorizer.getRowFilterExpression: obtains the row filter expression
RangerHiveAuthorizer.applyRowFilterAndColumnMasking: converts the filter expression into a HivePrivilegeObject

Rewrite logic

TableMask.create

Rewrites select * from tableA into select * from (select * from tableA where col=filter)

  public String create(HivePrivilegeObject privObject, MaskAndFilterInfo maskAndFilterInfo)
      throws SemanticException {
    boolean doColumnMasking = false;
    boolean doRowFiltering = false;
    StringBuilder sb = new StringBuilder();
    // If column masking is required, each column is rewritten below
    sb.append("(SELECT ");
    boolean firstOne = true;
    List<String> exprs = privObject.getCellValueTransformers();
    if (exprs != null) {
      if (exprs.size() != privObject.getColumns().size()) {
        throw new SemanticException("Expect " + privObject.getColumns().size() + " columns in "
            + privObject.getObjectName() + ", but only find " + exprs.size());
      }
      List<String> colTypes = maskAndFilterInfo.colTypes;
      for (int index = 0; index < exprs.size(); index++) {
        String expr = exprs.get(index);
        if (expr == null) {
          throw new SemanticException("Expect string type CellValueTransformer in "
              + privObject.getObjectName() + ", but only find null");
        }
        if (!firstOne) {
          sb.append(", ");
        } else {
          firstOne = false;
        }
        String colName = privObject.getColumns().get(index);
        if (!expr.equals(colName)) {
          // A transformer that differs from the bare column name is a mask:
          // CAST(expr AS COLTYPE) AS COLNAME
          sb.append("CAST(" + expr + " AS " + colTypes.get(index) + ") AS "
              + HiveUtils.unparseIdentifier(colName, conf));
          doColumnMasking = true;
        } else {
          sb.append(HiveUtils.unparseIdentifier(colName, conf));
        }
      }
    }
    // No masking: emit a plain SELECT * subquery instead
    if (!doColumnMasking) {
      sb = new StringBuilder();
      sb.append("(SELECT *");
    }

    if (!maskAndFilterInfo.isView && !maskAndFilterInfo.isNonNative) {
      // put all virtual columns in RowResolver.
      Iterator<VirtualColumn> vcs = VirtualColumn.getRegistry(conf).iterator();
      while (vcs.hasNext()) {
        VirtualColumn vc = vcs.next();
        sb.append(", " + vc.getName());
      }
    }

    sb.append(" FROM ");
    sb.append(HiveUtils.unparseIdentifier(privObject.getDbname(), conf));
    sb.append(".");
    sb.append(HiveUtils.unparseIdentifier(privObject.getObjectName(), conf));
    sb.append(" " + maskAndFilterInfo.additionalTabInfo);
    String filter = privObject.getRowFilterExpression();
    if (filter != null) {
      // Append the Ranger row filter as the WHERE clause of the subquery
      sb.append(" WHERE " + filter);
      doRowFiltering = true;
    }
    // Close the subquery and attach the original table alias
    sb.append(")" + HiveUtils.unparseIdentifier(maskAndFilterInfo.alias, conf));

    if (!doColumnMasking && !doRowFiltering) {
      // nothing to do: the original table reference is kept unchanged
      return null;
    } else {
      LOG.debug("TableMask creates `" + sb.toString() + "`");
      return sb.toString();
    }
  }
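To make the rewrite above concrete, here is an added Python model of TableMask.create (not Hive's or Ranger's code): TableRef is a constructed stand-in for HivePrivilegeObject plus MaskAndFilterInfo, quote() approximates HiveUtils.unparseIdentifier with backtick quoting, and additionalTabInfo and the isNonNative check are omitted. It shows the four outcomes the Java method can produce: masked columns, filter only, masked and filtered, or no rewrite at all.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TableRef:
    """Constructed stand-in for HivePrivilegeObject + MaskAndFilterInfo (hypothetical name)."""
    db: str
    table: str
    columns: List[str]
    col_types: List[str]
    transformers: Optional[List[str]] = None  # getCellValueTransformers(): one expr per column
    row_filter: Optional[str] = None          # getRowFilterExpression()
    alias: str = "t"
    is_view: bool = False
    virtual_columns: List[str] = field(default_factory=list)  # VirtualColumn registry, if any

def quote(ident: str) -> str:
    """Approximates HiveUtils.unparseIdentifier: backtick-quote, doubling embedded backticks."""
    return "`" + ident.replace("`", "``") + "`"

def rewrite_table(ref: TableRef) -> Optional[str]:
    """Mirror TableMask.create: wrap the table in a masking/filtering subquery, or return None."""
    do_mask = False
    cols: List[str] = []
    if ref.transformers is not None:
        if len(ref.transformers) != len(ref.columns):
            raise ValueError(f"Expect {len(ref.columns)} columns in {ref.table}, "
                             f"but only find {len(ref.transformers)}")
        for expr, name, ctype in zip(ref.transformers, ref.columns, ref.col_types):
            if expr is None:
                raise ValueError(f"Expect string type CellValueTransformer in {ref.table}")
            if expr != name:
                # A transformer that differs from the bare column name is a mask:
                # CAST(expr AS COLTYPE) AS COLNAME keeps the original schema.
                cols.append(f"CAST({expr} AS {ctype}) AS {quote(name)}")
                do_mask = True
            else:
                cols.append(quote(name))
    # Without any mask the projection collapses back to SELECT *.
    select_list = ", ".join(cols) if do_mask else "*"
    if not ref.is_view:
        select_list += "".join(f", {vc}" for vc in ref.virtual_columns)
    sql = f"(SELECT {select_list} FROM {quote(ref.db)}.{quote(ref.table)}"
    if ref.row_filter is not None:
        sql += f" WHERE {ref.row_filter}"  # Ranger row filter lands in the inner WHERE
    sql += ")" + quote(ref.alias)
    # Neither masking nor filtering applied: caller keeps the original table reference.
    return sql if do_mask or ref.row_filter is not None else None
```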
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容