Repository: incubator-sentry Updated Branches: refs/heads/master 1d6f38c08 -> 071861d30
SENTRY-190: Support for getting set of roles from ProviderBackend (Gregory Chanan via Vamsee Yarlagadda) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/071861d3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/071861d3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/071861d3 Branch: refs/heads/master Commit: 071861d30a638dbd4cef05ab0d8bf4bd59c376e5 Parents: 1d6f38c Author: Vamsee <[email protected]> Authored: Mon May 5 13:44:32 2014 -0700 Committer: Vamsee <[email protected]> Committed: Mon May 5 13:44:32 2014 -0700
----------------------------------------------------------------------
.../binding/solr/authz/SolrAuthzBinding.java | 14 +++++++- .../binding/solr/TestSolrAuthzBinding.java | 34 ++++++++++++++++++++ .../src/test/resources/test-authz-provider.ini | 6 +++- .../sentry/provider/common/ProviderBackend.java | 5 +++ .../provider/db/SimpleDBProviderBackend.java | 9 ++++++ .../file/SimpleFileProviderBackend.java | 22 +++++++++++++ 6 files changed, 88 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 9a6e623..5e85606 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -56,6 +56,7 @@ public class SolrAuthzBinding {
 private final SolrAuthzConf authzConf;
 private final AuthorizationProvider authProvider;
 private final GroupMappingService groupMapping;
+ private ProviderBackend providerBackend;
 public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
 this.authzConf = authzConf;
@@ -86,7 +87,7 @@ public class SolrAuthzBinding {
 initKerberos(keytabProp, principalProp);
 }
 Configuration conf = getConf();
- ProviderBackend providerBackend =
+ providerBackend =
 (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {conf, resourceName});
 // load the policy engine class
@@ -130,11 +131,22 @@ public class SolrAuthzBinding {
 * Get the list of groups the user belongs to
 * @param user
 * @return list of groups the user belongs to
+ * @deprecated use getRoles instead
 */
+ @Deprecated
 public Set<String> getGroups(String user) {
 return groupMapping.getGroups(user);
 }
+ /**
+ * Get the roles associated with the user
+ * @param user
+ * @return The roles associated with the user
+ */
+ public Set<String> getRoles(String user) {
+ return providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL);
+ }
+
 private Configuration getConf() throws IOException {
 Configuration conf = new Configuration();
 String confDir = System.getProperty("solr.hdfs.confdir");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index e2e3403..db5ae29 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
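Review bot: `providerBackend` is declared without `final`, unlike the three fields above it, so nothing in the type prevents it from being reassigned after construction, and `getRoles` depends on it having been set. The assignment in the hunk at line 87 sits in a method whose start is outside the hunk; if that code runs only during construction, have it hand the backend back so the field can be declared `private final ProviderBackend providerBackend;`. If that is not practical, add a comment on the field such as `// assigned once while the authorization provider is built; never null afterwards`.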
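Review bot: `getRoles` calls `getGroups`, which this same hunk marks `@Deprecated` in favour of `getRoles`, so the replacement API depends on the method it retires and compiles with a deprecation warning; `return providerBackend.getRoles(groupMapping.getGroups(user), ActiveRoleSet.ALL);` avoids that. The Javadoc should also say that roles are resolved against `ActiveRoleSet.ALL` and that the call can throw: `SimpleDBProviderBackend.getRoles` in this commit always throws `UnsupportedOperationException`, and `SimpleFileProviderBackend.getRoles` throws `IllegalStateException` when the backend is not initialized. Callers that use the result for an access decision need this stated so that a failure is handled as a denial rather than caught and ignored.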
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -190,6 +190,40 @@ public class TestSolrAuthzBinding {
 }
 /**
+ * Test for role mapping
+ */
+ @Test
+ public void testGetRoles() throws Exception {
+ SolrAuthzConf solrAuthzConf =
+ new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+ setUsableAuthzConf(solrAuthzConf);
+ SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+ Set<String> emptySet = Collections.emptySet();
+
+ // check non-existant users
+ assertEquals(binding.getRoles(null), emptySet);
+ assertEquals(binding.getRoles("nonExistantUser"), emptySet);
+
+ // check user with undefined group
+ assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
+ // check group with undefined role
+ assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);
+
+ // check role names don't map in the other direction
+ assertEquals(binding.getRoles("corporal_role"), emptySet);
+ assertEquals(binding.getRoles("sergeant_role"), emptySet);
+ assertEquals(binding.getRoles("general_role"), emptySet);
+
+ // check valid users
+ assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
+ assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role"));
+ assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+
+ // check user whos groups have overlapping roles
+ assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+ }
+
+ /**
 * Test that a full sentry-site definition works.
 */
 @Test
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
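Review bot: Every `assertEquals` in `testGetRoles` passes the actual value first and the expected value second, the reverse of JUnit's `assertEquals(expected, actual)`, so a failure message would report the two sets the wrong way round. Swap the arguments, e.g. `assertEquals(emptySet, binding.getRoles(null));` and `assertEquals(Sets.newHashSet("corporal_role"), binding.getRoles("corporal1"));`. The fixture edited alongside this test is the file-based policy `test-authz-provider.ini`, so the test appears to cover only the file backend and not the `UnsupportedOperationException` path of the DB backend.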
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index f8100e0..56317db 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -19,6 +19,7 @@
 corporal = corporal_role
 sergeant = corporal_role, sergeant_role
 general = corporal_role, sergeant_role, general_role
+undefinedRoleGroup = undefinedRole
 [roles]
 #test that specification of a bogus action doesn't affect further specifications
@@ -30,4 +31,7 @@ general_role = collection=*->action=*
 [users]
 corporal1=corporal
 sergeant1=sergeant
-general1=general, othergeneralgroup
\ No newline at end of file
+general1=general, othergeneralgroup
+undefinedGroupUser=undefinedGroup
+undefinedRoleUser=undefinedRoleGroup
+overlappingUser=general, sergeant, corporal
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 26c4878..a175245 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -49,6 +49,11 @@ public interface ProviderBackend {
 public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet);
 /**
+ * Get the roles associated with the groups from the backend.
+ */
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet);
+
+ /**
 * If strictValidation is true then an error is thrown for warnings
 * as well as errors.
 *
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
index b068aca..dd4a977 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -17,6 +17,7 @@
 package org.apache.sentry.provider.db;
 import java.io.IOException;
+import java.lang.UnsupportedOperationException;
 import java.util.Set;
 import org.apache.hadoop.conf.Configuration;
@@ -84,6 +85,14 @@ public class SimpleDBProviderBackend implements ProviderBackend {
 return ImmutableSet.of();
 }
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+ throw new UnsupportedOperationException("Not yet implemented.");
+ }
+
 @Override
 public void close() {
 if (policyServiceClient != null) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
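Review bot: The Javadoc for `getRoles` does not say how `roleSet` affects the result or what is returned for a null or unknown group, and both implementers and callers of an authorization interface need that contract written down. Going by the file backend in this commit, the result holds only roles that `roleSet.containsRole` accepts, and a null `groups` yields an empty set. I would extend the comment with `@param groups`, `@param roleSet` and `@return` tags that say so, and add a `@throws` line for backends that cannot answer, since `SimpleDBProviderBackend` throws `UnsupportedOperationException`.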
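Review bot: `import java.lang.UnsupportedOperationException;` is redundant, because every class in `java.lang` is imported implicitly. Drop the line; the `throw` added in the next hunk of this file compiles without it.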
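Review bot: `{@inheritDoc}` gives this method the interface's description, which hides that the DB backend never returns roles and always throws. Replace it with a comment that says so, for example `Not supported by the DB backend yet; always throws UnsupportedOperationException.`, with a matching `@throws UnsupportedOperationException` tag. The unchecked exception reaches callers through `SolrAuthzBinding.getRoles` added in this commit, whereas the `return ImmutableSet.of();` visible just above suggests the neighbouring method degrades to an empty set, so the two methods of this class fail in different ways.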
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index e7f69ac..2dadc47 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -158,6 +158,28 @@ public class SimpleFileProviderBackend implements ProviderBackend {
 return resultBuilder.build();
 }
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+ if (!initialized) {
+ throw new IllegalStateException("Backend has not been properly initialized");
+ }
+ ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+ if (groups != null) {
+ for (String groupName : groups) {
+ for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName)
+ .entrySet()) {
+ if (roleSet.containsRole(row.getKey())) {
+ resultBuilder.add(row.getKey());
+ }
+ }
+ }
+ }
+ return resultBuilder.build();
+ }
+
 @Override
 public void close() {
 groupRolePrivilegeTable.clear();
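Review bot: `getRoles` guards `groups` against null but dereferences `roleSet` unconditionally in `roleSet.containsRole(row.getKey())`, so a null `roleSet` surfaces as a NullPointerException from inside the loop. Either document that `roleSet` must be non-null or reject it up front next to the `initialized` check, so the failure is explicit. The inner loop reads only the keys, so it can iterate the key set instead of the entry set: `for (String roleName : groupRolePrivilegeTable.row(groupName).keySet()) {`.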
