Package org.apache.hadoop.hive.ql.security.authorization.plugin

Examples of org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException


  /**
   * Creates a role, after checking that the caller is an admin and that the
   * requested name is not reserved. (The listing shows only the start of the method.)
   *
   * @param roleName name of the role to create; trimmed and upper-cased for the reserved-name check
   * @param adminGrantor not referenced in the visible part of the method
   * @throws HiveAccessControlException if {@code isUserAdmin()} is false for the current user
   * @throws HiveAuthzPluginException if the name matches an entry of {@code RESERVED_ROLE_NAMES}
   */
  @Override
  public void createRole(String roleName, HivePrincipal adminGrantor)
      throws HiveAuthzPluginException, HiveAccessControlException {
    // Authorization runs before any validation: only a user in the admin role may create roles.
    if (!isUserAdmin()) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
      + " allowed to add roles. " + ADMIN_ONLY_MSG);
    }
    // NOTE(review): toUpperCase() with no Locale argument follows the JVM default locale, so this
    // reserved-name comparison can give different results under locales with special casing
    // rules (e.g. the Turkish dotted/dotless i). toUpperCase(Locale.ROOT) would make the check
    // locale-independent. roleName is also dereferenced here without a null check.
    if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) {
      throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " +
          RESERVED_ROLE_NAMES);


  /**
   * Drops a role through the metastore client, after checking that the caller is an admin.
   * (The listing shows only the start of the method.)
   *
   * @param roleName name of the role to drop, passed to {@code drop_role} as given
   * @throws HiveAccessControlException if {@code isUserAdmin()} is false for the current user
   * @throws HiveAuthzPluginException declared by the signature; the throwing code is outside the excerpt
   */
  @Override
  public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    // Authorization gate: only a user in the admin role may drop an existing role.
    if (!isUserAdmin()) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
      + " allowed to drop role. " + ADMIN_ONLY_MSG);
    }
    // NOTE(review): unlike createRole, no reserved-name check is visible before drop_role;
    // confirm that dropping built-in roles is rejected elsewhere (e.g. by the metastore).
    try {
      metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
    // Broad catch; the handler is not part of the excerpt.
    } catch (Exception e) {

  /**
   * Grants each role in {@code roleNames} to each principal in {@code hivePrincipals}.
   * The caller must be an admin or pass {@code doesUserHasAdminOption(roleNames)}.
   * (The listing shows only the start of the method.)
   *
   * @param hivePrincipals principals that receive the roles
   * @param roleNames roles to grant
   * @param grantOption not referenced in the visible part of the method
   * @param grantorPrinc not referenced in the visible part of the method
   * @throws HiveAccessControlException if the current user passes neither authorization check
   * @throws HiveAuthzPluginException declared by the signature; the throwing code is outside the excerpt
   */
  @Override
  public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
    // The authorization decision is made once, for the whole roleNames list, before any grant.
    // NOTE(review): confirm that doesUserHasAdminOption requires the admin option on every
    // role in the list, not just one of them; its body is not shown here.
    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
        + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
    }
    // One operation per (principal, role) pair.
    for (HivePrincipal hivePrincipal : hivePrincipals) {
      for (String roleName : roleNames) {
        try {

  /**
   * Revokes each role in {@code roleNames} from each principal in {@code hivePrincipals}.
   * The caller must be an admin or pass {@code doesUserHasAdminOption(roleNames)}.
   * (The listing shows only the start of the method.)
   *
   * @param hivePrincipals principals that lose the roles
   * @param roleNames roles to revoke
   * @param grantOption not referenced in the visible part of the method
   * @param grantorPrinc not referenced in the visible part of the method
   * @throws HiveAccessControlException if the current user passes neither authorization check
   * @throws HiveAuthzPluginException declared by the signature; the throwing code is outside the excerpt
   */
  @Override
  public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
    HiveAccessControlException {
    // Same gate as grantRole: admin, or admin option on the roles being revoked.
    // NOTE(review): confirm that doesUserHasAdminOption requires the admin option on every
    // role in the list, not just one of them; its body is not shown here.
    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
          + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
    }
    // One operation per (principal, role) pair.
    for (HivePrincipal hivePrincipal : hivePrincipals) {
      for (String roleName : roleNames) {
        try {

  /**
   * Returns the role names reported by the metastore client, after checking that the
   * caller is an admin. (The listing shows only the start of the method.)
   *
   * @return the result of {@code listRoleNames()} on the metastore client
   * @throws HiveAccessControlException if {@code isUserAdmin()} is false for the current user
   * @throws HiveAuthzPluginException declared by the signature; the throwing code is outside the excerpt
   */
  @Override
  public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
    // Listing every role is restricted to users in the admin role.
    if (!isUserAdmin()) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
        + " allowed to list roles. " + ADMIN_ONLY_MSG);
    }
    try {
      return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
    // Broad catch; the handler is not part of the excerpt.
    } catch (Exception e) {

  /**
   * Returns the grants recorded for one role. The caller must be an admin or pass
   * {@code doesUserHasAdminOption} for that role. (The listing shows only the start of the method.)
   *
   * @param roleName role whose grants are listed
   * @return the result of {@code getHiveRoleGrants} for {@code roleName}
   * @throws HiveAccessControlException if the current user passes neither authorization check
   * @throws HiveAuthzPluginException declared by the signature; the throwing code is outside the excerpt
   */
  @Override
  public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    // Allowed for admins and for users who pass doesUserHasAdminOption on this role; the
    // request is rejected only when both checks fail.
    if (!isUserAdmin() &&  !doesUserHasAdminOption(Arrays.asList(roleName))) {
      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
        + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
    }
    try {
      return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
    // Broad catch; the handler is not part of the excerpt.
    } catch (Exception e) {

      // Excerpt from the middle of a method: authorize the request before doing anything else.
      // The two branches differ on whether the request names a principal.
      if (principal == null) {
        // No principal given means "privileges of any user", which only an admin may list.
        if (!isUserAdmin()) {
          throw new HiveAccessControlException("User : " + currentUserName + " has to specify"
              + " a user name or role in the show grant. " + ADMIN_ONLY_MSG);
        }
      } else {
        // A principal is specified: non-admin callers get a further check, which lies
        // beyond the end of this excerpt.
        if (!isUserAdmin()) {

    // Excerpt from the middle of a method. If the user is not an admin, allow the request
    // only when they ask about their own privileges or those of a role they belong to.
    switch (principal.getType()) {
    case USER:
      // Exact, case-sensitive comparison with the current user name.
      // NOTE(review): confirm both names are normalised the same way upstream, so a casing
      // difference can neither wrongly deny nor wrongly allow the request.
      if (!principal.getName().equals(currentUserName)) {
        throw new HiveAccessControlException("User : " + currentUserName + " is not"
            + " allowed check privileges of another user : " + principal.getName() + ". "
            + ADMIN_ONLY_MSG);
      }
      break;
    case ROLE:
      // Role membership is decided by userBelongsToRole, which is not shown here.
      if (!userBelongsToRole(principal.getName())) {
        throw new HiveAccessControlException("User : " + currentUserName + " is not"
            + " allowed check privileges of a role it does not belong to : "
            + principal.getName() + ". " + ADMIN_ONLY_MSG);
      }
      break;
    // Handling of other principal types is cut off by the excerpt.
    default:

      // Tail of a method; the condition guarding this branch is outside the excerpt.
      // The admin role is added to the current roles and the method returns successfully.
      currentRoles.add(adminRole);
      return;
    }
    // NOTE(review): the user name and role list are concatenated into the log line as-is;
    // if a user name can contain line breaks, confirm the log layout neutralises them.
    LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
    // Reaching this point means the user asked for a role they do not belong to, so the
    // request is denied.
    throw new HiveAccessControlException(currentUserName +" doesn't belong to role "
      +roleName);
  }

      // Tail of a method; the condition that detects missing privileges is outside the excerpt.
      // Copy the missing privileges into a list and sort it, so the denial message lists
      // them in a stable order.
      List<SQLPrivTypeGrant> sortedmissingPrivs = new ArrayList<SQLPrivTypeGrant>(missingPrivs);
      Collections.sort(sortedmissingPrivs);

      // The message names the principal, the object and each missing privilege.
      String errMsg = "Permission denied. " + hivePrincipal
          + " does not have following privileges on " + hivePrivObject + " : " + sortedmissingPrivs;
      // errMsg is already a String, so toString() returns it unchanged.
      throw new HiveAccessControlException(errMsg.toString());
    }
  }
