SENTRY-1406:Refactor: move AuthorizationProvider out of sentry-provider-common(Colin Ma, reviewed by Dapeng Sun, Ke Jia)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/f45727ab Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/f45727ab Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/f45727ab Branch: refs/heads/master Commit: f45727ab1a70a8e108c326da38aab2d00ba00f75 Parents: ddae7c0 Author: Colin Ma <[email protected]> Authored: Mon Aug 15 15:30:34 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Mon Aug 15 15:30:34 2016 +0800 ---------------------------------------------------------------------- pom.xml | 5 + .../sentry-binding-hive-common/pom.xml | 4 + sentry-binding/sentry-binding-kafka/pom.xml | 4 + sentry-binding/sentry-binding-solr/pom.xml | 4 + sentry-binding/sentry-binding-sqoop/pom.xml | 4 + sentry-dist/pom.xml | 4 + sentry-policy/sentry-policy-common/pom.xml | 4 - sentry-policy/sentry-policy-engine/pom.xml | 4 + sentry-policy/sentry-policy-indexer/pom.xml | 5 + sentry-provider/pom.xml | 1 + .../sentry-authorization-provider/pom.xml | 45 ++++ .../provider/common/AuthorizationProvider.java | 100 ++++++++ ...adoopGroupResourceAuthorizationProvider.java | 64 ++++++ .../common/NoAuthorizationProvider.java | 79 +++++++ .../common/ResourceAuthorizationProvider.java | 227 +++++++++++++++++++ ...adoopGroupResourceAuthorizationProvider.java | 51 +++++ .../provider/file/LocalGroupMappingService.java | 122 ++++++++++ ...LocalGroupResourceAuthorizationProvider.java | 41 ++++ .../provider/common/TestGetGroupMapping.java | 91 ++++++++ .../common/TestNoAuthorizationProvider.java | 38 ++++ .../provider/file/TestLocalGroupMapping.java | 74 ++++++ .../src/test/resources/log4j.properties | 31 +++ .../test-authz-provider-local-group-mapping.ini | 33 +++ sentry-provider/sentry-provider-cache/pom.xml | 4 + sentry-provider/sentry-provider-common/pom.xml | 7 +- .../provider/common/AuthorizationProvider.java | 100 -------- ...adoopGroupResourceAuthorizationProvider.java | 64 ------ 
.../common/NoAuthorizationProvider.java | 79 ------- .../common/ResourceAuthorizationProvider.java | 227 ------------------- ...adoopGroupResourceAuthorizationProvider.java | 51 ----- .../provider/common/TestGetGroupMapping.java | 91 -------- .../common/TestNoAuthorizationProvider.java | 40 ---- .../provider/file/LocalGroupMappingService.java | 122 ---------- ...LocalGroupResourceAuthorizationProvider.java | 41 ---- .../file/SimpleFileProviderBackend.java | 4 +- .../provider/file/TestLocalGroupMapping.java | 74 ------ sentry-service/sentry-service-server/pom.xml | 5 + 37 files changed, 1043 insertions(+), 901 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 294ddb9..b53e776 100644
--- a/pom.xml
+++ b/pom.xml
@@ -435,6 +435,11 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 <version>${project.version}</version>
 </dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-hive-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/pom.xml b/sentry-binding/sentry-binding-hive-common/pom.xml
index 685df0c..bac07ce 100644
--- a/sentry-binding/sentry-binding-hive-common/pom.xml
+++ b/sentry-binding/sentry-binding-hive-common/pom.xml
@@ -84,6 +84,10 @@ limitations under the License.
 <artifactId>mockito-all</artifactId>
 <scope>test</scope>
 </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ </dependency>
 <!-- required for SentryGrantRevokeTask -->
 <dependency>
 <groupId>org.apache.sentry</groupId>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-kafka/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/pom.xml b/sentry-binding/sentry-binding-kafka/pom.xml
index f868786..b156d25 100644
--- a/sentry-binding/sentry-binding-kafka/pom.xml
+++ b/sentry-binding/sentry-binding-kafka/pom.xml
@@ -41,6 +41,10 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-db</artifactId>
 </dependency>
 <dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-solr/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/pom.xml b/sentry-binding/sentry-binding-solr/pom.xml
index cc99948..1cb5b57 100644
--- a/sentry-binding/sentry-binding-solr/pom.xml
+++ b/sentry-binding/sentry-binding-solr/pom.xml
@@ -40,6 +40,10 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-db</artifactId>
 </dependency>
 <dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml
index e96802f..462e8bc 100644
--- a/sentry-binding/sentry-binding-sqoop/pom.xml
+++ b/sentry-binding/sentry-binding-sqoop/pom.xml
@@ -40,6 +40,10 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-file</artifactId>
 </dependency>
 <dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 04645ad..ccd112d 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -84,6 +84,10 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 </dependency>
 <dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/pom.xml b/sentry-policy/sentry-policy-common/pom.xml
index 57fc9d9..7804a0f 100644
--- a/sentry-policy/sentry-policy-common/pom.xml
+++ b/sentry-policy/sentry-policy-common/pom.xml
@@ -33,10 +33,6 @@ limitations under the License.
 <artifactId>sentry-core-common</artifactId>
 </dependency>
 <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
 <groupId>com.google.guava</groupId>
 <artifactId>guava</artifactId>
 </dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-engine/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-engine/pom.xml b/sentry-policy/sentry-policy-engine/pom.xml
index e9c44d7..4e6da63 100644
--- a/sentry-policy/sentry-policy-engine/pom.xml
+++ b/sentry-policy/sentry-policy-engine/pom.xml
@@ -48,6 +48,10 @@ limitations under the License.
 <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-policy-common</artifactId>
+ </dependency>
 </dependencies>
 </project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-indexer/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/pom.xml b/sentry-policy/sentry-policy-indexer/pom.xml
index e6ef72f..fa89192 100644
--- a/sentry-policy/sentry-policy-indexer/pom.xml
+++ b/sentry-policy/sentry-policy-indexer/pom.xml
@@ -81,6 +81,11 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-authorization-provider</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 <scope>test</scope>
 <type>test-jar</type>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml
index a929b00..6a32f30 100644
--- a/sentry-provider/pom.xml
+++ b/sentry-provider/pom.xml
@@ -34,6 +34,7 @@ limitations under the License.
 <module>sentry-provider-file</module>
 <module>sentry-provider-db</module>
 <module>sentry-provider-cache</module>
+ <module>sentry-authorization-provider</module>
 </modules>
 </project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/pom.xml b/sentry-provider/sentry-authorization-provider/pom.xml
new file mode 100644
index 0000000..46b3015
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/pom.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-authorization-provider</artifactId>
+ <name>Sentry Authorization Provider</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-policy-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
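Review bot: The dependencies block of the new module declares only sentry-policy-common, hadoop-common and junit, while the sources added in this commit import org.slf4j, com.google.common (Guava) and javax.annotation.concurrent (see the AuthorizationProvider and ResourceAuthorizationProvider files), so those presumably resolve transitively through sentry-policy-common or hadoop-common. A module should declare every artifact it compiles against directly; otherwise a later change to a transitive dependency breaks this build for no visible reason. Adding explicit `<dependency>` entries for the slf4j, guava and jsr305 artifacts the parent pom already manages would make the module self-describing.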
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
new file mode 100644
index 0000000..3d6440f
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.List;
+import java.util.Set;
+
+import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+/**
+ * Implementations of AuthorizationProvider must be threadsafe.
+ */
+@ThreadSafe
+public interface AuthorizationProvider {
+
+ String SENTRY_PROVIDER = "sentry.provider";
+
+ /***
+ * Returns validate subject privileges on given Authorizable object
+ *
+ * @param subject: UserID to validate privileges
+ * @param authorizableHierarchy : List of object according to namespace hierarchy.
+ * eg. Server->Db->Table or Server->Function
+ * The privileges will be validated from the higher to lower scope
+ * @param actions : Privileges to validate
+ * @param roleSet : Roles which should be used when obtaining privileges
+ * @return
+ * True if the subject is authorized to perform requested action on the given object
+ */
+ boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+ Set<? extends Action> actions, ActiveRoleSet roleSet);
+
+ /***
+ * Get the GroupMappingService used by the AuthorizationProvider
+ *
+ * @return GroupMappingService used by the AuthorizationProvider
+ */
+ GroupMappingService getGroupMapping();
+
+ /***
+ * Validate the policy file format for syntax and semantic errors
+ * @param strictValidation
+ * @throws SentryConfigurationException
+ */
+ void validateResource(boolean strictValidation) throws SentryConfigurationException;
+
+ /***
+ * Returns the list privileges for the given subject
+ * @param subject
+ * @return
+ * @throws SentryConfigurationException
+ */
+ Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException;
+
+ /**
+ * Returns the list privileges for the given group
+ * @param groupName
+ * @return
+ * @throws SentryConfigurationException
+ */
+ Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException;
+
+ /***
+ * Returns the list of missing privileges of the last access request
+ * @return
+ */
+ List<String> getLastFailedPrivileges();
+
+ /**
+ * Frees any resources held by the the provider
+ */
+ void close();
+
+ /**
+ * Get the policy engine
+ */
+ PolicyEngine getPolicyEngine();
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
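Review bot: The Javadoc on validateResource, listPrivilegesForSubject, listPrivilegesForGroup and getLastFailedPrivileges carries empty `@param`, `@return` and `@throws` tags, and several comment blocks open with `/***`, which javadoc renders as a stray leading `*`; now that this interface is the public surface of its own module the tags should say what they describe. For listPrivilegesForSubject, for example: `@param subject the user whose privileges are listed`, `@return the privilege strings granted to that user and its groups, empty if none`, and an `@throws SentryConfigurationException` line stating the condition under which implementations raise it. getLastFailedPrivileges should also document that it reports on the most recent hasAccess call, since that coupling is not visible from the signature.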
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..6e5dbc3
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.common;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.Groups;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.service.HadoopGroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public class HadoopGroupResourceAuthorizationProvider extends
+ ResourceAuthorizationProvider {
+
+ // if set to true in the Configuration, constructs a new Group object
+ // for the GroupMappingService rather than using Hadoop's static mapping.
+ public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
+ public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
+
+ // resource parameter present so that other AuthorizationProviders (e.g.
+ // LocalGroupResourceAuthorizationProvider) has the same constructor params.
+ public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
+ Model model) throws IOException {
+ this(new Configuration(), resource, policy, model);
+ }
+
+ public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD
+ PolicyEngine policy, Model model) throws IOException {
+ this(policy, new HadoopGroupMappingService(getGroups(conf)), model);
+ }
+
+ @VisibleForTesting
+ public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
+ GroupMappingService groupService, Model model) {
+ super(policy, groupService, model);
+ }
+
+ private static Groups getGroups(Configuration conf) {
+ if (conf.getBoolean(USE_NEW_GROUPS, false)) {
+ return new Groups(conf);
+ } else {
+ return Groups.getUserToGroupsMappingService(conf);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
new file mode 100644
index 0000000..11dbfb7
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
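Review bot: The class has no Javadoc, and the comment explaining the "new Groups" switch sits above CONF_PREFIX rather than above USE_NEW_GROUPS, the constant it actually describes, so a reader scanning the file attributes it to the wrong field. A class comment along the lines of `/** ResourceAuthorizationProvider whose user-to-group lookup is delegated to Hadoop's Groups service (see USE_NEW_GROUPS). */` and moving the existing two-line comment directly above USE_NEW_GROUPS would fix both. The three-argument constructor also deserves a sentence noting that `new Configuration()` means group resolution depends on whatever Hadoop configuration is on the classpath at construction time, which appears to be the intent but is easy to miss from the call site.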
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.service.NoGroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+public class NoAuthorizationProvider implements AuthorizationProvider {
+ private GroupMappingService noGroupMappingService = new NoGroupMappingService();
+
+ @Override
+ public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+ Set<? extends Action> actions, ActiveRoleSet roleSet) {
+ return false;
+ }
+
+ @Override
+ public GroupMappingService getGroupMapping() {
+ return noGroupMappingService;
+ }
+
+ @Override
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+ }
+
+ @Override
+ public Set<String> listPrivilegesForSubject(Subject subject)
+ throws SentryConfigurationException {
+ return new HashSet<String>();
+ }
+
+ @Override
+ public Set<String> listPrivilegesForGroup(String groupName)
+ throws SentryConfigurationException {
+ return new HashSet<String>();
+ }
+
+ @Override
+ public List<String> getLastFailedPrivileges() {
+ return new ArrayList<String>();
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ // the class is only for the test TestNoAuthorizationProvider. this method won't be called,
+ // just for override. Return null has no problem here.
+ @Override
+ public PolicyEngine getPolicyEngine() {
+ return null;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
new file mode 100644
index 0000000..a6b2047
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
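Review bot: The only description of what this class is for is the comment on getPolicyEngine, which says it exists for TestNoAuthorizationProvider, yet it ships in src/main as a selectable AuthorizationProvider whose hasAccess unconditionally returns false; that deny-everything contract should be stated at the class level so nobody configures it expecting a permissive no-op. A class comment such as `/** AuthorizationProvider that denies every access request and reports no privileges; a null object for tests and for explicitly locking a binding down. */` would do. The empty validateResource and close bodies should each carry a one-line comment (`// nothing to validate: this provider has no policy backing it`) so they read as intentional rather than unfinished, and noGroupMappingService can be `final` since it is assigned once at declaration.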
@@ -0,0 +1,227 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Function;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(ResourceAuthorizationProvider.class);
+ private final static ThreadLocal<List<String>> lastFailedPrivileges =
+ new ThreadLocal<List<String>>() {
+ @Override
+ protected List<String> initialValue() {
+ return new ArrayList<String>();
+ }
+ };
+
+ private final GroupMappingService groupService;
+ private final PolicyEngine policy;
+ private final PrivilegeFactory privilegeFactory;
+ private final Model model;
+
+ public ResourceAuthorizationProvider(PolicyEngine policy,
+ GroupMappingService groupService, Model model) {
+ this.policy = policy;
+ this.groupService = groupService;
+ this.privilegeFactory = policy.getPrivilegeFactory();
+ this.model = model;
+ }
+
+ /***
+ * @param subject: UserID to validate privileges
+ * @param authorizableHierarchy : List of object according to namespace hierarchy.
+ * eg. Server->Db->Table or Server->Function
+ * The privileges will be validated from the higher to lower scope
+ * @param actions : Privileges to validate
+ * @return
+ * True if the subject is authorized to perform requested action on the given object
+ */
+ @Override
+ public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+ Set<? extends Action> actions, ActiveRoleSet roleSet) {
+ if(LOGGER.isDebugEnabled()) {
+ LOGGER.debug("Authorization Request for " + subject + " " +
+ authorizableHierarchy + " and " + actions);
+ }
+ Preconditions.checkNotNull(subject, "Subject cannot be null");
+ Preconditions.checkNotNull(authorizableHierarchy, "Authorizable cannot be null");
+ Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
+ Preconditions.checkNotNull(actions, "Actions cannot be null");
+ Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
+ Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
+ return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
+ }
+
+ private boolean doHasAccess(Subject subject,
+ List<? extends Authorizable> authorizables, Set<? extends Action> actions,
+ ActiveRoleSet roleSet) {
+ Set<String> groups = getGroups(subject);
+ Set<String> users = Sets.newHashSet(subject.getName());
+ Set<String> hierarchy = new HashSet<String>();
+ for (Authorizable authorizable : authorizables) {
+ hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+ }
+ List<String> requestPrivileges = buildPermissions(authorizables, actions);
+ Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet,
+ authorizables.toArray(new Authorizable[0]));
+ lastFailedPrivileges.get().clear();
+
+ for (String requestPrivilege : requestPrivileges) {
+ Privilege priv = privilegeFactory.createPrivilege(requestPrivilege);
+ for (Privilege permission : privileges) {
+ /*
+ * Does the permission granted in the policy file imply the requested action?
+ */
+ boolean result = permission.implies(priv, model);
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
+ new Object[]{ permission, requestPrivilege, roleSet, result});
+ }
+ if (result) {
+ return true;
+ }
+ }
+ }
+
+ lastFailedPrivileges.get().addAll(requestPrivileges);
+ return false;
+ }
+
+ private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String> users,
+ ActiveRoleSet roleSet, Authorizable[] authorizables) {
+ ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet, authorizables);
+ return Iterables.transform(appendDefaultDBPriv(privileges, authorizables),
+ new Function<String, Privilege>() {
+ @Override
+ public Privilege apply(String privilege) {
+ return privilegeFactory.createPrivilege(privilege);
+ }
+ });
+ }
+
+ private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> privileges, Authorizable[] authorizables) {
+ // Only for switch db
+ if (authorizables != null && authorizables.length == 4 && authorizables[2].getName().equals("+")
+ && privileges.size() == 1 && hasOnlyServerPrivilege(privileges.asList().get(0))) {
+ // Assuming authorizable[0] will always be the server
+ // This Code is only reachable only when user fires a 'use default'
+ // and the user has a privilege on atleast 1 privilized Object
+ String defaultPriv = "Server=" + authorizables[0].getName() +
+ "->Db=default->Table=*->Column=*->action=select";
+ Set<String> newPrivs = Sets.newHashSet(defaultPriv);
+ return ImmutableSet.copyOf(newPrivs);
+ }
+ return privileges;
+ }
+
+ private boolean hasOnlyServerPrivilege(String priv) {
+ ArrayList<String> l = Lists.newArrayList(AUTHORIZABLE_SPLITTER.split(priv));
+ if (l.size() == 1 && l.get(0).toLowerCase().startsWith("server")) {
+ return l.get(0).toLowerCase().split("=")[1].endsWith("+");
+ }
+ return false;
+ }
+
+ @Override
+ public GroupMappingService getGroupMapping() {
+ return groupService;
+ }
+
+ private Set<String> getGroups(Subject subject) {
+ return groupService.getGroups(subject.getName());
+ }
+
+ @Override
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+ policy.validatePolicy(strictValidation);
+ }
+
+ @Override
+ public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
+ return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
+ ActiveRoleSet.ALL, (Authorizable[]) null);
+ }
+
+ @Override
+ public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
+ return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
+ }
+
+ @Override
+ public List<String> getLastFailedPrivileges() {
+ return lastFailedPrivileges.get();
+ }
+
+ @Override
+ public void close() {
+ if (policy != null) {
+ policy.close();
+ }
+ }
+
+ private List<String> buildPermissions(List<? extends Authorizable> authorizables,
+ Set<? extends Action> actions) {
+ List<String> hierarchy = new ArrayList<String>();
+ List<String> requestedPermissions = new ArrayList<String>();
+
+ for (Authorizable authorizable : authorizables) {
+ hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+ }
+
+ for (Action action : actions) {
+ String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
+ requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
+ KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
+ requestedPermissions.add(requestPermission);
+ }
+ return requestedPermissions;
+ }
+
+ @Override
+ public PolicyEngine getPolicyEngine() {
+ return policy;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
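Review bot: In hasOnlyServerPrivilege, `l.get(0).toLowerCase().split("=")[1]` throws ArrayIndexOutOfBoundsException whenever the single segment has nothing after `=` (String.split drops trailing empty strings, and the preceding `startsWith("server")` also accepts a bare `server`), so a privilege string of that shape coming back from the policy engine surfaces as an unchecked exception out of hasAccess instead of a false result; guard the split and pin the locale: `String[] kv = l.get(0).toLowerCase(Locale.ROOT).split("="); return kv.length > 1 && kv[1].endsWith("+");` (needs `java.util.Locale`). In doHasAccess the `hierarchy` set filled from `KV_JOINER.join(...)` is never read — buildPermissions builds the same strings itself — so those three lines, and with them the HashSet import, can be removed. appendDefaultDBPriv hard-codes a `Server=...->Db=default->Table=*->Column=*->action=select` privilege keyed on `authorizables.length == 4`, which reads as Hive-specific now that this class lives in the generic authorization-provider module; a comment naming the binding this shortcut exists for would keep the next maintainer from treating it as general-purpose behaviour.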
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..bf2c5a1
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.core.common.service.GroupMappingService;
+
+import com.google.common.annotations.VisibleForTesting;
+
+/**
+ * Kept for backwards compatibility
+ */
+@Deprecated
+public class HadoopGroupResourceAuthorizationProvider extends
+ org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider {
+
+ public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException {
+ super(resource, policy, model);
+ }
+
+ public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource,
+ PolicyEngine policy, Model model) throws IOException {
+ super(conf, resource, policy, model);
+ }
+
+ @VisibleForTesting
+ public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
+ GroupMappingService groupService, Model model) {
+ super(policy, groupService, model);
+ }
+
+}
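Review bot: The `@Deprecated` shim carries no `@deprecated` Javadoc tag, so a deployment whose configuration still names `org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider` gets a compiler warning but no pointer to what replaces it. The class comment should read `/** @deprecated Use {@link org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider}; this subclass exists only so configurations that reference the old class name keep loading. */`. Since an authorization-provider class name is presumably configured in deployed clusters rather than compiled in, a sentence on when the old name will stop resolving would also help operators plan the migration.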
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
new file mode 100644
index 0000000..7e570ae
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -0,0 +1,122 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.file; + +import java.io.IOException; +import java.util.HashMap; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Set; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.sentry.core.common.service.GroupMappingService; +import org.apache.sentry.core.common.utils.PolicyFiles; +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.common.utils.PolicyFileConstants; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; +import org.apache.shiro.config.Ini; +import org.apache.shiro.config.Ini.Section; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; + +/** + * Mapping users to groups + * parse the ini file with section [users] that contains the user names. 
+ * For each user in that list, there's section that contains the group + * name for that user If there's no user section or no group section for + * one of users, then just print a warning and continue. + * Example - + * [users] + * usr1 + * usr2 + * + * [[usr1] + * group1 + * group11 + * + * [usr2] + * group21 + * group22 + * + */ +public class LocalGroupMappingService implements GroupMappingService { + + private static final Logger LOGGER = LoggerFactory + .getLogger(LocalGroupMappingService.class); + + private final Map <String, Set<String>> groupMap = + new HashMap <String, Set<String>> (); + + public LocalGroupMappingService(Path resourcePath) throws IOException { + this(new Configuration(), resourcePath); + } + + @VisibleForTesting + public LocalGroupMappingService(Configuration configuration, Path resourcePath) + throws IOException { + // parse user/group mapping + parseGroups(resourcePath.getFileSystem(configuration), resourcePath); + } + + public LocalGroupMappingService(Configuration configuration, String resource) + throws IOException { + this(configuration, new Path(resource)); + } + + @Override + public Set<String> getGroups(String user) { + Set<String> groups = groupMap.get(user); + if (groups == null || groups.isEmpty()) { + throw new SentryGroupNotFoundException("Unable to obtain groups for " + user); + } + return groups; + } + + private void parseGroups(FileSystem fileSystem, Path resourcePath) throws IOException { + Ini ini = PolicyFiles.loadFromPath(fileSystem, resourcePath); + Section usersSection = ini.getSection(PolicyFileConstants.USERS); + if (usersSection == null) { + LOGGER.warn("No section " + PolicyFileConstants.USERS + " in the " + resourcePath); + return; + } + for (Entry<String, String> userEntry : usersSection.entrySet()) { + String userName = Strings.nullToEmpty(userEntry.getKey()).trim(); + String groupNames = Strings.nullToEmpty(userEntry.getValue()).trim(); + if (userName.isEmpty()) { + LOGGER.error("Invalid user name in the " + 
resourcePath); + continue; + } + if (groupNames.isEmpty()) { + LOGGER.warn("No groups available for user " + userName + + " in the " + resourcePath); + continue; + } + Set<String> groupList = Sets.newHashSet(SentryConstants.ROLE_SPLITTER.trimResults().split( + groupNames)); + LOGGER.debug("Got user mapping: " + userName + ", Groups: " + groupNames); + groupMap.put(userName, groupList); + } + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java new file mode 100644 index 0000000..a9e7836 --- /dev/null +++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java 
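Review bot: `getGroups` hands back the live `HashSet` stored in `groupMap`, so any caller that modifies the returned set changes that user's group membership — and therefore the privileges the policy engine will grant — for the lifetime of the service; return a read-only view, `return Collections.unmodifiableSet(groups);` (adding `java.util.Collections` to the imports), or store `ImmutableSet.copyOf(groupList)` in `parseGroups` so the map never holds a mutable set. The class Javadoc also documents a layout that `parseGroups` does not read: it shows a `[[usr1]` section per user, whereas the code takes `user = group1, group2` entries from the single `[users]` section, as the test resource's `foo = admin,analyst` does, so the example should be rewritten in that form. The `LOGGER.warn`/`LOGGER.error` branches are the only signal that a policy file is malformed; a sentence in the class Javadoc saying that such users end up with no groups and will fail `getGroups` with SentryGroupNotFoundException would make that fail-closed behaviour explicit for whoever edits the file.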
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+
+
+public class LocalGroupResourceAuthorizationProvider extends
+ ResourceAuthorizationProvider {
+
+ public LocalGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
+ Model model) throws IOException {
+ super(policy, new LocalGroupMappingService(new Path(resource)), model);
+ }
+
+ public LocalGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy,
+ Model model) throws IOException {
+ super(policy, new LocalGroupMappingService(conf, new Path(resource)), model);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java ----------------------------------------------------------------------
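Review bot: The class has no Javadoc, and as it is presumably the provider a deployment selects by class name, a reader has nothing but the constructor bodies to tell them how it differs from the Hadoop-backed provider. Propose adding above the class: `/** ResourceAuthorizationProvider whose user-to-group mapping is read from the [users] section of the policy file at {@code resource} via LocalGroupMappingService, rather than from Hadoop's group mapping service. */`. It is also worth saying in that comment that the one-argument form resolves `resource` with a default Hadoop Configuration (that is what the single-Path LocalGroupMappingService constructor does), so callers that need a specific filesystem configuration must use the two-argument constructor.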
diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
new file mode 100644
index 0000000..f6d8c05
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
@@ -0,0 +1,91 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.provider.common; + +import static org.junit.Assert.assertSame; + +import java.util.Set; + +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.exception.SentryConfigurationException; +import org.apache.sentry.core.common.service.GroupMappingService; +import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.common.PrivilegeFactory; +import org.junit.Test; + +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Sets; + +public class TestGetGroupMapping { + + private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider { + public TestResourceAuthorizationProvider(PolicyEngine policy, + GroupMappingService groupService) { + super(policy, groupService, null); + } + }; + + @Test + public void testResourceAuthorizationProvider() { + final Set<String> set = Sets.newHashSet("a", "b", "c"); + GroupMappingService mappingService = new GroupMappingService() { + @Override + public Set<String> getGroups(String user) { return set; } + }; + PolicyEngine policyEngine 
= new PolicyEngine() { + @Override + public PrivilegeFactory getPrivilegeFactory() { return null; } + + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) { + return ImmutableSet.of(); + } + + @Override + public void validatePolicy(boolean strictValidation) + throws SentryConfigurationException { + } + + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) + throws SentryConfigurationException { + return ImmutableSet.of(); + } + + @Override + public void close() {} + }; + + TestResourceAuthorizationProvider authProvider = + new TestResourceAuthorizationProvider(policyEngine, mappingService); + assertSame(authProvider.getGroupMapping(), mappingService); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java new file mode 100644 index 0000000..9762b99 --- /dev/null +++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java 
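Review bot: `assertSame(authProvider.getGroupMapping(), mappingService)` puts the actual value in JUnit's expected slot, so a failure message would read backwards; it should be `assertSame(mappingService, authProvider.getGroupMapping());`. The anonymous PolicyEngine returns `null` from `getPrivilegeFactory()` and an empty set from every `getPrivileges` overload without saying why, so a one-line comment such as `// stub engine that grants nothing: only the group-mapping wiring is under test` would tell the next reader that no privilege lookups are expected to succeed here.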
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Tests around the NoAuthorizationProvider
+ */
+public class TestNoAuthorizationProvider {
+
+ @Test
+ public void testNoAuthorizationProvider() {
+ NoAuthorizationProvider nap = new NoAuthorizationProvider();
+ Assert.assertFalse(nap.hasAccess(null, null, null, null));
+
+ GroupMappingService gms = nap.getGroupMapping();
+ Assert.assertEquals(gms.getGroups(null).size(), 0);
+ Assert.assertEquals(gms.getGroups("").size(), 0);
+ Assert.assertEquals(gms.getGroups("a").size(), 0);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java ----------------------------------------------------------------------
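Review bot: The three `Assert.assertEquals(gms.getGroups(...).size(), 0)` calls pass the actual value as the expected one, so a regression would report "expected:<N> but was:<0>"; write them as `Assert.assertEquals(0, gms.getGroups(null).size());` and likewise for `""` and `"a"`. The test pins only the deny-all `hasAccess` result and the empty group mapping; if the relocated NoAuthorizationProvider keeps the empty `listPrivilegesForSubject`, `listPrivilegesForGroup` and `getLastFailedPrivileges` results of the copy deleted in this commit, asserting those here too would stop a later change from quietly granting privileges through the "no authorization" provider.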
diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
new file mode 100644
index 0000000..9864b82
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.file; + +import java.io.File; +import java.io.IOException; +import java.util.Set; + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.fs.Path; +import org.apache.sentry.core.common.exception.SentryGroupNotFoundException; +import org.apache.sentry.core.common.utils.PolicyFiles; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; + +public class TestLocalGroupMapping { + + private static final String resourcePath = "test-authz-provider-local-group-mapping.ini"; + private static final Set<String> fooGroups = Sets.newHashSet("admin", "analyst"); + private static final Set<String> barGroups = Sets.newHashSet("jranalyst"); + + private LocalGroupMappingService localGroupMapping; + + private File baseDir; + + @Before + public void setup() throws IOException { + baseDir = Files.createTempDir(); + PolicyFiles.copyToDir(baseDir, resourcePath); + localGroupMapping = new LocalGroupMappingService(new Path(new File(baseDir, resourcePath).getPath())); + } + + @After + public void 
teardown() { + if(baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } + + @Test + public void testGroupMapping() { + Set<String> fooGroupsFromResource = localGroupMapping.getGroups("foo"); + Assert.assertEquals(fooGroupsFromResource, fooGroups); + + Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar"); + Assert.assertEquals(barGroupsFromResource, barGroups); + + try { + localGroupMapping.getGroups("unknown"); + Assert.fail("SentryGroupNotFoundException should be thrown."); + } catch (SentryGroupNotFoundException sgnfe) { + } + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties b/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties new file mode 100644 index 0000000..c41373c --- /dev/null +++ b/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties 
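Review bot: The `catch (SentryGroupNotFoundException sgnfe) { }` block at the end of `testGroupMapping` is empty, which reads as a swallowed exception even though it is the expected outcome; moving the unknown-user case into its own `@Test(expected = SentryGroupNotFoundException.class) public void testUnknownUser()` method removes the try/catch entirely, or at minimum the block should contain `// expected`. The `Assert.assertEquals(fooGroupsFromResource, fooGroups)` calls also have expected and actual swapped, which only matters for the failure message but is easy to fix as `Assert.assertEquals(fooGroups, fooGroupsFromResource);`. Neither warning path in LocalGroupMappingService — a user listed with no groups, or a file without a [users] section — is exercised; a test that such a user also raises SentryGroupNotFoundException would pin the fail-closed behaviour the parser relies on.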
@@ -0,0 +1,31 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Define some default values that can be overridden by system properties. +# +# For testing, it may also be convenient to specify + +log4j.rootLogger=DEBUG,console + +log4j.appender.console=org.apache.log4j.ConsoleAppender +log4j.appender.console.target=System.err +log4j.appender.console.layout=org.apache.log4j.PatternLayout +log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n + +log4j.logger.org.apache.hadoop.conf.Configuration=INFO http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini b/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini new file mode 100644 index 0000000..e6fc290 --- /dev/null +++ b/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini 
@@ -0,0 +1,33 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +manager = analyst_role, junior_analyst_role, functions +analyst = analyst_role +jranalyst = junior_analyst_role +admin = admin + +[roles] +analyst_role = server=server1->db=customers->table=purchases->select, server=server1->db=analyst1, \ + server=server1->db=jranalyst1->table=*->select +junior_analyst_role = server=server1->db=jranalyst1 +functions = server=server1->functions +admin = server=server1 + +[users] +foo = admin,analyst +bar = jranalyst http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-cache/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/pom.xml b/sentry-provider/sentry-provider-cache/pom.xml index 694df36..d4e0b8b 100644 --- a/sentry-provider/sentry-provider-cache/pom.xml +++ b/sentry-provider/sentry-provider-cache/pom.xml 
@@ -72,6 +72,10 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-policy-engine</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-file</artifactId> <scope>test</scope> </dependency> http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml index f83f594..4c8b13e 100644 --- a/sentry-provider/sentry-provider-common/pom.xml +++ b/sentry-provider/sentry-provider-common/pom.xml @@ -29,17 +29,12 @@ limitations under the License. <dependencies> <dependency> - <groupId>junit</groupId> - <artifactId>junit</artifactId> - <scope>test</scope> - </dependency> - <dependency> <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-common</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-policy-common</artifactId> + <artifactId>sentry-core-common</artifactId> </dependency> <dependency> <groupId>com.google.guava</groupId> http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java deleted file mode 100644 index 3d6440f..0000000 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.common; - -import java.util.List; -import java.util.Set; - -import javax.annotation.concurrent.ThreadSafe; - -import org.apache.sentry.core.common.Action; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.exception.SentryConfigurationException; -import org.apache.sentry.core.common.Subject; -import org.apache.sentry.core.common.service.GroupMappingService; -import org.apache.sentry.policy.common.PolicyEngine; - -/** - * Implementations of AuthorizationProvider must be threadsafe. - */ -@ThreadSafe -public interface AuthorizationProvider { - - String SENTRY_PROVIDER = "sentry.provider"; - - /*** - * Returns validate subject privileges on given Authorizable object - * - * @param subject: UserID to validate privileges - * @param authorizableHierarchy : List of object according to namespace hierarchy. - * eg. 
Server->Db->Table or Server->Function - * The privileges will be validated from the higher to lower scope - * @param actions : Privileges to validate - * @param roleSet : Roles which should be used when obtaining privileges - * @return - * True if the subject is authorized to perform requested action on the given object - */ - boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy, - Set<? extends Action> actions, ActiveRoleSet roleSet); - - /*** - * Get the GroupMappingService used by the AuthorizationProvider - * - * @return GroupMappingService used by the AuthorizationProvider - */ - GroupMappingService getGroupMapping(); - - /*** - * Validate the policy file format for syntax and semantic errors - * @param strictValidation - * @throws SentryConfigurationException - */ - void validateResource(boolean strictValidation) throws SentryConfigurationException; - - /*** - * Returns the list privileges for the given subject - * @param subject - * @return - * @throws SentryConfigurationException - */ - Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException; - - /** - * Returns the list privileges for the given group - * @param groupName - * @return - * @throws SentryConfigurationException - */ - Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException; - - /*** - * Returns the list of missing privileges of the last access request - * @return - */ - List<String> getLastFailedPrivileges(); - - /** - * Frees any resources held by the the provider - */ - void close(); - - /** - * Get the policy engine - */ - PolicyEngine getPolicyEngine(); -} http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java deleted file mode 100644 index 6e5dbc3..0000000 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.common; - -import java.io.IOException; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.security.Groups; -import org.apache.sentry.core.common.Model; -import org.apache.sentry.core.common.service.GroupMappingService; -import org.apache.sentry.core.common.service.HadoopGroupMappingService; -import org.apache.sentry.policy.common.PolicyEngine; - -import com.google.common.annotations.VisibleForTesting; - -public class HadoopGroupResourceAuthorizationProvider extends - ResourceAuthorizationProvider { - - // if set to true in the Configuration, constructs a new Group object - // for the GroupMappingService rather than using Hadoop's static mapping. - public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName(); - public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups"; - - // resource parameter present so that other AuthorizationProviders (e.g. - // LocalGroupResourceAuthorizationProvider) has the same constructor params. 
- public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, - Model model) throws IOException { - this(new Configuration(), resource, policy, model); - } - - public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD - PolicyEngine policy, Model model) throws IOException { - this(policy, new HadoopGroupMappingService(getGroups(conf)), model); - } - - @VisibleForTesting - public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy, - GroupMappingService groupService, Model model) { - super(policy, groupService, model); - } - - private static Groups getGroups(Configuration conf) { - if (conf.getBoolean(USE_NEW_GROUPS, false)) { - return new Groups(conf); - } else { - return Groups.getUserToGroupsMappingService(conf); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java deleted file mode 100644 index 11dbfb7..0000000 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java +++ /dev/null 
@@ -1,79 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.core.common.service.NoGroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-
-public class NoAuthorizationProvider implements AuthorizationProvider {
- private GroupMappingService noGroupMappingService = new NoGroupMappingService();
-
- @Override
- public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
- Set<? extends Action> actions, ActiveRoleSet roleSet) {
- return false;
- }
-
- @Override
- public GroupMappingService getGroupMapping() {
- return noGroupMappingService;
- }
-
- @Override
- public void validateResource(boolean strictValidation) throws SentryConfigurationException {
- }
-
- @Override
- public Set<String> listPrivilegesForSubject(Subject subject)
- throws SentryConfigurationException {
- return new HashSet<String>();
- }
-
- @Override
- public Set<String> listPrivilegesForGroup(String groupName)
- throws SentryConfigurationException {
- return new HashSet<String>();
- }
-
- @Override
- public List<String> getLastFailedPrivileges() {
- return new ArrayList<String>();
- }
-
- @Override
- public void close() {
-
- }
-
- // the class is only for the test TestNoAuthorizationProvider. this method won't be called,
- // just for override. Return null has no problem here.
- @Override
- public PolicyEngine getPolicyEngine() {
- return null;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
deleted file mode 100644
index a6b2047..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Model;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Function;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
- private static final Logger LOGGER = LoggerFactory
- .getLogger(ResourceAuthorizationProvider.class);
- private final static ThreadLocal<List<String>> lastFailedPrivileges =
- new ThreadLocal<List<String>>() {
- @Override
- protected List<String> initialValue() {
- return new ArrayList<String>();
- }
- };
-
- private final GroupMappingService groupService;
- private final PolicyEngine policy;
- private final PrivilegeFactory privilegeFactory;
- private final Model model;
-
- public ResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService, Model model) {
- this.policy = policy;
- this.groupService = groupService;
- this.privilegeFactory = policy.getPrivilegeFactory();
- this.model = model;
- }
-
- /***
- * @param subject: UserID to validate privileges
- * @param authorizableHierarchy : List of object according to namespace hierarchy.
- * eg. Server->Db->Table or Server->Function
- * The privileges will be validated from the higher to lower scope
- * @param actions : Privileges to validate
- * @return
- * True if the subject is authorized to perform requested action on the given object
- */
- @Override
- public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
- Set<? extends Action> actions, ActiveRoleSet roleSet) {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Authorization Request for " + subject + " " +
- authorizableHierarchy + " and " + actions);
- }
- Preconditions.checkNotNull(subject, "Subject cannot be null");
- Preconditions.checkNotNull(authorizableHierarchy, "Authorizable cannot be null");
- Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
- Preconditions.checkNotNull(actions, "Actions cannot be null");
- Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
- Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
- return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
- }
-
- private boolean doHasAccess(Subject subject,
- List<? extends Authorizable> authorizables, Set<? extends Action> actions,
- ActiveRoleSet roleSet) {
- Set<String> groups = getGroups(subject);
- Set<String> users = Sets.newHashSet(subject.getName());
- Set<String> hierarchy = new HashSet<String>();
- for (Authorizable authorizable : authorizables) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
- }
- List<String> requestPrivileges = buildPermissions(authorizables, actions);
- Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet,
- authorizables.toArray(new Authorizable[0]));
- lastFailedPrivileges.get().clear();
-
- for (String requestPrivilege : requestPrivileges) {
- Privilege priv = privilegeFactory.createPrivilege(requestPrivilege);
- for (Privilege permission : privileges) {
- /*
- * Does the permission granted in the policy file imply the requested action?
- */
- boolean result = permission.implies(priv, model);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
- new Object[]{ permission, requestPrivilege, roleSet, result});
- }
- if (result) {
- return true;
- }
- }
- }
-
- lastFailedPrivileges.get().addAll(requestPrivileges);
- return false;
- }
-
- private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable[] authorizables) {
- ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet, authorizables);
- return Iterables.transform(appendDefaultDBPriv(privileges, authorizables),
- new Function<String, Privilege>() {
- @Override
- public Privilege apply(String privilege) {
- return privilegeFactory.createPrivilege(privilege);
- }
- });
- }
-
- private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> privileges, Authorizable[] authorizables) {
- // Only for switch db
- if (authorizables != null && authorizables.length == 4 && authorizables[2].getName().equals("+")
- && privileges.size() == 1 && hasOnlyServerPrivilege(privileges.asList().get(0))) {
- // Assuming authorizable[0] will always be the server
- // This Code is only reachable only when user fires a 'use default'
- // and the user has a privilege on atleast 1 privilized Object
- String defaultPriv = "Server=" + authorizables[0].getName()
- + "->Db=default->Table=*->Column=*->action=select";
- Set<String> newPrivs = Sets.newHashSet(defaultPriv);
- return ImmutableSet.copyOf(newPrivs);
- }
- return privileges;
- }
-
- private boolean hasOnlyServerPrivilege(String priv) {
- ArrayList<String> l = Lists.newArrayList(AUTHORIZABLE_SPLITTER.split(priv));
- if (l.size() == 1 && l.get(0).toLowerCase().startsWith("server")) {
- return l.get(0).toLowerCase().split("=")[1].endsWith("+");
- }
- return false;
- }
-
- @Override
- public GroupMappingService getGroupMapping() {
- return groupService;
- }
-
- private Set<String> getGroups(Subject subject) {
- return groupService.getGroups(subject.getName());
- }
-
- @Override
- public void validateResource(boolean strictValidation) throws SentryConfigurationException {
- policy.validatePolicy(strictValidation);
- }
-
- @Override
- public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
- return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
- ActiveRoleSet.ALL, (Authorizable[]) null);
- }
-
- @Override
- public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
- return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
- }
-
- @Override
- public List<String> getLastFailedPrivileges() {
- return lastFailedPrivileges.get();
- }
-
- @Override
- public void close() {
- if (policy != null) {
- policy.close();
- }
- }
-
- private List<String> buildPermissions(List<? extends Authorizable> authorizables,
- Set<? extends Action> actions) {
- List<String> hierarchy = new ArrayList<String>();
- List<String> requestedPermissions = new ArrayList<String>();
-
- for (Authorizable authorizable : authorizables) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
- }
-
- for (Action action : actions) {
- String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
- requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
- KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
- requestedPermissions.add(requestPermission);
- }
- return requestedPermissions;
- }
-
- @Override
- public PolicyEngine getPolicyEngine() {
- return policy;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
deleted file mode 100644
index bf2c5a1..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.Model;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.core.common.service.GroupMappingService;
-
-import com.google.common.annotations.VisibleForTesting;
-
-/**
- * Kept for backwards compatibility
- */
-@Deprecated
-public class HadoopGroupResourceAuthorizationProvider extends
- org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider {
-
- public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException {
- super(resource, policy, model);
- }
-
- public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource,
- PolicyEngine policy, Model model) throws IOException {
- super(conf, resource, policy, model);
- }
-
- @VisibleForTesting
- public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService, Model model) {
- super(policy, groupService, model);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
deleted file mode 100644
index f6d8c05..0000000
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import static org.junit.Assert.assertSame;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-
-public class TestGetGroupMapping {
-
- private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
- public TestResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
- super(policy, groupService, null);
- }
- };
-
- @Test
- public void testResourceAuthorizationProvider() {
- final Set<String> set = Sets.newHashSet("a", "b", "c");
- GroupMappingService mappingService = new GroupMappingService() {
- @Override
- public Set<String> getGroups(String user) { return set; }
- };
- PolicyEngine policyEngine = new PolicyEngine() {
- @Override
- public PrivilegeFactory getPrivilegeFactory() { return null; }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
- return ImmutableSet.of();
- }
-
- @Override
- public void validatePolicy(boolean strictValidation)
- throws SentryConfigurationException {
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, users, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- return ImmutableSet.of();
- }
-
- @Override
- public void close() {}
- };
-
- TestResourceAuthorizationProvider authProvider =
- new TestResourceAuthorizationProvider(policyEngine, mappingService);
- assertSame(authProvider.getGroupMapping(), mappingService);
- }
-}
