Repository: incubator-sentry Updated Branches: refs/heads/master f764ea93d -> 3339536df
SENTRY-156: Support local privilege validation APIs ( Prasad Mujumdar via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/3339536d Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/3339536d Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/3339536d Branch: refs/heads/master Commit: 3339536df3ddce70a0fff0f46664e037386cf5e1 Parents: f764ea9 Author: Sravya Tirukkovalur <[email protected]> Authored: Fri May 16 11:12:10 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Fri May 16 11:13:02 2014 -0700 ---------------------------------------------------------------------- sentry-provider/pom.xml | 1 + sentry-provider/sentry-provider-cache/pom.xml | 96 +++++++++++++++++ .../sentry/provider/cache/PrivilegeCache.java | 33 ++++++ .../cache/SimpleCacheProviderBackend.java | 86 +++++++++++++++ .../provider/cache/PrivilegeCacheTestImpl.java | 63 +++++++++++ .../provider/cache/TestCacheProvider.java | 105 +++++++++++++++++++ .../test-authz-provider-local-group-mapping.ini | 33 ++++++ .../provider/common/ProviderBackendContext.java | 10 ++ .../persistent/SentryStoreSchemaInfo.java | 1 - 9 files changed, 427 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml index 9bec058..c443842 100644 --- a/sentry-provider/pom.xml +++ b/sentry-provider/pom.xml 
@@ -33,6 +33,7 @@ limitations under the License. <module>sentry-provider-common</module> <module>sentry-provider-file</module> <module>sentry-provider-db</module> + <module>sentry-provider-cache</module> </modules> </project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/pom.xml b/sentry-provider/sentry-provider-cache/pom.xml new file mode 100644 index 0000000..c3e67bd --- /dev/null +++ b/sentry-provider/sentry-provider-cache/pom.xml 
@@ -0,0 +1,96 @@ +<?xml version="1.0"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider</artifactId> + <version>1.3.0-incubating-SNAPSHOT</version> + </parent> + + <artifactId>sentry-provider-cache</artifactId> + <name>Sentry Provider Cache</name> + + <dependencies> + <dependency> + <groupId>commons-cli</groupId> + <artifactId>commons-cli</artifactId> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>log4j</groupId> + <artifactId>log4j</artifactId> + </dependency> + <dependency> + <groupId>org.apache.shiro</groupId> + <artifactId>shiro-core</artifactId> + </dependency> + <dependency> + <groupId>com.google.guava</groupId> + <artifactId>guava</artifactId> + </dependency> + <dependency> + 
<groupId>org.slf4j</groupId> + <artifactId>slf4j-api</artifactId> + </dependency> + <dependency> + <groupId>org.slf4j</groupId> + <artifactId>slf4j-log4j12</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-common</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-db</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-common</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-file</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>ant-contrib</groupId> + <artifactId>ant-contrib</artifactId> + </dependency> + <dependency> + <groupId>com.google.guava</groupId> + <artifactId>guava</artifactId> + </dependency> + <dependency> + <groupId>org.mockito</groupId> + <artifactId>mockito-all</artifactId> + <scope>test</scope> + </dependency> + </dependencies> +</project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java new file mode 100644 index 0000000..29c6c5c --- /dev/null +++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java 
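Review bot: The `com.google.guava:guava` dependency is declared twice in the new pom.xml (once after shiro-core and again just before mockito-all); Maven warns about duplicate declarations and the second copy should be dropped. PrivilegeCacheTestImpl imports `org.apache.commons.io.FileUtils`, but no commons-io dependency is declared here, so the test build presumably resolves it transitively (likely through hadoop-common) — declare it explicitly with `<scope>test</scope>` so a hadoop version bump cannot silently break the module's tests. `commons-cli` and `ant-contrib` are not referenced by any of the four Java files this commit adds to the module; unless later work needs them they are unnecessary classpath surface and should be removed.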
@@ -0,0 +1,33 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.cache; + +import java.util.Set; + +import org.apache.sentry.core.common.ActiveRoleSet; + +public interface PrivilegeCache { + /** + * Get the privileges for the give set of groups with the give active roles + * from the cache + */ + public Set<String> listPrivileges(Set<String> groups, + ActiveRoleSet roleSet); + + public void close(); +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java new file mode 100644 index 0000000..1b0aba6 --- /dev/null +++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java 
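Review bot: The Javadoc on `listPrivileges` reads "for the give set of groups with the give active roles" and should read "for the given set of groups with the given active roles"; it also says nothing about nullability or ownership of the returned set, and `close()` has no Javadoc at all. Since SimpleCacheProviderBackend immediately wraps the result in `ImmutableSet.copyOf`, the contract implementors need is that the set is non-null: add `@return the privilege strings granted to the groups under the active role set, never null`, and document `close()` as releasing any resources held by the cache, after which `listPrivileges` must not be called. The `public` modifiers on interface methods are redundant and can be dropped.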
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.cache; + +import java.util.Set; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.SentryConfigurationException; +import org.apache.sentry.provider.common.ProviderBackend; +import org.apache.sentry.provider.common.ProviderBackendContext; + +import com.google.common.collect.ImmutableSet; + +public class SimpleCacheProviderBackend implements ProviderBackend { + + private PrivilegeCache cacheHandle; + private Configuration conf; + + public SimpleCacheProviderBackend(Configuration conf, String resourcePath) { + this.conf = conf; + } + + @Override + public void initialize(ProviderBackendContext context) { + cacheHandle = (PrivilegeCache) context.getBindingHandle(); + assert cacheHandle != null; + } + + private boolean initialized() { + return cacheHandle != null; + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, + ActiveRoleSet roleSet) { + if (!initialized()) { + throw new IllegalStateException( + "Backend has not been properly initialized"); + } + return 
ImmutableSet.copyOf(cacheHandle.listPrivileges(groups, + roleSet)); + } + + @Override + public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) { + if (!initialized()) { + throw new IllegalStateException( + "Backend has not been properly initialized"); + } + throw new UnsupportedOperationException( + "getRoles() is not supported by Cache provider"); + } + + @Override + public void validatePolicy(boolean strictValidation) + throws SentryConfigurationException { + if (!initialized()) { + throw new IllegalStateException( + "Backend has not been properly initialized"); + } + throw new UnsupportedOperationException( + "validatePolicy() is not supported by Cache provider"); + } + + @Override + public void close() { + cacheHandle.close(); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java new file mode 100644 index 0000000..a7566e7 --- /dev/null +++ b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java 
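Review bot: `initialize` validates the binding handle only with `assert cacheHandle != null`, which is a no-op unless the JVM runs with `-ea`, so a context with no binding handle passes initialize silently and the failure surfaces later as a NullPointerException in `close()` — the one method that lacks the `initialized()` guard. The unchecked cast from `Object` also turns a mis-wired handle into a bare ClassCastException that says nothing about what was expected. Replace the assertion with an explicit `instanceof` check that throws a descriptive IllegalStateException, and make `close()` tolerate being called before initialize or more than once. The `conf` field is assigned but never read and the `resourcePath` constructor argument is ignored; if they exist only to match the reflective constructor signature of the other backends, a comment should say so. `validatePolicy` throwing UnsupportedOperationException deserves a second look, because a caller that validates every backend at startup cannot use this provider at all, and a no-op (the cache owner validates its own source) may be the intended semantics.
```java
  @Override
  public void initialize(ProviderBackendContext context) {
    Object handle = context.getBindingHandle();
    if (!(handle instanceof PrivilegeCache)) {
      throw new IllegalStateException("Binding handle must be a PrivilegeCache, got "
          + (handle == null ? "null" : handle.getClass().getName()));
    }
    cacheHandle = (PrivilegeCache) handle;
  }

  // … unchanged: initialized(), getPrivileges(), getRoles(), validatePolicy() …

  @Override
  public void close() {
    // Safe before initialize() and on repeated calls; later getPrivileges()
    // calls fail with the IllegalStateException from initialized().
    if (cacheHandle != null) {
      cacheHandle.close();
      cacheHandle = null;
    }
  }
```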
@@ -0,0 +1,63 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.cache; + +import java.io.File; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.util.Set; + +import org.apache.commons.io.FileUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.provider.common.ProviderBackendContext; +import org.apache.sentry.provider.file.PolicyFiles; +import org.apache.sentry.provider.file.SimpleFileProviderBackend; + +import com.google.common.io.Files; + +/** + * Test cache provider that is a wrapper on top of File based provider + */ +public class PrivilegeCacheTestImpl implements PrivilegeCache { + private static final String resourcePath = "test-authz-provider-local-group-mapping.ini"; + + private SimpleFileProviderBackend backend; + private File baseDir; + + public PrivilegeCacheTestImpl() throws FileNotFoundException, IOException { + baseDir = Files.createTempDir(); + PolicyFiles.copyToDir(baseDir, resourcePath); + backend = new SimpleFileProviderBackend(new Configuration(), new File(baseDir, resourcePath) + .toString()); + backend.initialize(new ProviderBackendContext()); + } + 
+ @Override + public Set<String> listPrivileges(Set<String> groups, ActiveRoleSet roleSet) { + return backend.getPrivileges(groups, roleSet); + } + + @Override + public void close() { + backend.close(); + if (baseDir != null) { + FileUtils.deleteQuietly(baseDir); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestCacheProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestCacheProvider.java b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestCacheProvider.java new file mode 100644 index 0000000..e5b29b8 --- /dev/null +++ b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/TestCacheProvider.java 
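Review bot: The constructor creates the scratch directory with Guava's `Files.createTempDir()`, which uses the process default permissions, and the policy file copied into it is exactly what the wrapped backend trusts; `baseDir = java.nio.file.Files.createTempDirectory("sentry-cache-test").toFile();` (owner-only on POSIX) is the standard replacement and keeps the rest of the class unchanged. If `PolicyFiles.copyToDir` or the `SimpleFileProviderBackend` constructor throws, `baseDir` is left behind because `close()` is never reached; wrap the work after directory creation in a try/catch that calls `FileUtils.deleteQuietly(baseDir)` and rethrows. `FileNotFoundException` in the `throws` clause is redundant since `IOException` already covers it. `close()` calls `backend.close()` unconditionally, which is fine while construction is all-or-nothing but would NPE if the constructor ever became partial, so guard it the same way `baseDir` is guarded.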
@@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.cache; + +import static junit.framework.Assert.assertEquals; + +import java.io.IOException; +import java.util.HashSet; + +import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.provider.common.ProviderBackendContext; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import com.google.common.collect.Sets; + +public class TestCacheProvider { + + private SimpleCacheProviderBackend backend; + private ProviderBackendContext context; + private PrivilegeCacheTestImpl testCache; + + @Before + public void setup() throws IOException { + backend = new SimpleCacheProviderBackend(new Configuration(), ""); + context = new ProviderBackendContext(); + testCache = new PrivilegeCacheTestImpl(); + context.setBindingHandle(testCache); + } + + @After + public void teardown() { + + } + + @Test(expected = IllegalStateException.class) + public void testUninitializeGetPrivileges() { + backend.getPrivileges(new HashSet<String>(), ActiveRoleSet.ALL); + } + + @Test(expected = IllegalStateException.class) + public void 
testUninitializeValidatePolicy() { + backend.validatePolicy(true); + } + + @Test + public void testRoleSetAll() { + backend.initialize(context); + assertEquals(Sets.newHashSet( + "server=server1->db=customers->table=purchases->select", + "server=server1->db=analyst1", + "server=server1->db=jranalyst1->table=*->select", + "server=server1->db=jranalyst1", "server=server1->functions"), + backend.getPrivileges(Sets.newHashSet("manager"), ActiveRoleSet.ALL)); + } + + @Test + public void testRoleSetAllUnknownGroup() { + backend.initialize(context); + assertEquals(Sets.newHashSet(), backend.getPrivileges( + Sets.newHashSet("not-a-group"), ActiveRoleSet.ALL)); + } + + @Test + public void testRoleSetNone() { + backend.initialize(context); + assertEquals(Sets.newHashSet(), backend.getPrivileges( + Sets.newHashSet("manager"), new ActiveRoleSet(new HashSet<String>()))); + } + + @Test + public void testRoleSetOne() { + backend.initialize(context); + assertEquals(Sets.newHashSet("server=server1->functions"), + backend.getPrivileges(Sets.newHashSet("manager"), new ActiveRoleSet( + Sets.newHashSet("functions")))); + } + + @Test + public void testRoleSetTwo() { + backend.initialize(context); + assertEquals(Sets.newHashSet("server=server1->db=jranalyst1", + "server=server1->functions"), backend.getPrivileges( + Sets.newHashSet("manager"), + new ActiveRoleSet(Sets.newHashSet("junior_analyst_role", "functions")))); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-cache/src/test/resources/test-authz-provider-local-group-mapping.ini ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/test/resources/test-authz-provider-local-group-mapping.ini b/sentry-provider/sentry-provider-cache/src/test/resources/test-authz-provider-local-group-mapping.ini new file mode 100644 index 0000000..e6fc290 --- /dev/null 
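Review bot: `teardown()` is empty, so the `PrivilegeCacheTestImpl` built in `setup()` — which copies the policy file into a fresh temp directory — is never closed and one directory leaks per test method; add `testCache.close();` to `teardown()` (calling `backend.close()` there would NPE in the two tests that never initialize the backend, because `close()` dereferences `cacheHandle` without a guard). The static import of `junit.framework.Assert.assertEquals` is the JUnit 3 class; `org.junit.Assert.assertEquals` is the JUnit 4 equivalent and the file already imports `org.junit.Test`. There is no test for `close()` or `getRoles()`, so the `IllegalStateException` guard on those paths is unverified; a test that calls `backend.close()` before `initialize` would have caught the missing guard.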
+++ b/sentry-provider/sentry-provider-cache/src/test/resources/test-authz-provider-local-group-mapping.ini @@ -0,0 +1,33 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +[groups] +manager = analyst_role, junior_analyst_role, functions +analyst = analyst_role +jranalyst = junior_analyst_role +admin = admin + +[roles] +analyst_role = server=server1->db=customers->table=purchases->select, server=server1->db=analyst1, \ + server=server1->db=jranalyst1->table=*->select +junior_analyst_role = server=server1->db=jranalyst1 +functions = server=server1->functions +admin = server=server1 + +[users] +foo = admin,analyst +bar = jranalyst http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java index f45d23d..ae674aa 100644 
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java @@ -24,6 +24,7 @@ public class ProviderBackendContext { private boolean allowPerDatabase; private ImmutableList<PrivilegeValidator> validators; + private Object bindingHandle; public ProviderBackendContext() { validators = ImmutableList.of(); @@ -47,4 +48,13 @@ public class ProviderBackendContext { } this.validators = validators; } + + public Object getBindingHandle() { + return bindingHandle; + } + + public void setBindingHandle(Object bindingHandle) { + this.bindingHandle = bindingHandle; + } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3339536d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java index 22f1b08..5936b61 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java @@ -26,7 +26,6 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; -import org.apache.hadoop.hive.metastore.HiveMetaException; import org.apache.sentry.SentryUserException; public class SentryStoreSchemaInfo {
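Review bot: `bindingHandle` is an untyped `Object` with no Javadoc on the field, getter or setter, and its only consumer (SimpleCacheProviderBackend) immediately casts it to `PrivilegeCache`; without documentation the next backend author cannot tell what may be stored here or who owns its lifecycle. Add a Javadoc to the getter along the lines of `Opaque handle supplied by the binding for backends that delegate to an in-process component such as a privilege cache; the consuming backend is responsible for checking its type and closing it.` If the handle is always a `PrivilegeCache`, consider moving that interface into sentry-provider-common and typing the field, which turns the runtime cast into a compile-time check. The same applies to the field declaration in the first hunk of this file; the enclosing class continues outside both hunks.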
