http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/pom.xml b/sentry-policy/sentry-policy-search/pom.xml
deleted file mode 100644
index 177a62b..0000000
--- a/sentry-policy/sentry-policy-search/pom.xml
+++ /dev/null
@@ -1,87 +0,0 @@
-<?xml version="1.0"?>
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy</artifactId>
- <version>1.8.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>sentry-policy-search</artifactId>
- <name>Sentry Policy for Search</name>
-
- <dependencies>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minicluster</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-search</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
- <scope>test</scope>
- <type>test-jar</type>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
-
-</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
deleted file mode 100644
index 054c354..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractSearchPrivilegeValidator implements PrivilegeValidator {
-
- @VisibleForTesting
- public static Iterable<SearchModelAuthorizable> parsePrivilege(String string) {
- List<SearchModelAuthorizable> result = Lists.newArrayList();
- System.err.println("privilege = " + string);
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- SearchModelAuthorizable authorizable = SearchModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
deleted file mode 100644
index 81ff67f..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-
-public class CollectionRequiredInPrivilege extends AbstractSearchPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<SearchModelAuthorizable> authorizables = parsePrivilege(privilege);
- boolean foundCollectionInAuthorizables = false;
-
- for(SearchModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Collection) {
- foundCollectionInAuthorizables = true;
- break;
- }
- }
- if(!foundCollectionInAuthorizables) {
- String msg = "Missing collection object in " + privilege;
- throw new SentryConfigurationException(msg);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchModelAuthorizables.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchModelAuthorizables.java
deleted file mode 100644
index 252f50a..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchModelAuthorizables.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable.AuthorizableType;
-import org.apache.sentry.policy.common.KeyValue;
-
-public class SearchModelAuthorizables {
-
- public static SearchModelAuthorizable from(KeyValue keyValue) {
- String prefix = keyValue.getKey().toLowerCase();
- String name = keyValue.getValue().toLowerCase();
- for(AuthorizableType type : AuthorizableType.values()) {
- if(prefix.equalsIgnoreCase(type.name())) {
- return from(type, name);
- }
- }
- return null;
- }
- public static SearchModelAuthorizable from(String s) {
- return from(new KeyValue(s));
- }
-
- private static SearchModelAuthorizable from(AuthorizableType type, String name) {
- switch (type) {
- case Collection:
- return new Collection(name);
- default:
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
deleted file mode 100644
index e25faf2..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// copied from apache shiro
-
-package org.apache.sentry.policy.search;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.policy.common.PolicyConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.KeyValue;
-
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-public class SearchWildcardPrivilege implements Privilege {
-
- private final ImmutableList<KeyValue> parts;
-
- public SearchWildcardPrivilege(String wildcardString) {
- wildcardString = Strings.nullToEmpty(wildcardString).trim();
- if (wildcardString.isEmpty()) {
- throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
- }
- List<KeyValue>parts = Lists.newArrayList();
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.trimResults().split(
- wildcardString)) {
- if (authorizable.isEmpty()) {
- throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
- }
- parts.add(new KeyValue(authorizable));
- }
- if (parts.isEmpty()) {
- throw new AssertionError("Should never occur: " + wildcardString);
- }
- this.parts = ImmutableList.copyOf(parts);
- }
-
-
- @Override
- public boolean implies(Privilege p) {
- // By default only supports comparisons with other SearchWildcardPermissions
- if (!(p instanceof SearchWildcardPrivilege)) {
- return false;
- }
-
- SearchWildcardPrivilege wp = (SearchWildcardPrivilege) p;
-
- List<KeyValue> otherParts = wp.parts;
- if(equals(wp)) {
- return true;
- }
- int index = 0;
- for (KeyValue otherPart : otherParts) {
- // If this privilege has less parts than the other privilege, everything
- // after the number of parts contained
- // in this privilege is automatically implied, so return true
- if (parts.size() - 1 < index) {
- return true;
- } else {
- KeyValue part = parts.get(index);
- // are the keys even equal
- if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
- return false;
- }
- if (!impliesKeyValue(part, otherPart)) {
- return false;
- }
- index++;
- }
- }
- // If this privilege has more parts than
- // the other parts, only imply it if
- // all of the other parts are wildcards
- for (; index < parts.size(); index++) {
- KeyValue part = parts.get(index);
- if (!part.getValue().equals(SearchConstants.ALL)) {
- return false;
- }
- }
-
- return true;
- }
-
- private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
- Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
- "Please report, this method should not be called with two different keys");
- if(policyPart.getValue().equals(SearchConstants.ALL) || policyPart.equals(requestPart)) {
- return true;
- } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
- && SearchConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
- /* privilege request is to match with any object of given type */
- return true;
- }
- return false;
- }
-
- @Override
- public String toString() {
- return PolicyConstants.AUTHORIZABLE_JOINER.join(parts);
- }
-
- @Override
- public boolean equals(Object o) {
- if (o instanceof SearchWildcardPrivilege) {
- SearchWildcardPrivilege wp = (SearchWildcardPrivilege) o;
- return parts.equals(wp.parts);
- }
- return false;
- }
-
- @Override
- public int hashCode() {
- return parts.hashCode();
- }
-
- public static class SearchWildcardPrivilegeFactory implements PrivilegeFactory {
- @Override
- public Privilege createPrivilege(String privilege) {
- return new SearchWildcardPrivilege(privilege);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
deleted file mode 100644
index c71036e..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-
-/**
- * A PolicyEngine for a search service.
- */
-public class SimpleSearchPolicyEngine implements PolicyEngine {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SimpleSearchPolicyEngine.class);
-
- private final ProviderBackend providerBackend;
-
- public SimpleSearchPolicyEngine(ProviderBackend providerBackend) {
- this.providerBackend = providerBackend;
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(false);
- context.setValidators(createPrivilegeValidators());
- this.providerBackend.initialize(context);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public PrivilegeFactory getPrivilegeFactory() {
- return new SearchWildcardPrivilege.SearchWildcardPrivilegeFactory();
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, roleSet);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizationHierarchy ) {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for {}", groups);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, users, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) {
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public void validatePolicy(boolean strictValidation)
- throws SentryConfigurationException {
- providerBackend.validatePolicy(strictValidation);
- }
-
- public static ImmutableList<PrivilegeValidator> createPrivilegeValidators() {
- return ImmutableList.<PrivilegeValidator>of(new CollectionRequiredInPrivilege());
- }
-
- @Override
- public void close() {
- if (providerBackend != null) {
- providerBackend.close();
- }
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
deleted file mode 100644
index 1a9b1a1..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSearchPolicyEngine {
- private static final String ANALYST_PURCHASES_UPDATE = "collection=purchases->action=update";
- private static final String ANALYST_ANALYST1_ALL = "collection=analyst1";
- private static final String ANALYST_JRANALYST1_ACTION_ALL = "collection=jranalyst1->action=*";
- private static final String ANALYST_TMPCOLLECTION_UPDATE = "collection=tmpcollection->action=update";
- private static final String ANALYST_TMPCOLLECTION_QUERY = "collection=tmpcollection->action=query";
- private static final String JRANALYST_JRANALYST1_ALL = "collection=jranalyst1";
- private static final String JRANALYST_PURCHASES_PARTIAL_QUERY = "collection=purchases_partial->action=query";
- private static final String ADMIN_COLLECTION_ALL = "collection=*";
-
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
- ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
- ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL,
- JRANALYST_PURCHASES_PARTIAL_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- ANALYST_PURCHASES_UPDATE, ANALYST_ANALYST1_ALL,
- ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
- ANALYST_TMPCOLLECTION_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(JRANALYST_JRANALYST1_ALL,
- JRANALYST_PURCHASES_PARTIAL_QUERY));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
deleted file mode 100644
index be23e15..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-public class SearchPolicyFileBackend extends SimpleSearchPolicyEngine {
- public SearchPolicyFileBackend(String resource) throws IOException{
- super(new SimpleFileProviderBackend(new Configuration(), resource));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
deleted file mode 100644
index f0bb622..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.search;
-
-import org.junit.Assert;
-
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestCollectionRequiredInRole {
-
- @Test
- public void testEmptyRole() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
-
- // check no db
- try {
- collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- // expected
- }
-
- // check with db
- try {
- collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- // expected
- }
- }
-
- @Test
- public void testCollectionWithoutAction() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
- collRequiredInRole.validate(new PrivilegeValidatorContext("collection=nodb"));
- collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db"));
- }
-
- @Test
- public void testCollectionWithAction() throws Exception {
- CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
- collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query"));
- collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update"));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
deleted file mode 100644
index 9e1b1a7..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,178 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.search; - -import java.io.File; -import java.io.IOException; -import java.util.Arrays; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAction; -import org.apache.sentry.provider.common.MockGroupMappingServiceProvider; -import org.apache.sentry.provider.common.ResourceAuthorizationProvider; -import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider; -import org.apache.sentry.provider.file.PolicyFiles; -import org.junit.After; -import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Objects; -import com.google.common.collect.HashMultimap; -import com.google.common.collect.Multimap; -import com.google.common.io.Files; - - -public class 
TestSearchAuthorizationProviderGeneralCases { - - private static final Logger LOGGER = LoggerFactory - .getLogger(TestSearchAuthorizationProviderGeneralCases.class); - - private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap - .create(); - - private static final Subject SUB_ADMIN = new Subject("admin1"); - private static final Subject SUB_MANAGER = new Subject("manager1"); - private static final Subject SUB_ANALYST = new Subject("analyst1"); - private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1"); - - private static final Collection COLL_PURCHASES = new Collection("purchases"); - private static final Collection COLL_ANALYST1 = new Collection("analyst1"); - private static final Collection COLL_JRANALYST1 = new Collection("jranalyst1"); - private static final Collection COLL_TMP = new Collection("tmpcollection"); - private static final Collection COLL_PURCHASES_PARTIAL = new Collection("purchases_partial"); - - private static final SearchModelAction QUERY = SearchModelAction.QUERY; - private static final SearchModelAction UPDATE = SearchModelAction.UPDATE; - - static { - USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin")); - USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager")); - USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst")); - USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(), - Arrays.asList("jranalyst")); - } - - private final ResourceAuthorizationProvider authzProvider; - private File baseDir; - - public TestSearchAuthorizationProviderGeneralCases() throws IOException { - baseDir = Files.createTempDir(); - PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini"); - authzProvider = new HadoopGroupResourceAuthorizationProvider( - new SearchPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath()), - new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP)); - - } - - @After - public void teardown() { - if(baseDir != null) { - 
FileUtils.deleteQuietly(baseDir); - } - } - - private void doTestAuthProviderOnCollection(Subject subject, - Collection collection, Set<? extends Action> expectedPass) throws Exception { - Set<SearchModelAction> allActions = EnumSet.of(SearchModelAction.ALL, SearchModelAction.QUERY, SearchModelAction.UPDATE); - for(SearchModelAction action : allActions) { - doTestResourceAuthorizationProvider(subject, collection, - EnumSet.of(action), expectedPass.contains(action)); - } - } - - private void doTestResourceAuthorizationProvider(Subject subject, - Collection collection, - Set<? extends Action> privileges, boolean expected) throws Exception { - List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] { - collection - }); - Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters"); - helper.add("Subject", subject).add("Collection", collection) - .add("Privileges", privileges).add("authzHierarchy", authzHierarchy); - LOGGER.info("Running with " + helper.toString()); - Assert.assertEquals(helper.toString(), expected, - authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL)); - LOGGER.info("Passed " + helper.toString()); - } - - @Test - public void testAdmin() throws Exception { - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_JRANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_TMP, allActions); - doTestAuthProviderOnCollection(SUB_ADMIN, COLL_PURCHASES_PARTIAL, allActions); - } - - @Test - public void testManager() throws Exception { - Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES, updateOnly); - - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - 
doTestAuthProviderOnCollection(SUB_MANAGER, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_TMP, queryUpdateOnly); - - Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); - doTestAuthProviderOnCollection(SUB_MANAGER, COLL_PURCHASES_PARTIAL, queryOnly); - } - - @Test - public void testAnalyst() throws Exception { - Set<SearchModelAction> updateOnly = EnumSet.of(SearchModelAction.UPDATE); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES, updateOnly); - - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_ANALYST1, allActions); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryUpdateOnly = EnumSet.of(QUERY, UPDATE); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_TMP, queryUpdateOnly); - - Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_ANALYST, COLL_PURCHASES_PARTIAL, noActions); - } - - @Test - public void testJuniorAnalyst() throws Exception { - Set<SearchModelAction> allActions = EnumSet.allOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_JRANALYST1, allActions); - - Set<SearchModelAction> queryOnly = EnumSet.of(SearchModelAction.QUERY); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES_PARTIAL, queryOnly); - - Set<SearchModelAction> noActions = EnumSet.noneOf(SearchModelAction.class); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_PURCHASES, noActions); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_ANALYST1, noActions); - doTestAuthProviderOnCollection(SUB_JUNIOR_ANALYST, COLL_TMP, noActions); - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
deleted file mode 100644
index 3cd0b75..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,82 +0,0 @@ - /* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.search; - -import java.io.File; -import java.io.IOException; -import java.util.EnumSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAction; -import org.apache.sentry.provider.common.AuthorizationProvider; -import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; -import org.apache.sentry.provider.file.PolicyFile; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; - -import com.google.common.collect.ImmutableList; -import com.google.common.io.Files; - -public class TestSearchAuthorizationProviderSpecialCases { - private AuthorizationProvider authzProvider; - private PolicyFile policyFile; - private File baseDir; - private File iniFile; - private String initResource; - @Before - public void setup() 
throws IOException { - baseDir = Files.createTempDir(); - iniFile = new File(baseDir, "policy.ini"); - initResource = "file://" + iniFile.getPath(); - policyFile = new PolicyFile(); - } - - @After - public void teardown() throws IOException { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - @Test - public void testDuplicateEntries() throws Exception { - Subject user1 = new Subject("user1"); - Collection collection1 = new Collection("collection1"); - Set<? extends Action> actions = EnumSet.allOf(SearchModelAction.class); - policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1") - .addRolesToGroup("group1", true, "role1", "role1") - .addPermissionsToRole("role1", true, "collection=" + collection1.getName(), - "collection=" + collection1.getName()); - policyFile.write(iniFile); - SearchPolicyFileBackend policy = new SearchPolicyFileBackend(initResource); - authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy); - List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1); - Assert.assertTrue(authorizableHierarchy.toString(), - authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL)); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java deleted file mode 100644 index 94fe9f0..0000000 --- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java +++ /dev/null 
@@ -1,53 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.search;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.junit.Test;
-
-public class TestSearchModelAuthorizables {
-
- @Test
- public void testCollection() throws Exception {
- Collection coll = (Collection)SearchModelAuthorizables.from("CoLleCtiOn=collection1");
- assertEquals("collection1", coll.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(SearchModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(SearchModelAuthorizables.from("=v"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(SearchModelAuthorizables.from("k="));
- }
-
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(SearchModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
deleted file mode 100644
index 5c14ab6..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
+++ /dev/null
@@ -1,74 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.search; - -import java.io.File; -import java.io.IOException; - -import org.junit.Assert; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.hdfs.MiniDFSCluster; -import org.apache.sentry.provider.file.PolicyFiles; -import org.junit.AfterClass; -import org.junit.BeforeClass; - -public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine { - - private static MiniDFSCluster dfsCluster; - private static FileSystem fileSystem; - private static Path root; - private static Path etc; - - @BeforeClass - public static void setupLocalClazz() throws IOException { - File baseDir = getBaseDir(); - Assert.assertNotNull(baseDir); - File dfsDir = new File(baseDir, "dfs"); - Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs()); - Configuration conf = new Configuration(); - conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath()); - dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build(); - fileSystem = dfsCluster.getFileSystem(); - root = new Path(fileSystem.getUri().toString()); - etc = new 
Path(root, "/etc"); - fileSystem.mkdirs(etc); - } - - @AfterClass - public static void teardownLocalClazz() { - if(dfsCluster != null) { - dfsCluster.shutdown(); - } - } - - @Override - protected void afterSetup() throws IOException { - fileSystem.delete(etc, true); - fileSystem.mkdirs(etc); - PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini"); - setPolicy(new SearchPolicyFileBackend(new Path(etc, - "test-authz-provider.ini").toString())); - } - - @Override - protected void beforeTeardown() throws IOException { - fileSystem.delete(etc, true); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java deleted file mode 100644 index 593afe7..0000000 --- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineLocalFS.java +++ /dev/null 
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-
-public class TestSearchPolicyEngineLocalFS extends AbstractTestSearchPolicyEngine {
-
- @Override
- protected void afterSetup() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- setPolicy(new SearchPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- FileUtils.deleteQuietly(baseDir);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
deleted file mode 100644
index 0993cc4..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
+++ /dev/null
@@ -1,101 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.policy.search; - -import java.io.File; -import java.io.IOException; -import java.util.Collections; - -import org.junit.Assert; - -import org.apache.commons.io.FileUtils; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.policy.common.PolicyEngine; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Charsets; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Sets; -import com.google.common.io.Files; - -public class TestSearchPolicyNegative { - - @SuppressWarnings("unused") - private static final Logger LOGGER = LoggerFactory - .getLogger(TestSearchPolicyNegative.class); - - private File baseDir; - private File globalPolicyFile; - private File otherPolicyFile; - - @Before - public void setup() { - baseDir = Files.createTempDir(); - globalPolicyFile = new File(baseDir, "global.ini"); - otherPolicyFile = new File(baseDir, "other.ini"); - } - - @After - public void teardown() { - if(baseDir != null) { - FileUtils.deleteQuietly(baseDir); - } - } - - private 
void append(String from, File to) throws IOException { - Files.append(from + "\n", to, Charsets.UTF_8); - } - - @Test - public void testPerDbFileException() throws Exception { - append("[databases]", globalPolicyFile); - append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile); - append("[groups]", otherPolicyFile); - append("other_group = some_role", otherPolicyFile); - append("[roles]", otherPolicyFile); - append("some_role = collection=c1", otherPolicyFile); - SearchPolicyFileBackend policy = new SearchPolicyFileBackend(globalPolicyFile.getPath()); - Assert.assertEquals(Collections.emptySet(), - policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL)); - } - - @Test - public void testCollectionRequiredInRole() throws Exception { - append("[groups]", globalPolicyFile); - append("group = some_role", globalPolicyFile); - append("[roles]", globalPolicyFile); - append("some_role = action=query", globalPolicyFile); - PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath()); - ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL); - Assert.assertTrue(permissions.toString(), permissions.isEmpty()); - } - - @Test - public void testGroupIncorrect() throws Exception { - append("[groups]", globalPolicyFile); - append("group = malicious_role", globalPolicyFile); - append("[roles]", globalPolicyFile); - append("malicious_role = collection=*", globalPolicyFile); - PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath()); - ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL); - Assert.assertTrue(permissions.toString(), permissions.isEmpty()); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java ---------------------------------------------------------------------- 
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java
deleted file mode 100644
index 3cf4a39..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java
+++ /dev/null
@@ -1,203 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.sentry.policy.search; -import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER; -import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER; -import static org.apache.sentry.policy.common.PolicyConstants.KV_SEPARATOR; - -import org.apache.sentry.core.model.search.SearchConstants; -import org.apache.sentry.policy.common.Privilege; -import org.apache.sentry.policy.common.KeyValue; -import org.junit.Test; - -public class TestSearchWildcardPrivilege extends org.junit.Assert { - - private static final String ALL = SearchConstants.ALL; - - @Test - public void testSimpleNoAction() throws Exception { - Privilege collection1 = create(new KeyValue("collection", "coll1")); - Privilege collection2 = create(new KeyValue("collection", "coll2")); - Privilege collection1Case = create(new KeyValue("colleCtIon", "coLl1")); - - assertTrue(collection1.implies(collection1)); - assertTrue(collection2.implies(collection2)); - assertTrue(collection1.implies(collection1Case)); - assertTrue(collection1Case.implies(collection1)); - - assertFalse(collection1.implies(collection2)); - 
assertFalse(collection1Case.implies(collection2)); - assertFalse(collection2.implies(collection1)); - assertFalse(collection2.implies(collection1Case)); - } - - @Test - public void testSimpleAction() throws Exception { - Privilege query = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); - Privilege update = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); - Privilege queryCase = - create(new KeyValue("colleCtIon", "coLl1"), new KeyValue("AcTiOn", "QuERy")); - - assertTrue(query.implies(query)); - assertTrue(update.implies(update)); - assertTrue(query.implies(queryCase)); - assertTrue(queryCase.implies(query)); - - assertFalse(query.implies(update)); - assertFalse(queryCase.implies(update)); - assertFalse(update.implies(query)); - assertFalse(update.implies(queryCase)); - } - - @Test - public void testRoleShorterThanRequest() throws Exception { - Privilege collection1 = create(new KeyValue("collection", "coll1")); - Privilege query = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); - Privilege update = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); - Privilege all = - create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL)); - - assertTrue(collection1.implies(query)); - assertTrue(collection1.implies(update)); - assertTrue(collection1.implies(all)); - - assertFalse(query.implies(collection1)); - assertFalse(update.implies(collection1)); - assertTrue(all.implies(collection1)); - } - - @Test - public void testCollectionAll() throws Exception { - Privilege collectionAll = create(new KeyValue("collection", ALL)); - Privilege collection1 = create(new KeyValue("collection", "coll1")); - assertTrue(collectionAll.implies(collection1)); - assertTrue(collection1.implies(collectionAll)); - - Privilege allUpdate = - create(new KeyValue("collection", ALL), new KeyValue("action", "update")); - Privilege allQuery = - create(new 
KeyValue("collection", ALL), new KeyValue("action", "query")); - Privilege coll1Update = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); - Privilege coll1Query = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); - assertTrue(allUpdate.implies(coll1Update)); - assertTrue(allQuery.implies(coll1Query)); - assertTrue(coll1Update.implies(allUpdate)); - assertTrue(coll1Query.implies(allQuery)); - assertFalse(allUpdate.implies(coll1Query)); - assertFalse(coll1Update.implies(coll1Query)); - assertFalse(allQuery.implies(coll1Update)); - assertFalse(coll1Query.implies(allUpdate)); - assertFalse(allUpdate.implies(allQuery)); - assertFalse(allQuery.implies(allUpdate)); - assertFalse(coll1Update.implies(coll1Query)); - assertFalse(coll1Query.implies(coll1Update)); - - // test different length paths - assertTrue(collectionAll.implies(allUpdate)); - assertTrue(collectionAll.implies(allQuery)); - assertTrue(collectionAll.implies(coll1Update)); - assertTrue(collectionAll.implies(coll1Query)); - assertFalse(allUpdate.implies(collectionAll)); - assertFalse(allQuery.implies(collectionAll)); - assertFalse(coll1Update.implies(collectionAll)); - assertFalse(coll1Query.implies(collectionAll)); - } - - @Test - public void testActionAll() throws Exception { - Privilege coll1All = - create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL)); - Privilege coll1Update = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "update")); - Privilege coll1Query = - create(new KeyValue("collection", "coll1"), new KeyValue("action", "query")); - assertTrue(coll1All.implies(coll1All)); - assertTrue(coll1All.implies(coll1Update)); - assertTrue(coll1All.implies(coll1Query)); - assertFalse(coll1Update.implies(coll1All)); - assertFalse(coll1Query.implies(coll1All)); - - // test different lengths - Privilege coll1 = - create(new KeyValue("collection", "coll1")); - assertTrue(coll1All.implies(coll1)); - 
assertTrue(coll1.implies(coll1All)); - } - - @Test - public void testUnexpected() throws Exception { - Privilege p = new Privilege() { - @Override - public boolean implies(Privilege p) { - return false; - } - }; - Privilege collection1 = create(new KeyValue("collection", "coll1")); - assertFalse(collection1.implies(null)); - assertFalse(collection1.implies(p)); - assertFalse(collection1.equals(null)); - assertFalse(collection1.equals(p)); - } - - @Test(expected=IllegalArgumentException.class) - public void testNullString() throws Exception { - System.out.println(create((String)null)); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyString() throws Exception { - System.out.println(create("")); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyKey() throws Exception { - System.out.println(create(KV_JOINER.join("collection", ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyValue() throws Exception { - System.out.println(create(KV_JOINER.join("", "coll1"))); - } - - @Test(expected=IllegalArgumentException.class) - public void testEmptyPart() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_JOINER.join("collection1", "coll1"), ""))); - } - - @Test(expected=IllegalArgumentException.class) - public void testOnlySeperators() throws Exception { - System.out.println(create(AUTHORIZABLE_JOINER. - join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR))); - } - - static SearchWildcardPrivilege create(KeyValue... keyValues) { - return create(AUTHORIZABLE_JOINER.join(keyValues)); - - } - static SearchWildcardPrivilege create(String s) { - return new SearchWildcardPrivilege(s); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/resources/log4j.properties ---------------------------------------------------------------------- 
diff --git a/sentry-policy/sentry-policy-search/src/test/resources/log4j.properties b/sentry-policy/sentry-policy-search/src/test/resources/log4j.properties
deleted file mode 100644
index c41373c..0000000
--- a/sentry-policy/sentry-policy-search/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Define some default values that can be overridden by system properties.
-#
-# For testing, it may also be convenient to specify
-
-log4j.rootLogger=DEBUG,console
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
-
-log4j.logger.org.apache.hadoop.conf.Configuration=INFO
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index 8af8162..0000000
--- a/sentry-policy/sentry-policy-search/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,31 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-manager = analyst_role, junior_analyst_role
-analyst = analyst_role
-jranalyst = junior_analyst_role
-admin = admin
-
-[roles]
-analyst_role = collection=purchases->action=update, \
- collection=analyst1, \
- collection=jranalyst1->action=*, \
- collection=tmpcollection->action=update, \
- collection=tmpcollection->action=query
-junior_analyst_role = collection=jranalyst1, collection=purchases_partial->action=query
-admin = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/pom.xml b/sentry-policy/sentry-policy-sqoop/pom.xml
deleted file mode 100644
index 84d031a..0000000
--- a/sentry-policy/sentry-policy-sqoop/pom.xml
+++ /dev/null
@@ -1,80 +0,0 @@
-<?xml version="1.0"?>
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy</artifactId>
- <version>1.8.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>sentry-policy-sqoop</artifactId>
- <name>Sentry Policy for Sqoop</name>
-
- <dependencies>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minicluster</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-sqoop</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
- </dependency>
- </dependencies>
-
-</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/ServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/ServerNameRequiredMatch.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/ServerNameRequiredMatch.java
deleted file mode 100644
index ef1c88b..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/ServerNameRequiredMatch.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.collect.Lists;
-
-public class ServerNameRequiredMatch implements PrivilegeValidator {
- private final String sqoopServerName;
- public ServerNameRequiredMatch(String sqoopServerName) {
- this.sqoopServerName = sqoopServerName;
- }
- @Override
- public void validate(PrivilegeValidatorContext context)
- throws ConfigurationException {
- Iterable<SqoopAuthorizable> authorizables = parsePrivilege(context.getPrivilege());
- boolean match = false;
- for (SqoopAuthorizable authorizable : authorizables) {
- if (authorizable instanceof Server && authorizable.getName().equalsIgnoreCase(sqoopServerName)) {
- match = true;
- break;
- }
- }
- if (!match) {
- String msg = "server=[name] in " + context.getPrivilege()
- + " is required. The name is expected " + sqoopServerName;
- throw new ConfigurationException(msg);
- }
- }
-
- private Iterable<SqoopAuthorizable> parsePrivilege(String string) {
- List<SqoopAuthorizable> result = Lists.newArrayList();
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- SqoopAuthorizable authorizable = SqoopModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
deleted file mode 100644
index 13f78c6..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-
-public class SimpleSqoopPolicyEngine implements PolicyEngine {
- private static final Logger LOGGER = LoggerFactory.getLogger(SimpleSqoopPolicyEngine.class);
- private final ProviderBackend providerBackend;
-
- public SimpleSqoopPolicyEngine(String sqoopServerName, ProviderBackend providerBackend) {
- this.providerBackend = providerBackend;
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(false);
- context.setValidators(ImmutableList.<PrivilegeValidator>of(new ServerNameRequiredMatch(sqoopServerName)));
- this.providerBackend.initialize(context);
- }
- @Override
- public PrivilegeFactory getPrivilegeFactory() {
- return new SqoopWildcardPrivilege.Factory();
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups,
- ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for {}", groups);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, users, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public void close() {
- if (providerBackend != null) {
- providerBackend.close();
- }
- }
-
- @Override
- public void validatePolicy(boolean strictValidation)
- throws SentryConfigurationException {
- if (providerBackend != null) {
- providerBackend.validatePolicy(strictValidation);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopModelAuthorizables.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopModelAuthorizables.java
deleted file mode 100644
index b03b4dc..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopModelAuthorizables.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import org.apache.sentry.core.model.sqoop.Connector;
-import org.apache.sentry.core.model.sqoop.Job;
-import org.apache.sentry.core.model.sqoop.Link;
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopAuthorizable;
-import org.apache.sentry.core.model.sqoop.SqoopAuthorizable.AuthorizableType;
-import org.apache.sentry.policy.common.KeyValue;
-
-public class SqoopModelAuthorizables {
- public static SqoopAuthorizable from(KeyValue keyValue) {
- String prefix = keyValue.getKey().toLowerCase();
- String name = keyValue.getValue().toLowerCase();
- for (AuthorizableType type : AuthorizableType.values()) {
- if(prefix.equalsIgnoreCase(type.name())) {
- return from(type, name);
- }
- }
- return null;
- }
-
- public static SqoopAuthorizable from(String keyValue) {
- return from(new KeyValue(keyValue));
- }
-
- public static SqoopAuthorizable from(AuthorizableType type, String name) {
- switch(type) {
- case SERVER:
- return new Server(name);
- case JOB:
- return new Job(name);
- case CONNECTOR:
- return new Connector(name);
- case LINK:
- return new Link(name);
- default:
- return null;
- }
- }
-}
