基于元数据和sql标准权限验证的不足点

基于元数据和sql标准权限验证

问题1：show database show tables 没有进行控制
问题2：load 数据 和创建表制定location 的时候必须是自己用户对应的数据，如果本地数据linux 用户 和hdfs 数据用户 不是自己没有权限
问题3： 创建函数必须是要admin 用户

具体分析：SQLStdHiveAuthorizationValidator  checkPrivileges

switch (hiveObj.getType()) {
      case LOCAL_URI://load 数据和create table 制定location的时候会执行此处
      case DFS_URI:
        availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hiveObj.getObjectName()),
            conf, userName);
        break;
      case PARTITION:
        // sql std authorization is managing privileges at the table/view levels
        // only
        // ignore partitions
        continue;
      case COMMAND_PARAMS:
      case FUNCTION://创建函数的时候会走次逻辑
        // operations that have objects of type COMMAND_PARAMS, FUNCTION are authorized
        // solely on the type
        if (privController.isUserAdmin()) {
          availPrivs.addPrivilege(SQLPrivTypeGrant.ADMIN_PRIV);
        }
        break;
      default:
        availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(metastoreClient, userName,
            hiveObj, privController.getCurrentRoleNames(), privController.isUserAdmin());
      }

LOCAL_URI DFS_URI

  public static RequiredPrivileges getPrivilegesFromFS(Path filePath, HiveConf conf,
      String userName) throws HiveAuthzPluginException {
    // get the 'available privileges' from file system


    RequiredPrivileges availPrivs = new RequiredPrivileges();
    // check file system permission
    FileSystem fs;
    try {
      fs = FileSystem.get(filePath.toUri(), conf);
      Path path = FileUtils.getPathOrParentThatExists(fs, filePath);
      FileStatus fileStatus = fs.getFileStatus(path);
      if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
        availPrivs.addPrivilege(SQLPrivTypeGrant.OWNER_PRIV);// 需要时owner
      }
      if (FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, FsAction.WRITE)) {
        availPrivs.addPrivilege(SQLPrivTypeGrant.INSERT_NOGRANT); //需要insert
        availPrivs.addPrivilege(SQLPrivTypeGrant.DELETE_NOGRANT); //需要delete
      }
      if (FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, FsAction.READ)) {
        availPrivs.addPrivilege(SQLPrivTypeGrant.SELECT_NOGRANT); //需要select
      }
    } catch (Exception e) {
      String msg = "Error getting permissions for " + filePath + ": " + e.getMessage();
      throw new HiveAuthzPluginException(msg, e);
    }
    return availPrivs;
  }

关于不同Object Type 对应的权限 PrivRequirement.java(URI的分析)