Classify HiveAccessControlException as ForbiddenException

Author: okumin

iceberg/iceberg-catalog/src/main/java/org/apache/iceberg/hive/HiveClientPool.java

@@ -28,6 +28,7 @@
 import org.apache.hadoop.hive.metastore.api.MetaException;
 import org.apache.iceberg.ClientPoolImpl;
 import org.apache.iceberg.common.DynMethods;
+import org.apache.iceberg.exceptions.ForbiddenException;
 import org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
 import org.apache.thrift.TException;
 import org.apache.thrift.transport.TTransportException;
@@ -75,6 +76,31 @@ protected IMetaStoreClient newClient()  {
     }
   }
 
+  @Override
+  public <R> R run(Action<R, IMetaStoreClient, TException> action) throws TException, InterruptedException {
+    try {
+      return super.run(action);
+    } catch (MetaException e) {
+      if (isAccessControlException(e)) {
+        throw new ForbiddenException(e, "Access denied: %s", e.getMessage());
+      }
+      throw e;
+    }
+  }
+
+  @Override
+  public <R> R run(Action<R, IMetaStoreClient, TException> action, boolean retry)
+      throws TException, InterruptedException {
+    try {
+      return super.run(action, retry);
+    } catch (MetaException e) {
+      if (isAccessControlException(e)) {
+        throw new ForbiddenException(e, "Access denied: %s", e.getMessage());
+      }
+      throw e;
+    }
+  }
+
   @Override
   protected IMetaStoreClient reconnect(IMetaStoreClient client) {
     try {
@@ -92,6 +118,11 @@ protected boolean isConnectionException(Exception e) {
         e.getMessage().contains("Got exception: org.apache.thrift.transport.TTransportException");
   }
 
+  private boolean isAccessControlException(MetaException exception) {
+    return exception.getMessage() != null && exception.getMessage().startsWith(
+        "Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException");
+  }
+
   @Override
   protected void close(IMetaStoreClient client) {
     client.close();

ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java

@@ -136,7 +136,7 @@ public final void onEvent(PreEventContext preEventContext)
       }
     } catch (Exception e) {
       LOG.error("HiveMetaStoreAuthorizer.onEvent(): failed", e);
-      throw MetaStoreUtils.newMetaException(e);
+      MetaStoreUtils.throwMetaException(e);
     }
 
     LOG.debug("<== HiveMetaStoreAuthorizer.onEvent(): EventType=" + preEventContext.getEventType());

ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java

@@ -204,7 +204,9 @@ public void testA_CreateDatabase_unAuthorizedUser() throws Exception {
       hmsHandler.create_database(db);
     } catch (Exception e) {
       String err = e.getMessage();
-      String expected = "Operation type " + HiveOperationType.CREATEDATABASE + " not allowed for user:" + unAuthorizedUser;
+      String expected = "Got exception: "
+          + "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException Operation type "
+          + HiveOperationType.CREATEDATABASE + " not allowed for user:" + unAuthorizedUser;
       assertEquals(expected, err);
     }
   }
@@ -221,7 +223,9 @@ public void testB_CreateTable_unAuthorizedUser() throws Exception {
       hmsHandler.create_table(table);
     } catch (Exception e) {
       String err = e.getMessage();
-      String expected = "Operation type " + HiveOperationType.CREATETABLE + " not allowed for user:" + unAuthorizedUser;
+      String expected = "Got exception: "
+          + "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException Operation type "
+          + HiveOperationType.CREATETABLE + " not allowed for user:" + unAuthorizedUser;
       assertEquals(expected, err);
     }
   }
@@ -297,7 +301,8 @@ public void testE_CreateRole__anyUser() throws Exception {
       hmsHandler.create_role(role);
     } catch (Exception e) {
       String err = e.getMessage();
-      String expected = "Operation type " + PreEventContext.PreEventType.AUTHORIZATION_API_CALL.name() + " not allowed for user:" + authorizedUser;
+      String expected = "Got exception: org.apache.hadoop.hive.metastore.api.MetaException Operation type "
+          + PreEventContext.PreEventType.AUTHORIZATION_API_CALL.name() + " not allowed for user:" + authorizedUser;
       assertEquals(expected, err);
     }
   }
@@ -313,7 +318,8 @@ public void testF_CreateCatalog_anyUser() throws Exception {
       hmsHandler.create_catalog(new CreateCatalogRequest(catalog));
     } catch (Exception e) {
       String err = e.getMessage();
-      String expected = "Operation type " + PreEventContext.PreEventType.CREATE_CATALOG.name() + " not allowed for user:" + authorizedUser;
+      String expected = "Got exception: org.apache.hadoop.hive.metastore.api.MetaException Operation type "
+          + PreEventContext.PreEventType.CREATE_CATALOG.name() + " not allowed for user:" + authorizedUser;
       assertEquals(expected, err);
     }
   }
@@ -658,7 +664,9 @@ public void testR_CreateDataConnector_unAuthorizedUser() {
       hmsHandler.create_dataconnector_req(connectorReq);
     } catch (Exception e) {
       String err = e.getMessage();
-      String expected = "Operation type " + HiveOperationType.CREATEDATACONNECTOR + " not allowed for user:" + unAuthorizedUser;
+      String expected = "Got exception: "
+          + "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException Operation type "
+          + HiveOperationType.CREATEDATACONNECTOR + " not allowed for user:" + unAuthorizedUser;
       assertEquals(expected, err);
     }
   }