Hive Privilege Analysis

Published: 2023/12/18

Hive Privilege is the foundation of Hive's permission system.

PrivilegeType (privilege type)

An enumeration of the privilege types, plus static methods that return a PrivilegeType for a given token or name.

```java
public enum PrivilegeType {
  ALL(HiveParser.TOK_PRIV_ALL, "All"),
  ALTER_DATA(HiveParser.TOK_PRIV_ALTER_DATA, "Update"),
  ALTER_METADATA(HiveParser.TOK_PRIV_ALTER_METADATA, "Alter"),
  CREATE(HiveParser.TOK_PRIV_CREATE, "Create"),
  DROP(HiveParser.TOK_PRIV_DROP, "Drop"),
  LOCK(HiveParser.TOK_PRIV_LOCK, "Lock"),
  SELECT(HiveParser.TOK_PRIV_SELECT, "Select"),
  SHOW_DATABASE(HiveParser.TOK_PRIV_SHOW_DATABASE, "Show_Database"),
  INSERT(HiveParser.TOK_PRIV_INSERT, "Insert"),
  DELETE(HiveParser.TOK_PRIV_DELETE, "Delete"),
  UNKNOWN(null, null);

  private final String name;
  private final Integer token;

  PrivilegeType(Integer token, String name){
    this.name = name;
    this.token = token;
  }

  @Override
  public String toString(){
    return name == null ? "unkown" : name;
  }

  public Integer getToken() {
    return token;
  }

  private static Map<Integer, PrivilegeType> token2Type;
  private static Map<String, PrivilegeType> name2Type;

  // Return the privilege type for a parser token
  public static PrivilegeType getPrivTypeByToken(int token) {
    // implementation omitted
  }

  // Return the privilege type for a privilege name
  public static PrivilegeType getPrivTypeByName(String privilegeName) {
    // implementation omitted
  }
}
```

PrivilegeScope (privilege scope)

Defines four scopes: user level, database level, table level and column level. It also defines two enum sets: ALLSCOPE contains every scope, and ALLSCOPE_EXCEPT_COLUMN contains every scope except column level.

```java
public enum PrivilegeScope {
  // User level
  USER_LEVEL_SCOPE((short) 0x01),
  // Database level
  DB_LEVEL_SCOPE((short) 0x02),
  // Table level
  TABLE_LEVEL_SCOPE((short) 0x04),
  // Column level
  COLUMN_LEVEL_SCOPE((short) 0x08);

  private short mode;

  private PrivilegeScope(short mode) {
    this.mode = mode;
  }

  public short getMode() {
    return mode;
  }

  public void setMode(short mode) {
    this.mode = mode;
  }

  public static EnumSet<PrivilegeScope> ALLSCOPE = EnumSet.of(
      PrivilegeScope.USER_LEVEL_SCOPE, PrivilegeScope.DB_LEVEL_SCOPE,
      PrivilegeScope.TABLE_LEVEL_SCOPE, PrivilegeScope.COLUMN_LEVEL_SCOPE);

  public static EnumSet<PrivilegeScope> ALLSCOPE_EXCEPT_COLUMN = EnumSet.of(
      PrivilegeScope.USER_LEVEL_SCOPE, PrivilegeScope.DB_LEVEL_SCOPE,
      PrivilegeScope.TABLE_LEVEL_SCOPE);
}
```

Privilege

Each privilege has two fields: its privilege type and the set of scopes it supports. Privilege is not an enum, but it defines a number of static instances.

```java
public class Privilege {
  private PrivilegeType priv;
  private EnumSet<PrivilegeScope> supportedScopeSet;

  private Privilege(PrivilegeType priv, EnumSet<PrivilegeScope> scopeSet) {
    super();
    this.priv = priv;
    this.supportedScopeSet = scopeSet;
  }

  public Privilege(PrivilegeType priv) {
    super();
    this.priv = priv;
  }

  public Privilege() {
  }

  public static Privilege ALL = new Privilege(PrivilegeType.ALL,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege ALTER_METADATA = new Privilege(PrivilegeType.ALTER_METADATA,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege ALTER_DATA = new Privilege(PrivilegeType.ALTER_DATA,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege CREATE = new Privilege(PrivilegeType.CREATE,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege DROP = new Privilege(PrivilegeType.DROP,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege LOCK = new Privilege(PrivilegeType.LOCK,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege SELECT = new Privilege(PrivilegeType.SELECT,
      PrivilegeScope.ALLSCOPE);

  public static Privilege INSERT = new Privilege(PrivilegeType.INSERT,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege DELETE = new Privilege(PrivilegeType.DELETE,
      PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN);

  public static Privilege SHOW_DATABASE = new Privilege(PrivilegeType.SHOW_DATABASE,
      EnumSet.of(PrivilegeScope.USER_LEVEL_SCOPE));
}
```

HiveOperation

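HiveOperation defines every Hive operation. Each operation has an operation name, the input privileges and output privileges it requires, a flag for whether it is allowed inside a transaction, and a flag for whether it requires an open transaction.
For example, COMMIT and ROLLBACK are allowed inside a transaction and require an open transaction.
SHOWTABLES, SHOWCOLUMNS, SHOW_TABLESTATUS, SHOW_TBLPROPERTIES, SHOWVIEWS, SHOWLOCKS, SHOW_GRANT, SHOW_ROLES and SET_AUTOCOMMIT are allowed inside a transaction but do not require an open transaction.

```java
enum HiveOperation {
  // ... operation constants omitted ...

  private String operationName;
  private Privilege[] inputRequiredPrivileges;
  private Privilege[] outputRequiredPrivileges;
  private final boolean allowedInTransaction;
  private final boolean requiresOpenTransaction;
}
```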

HiveAuthenticationProvider

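HiveAuthenticationProvider supplies the authentication information: the user name and the group names.
Its subclasses are:

  • HadoopDefaultAuthenticator: the default; it uses UserGroupInformation to obtain the user name and group names.

  • SessionStateConfigUserAuthenticator: obtains the user name from the current session's SessionState; the group names are an empty list. In the hive terminal, running set user.name=xxx changes the user of the current session, so the client chooses its own identity; it is essentially only used for testing.

  • SessionStateUserAuthenticator: returns the user name from sessionState.getUserName(); the group names are an empty list.

```java
public interface HiveAuthenticationProvider extends Configurable{

  public String getUserName();

  public List<String> getGroupNames();

  public void destroy() throws HiveException;

  public void setSessionState(SessionState ss);
}
```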

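HiveAuthorizationProvider (authorization)

Checks whether the caller holds the privileges required for the given operation, and throws an exception when it does not.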

```java
public interface HiveAuthorizationProvider extends Configurable{

  public void init(Configuration conf) throws HiveException;

  public HiveAuthenticationProvider getAuthenticator();

  public void setAuthenticator(HiveAuthenticationProvider authenticator);

  /**
   * Authorization user level privileges.
   *
   * @param readRequiredPriv
   *          a list of privileges needed for inputs.
   * @param writeRequiredPriv
   *          a list of privileges needed for outputs.
   * @throws HiveException
   * @throws AuthorizationException
   */
  public void authorize(Privilege[] readRequiredPriv,
      Privilege[] writeRequiredPriv) throws HiveException,
      AuthorizationException;

  /**
   * Authorization privileges against a database object.
   *
   * @param db
   *          database
   * @param readRequiredPriv
   *          a list of privileges needed for inputs.
   * @param writeRequiredPriv
   *          a list of privileges needed for outputs.
   * @throws HiveException
   * @throws AuthorizationException
   */
  public void authorize(Database db, Privilege[] readRequiredPriv,
      Privilege[] writeRequiredPriv) throws HiveException,
      AuthorizationException;

  /**
   * Authorization privileges against a hive table object.
   *
   * @param table
   *          table object
   * @param readRequiredPriv
   *          a list of privileges needed for inputs.
   * @param writeRequiredPriv
   *          a list of privileges needed for outputs.
   * @throws HiveException
   * @throws AuthorizationException
   */
  public void authorize(Table table, Privilege[] readRequiredPriv,
      Privilege[] writeRequiredPriv) throws HiveException,
      AuthorizationException;

  /**
   * Authorization privileges against a hive partition object.
   *
   * @param part
   *          partition object
   * @param readRequiredPriv
   *          a list of privileges needed for inputs.
   * @param writeRequiredPriv
   *          a list of privileges needed for outputs.
   * @throws HiveException
   * @throws AuthorizationException
   */
  public void authorize(Partition part, Privilege[] readRequiredPriv,
      Privilege[] writeRequiredPriv) throws HiveException,
      AuthorizationException;

  /**
   * Authorization privileges against a list of columns. If the partition object
   * is not null, look at the column grants for the given partition. Otherwise
   * look at the table column grants.
   *
   * @param table
   *          table object
   * @param part
   *          partition object
   * @param columns
   *          a list of columns
   * @param readRequiredPriv
   *          a list of privileges needed for inputs.
   * @param writeRequiredPriv
   *          a list of privileges needed for outputs.
   * @throws HiveException
   * @throws AuthorizationException
   */
  public void authorize(Table table, Partition part, List<String> columns,
      Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
      throws HiveException, AuthorizationException;

  /**
   * @return HivePolicyProvider instance (expected to be a singleton)
   * @throws HiveAuthzPluginException
   */
  default HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
    return null;
  }
}
```
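The supported-scope sets on Privilege and the throw-on-failure contract of authorize(), combined in one small stand-alone model. This is an added example, not Hive's code: the names Scope, Priv, grant and PrivilegeScopeDemo, and the rule that a grant at a wider scope covers narrower objects, are assumptions of the model; the scope sets for SELECT, INSERT and SHOW_DATABASE are taken from the Privilege constants shown earlier on this page.

```java
import java.util.*;

// Added illustration: a simplified stand-alone model, not Hive's classes.
public class PrivilegeScopeDemo {
    enum Scope { USER, DB, TABLE, COLUMN }          // ordered widest to narrowest

    // Supported scopes copied from the Privilege constants on this page.
    enum Priv {
        SELECT(EnumSet.allOf(Scope.class)),
        INSERT(EnumSet.of(Scope.USER, Scope.DB, Scope.TABLE)),
        SHOW_DATABASE(EnumSet.of(Scope.USER));
        private final Set<Scope> supported;
        Priv(EnumSet<Scope> s) { supported = Collections.unmodifiableSet(s); }
        boolean supports(Scope s) { return supported.contains(s); }
    }

    // One principal's grants, keyed by the scope they were granted at.
    private final Map<Scope, Set<Priv>> grants = new EnumMap<>(Scope.class);

    // Reject a grant at a scope the privilege does not support.
    void grant(Priv p, Scope at) {
        if (!p.supports(at))
            throw new IllegalArgumentException(p + " cannot be granted at " + at);
        grants.computeIfAbsent(at, k -> EnumSet.noneOf(Priv.class)).add(p);
    }

    // Deny by default: every required privilege must be held at the object's
    // scope or a wider one (assumption of this model); otherwise throw.
    void authorize(Scope objectScope, Priv[] readRequired, Priv[] writeRequired) {
        List<Priv> required = new ArrayList<>(Arrays.asList(readRequired));
        required.addAll(Arrays.asList(writeRequired));
        for (Priv p : required) {
            boolean held = false;
            for (Scope s : Scope.values()) {
                if (s.compareTo(objectScope) > 0) break;   // narrower than the object
                held |= grants.getOrDefault(s, Collections.emptySet()).contains(p);
            }
            if (!held) throw new SecurityException("missing " + p + " on " + objectScope);
        }
    }

    public static void main(String[] args) {
        PrivilegeScopeDemo user = new PrivilegeScopeDemo();   // constructed sample principal
        user.grant(Priv.SELECT, Scope.DB);
        user.authorize(Scope.COLUMN, new Priv[]{Priv.SELECT}, new Priv[0]); // DB grant covers the column
        try { user.grant(Priv.INSERT, Scope.COLUMN); }        // INSERT has no column scope
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        try { user.authorize(Scope.TABLE, new Priv[]{Priv.SELECT}, new Priv[]{Priv.INSERT}); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```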

HiveAccessController

HiveAccessController is the interface that the access-control commands call. It covers grant/revoke of roles and privileges, create/drop of roles, and reading the current state of role grants.

```java
@Private
public interface HiveAccessController {

  void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void createRole(String roleName, HivePrincipal adminGrantor)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void dropRole(String roleName)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
      HivePrincipal grantorPrinc)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
      HivePrincipal grantorPrinc)
      throws HiveAuthzPluginException, HiveAccessControlException;

  List<String> getAllRoles()
      throws HiveAuthzPluginException, HiveAccessControlException;

  List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
      throws HiveAuthzPluginException, HiveAccessControlException;

  void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException;

  List<String> getCurrentRoleNames() throws HiveAuthzPluginException;

  List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException,
      HiveAccessControlException;

  List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException,
      HiveAccessControlException;

  void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException;
}
```
