Repository: sentry Updated Branches: refs/heads/SENTRY-999 6c248e465 -> 2561272da
SENTRY-1074: Refactor ResourceAuthorizationProvider with CommonPrivilege and CommonPolicy(Colin Ma, Reviewed by Dapeng Sun) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/2561272d Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/2561272d Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/2561272d Branch: refs/heads/SENTRY-999 Commit: 2561272da159984ce90c32372f2971f16eaf56f8 Parents: 6c248e4 Author: Colin Ma <[email protected]> Authored: Wed Mar 23 10:36:31 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Wed Mar 23 10:36:31 2016 +0800 ---------------------------------------------------------------------- pom.xml | 5 ++++ .../binding/hive/authz/HiveAuthzBinding.java | 25 ++++++++++++++++---- .../sentry/binding/hive/conf/HiveAuthzConf.java | 2 +- ...sourceAuthorizationProviderGeneralCases.java | 3 ++- ...sourceAuthorizationProviderSpecialCases.java | 5 ++-- .../hive/TestCommonPrivilegeForHive.java | 6 ++--- .../binding/solr/authz/SolrAuthzBinding.java | 16 ++++++++++--- .../sentry/binding/solr/conf/SolrAuthzConf.java | 2 +- ...SearchAuthorizationProviderGeneralCases.java | 3 ++- ...SearchAuthorizationProviderSpecialCases.java | 3 ++- .../solr/TestCommonPrivilegeForSearch.java | 6 ++--- .../sentry/sqoop/binding/SqoopAuthBinding.java | 14 +++++++++-- .../apache/sentry/sqoop/conf/SqoopAuthConf.java | 2 +- ...tSqoopAuthorizationProviderGeneralCases.java | 3 ++- ...tSqoopAuthorizationProviderSpecialCases.java | 3 ++- .../sqoop/TestCommonPrivilegeForSqoop.java | 6 ++--- .../sentry/policy/common/CommonPrivilege.java | 13 ++++------ .../apache/sentry/policy/common/Privilege.java | 4 +++- .../sentry/policy/db/DBWildcardPrivilege.java | 4 +++- .../engine/common/CommonPolicyEngine.java | 3 ++- .../indexer/IndexerWildcardPrivilege.java | 3 ++- .../indexer/TestCommonPrivilegeForIndexer.java | 6 ++--- ...ndexerAuthorizationProviderGeneralCases.java | 3 ++- 
...ndexerAuthorizationProviderSpecialCases.java | 3 ++- .../policy/search/SearchWildcardPrivilege.java | 4 +++- .../policy/sqoop/SqoopWildcardPrivilege.java | 4 +++- ...adoopGroupResourceAuthorizationProvider.java | 15 +++++++----- .../common/ResourceAuthorizationProvider.java | 7 ++++-- ...adoopGroupResourceAuthorizationProvider.java | 14 ++++++----- .../provider/common/TestGetGroupMapping.java | 2 +- sentry-provider/sentry-provider-db/pom.xml | 4 ++++ ...LocalGroupResourceAuthorizationProvider.java | 11 +++++---- 32 files changed, 137 insertions(+), 67 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 2f855fb..0075b47 100644 --- a/pom.xml +++ b/pom.xml @@ -462,6 +462,11 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-policy-engine</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-policy-db</artifactId> <version>${project.version}</version> </dependency> http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java index e093b5c..775a1f5 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 
@@ -34,6 +34,7 @@ import org.apache.sentry.binding.hive.conf.HiveAuthzConf; import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; import org.apache.sentry.binding.hive.conf.InvalidConfigurationException; import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.DBModelAction; @@ -61,6 +62,7 @@ public class HiveAuthzBinding { private static final Splitter ROLE_SET_SPLITTER = Splitter.on(",").trimResults() .omitEmptyStrings(); public static final String HIVE_BINDING_TAG = "hive.authz.bindings.tag"; + public static final String HIVE_POLICY_ENGINE_OLD = "org.apache.sentry.policy.db.SimpleDBPolicyEngine"; private final HiveConf hiveConf; private final Server authServer; @@ -207,6 +209,11 @@ public class HiveAuthzBinding { String providerBackendName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar()); String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar()); + // for the backward compatibility + if (HIVE_POLICY_ENGINE_OLD.equals(policyEngineName)) { + policyEngineName = AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault(); + } + LOG.debug("Using authorization provider " + authProviderName + " with resource " + resourceName + ", policy engine " + policyEngineName + ", provider backend " + providerBackendName); 
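Review bot: The read of `AuthzConfVars.AUTHZ_POLICY_ENGINE` in the @@ -207 hunk still calls `authzConf.get(...)` with no default, while the sibling method in the @@ -247 hunk now passes `AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault()`; with the key unset this method gets `null`, which the new `HIVE_POLICY_ENGINE_OLD.equals(policyEngineName)` check tolerates but the class loading that follows presumably does not. Change it to `String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());` so both methods behave the same. The compatibility branch also replaces the operator's configured engine silently at debug level only; a `LOG.warn` naming the configured class and the class actually used would make the substitution visible when the resulting authorization behaviour is investigated (the same silent branch appears in the @@ -247 hunk and in the Solr and Sqoop bindings). The enclosing method starts before this hunk.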
@@ -235,9 +242,10 @@ public class HiveAuthzBinding { // load the authz provider class Constructor<?> constrctor = - Class.forName(authProviderName).getDeclaredConstructor(String.class, PolicyEngine.class); + Class.forName(authProviderName).getDeclaredConstructor(String.class, PolicyEngine.class, Model.class); constrctor.setAccessible(true); - return (AuthorizationProvider) constrctor.newInstance(new Object[] {resourceName, policyEngine}); + return (AuthorizationProvider) constrctor.newInstance(new Object[] {resourceName, policyEngine, + HivePrivilegeModel.getInstance()}); } // Instantiate the authz provider using PrivilegeCache, this method is used for metadata filter function. @@ -247,7 +255,13 @@ public class HiveAuthzBinding { String authProviderName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER.getVar()); String resourceName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar()); - String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar()); + String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), + AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault()); + + // for the backward compatibility + if (HIVE_POLICY_ENGINE_OLD.equals(policyEngineName)) { + policyEngineName = AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault(); + } LOG.debug("Using authorization provider " + authProviderName + " with resource " + resourceName + ", policy engine " 
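Review bot: The reflective lookup in the @@ -235 hunk now demands a `(String, PolicyEngine, Model)` constructor, so an externally supplied `AuthorizationProvider` class named by `AuthzConfVars.AUTHZ_PROVIDER` that still declares the previous two-argument constructor fails at `getDeclaredConstructor` with a bare `NoSuchMethodException`; the policy-engine name received a compatibility mapping in this commit, the provider constructor contract received none. At minimum state the required constructor signature in the Javadoc of the loading method, and, if the enclosing try/catch (outside the hunk) allows it, rethrow with a message that names the class and the expected signature, e.g. `throw new IllegalStateException(authProviderName + " must declare a (String, PolicyEngine, Model) constructor", e);`. The same applies to the @@ -267 hunk below, to SolrAuthzBinding @@ -153 and to SqoopAuthBinding @@ -127. Both enclosing methods start before their hunks.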
@@ -267,9 +281,10 @@ public class HiveAuthzBinding { // load the authz provider class Constructor<?> constrctor = - Class.forName(authProviderName).getDeclaredConstructor(String.class, PolicyEngine.class); + Class.forName(authProviderName).getDeclaredConstructor(String.class, PolicyEngine.class, Model.class); constrctor.setAccessible(true); - return (AuthorizationProvider) constrctor.newInstance(new Object[] {resourceName, policyEngine}); + return (AuthorizationProvider) constrctor.newInstance(new Object[] {resourceName, policyEngine, + HivePrivilegeModel.getInstance()}); } /** http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java index 6b79dda..dd01bb5 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java 
@@ -84,7 +84,7 @@ public class HiveAuthzConf extends Configuration { "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider"), AUTHZ_PROVIDER_RESOURCE("sentry.hive.provider.resource", ""), AUTHZ_PROVIDER_BACKEND("sentry.hive.provider.backend", "org.apache.sentry.provider.file.SimpleFileProviderBackend"), - AUTHZ_POLICY_ENGINE("sentry.hive.policy.engine", "org.apache.sentry.policy.db.SimpleDBPolicyEngine"), + AUTHZ_POLICY_ENGINE("sentry.hive.policy.engine", "org.apache.sentry.policy.engine.common.CommonPolicyEngine"), AUTHZ_POLICY_FILE_FORMATTER( "sentry.hive.policy.file.formatter", "org.apache.sentry.binding.hive.SentryIniPolicyFileFormatter"), http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java index 05dc449..2afb304 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderGeneralCases.java @@ -35,6 +35,7 @@ import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.DBModelAction; import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.HivePrivilegeModel; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; import org.apache.sentry.provider.common.GroupMappingService; 
@@ -95,7 +96,7 @@ public class TestResourceAuthorizationProviderGeneralCases { authzProvider = new HadoopGroupResourceAuthorizationProvider( DBPolicyTestUtil.createPolicyEngineForTest("server1", new File(baseDir, "hive-policy-test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), HivePrivilegeModel.getInstance()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java index bf57bf2..9a82a1f 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java @@ -31,6 +31,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.db.AccessURI; import org.apache.sentry.core.model.db.DBModelAction; +import org.apache.sentry.core.model.db.HivePrivilegeModel; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.AuthorizationProvider; 
@@ -76,7 +77,7 @@ public class TestResourceAuthorizationProviderSpecialCases { "server=" + server1.getName() + "->uri=" + uri.getName()); policyFile.write(iniFile); PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, HivePrivilegeModel.getInstance()); List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); Assert.assertTrue(authorizableHierarchy.toString(), authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); @@ -92,7 +93,7 @@ public class TestResourceAuthorizationProviderSpecialCases { .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName()); policyFile.write(iniFile); PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, HivePrivilegeModel.getInstance()); // positive test List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri); Assert.assertTrue(authorizableHierarchy.toString(), http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java index 28674bd..da1a3f3 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java 
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java @@ -208,12 +208,12 @@ public class TestCommonPrivilegeForHive { public void testUnexpected() throws Exception { Privilege p = new Privilege() { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model m) { return false; } }; - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null)); - assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null, hivePrivilegeModel)); + assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p, hivePrivilegeModel)); assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null)); assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p)); http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java index ea14d44..d733a26 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java +++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java @@ -36,6 +36,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf; import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars; import org.apache.sentry.core.common.Action; import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.search.Collection; import org.apache.sentry.core.model.search.SearchModelAction; 
@@ -67,6 +68,7 @@ public class SolrAuthzBinding { public static final String KERBEROS_ENABLED = "solr.hdfs.security.kerberos.enabled"; public static final String KERBEROS_KEYTAB = "solr.hdfs.security.kerberos.keytabfile"; public static final String KERBEROS_PRINCIPAL = "solr.hdfs.security.kerberos.principal"; + private static final String SOLR_POLICY_ENGINE_OLD = "org.apache.sentry.policy.search.SimpleSearchPolicyEngine"; private static final String kerberosEnabledProp = Strings.nullToEmpty(System.getProperty(KERBEROS_ENABLED)).trim(); private static final String keytabProp = Strings.nullToEmpty(System.getProperty(KERBEROS_KEYTAB)).trim(); private static final String principalProp = Strings.nullToEmpty(System.getProperty(KERBEROS_PRINCIPAL)).trim(); @@ -98,7 +100,13 @@ public class SolrAuthzBinding { String providerBackendName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar()); String policyEngineName = - authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar()); + authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault()); + + // for the backward compatibility + if (SOLR_POLICY_ENGINE_OLD.equals(policyEngineName)) { + policyEngineName = AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault(); + } + String serviceName = authzConf.get(SENTRY_SEARCH_CLUSTER_KEY, SENTRY_SEARCH_CLUSTER_DEFAULT); LOG.debug("Using authorization provider " + authProviderName + 
@@ -153,9 +161,11 @@ public class SolrAuthzBinding { // load the authz provider class Constructor<?> constrctor = - Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class); + Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, + String.class, PolicyEngine.class, Model.class); constrctor.setAccessible(true); - return (AuthorizationProvider) constrctor.newInstance(new Object[] {authzConf, resourceName, policyEngine}); + return (AuthorizationProvider) constrctor.newInstance(new Object[] {authzConf, resourceName, + policyEngine, SearchPrivilegeModel.getInstance()}); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java index 227f75e..b31f4fa 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java +++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java 
@@ -33,7 +33,7 @@ public class SolrAuthzConf extends Configuration { "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider"), AUTHZ_PROVIDER_RESOURCE("sentry.solr.provider.resource", ""), AUTHZ_PROVIDER_BACKEND("sentry.solr.provider.backend", "org.apache.sentry.provider.file.SimpleFileProviderBackend"), - AUTHZ_POLICY_ENGINE("sentry.solr.policy.engine", "org.apache.sentry.policy.search.SimpleSearchPolicyEngine"); + AUTHZ_POLICY_ENGINE("sentry.solr.policy.engine", "org.apache.sentry.policy.engine.common.CommonPolicyEngine"); private final String varName; private final String defaultVal; http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java index f460d7a..6f7f07a 100644 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderGeneralCases.java @@ -33,6 +33,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.search.Collection; import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.core.model.search.SearchPrivilegeModel; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.common.ResourceAuthorizationProvider; import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; 
@@ -86,7 +87,7 @@ public class TestSearchAuthorizationProviderGeneralCases { PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini"); authzProvider = new HadoopGroupResourceAuthorizationProvider( SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SearchPrivilegeModel.getInstance()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java index 6d51dee..6191185 100644 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java @@ -31,6 +31,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.search.Collection; import org.apache.sentry.core.model.search.SearchModelAction; +import org.apache.sentry.core.model.search.SearchPrivilegeModel; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.AuthorizationProvider; import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; 
@@ -74,7 +75,7 @@ public class TestSearchAuthorizationProviderSpecialCases { "collection=" + collection1.getName()); policyFile.write(iniFile); PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, SearchPrivilegeModel.getInstance()); List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1); Assert.assertTrue(authorizableHierarchy.toString(), authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java index 644e0ef..5814cd1 100644 --- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java +++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java 
@@ -162,13 +162,13 @@ public class TestCommonPrivilegeForSearch { public void testUnexpected() throws Exception { Privilege p = new Privilege() { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model m) { return false; } }; Privilege collection1 = create(new KeyValue("collection", "coll1")); - assertFalse(collection1.implies(null)); - assertFalse(collection1.implies(p)); + assertFalse(collection1.implies(null, searchPrivilegeModel)); + assertFalse(collection1.implies(p, searchPrivilegeModel)); assertFalse(collection1.equals(null)); assertFalse(collection1.equals(p)); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java index 55d9eb9..731541d 100644 --- a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java +++ b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java @@ -25,6 +25,7 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.sqoop.Server; import org.apache.sentry.core.model.sqoop.SqoopActionConstant; 
@@ -65,6 +66,7 @@ public class SqoopAuthBinding { private ProviderBackend providerBackend; private final SqoopActionFactory actionFactory = new SqoopActionFactory(); + private final String SQOOP_POLICY_ENGINE_OLD = "org.apache.sentry.policy.sqoop.SimpleSqoopPolicyEngine"; public SqoopAuthBinding(Configuration authConf, String serverName) throws Exception { this.authConf = authConf; @@ -89,6 +91,12 @@ public class SqoopAuthBinding { String providerBackendName = authConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault()); String policyEngineName = authConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault()); String serviceName = authConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()); + + // for the backward compatibility + if (SQOOP_POLICY_ENGINE_OLD.equals(policyEngineName)) { + policyEngineName = AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault(); + } + if (LOG.isDebugEnabled()) { LOG.debug("Using authorization provider " + authProviderName + " with resource " + resourceName + ", policy engine " @@ -127,9 +135,11 @@ public class SqoopAuthBinding { //Instantiate the configured authProvider Constructor<?> constrctor = - Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class); + Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, + PolicyEngine.class, Model.class); constrctor.setAccessible(true); - return (AuthorizationProvider) constrctor.newInstance(new Object[] {authConf, resourceName, policyEngine}); + return (AuthorizationProvider) constrctor.newInstance(new Object[] {authConf, resourceName, + policyEngine, SqoopPrivilegeModel.getInstance()}); } /** http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java ---------------------------------------------------------------------- 
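Review bot: `SQOOP_POLICY_ENGINE_OLD` in the @@ -65 hunk is declared `private final String` on the instance, so every `SqoopAuthBinding` carries its own copy of a compile-time constant and the UPPER_SNAKE_CASE name promises a static constant that the declaration does not provide; the Hive and Solr bindings in this same commit declare theirs `static final`. Change it to `private static final String SQOOP_POLICY_ENGINE_OLD = "org.apache.sentry.policy.sqoop.SimpleSqoopPolicyEngine";`. The constructor that follows begins inside the hunk but its body continues past it.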
diff --git a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java index 097e7f7..7836871 100644 --- a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java +++ b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java @@ -34,7 +34,7 @@ public class SqoopAuthConf extends Configuration { AUTHZ_PROVIDER_BACKEND( "sentry.sqoop.provider.backend", "org.apache.sentry.provider.db.generic.SentryGenericProviderBackend"), - AUTHZ_POLICY_ENGINE("sentry.sqoop.policy.engine","org.apache.sentry.policy.sqoop.SimpleSqoopPolicyEngine"), + AUTHZ_POLICY_ENGINE("sentry.sqoop.policy.engine","org.apache.sentry.policy.engine.common.CommonPolicyEngine"), AUTHZ_SERVER_NAME("sentry.sqoop.name", ""), AUTHZ_TESTING_MODE("sentry.sqoop.testing.mode", "false"); http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java index b01b88f..5d43689 100644 --- a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java +++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java 
@@ -37,6 +37,7 @@ import org.apache.sentry.core.model.sqoop.Link; import org.apache.sentry.core.model.sqoop.Server; import org.apache.sentry.core.model.sqoop.SqoopActionConstant; import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction; +import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.common.ResourceAuthorizationProvider; import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider; @@ -101,7 +102,7 @@ public class TestSqoopAuthorizationProviderGeneralCases { authzProvider = new HadoopGroupResourceAuthorizationProvider( SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(), new File(baseDir, "sqoop-policy-test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), SqoopPrivilegeModel.getInstance()); } @After http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java index 99eaf18..2aed61f 100644 --- a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java +++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java 
@@ -34,6 +34,7 @@ import org.apache.sentry.core.model.sqoop.Connector; import org.apache.sentry.core.model.sqoop.Server; import org.apache.sentry.core.model.sqoop.SqoopActionConstant; import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction; +import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.AuthorizationProvider; import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; @@ -79,7 +80,7 @@ public class TestSqoopAuthorizationProviderSpecialCases { "server=server1->connector=c1->action=read"); policyFile.write(iniFile); PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, SqoopPrivilegeModel.getInstance()); List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, connector1); Assert.assertTrue(authorizableHierarchy.toString(), authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java index 0ec7783..b27e01f 100644 --- a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java +++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java 
@@ -144,13 +144,13 @@ public class TestCommonPrivilegeForSqoop {
 public void testUnexpected() throws Exception {
 Privilege p = new Privilege() {
 @Override
- public boolean implies(Privilege p) {
+ public boolean implies(Privilege p, Model m) {
 return false;
 }
 };
 Privilege job1 = create(new KeyValue("SERVER", "server"), new KeyValue("JOB", "job1"));
- assertFalse(job1.implies(null));
- assertFalse(job1.implies(p));
+ assertFalse(job1.implies(null, sqoopPrivilegeModel));
+ assertFalse(job1.implies(p, sqoopPrivilegeModel));
 assertFalse(job1.equals(null));
 assertFalse(job1.equals(p));
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
index 43cb5c8..edad2e8 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
@@ -53,6 +53,7 @@ public class CommonPrivilege implements Privilege {
 this.parts = ImmutableList.copyOf(parts);
 }
 
+ @Override
 public boolean implies(Privilege privilege, Model model) {
 // By default only supports comparisons with other IndexerWildcardPermissions
 if (!(privilege instanceof CommonPrivilege)) {
@@ -89,7 +90,8 @@ public class CommonPrivilege implements Privilege {
 return false;
 }
 } else {
- if (!impliesResource(model.getImplyMethodMap().get(policyKey), part.getValue(), otherPart.getValue())) {
+ if (!impliesResource(model.getImplyMethodMap().get(policyKey.toLowerCase()),
+ part.getValue(), otherPart.getValue())) {
 return false;
 }
 }
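Review bot: In the @@ -89 hunk of CommonPrivilege, `policyKey.toLowerCase()` folds the lookup key with the JVM default locale, so on a host running under a Turkish-type locale a key containing `I` will not match the (presumably lower-case) entries of `getImplyMethodMap()` and the lookup silently falls through to the string-compare default; use `policyKey.toLowerCase(Locale.ROOT)` and add `import java.util.Locale;`. The same line dereferences `model` unguarded although `TestGetGroupMapping` in this commit builds a provider with a `null` model, so either `implies` should return false when `model` is null or the provider constructor should reject it. The `implies` method begins and ends outside the hunk.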
@@ -120,7 +122,6 @@ public class CommonPrivilege implements Privilege {
 || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(requestValue)
 || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(policyValue)
 || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(requestValue)
- || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(policyValue)
 || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(requestValue)) {
 return true;
 }
@@ -129,8 +130,8 @@ public class CommonPrivilege implements Privilege {
 if (ImplyMethodType.URL == implyMethodType) {
 return PathUtils.impliesURI(policyValue, requestValue);
 }
- // default: compare as the string
- return policyValue.equals(requestValue);
+ // default: compare as the string case insensitive
+ return policyValue.equalsIgnoreCase(requestValue);
 }
 
 // The method is used for compare the action for the privilege model.
@@ -152,10 +153,6 @@ public class CommonPrivilege implements Privilege {
 return SentryConstants.AUTHORIZABLE_JOINER.join(parts);
 }
 
- public boolean implies(Privilege p) {
- return false;
- }
-
 public List<KeyValue> getParts() {
 return parts;
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
index 27d5afa..e9f4609 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
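Review bot: The new fallback `return policyValue.equalsIgnoreCase(requestValue);` in the @@ -129 hunk makes every resource comparison that has no ImplyMethodType case-insensitive for all models at once, so a privilege granted on one resource name now also implies a request for a name that differs only in case; for a model whose backend treats names case-sensitively that widens the grant, and nothing in the model chooses it. Making case-insensitive comparison an explicit ImplyMethodType the model selects per key, or at least stating the choice on the method (`// default: resource names compare case-insensitively; a model needing exact names must map the key to a dedicated ImplyMethodType`), keeps the decision with the model. The removal of `|| SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(policyValue)` in the @@ -120 hunk is a separate behaviour change — a policy value equal to the "some" wildcard no longer implies every request value — that deserves its own regression test. impliesResource begins outside the hunk.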
@@ -16,6 +16,8 @@ */ package org.apache.sentry.policy.common; +import org.apache.sentry.core.common.Model; + public interface Privilege { - boolean implies(Privilege p); + boolean implies(Privilege p, Model model); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java index 69e9ad2..a8d16fa 100644 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java @@ -23,6 +23,7 @@ package org.apache.sentry.policy.db; import java.util.List; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.utils.PathUtils; import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.model.db.AccessConstants; @@ -38,6 +39,7 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.Lists; // XXX this class is made ugly by the fact that Action is not a Authorizable. +// todo: DBWildcardPrivilege is replaced by CommonPrivilege, it should be removed public class DBWildcardPrivilege implements Privilege { private final ImmutableList<KeyValue> parts; 
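Review bot: The widened `boolean implies(Privilege p, Model model);` carries no Javadoc, and since ResourceAuthorizationProvider now calls it on every authorization decision, the contract for `model` — what it supplies and whether it may be null — is exactly what implementors need; in this commit the legacy wildcard privileges ignore the parameter while CommonPrivilege dereferences it, and TestGetGroupMapping passes null. Suggested Javadoc: `/** Returns whether this privilege grants everything {@code p} grants. {@code model} supplies the per-key imply rules consulted by CommonPrivilege; implementations that do not use it must still accept it. */`, followed by an explicit statement on whether null is permitted.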
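Review bot: The added `// todo: DBWildcardPrivilege is replaced by CommonPrivilege, it should be removed` would be more effective as `@Deprecated` on the class with a Javadoc `@deprecated use {@link CommonPrivilege}`, so the compiler flags remaining users instead of relying on a comment being noticed; the identical markers added to SearchWildcardPrivilege and SqoopWildcardPrivilege on later hunks have the same issue. If the project's tooling scans for task comments, the conventional `TODO` spelling with a ticket reference is what it will pick up.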
@@ -63,7 +65,7 @@ public class DBWildcardPrivilege implements Privilege { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { // By default only supports comparisons with other DBWildcardPermissions if (!(p instanceof DBWildcardPrivilege)) { return false; http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java index a661190..d4ab866 100644 --- a/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java +++ b/sentry-policy/sentry-policy-engine/src/main/java/org/apache/sentry/policy/engine/common/CommonPolicyEngine.java @@ -65,7 +65,8 @@ public class CommonPolicyEngine implements PolicyEngine { if(LOGGER.isDebugEnabled()) { LOGGER.debug("Getting permissions for {}", groups); } - ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet, authorizableHierarchy); + + ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet); if(LOGGER.isDebugEnabled()) { LOGGER.debug("result = " + result); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java index cda5d3d..71d2a66 100644 
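Review bot: In the CommonPolicyEngine hunk, `providerBackend.getPrivileges(groups, roleSet)` no longer receives `authorizableHierarchy`, so a backend can no longer narrow the returned privilege set to the requested resource and the full set of the groups' privileges is matched one by one in ResourceAuthorizationProvider instead; that is only correct if no ProviderBackend this engine is used with relied on the hierarchy for scoping (the DB-backed backends are the ones to confirm), and for large policies it moves the filtering cost into the hot authorization path. The blank line added just before the call (a `+` line with nothing after it) looks stray. The enclosing method continues outside the hunk.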
--- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerWildcardPrivilege.java @@ -23,6 +23,7 @@ package org.apache.sentry.policy.indexer; import java.util.List; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.model.indexer.IndexerConstants; import org.apache.sentry.policy.common.Privilege; @@ -59,7 +60,7 @@ public class IndexerWildcardPrivilege implements Privilege { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { // By default only supports comparisons with other IndexerWildcardPermissions if (!(p instanceof IndexerWildcardPrivilege)) { return false; http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java index 42fed4b..fd3618b 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java 
@@ -162,13 +162,13 @@ public class TestCommonPrivilegeForIndexer { public void testUnexpected() throws Exception { Privilege p = new Privilege() { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { return false; } }; CommonPrivilege indexer1 = create(new KeyValue("indexer", "index1")); - assertFalse(indexer1.implies(null)); - assertFalse(indexer1.implies(p)); + assertFalse(indexer1.implies(null, indexerPrivilegeModel)); + assertFalse(indexer1.implies(p, indexerPrivilegeModel)); assertFalse(indexer1.equals(null)); assertFalse(indexer1.equals(p)); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java index 2781bf9..6a9d79a 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderGeneralCases.java @@ -32,6 +32,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.indexer.Indexer; import org.apache.sentry.core.model.indexer.IndexerModelAction; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; import org.apache.sentry.provider.common.MockGroupMappingServiceProvider; import org.apache.sentry.provider.common.ResourceAuthorizationProvider; import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; 
@@ -86,7 +87,7 @@ public class TestIndexerAuthorizationProviderGeneralCases { PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini"); authzProvider = new HadoopGroupResourceAuthorizationProvider( IndexPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); + new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP), IndexerPrivilegeModel.getInstance()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java index 3af9481..dbe1a09 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java @@ -31,6 +31,7 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.indexer.Indexer; import org.apache.sentry.core.model.indexer.IndexerModelAction; +import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.AuthorizationProvider; import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; 
@@ -74,7 +75,7 @@ public class TestIndexerAuthorizationProviderSpecialCases { "indexer=" + indexer1.getName()); policyFile.write(iniFile); PolicyEngine policy = IndexPolicyTestUtil.createPolicyEngineForTest(initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); + authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy, IndexerPrivilegeModel.getInstance()); List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(indexer1); Assert.assertTrue(authorizableHierarchy.toString(), authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java index 8aeab04..8670197 100644 --- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java @@ -23,6 +23,7 @@ package org.apache.sentry.policy.search; import java.util.List; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.model.search.SearchConstants; import org.apache.sentry.policy.common.Privilege; 
@@ -34,6 +35,7 @@ import com.google.common.base.Strings; import com.google.common.collect.ImmutableList; import com.google.common.collect.Lists; +// todo: SearchWildcardPrivilege is replaced by CommonPrivilege, it should be removed public class SearchWildcardPrivilege implements Privilege { private final ImmutableList<KeyValue> parts; @@ -59,7 +61,7 @@ public class SearchWildcardPrivilege implements Privilege { @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { // By default only supports comparisons with other SearchWildcardPermissions if (!(p instanceof SearchWildcardPrivilege)) { return false; http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java index ae70943..4509979 100644 --- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java @@ -20,6 +20,7 @@ import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_S import java.util.List; +import org.apache.sentry.core.common.Model; import org.apache.sentry.core.model.sqoop.SqoopActionConstant; import org.apache.sentry.policy.common.Privilege; import org.apache.sentry.policy.common.PrivilegeFactory; 
@@ -30,6 +31,7 @@ import com.google.common.base.Strings; import com.google.common.collect.ImmutableList; import com.google.common.collect.Lists; +// todo: SqoopWildcardPrivilege is replaced by CommonPrivilege, it should be removed public class SqoopWildcardPrivilege implements Privilege { public static class Factory implements PrivilegeFactory { @@ -59,7 +61,7 @@ public class SqoopWildcardPrivilege implements Privilege { } @Override - public boolean implies(Privilege p) { + public boolean implies(Privilege p, Model model) { if (!(p instanceof SqoopWildcardPrivilege)) { return false; } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java index bcd3312..e45799f 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java @@ -21,6 +21,7 @@ import java.io.IOException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.Groups; +import org.apache.sentry.core.common.Model; import org.apache.sentry.policy.common.PolicyEngine; import com.google.common.annotations.VisibleForTesting; 
@@ -35,18 +36,20 @@ public class HadoopGroupResourceAuthorizationProvider extends // resource parameter present so that other AuthorizationProviders (e.g. // LocalGroupResourceAuthorizationProvider) has the same constructor params. - public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException { - this(new Configuration(), resource, policy); + public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, + Model model) throws IOException { + this(new Configuration(), resource, policy, model); } - public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException { //NOPMD - this(policy, new HadoopGroupMappingService(getGroups(conf))); + public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD + PolicyEngine policy, Model model) throws IOException { + this(policy, new HadoopGroupMappingService(getGroups(conf)), model); } @VisibleForTesting public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy, - GroupMappingService groupService) { - super(policy, groupService); + GroupMappingService groupService, Model model) { + super(policy, groupService, model); } private static Groups getGroups(Configuration conf) { http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java index 758f2cf..7c3facc 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java 
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -29,6 +29,7 @@ import java.util.Set;
 import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Model;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.policy.common.PolicyEngine;
@@ -58,12 +59,14 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
 private final GroupMappingService groupService;
 private final PolicyEngine policy;
 private final PrivilegeFactory privilegeFactory;
+ private final Model model;
 
 public ResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
+ GroupMappingService groupService, Model model) {
 this.policy = policy;
 this.groupService = groupService;
 this.privilegeFactory = policy.getPrivilegeFactory();
+ this.model = model;
 }
 
 /***
@@ -108,7 +111,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
 /*
 * Does the permission granted in the policy file imply the requested action?
 */
- boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege));
+ boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege), model);
 if (LOGGER.isDebugEnabled()) {
 LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}", new Object[]{
 permission, requestPrivilege, roleSet, result});
http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
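Review bot: `this.model = model;` in the @@ -58 hunk stores the new collaborator without validation, and the `permission.implies(..., model)` call in the @@ -108 hunk then hands it to every privilege on every check, where CommonPrivilege dereferences it; TestGetGroupMapping in this same commit passes `null`, so a mis-wired provider would surface only as a NullPointerException inside an authorization decision. Either fail fast in the constructor, `this.model = Objects.requireNonNull(model, "model");` with `import java.util.Objects;` (and give that test a real model), or document on the constructor that `model` may be null only for providers whose privileges never consult it. The constructor also lacks Javadoc naming its three collaborators and their roles.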
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java index 8674700..2214867 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java @@ -20,6 +20,7 @@ package org.apache.sentry.provider.file; import java.io.IOException; import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.Model; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.GroupMappingService; 
@@ -32,18 +33,19 @@ import com.google.common.annotations.VisibleForTesting; public class HadoopGroupResourceAuthorizationProvider extends org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider { - public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException { - super(resource, policy); + public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException { + super(resource, policy, model); } - public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException { - super(conf, resource, policy); + public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, + PolicyEngine policy, Model model) throws IOException { + super(conf, resource, policy, model); } @VisibleForTesting public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy, - GroupMappingService groupService) { - super(policy, groupService); + GroupMappingService groupService, Model model) { + super(policy, groupService, model); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java index dfb5d70..874bf78 100644 --- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java +++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java 
@@ -37,7 +37,7 @@ public class TestGetGroupMapping { private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider { public TestResourceAuthorizationProvider(PolicyEngine policy, GroupMappingService groupService) { - super(policy, groupService); + super(policy, groupService, null); } }; http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-db/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml index 38e0924..f9236e8 100644 --- a/sentry-provider/sentry-provider-db/pom.xml +++ b/sentry-provider/sentry-provider-db/pom.xml @@ -101,6 +101,10 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-policy-engine</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-policy-search</artifactId> </dependency> <dependency> http://git-wip-us.apache.org/repos/asf/sentry/blob/2561272d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java index 489daf4..a9e7836 100644 --- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java 
@@ -21,6 +21,7 @@ import java.io.IOException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.Path; +import org.apache.sentry.core.common.Model; import org.apache.sentry.policy.common.PolicyEngine; import org.apache.sentry.provider.common.ResourceAuthorizationProvider; @@ -28,11 +29,13 @@ import org.apache.sentry.provider.common.ResourceAuthorizationProvider; public class LocalGroupResourceAuthorizationProvider extends ResourceAuthorizationProvider { - public LocalGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException { - super(policy, new LocalGroupMappingService(new Path(resource))); + public LocalGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, + Model model) throws IOException { + super(policy, new LocalGroupMappingService(new Path(resource)), model); } - public LocalGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException { - super(policy, new LocalGroupMappingService(conf, new Path(resource))); + public LocalGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy, + Model model) throws IOException { + super(policy, new LocalGroupMappingService(conf, new Path(resource)), model); } }
