SENTRY-1089: Move validator from sentry-policy-xxx to sentry-core-model-xxx (Colin Ma, Reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b894ec62 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b894ec62 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b894ec62 Branch: refs/heads/SENTRY-999 Commit: b894ec623fe410777d5a5bd40884950b0702cc44 Parents: 048c9d6 Author: Colin Ma <co...@apache.org> Authored: Fri Feb 26 12:24:05 2016 +0800 Committer: Colin Ma <co...@apache.org> Committed: Fri Feb 26 12:24:05 2016 +0800 ---------------------------------------------------------------------- .../core/common/utils/SentryConstants.java | 1 + .../common/validator/PrivilegeValidator.java | 24 +++++++ .../validator/PrivilegeValidatorContext.java | 38 +++++++++++ .../core/model/db/DBModelAuthorizables.java | 60 ++++++++++++++++ .../validator/AbstractDBPrivilegeValidator.java | 51 ++++++++++++++ .../model/db/validator/DatabaseMustMatch.java | 46 +++++++++++++ .../validator/DatabaseRequiredInPrivilege.java | 72 ++++++++++++++++++++ .../model/db/validator/ServerNameMustMatch.java | 43 ++++++++++++ .../model/db/validator/ServersAllIsInvalid.java | 39 +++++++++++ .../indexer/IndexerModelAuthorizables.java | 46 +++++++++++++ .../AbstractIndexerPrivilegeValidator.java | 51 ++++++++++++++ .../validator/IndexerRequiredInPrivilege.java | 43 ++++++++++++ .../model/search/SearchModelAuthorizables.java | 46 +++++++++++++ .../AbstractSearchPrivilegeValidator.java | 52 ++++++++++++++ .../CollectionRequiredInPrivilege.java | 43 ++++++++++++ .../model/sqoop/SqoopModelAuthorizables.java | 52 ++++++++++++++ .../validator/ServerNameRequiredMatch.java | 70 +++++++++++++++++++ .../policy/common/PrivilegeValidator.java | 24 ------- .../common/PrivilegeValidatorContext.java | 38 ----------- .../policy/db/AbstractDBPrivilegeValidator.java | 50 -------------- .../sentry/policy/db/DBModelAuthorizables.java | 67 ------------------ 
.../sentry/policy/db/DatabaseMustMatch.java | 46 ------------- .../policy/db/DatabaseRequiredInPrivilege.java | 71 ------------------- .../sentry/policy/db/ServerNameMustMatch.java | 43 ------------ .../sentry/policy/db/ServersAllIsInvalid.java | 39 ----------- .../sentry/policy/db/SimpleDBPolicyEngine.java | 6 +- .../policy/db/TestDBModelAuthorizables.java | 3 +- .../policy/db/TestDatabaseRequiredInRole.java | 3 +- .../AbstractIndexerPrivilegeValidator.java | 50 -------------- .../indexer/IndexerModelAuthorizables.java | 48 ------------- .../indexer/IndexerRequiredInPrivilege.java | 43 ------------ .../indexer/SimpleIndexerPolicyEngine.java | 3 +- .../indexer/TestIndexerModelAuthorizables.java | 3 +- .../indexer/TestIndexerRequiredInRole.java | 3 +- .../AbstractSearchPrivilegeValidator.java | 51 -------------- .../search/CollectionRequiredInPrivilege.java | 43 ------------ .../policy/search/SearchModelAuthorizables.java | 48 ------------- .../policy/search/SimpleSearchPolicyEngine.java | 3 +- .../search/TestCollectionRequiredInRole.java | 3 +- .../search/TestSearchModelAuthorizables.java | 3 +- .../policy/sqoop/ServerNameRequiredMatch.java | 69 ------------------- .../policy/sqoop/SimpleSqoopPolicyEngine.java | 3 +- .../policy/sqoop/SqoopModelAuthorizables.java | 57 ---------------- .../sqoop/TestServerNameRequiredMatch.java | 3 +- .../sqoop/TestSqoopModelAuthorizables.java | 3 +- .../provider/common/ProviderBackendContext.java | 2 +- .../tools/SolrTSentryPrivilegeConvertor.java | 6 +- .../file/SimpleFileProviderBackend.java | 4 +- .../AbstractTestWithStaticConfiguration.java | 2 +- .../metastore/SentryPolicyProviderForDb.java | 2 +- 50 files changed, 812 insertions(+), 807 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java 
---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java index 28ba8d3..e752c76 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java @@ -37,4 +37,5 @@ public class SentryConstants { public static final String PRIVILEGE_WILDCARD_VALUE = "*"; public static final String RESOURCE_WILDCARD_VALUE = "*"; + public static final String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile"; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidator.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidator.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidator.java new file mode 100644 index 0000000..f5643ff --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidator.java 
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common.validator;
+
+import org.apache.shiro.config.ConfigurationException;
+
+public interface PrivilegeValidator {
+
+ void validate(PrivilegeValidatorContext context) throws ConfigurationException;
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidatorContext.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidatorContext.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidatorContext.java
new file mode 100644
index 0000000..ccee977
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/validator/PrivilegeValidatorContext.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common.validator;
+
+import javax.annotation.Nullable;
+
+public class PrivilegeValidatorContext {
+ private final String database;
+ private final String privilege;
+ public PrivilegeValidatorContext(String privilege) {
+ this(null, privilege);
+ }
+ public PrivilegeValidatorContext(@Nullable String database, String privilege) {
+ super();
+ this.database = database;
+ this.privilege = privilege;
+ }
+ public @Nullable String getDatabase() {
+ return database;
+ }
+ public String getPrivilege() {
+ return privilege;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizables.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizables.java
new file mode 100644
index 0000000..3a05a3b
--- /dev/null
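Review bot: PrivilegeValidatorContext carries no Javadoc, and the meaning of a null `database` can only be learned from the validators elsewhere in this commit, which guard their per-database rules with `if(database != null)`. I would add a class comment such as `/** Input for a PrivilegeValidator: the privilege string and, for a per-database policy file, the database that file belongs to (null otherwise). */`. The one-argument constructor deserves a line saying that it builds a context with no database, which those validators skip.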
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizables.java 
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.db;
+
+import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.utils.KeyValue;
+
+public class DBModelAuthorizables {
+
+ public static DBModelAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue();
+ for(AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ if (prefix.equalsIgnoreCase(AuthorizableType.URI.toString())) {
+ return from(type, name);
+ } else {
+ return from(type, name.toLowerCase());
+ }
+ }
+ }
+ return null;
+ }
+ public static DBModelAuthorizable from(String s) {
+ return from(new KeyValue(s));
+ }
+
+ private static DBModelAuthorizable from(AuthorizableType type, String name) {
+ switch (type) {
+ case Server:
+ return new Server(name);
+ case Db:
+ return new Database(name);
+ case Table:
+ return new Table(name);
+ case View:
+ return new View(name);
+ case Column:
+ return new Column(name);
+ case URI:
+ return new AccessURI(name);
+ default:
+ return null;
+ }
+ }
+}
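Review bot: `keyValue.getKey().toLowerCase()` and `name.toLowerCase()` in `from(KeyValue)` fold case with the JVM default locale, so the name stored in an authorizable can depend on where the service runs (under a Turkish locale `I` becomes a dotless `ı`), and a policy entry may then fail to match the object it was written for. Use `name.toLowerCase(Locale.ROOT)` (with `java.util.Locale` imported) and compare the enum directly, `if (type == AuthorizableType.URI)`, instead of the second `equalsIgnoreCase` on strings. The same default-locale call appears in `IndexerModelAuthorizables.from` and in `section.toLowerCase().startsWith(PRIVILEGE_PREFIX)` in both `parsePrivilege` methods of this commit.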
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/AbstractDBPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/AbstractDBPrivilegeValidator.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/AbstractDBPrivilegeValidator.java
new file mode 100644
index 0000000..fa28716
--- /dev/null
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/AbstractDBPrivilegeValidator.java
@@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.db.validator; + +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER; +import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX; + +import java.util.List; + +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.common.validator.PrivilegeValidator; +import org.apache.sentry.core.model.db.DBModelAuthorizables; +import org.apache.shiro.config.ConfigurationException; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.Lists; + +public abstract class AbstractDBPrivilegeValidator implements PrivilegeValidator { + + @VisibleForTesting + public static Iterable<DBModelAuthorizable> parsePrivilege(String string) { + List<DBModelAuthorizable> result = Lists.newArrayList(); + for(String section : AUTHORIZABLE_SPLITTER.split(string)) { + // XXX this ugly hack is because action is not an authorizeable + if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) { + DBModelAuthorizable authorizable = DBModelAuthorizables.from(section); + if(authorizable == null) { + String msg = "No 
authorizable found for " + section; + throw new ConfigurationException(msg); + } + result.add(authorizable); + } + } + return result; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseMustMatch.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseMustMatch.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseMustMatch.java new file mode 100644 index 0000000..4276667 --- /dev/null +++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseMustMatch.java 
@@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.db.validator; + +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.shiro.config.ConfigurationException; + +public class DatabaseMustMatch extends AbstractDBPrivilegeValidator { + + @Override + public void validate(PrivilegeValidatorContext context) throws ConfigurationException { + String database = context.getDatabase(); + String privilege = context.getPrivilege(); + /* + * Rule only applies to rules in per database policy file + */ + if(database != null) { + Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege); + for(DBModelAuthorizable authorizable : authorizables) { + if(authorizable instanceof Database && + !database.equalsIgnoreCase(authorizable.getName())) { + String msg = "Privilege " + privilege + " references db " + + authorizable.getName() + ", but is only allowed to reference " + + database; + throw new ConfigurationException(msg); + } + } + } + } +} 
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseRequiredInPrivilege.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseRequiredInPrivilege.java
new file mode 100644
index 0000000..fed3038
--- /dev/null
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/DatabaseRequiredInPrivilege.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.db.validator;
+
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.shiro.config.ConfigurationException;
+
+public class DatabaseRequiredInPrivilege extends AbstractDBPrivilegeValidator {
+
+ @Override
+ public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+ String database = context.getDatabase();
+ String privilege = context.getPrivilege();
+ /*
+ * Rule only applies to rules in per database policy file
+ */
+ if(database != null) {
+ Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
+ /*
+ * Each permission in a non-global file must have a database
+ * object except for URIs.
+ *
+ * We allow URIs to be specified in the per DB policy file for
+ * ease of mangeability. URIs will contain to remain server scope
+ * objects.
+ */
+ boolean foundDatabaseInAuthorizables = false;
+ boolean foundURIInAuthorizables = false;
+ boolean allowURIInAuthorizables = false;
+
+ if ("true".equalsIgnoreCase(
+ System.getProperty(SentryConstants.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
+ allowURIInAuthorizables = true;
+ }
+
+ for(DBModelAuthorizable authorizable : authorizables) {
+ if(authorizable instanceof Database) {
+ foundDatabaseInAuthorizables = true;
+ }
+ if (authorizable instanceof AccessURI) {
+ if (foundDatabaseInAuthorizables) {
+ String msg = "URI object is specified at DB scope in " + privilege;
+ throw new ConfigurationException(msg);
+ }
+ foundURIInAuthorizables = true;
+ }
+ }
+ if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
+ String msg = "Missing database object in " + privilege;
+ throw new ConfigurationException(msg);
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServerNameMustMatch.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServerNameMustMatch.java
new file mode 100644
index 0000000..c79a8bf
--- /dev/null
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServerNameMustMatch.java
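Review bot: The "URI object is specified at DB scope" rejection in `validate` depends on the order of the authorizables, because `foundDatabaseInAuthorizables` is tested at the moment the `AccessURI` is seen; a privilege that lists the URI before the database sets both flags and passes every check. If the privilege grammar can produce that order, test the combination once after the loop instead, `if (foundDatabaseInAuthorizables && foundURIInAuthorizables) { throw new ConfigurationException("URI object is specified at DB scope in " + privilege); }`. The relaxation for URIs is read from a JVM-wide system property on every call, which is worth stating in a class comment so operators know that `sentry.allow.uri.db.policyfile` loosens this rule for every policy file validated in that process.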
@@ -0,0 +1,43 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.db.validator; + +import org.apache.sentry.core.model.db.DBModelAuthorizable; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.shiro.config.ConfigurationException; + +public class ServerNameMustMatch extends AbstractDBPrivilegeValidator { + + private final String serverName; + public ServerNameMustMatch(String serverName) { + this.serverName = serverName; + } + @Override + public void validate(PrivilegeValidatorContext context) throws ConfigurationException { + String privilege = context.getPrivilege(); + Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege); + for(DBModelAuthorizable authorizable : authorizables) { + if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) { + String msg = "Server name " + authorizable.getName() + " in " + + privilege + " is invalid. 
Expected " + serverName; + throw new ConfigurationException(msg); + } + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServersAllIsInvalid.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServersAllIsInvalid.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServersAllIsInvalid.java new file mode 100644 index 0000000..e3f5a3a --- /dev/null +++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/validator/ServersAllIsInvalid.java 
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.db.validator;
+
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.shiro.config.ConfigurationException;
+
+public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
+
+ @Override
+ public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
+ for(DBModelAuthorizable authorizable : authorizables) {
+ if(authorizable instanceof Server &&
+ authorizable.getName().equals(Server.ALL.getName())) {
+ String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
+ throw new ConfigurationException(msg);
+ }
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/IndexerModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/IndexerModelAuthorizables.java b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/IndexerModelAuthorizables.java
new file mode 100644
index 0000000..d15e911
--- /dev/null
+++ b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/IndexerModelAuthorizables.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.indexer;
+
+import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.utils.KeyValue;
+
+public class IndexerModelAuthorizables {
+
+ public static IndexerModelAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue().toLowerCase();
+ for(AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ return from(type, name);
+ }
+ }
+ return null;
+ }
+ public static IndexerModelAuthorizable from(String s) {
+ return from(new KeyValue(s));
+ }
+
+ private static IndexerModelAuthorizable from(AuthorizableType type, String name) {
+ switch (type) {
+ case Indexer:
+ return new Indexer(name);
+ default:
+ return null;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/AbstractIndexerPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/AbstractIndexerPrivilegeValidator.java b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/AbstractIndexerPrivilegeValidator.java
new file mode 100644
index 0000000..c73fc3c
--- /dev/null
+++ b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/AbstractIndexerPrivilegeValidator.java
@@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.indexer.validator; + +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER; +import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX; + +import java.util.List; + +import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable; +import org.apache.sentry.core.common.validator.PrivilegeValidator; +import org.apache.sentry.core.model.indexer.IndexerModelAuthorizables; +import org.apache.shiro.config.ConfigurationException; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.Lists; + +public abstract class AbstractIndexerPrivilegeValidator implements PrivilegeValidator { + + @VisibleForTesting + public static Iterable<IndexerModelAuthorizable> parsePrivilege(String string) { + List<IndexerModelAuthorizable> result = Lists.newArrayList(); + for(String section : AUTHORIZABLE_SPLITTER.split(string)) { + // XXX this ugly hack is because action is not an authorizable + if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) { + IndexerModelAuthorizable authorizable = IndexerModelAuthorizables.from(section); + 
if(authorizable == null) { + String msg = "No authorizable found for " + section; + throw new ConfigurationException(msg); + } + result.add(authorizable); + } + } + return result; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/IndexerRequiredInPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/IndexerRequiredInPrivilege.java b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/IndexerRequiredInPrivilege.java new file mode 100644 index 0000000..82bc25d --- /dev/null +++ b/sentry-core/sentry-core-model-indexer/src/main/java/org/apache/sentry/core/model/indexer/validator/IndexerRequiredInPrivilege.java 
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.indexer.validator;
+
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.indexer.Indexer;
+import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+
+public class IndexerRequiredInPrivilege extends AbstractIndexerPrivilegeValidator {
+
+ @Override
+ public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<IndexerModelAuthorizable> authorizables = parsePrivilege(privilege);
+ boolean foundIndexerInAuthorizables = false;
+
+ for(IndexerModelAuthorizable authorizable : authorizables) {
+ if(authorizable instanceof Indexer) {
+ foundIndexerInAuthorizables = true;
+ break;
+ }
+ }
+ if(!foundIndexerInAuthorizables) {
+ String msg = "Missing indexer object in " + privilege;
+ throw new SentryConfigurationException(msg);
+ }
+ }
+}
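Review bot: `validate` in IndexerRequiredInPrivilege declares `throws SentryConfigurationException`, but the `parsePrivilege` it calls reports an unrecognised section with Shiro's `ConfigurationException`, so a malformed privilege and a privilege without an indexer reach the caller as two unrelated exception types. Whether callers handle both is not visible in this commit; if they catch only the Sentry type, a bad section escapes as an unexpected runtime exception instead of a configuration error. I would make the parser use the same type, `throw new SentryConfigurationException(msg);` in `parsePrivilege`, adding a `throws` clause there if the Sentry exception is checked. CollectionRequiredInPrivilege has the same mismatch, and ServerNameRequiredMatch still declares the Shiro type on `validate`.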
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizables.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizables.java
new file mode 100644
index 0000000..c3292c7
--- /dev/null
+++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizables.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.search;
+
+import org.apache.sentry.core.model.search.SearchModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.utils.KeyValue;
+
+public class SearchModelAuthorizables {
+
+ public static SearchModelAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue().toLowerCase();
+ for(AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ return from(type, name);
+ }
+ }
+ return null;
+ }
+ public static SearchModelAuthorizable from(String s) {
+ return from(new KeyValue(s));
+ }
+
+ private static SearchModelAuthorizable from(AuthorizableType type, String name) {
+ switch (type) {
+ case Collection:
+ return new Collection(name);
+ default:
+ return null;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/AbstractSearchPrivilegeValidator.java
----------------------------------------------------------------------
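Review bot: `from(KeyValue)` in SearchModelAuthorizables returns `null` for a key that matches no `AuthorizableType` and lower-cases the name before constructing the object, and neither behaviour is documented on this public class. The `parsePrivilege` methods in this commit depend on that null to reject a section, and the case folding means collection names that differ only in case are constructed from the same string, which matters to anyone reading a policy. I would add a Javadoc on `from(KeyValue)` stating both, for example `/** Returns the authorizable for a type=name pair, or null when the type is unknown; the name is lower-cased. */`. `keyValue.getKey().toLowerCase()` followed by `equalsIgnoreCase` folds the key twice, so one of the two can go. SqoopModelAuthorizables has the same shape and the same missing documentation.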
diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/AbstractSearchPrivilegeValidator.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/AbstractSearchPrivilegeValidator.java
new file mode 100644
index 0000000..c06131c
--- /dev/null
+++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/AbstractSearchPrivilegeValidator.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.search.validator;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.search.SearchModelAuthorizable;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.model.search.SearchModelAuthorizables;
+import org.apache.shiro.config.ConfigurationException;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.Lists;
+
+public abstract class AbstractSearchPrivilegeValidator implements PrivilegeValidator {
+
+ @VisibleForTesting
+ public static Iterable<SearchModelAuthorizable> parsePrivilege(String string) {
+ List<SearchModelAuthorizable> result = Lists.newArrayList();
+ System.err.println("privilege = " + string);
+ for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
+ // XXX this ugly hack is because action is not an authorizable
+ if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+ SearchModelAuthorizable authorizable = SearchModelAuthorizables.from(section);
+ if(authorizable == null) {
+ String msg = "No authorizable found for " + section;
+ throw new ConfigurationException(msg);
+ }
+ result.add(authorizable);
+ }
+ }
+ return result;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/CollectionRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/CollectionRequiredInPrivilege.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/CollectionRequiredInPrivilege.java
new file mode 100644
index 0000000..17b87df
--- /dev/null
+++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/validator/CollectionRequiredInPrivilege.java
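Review bot: `System.err.println("privilege = " + string);` at the top of `parsePrivilege` in AbstractSearchPrivilegeValidator looks like leftover debugging: it writes every privilege string being validated to stderr, outside the logging configuration, and the indexer and Sqoop copies of this method do not have it. Policy contents then end up in whatever captures the process's stderr, with no level to switch the output off. I would delete the line, or if the trace is wanted, route it through the module's logger at debug level.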
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.search.validator;
+
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAuthorizable;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+
+public class CollectionRequiredInPrivilege extends AbstractSearchPrivilegeValidator {
+
+ @Override
+ public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<SearchModelAuthorizable> authorizables = parsePrivilege(privilege);
+ boolean foundCollectionInAuthorizables = false;
+
+ for(SearchModelAuthorizable authorizable : authorizables) {
+ if(authorizable instanceof Collection) {
+ foundCollectionInAuthorizables = true;
+ break;
+ }
+ }
+ if(!foundCollectionInAuthorizables) {
+ String msg = "Missing collection object in " + privilege;
+ throw new SentryConfigurationException(msg);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
new file mode 100644
index 0000000..11ce7ec
--- /dev/null
+++ b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.sqoop;
+
+import org.apache.sentry.core.model.sqoop.SqoopAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.utils.KeyValue;
+
+public class SqoopModelAuthorizables {
+ public static SqoopAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue().toLowerCase();
+ for (AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ return from(type, name);
+ }
+ }
+ return null;
+ }
+
+ public static SqoopAuthorizable from(String keyValue) {
+ return from(new KeyValue(keyValue));
+ }
+
+ public static SqoopAuthorizable from(AuthorizableType type, String name) {
+ switch(type) {
+ case SERVER:
+ return new Server(name);
+ case JOB:
+ return new Job(name);
+ case CONNECTOR:
+ return new Connector(name);
+ case LINK:
+ return new Link(name);
+ default:
+ return null;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/validator/ServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/validator/ServerNameRequiredMatch.java b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/validator/ServerNameRequiredMatch.java
new file mode 100644
index 0000000..67347bc
--- /dev/null
+++ b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/validator/ServerNameRequiredMatch.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.sqoop.validator;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopAuthorizable;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
+import org.apache.shiro.config.ConfigurationException;
+
+import com.google.common.collect.Lists;
+
+public class ServerNameRequiredMatch implements PrivilegeValidator {
+ private final String sqoopServerName;
+ public ServerNameRequiredMatch(String sqoopServerName) {
+ this.sqoopServerName = sqoopServerName;
+ }
+ @Override
+ public void validate(PrivilegeValidatorContext context)
+ throws ConfigurationException {
+ Iterable<SqoopAuthorizable> authorizables = parsePrivilege(context.getPrivilege());
+ boolean match = false;
+ for (SqoopAuthorizable authorizable : authorizables) {
+ if (authorizable instanceof Server && authorizable.getName().equalsIgnoreCase(sqoopServerName)) {
+ match = true;
+ break;
+ }
+ }
+ if (!match) {
+ String msg = "server=[name] in " + context.getPrivilege()
+ + " is required. The name is expected " + sqoopServerName;
+ throw new ConfigurationException(msg);
+ }
+ }
+
+ private Iterable<SqoopAuthorizable> parsePrivilege(String string) {
+ List<SqoopAuthorizable> result = Lists.newArrayList();
+ for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
+ if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+ SqoopAuthorizable authorizable = SqoopModelAuthorizables.from(section);
+ if(authorizable == null) {
+ String msg = "No authorizable found for " + section;
+ throw new ConfigurationException(msg);
+ }
+ result.add(authorizable);
+ }
+ }
+ return result;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
deleted file mode 100644
index 36abdd4..0000000
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
+++ /dev/null
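Review bot: The loop in `ServerNameRequiredMatch.validate` accepts the privilege as soon as one `Server` section matches `sqoopServerName` and then breaks, so any further server section with a different name is never examined. The `ServerNameMustMatch` validator for the DB model, whose old copy is removed further down in this commit, rejects every non-matching server; here the rule is only "at least one matches". Whether a privilege carrying two server sections can take effect downstream is not visible in this hunk, but the validator is the cheap place to refuse it. I would reject on the first non-matching `Server` and keep the existing check for the case where none is present, as sketched below.

```java
    for (SqoopAuthorizable authorizable : authorizables) {
      if (authorizable instanceof Server) {
        if (!authorizable.getName().equalsIgnoreCase(sqoopServerName)) {
          // a non-matching server section must not pass alongside a matching one
          match = false;
          break;
        }
        match = true;
      }
    }
    // … unchanged: the !match check that builds msg and throws ConfigurationException …
```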
@@ -1,24 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import org.apache.shiro.config.ConfigurationException;
-
-public interface PrivilegeValidator {
-
- void validate(PrivilegeValidatorContext context) throws ConfigurationException;
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
deleted file mode 100644
index 2b7fd1a..0000000
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import javax.annotation.Nullable;
-
-public class PrivilegeValidatorContext {
- private final String database;
- private final String privilege;
- public PrivilegeValidatorContext(String privilege) {
- this(null, privilege);
- }
- public PrivilegeValidatorContext(@Nullable String database, String privilege) {
- super();
- this.database = database;
- this.privilege = privilege;
- }
- public @Nullable String getDatabase() {
- return database;
- }
- public String getPrivilege() {
- return privilege;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
deleted file mode 100644
index a85f54e..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractDBPrivilegeValidator implements PrivilegeValidator {
-
- @VisibleForTesting
- public static Iterable<DBModelAuthorizable> parsePrivilege(String string) {
- List<DBModelAuthorizable> result = Lists.newArrayList();
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizeable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- DBModelAuthorizable authorizable = DBModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
deleted file mode 100644
index ca1ca9d..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Column;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.apache.sentry.core.common.utils.KeyValue;
-
-public class DBModelAuthorizables {
-
- public static DBModelAuthorizable from(KeyValue keyValue) {
- String prefix = keyValue.getKey().toLowerCase();
- String name = keyValue.getValue();
- for(AuthorizableType type : AuthorizableType.values()) {
- if(prefix.equalsIgnoreCase(type.name())) {
- if (prefix.equalsIgnoreCase(AuthorizableType.URI.toString())) {
- return from(type, name);
- } else {
- return from(type, name.toLowerCase());
- }
- }
- }
- return null;
- }
- public static DBModelAuthorizable from(String s) {
- return from(new KeyValue(s));
- }
-
- private static DBModelAuthorizable from(AuthorizableType type, String name) {
- switch (type) {
- case Server:
- return new Server(name);
- case Db:
- return new Database(name);
- case Table:
- return new Table(name);
- case View:
- return new View(name);
- case Column:
- return new Column(name);
- case URI:
- return new AccessURI(name);
- default:
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
deleted file mode 100644
index d280c41..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseMustMatch extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String database = context.getDatabase();
- String privilege = context.getPrivilege();
- /*
- * Rule only applies to rules in per database policy file
- */
- if(database != null) {
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Database &&
- !database.equalsIgnoreCase(authorizable.getName())) {
- String msg = "Privilege " + privilege + " references db " +
- authorizable.getName() + ", but is only allowed to reference "
- + database;
- throw new ConfigurationException(msg);
- }
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
deleted file mode 100644
index e89aa16..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseRequiredInPrivilege extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String database = context.getDatabase();
- String privilege = context.getPrivilege();
- /*
- * Rule only applies to rules in per database policy file
- */
- if(database != null) {
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- /*
- * Each permission in a non-global file must have a database
- * object except for URIs.
- *
- * We allow URIs to be specified in the per DB policy file for
- * ease of mangeability. URIs will contain to remain server scope
- * objects.
- */
- boolean foundDatabaseInAuthorizables = false;
- boolean foundURIInAuthorizables = false;
- boolean allowURIInAuthorizables = false;
-
- if ("true".equalsIgnoreCase(
- System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
- allowURIInAuthorizables = true;
- }
-
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Database) {
- foundDatabaseInAuthorizables = true;
- }
- if (authorizable instanceof AccessURI) {
- if (foundDatabaseInAuthorizables) {
- String msg = "URI object is specified at DB scope in " + privilege;
- throw new ConfigurationException(msg);
- }
- foundURIInAuthorizables = true;
- }
- }
- if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
- String msg = "Missing database object in " + privilege;
- throw new ConfigurationException(msg);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
deleted file mode 100644
index 1848a32..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServerNameMustMatch extends AbstractDBPrivilegeValidator {
-
- private final String serverName;
- public ServerNameMustMatch(String serverName) {
- this.serverName = serverName;
- }
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
- String msg = "Server name " + authorizable.getName() + " in "
- + privilege + " is invalid. Expected " + serverName;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
deleted file mode 100644
index b729ec3..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server &&
- authorizable.getName().equals(Server.ALL.getName())) {
- String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index b5b584f..7cbeb21 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -21,9 +21,13 @@ import java.util.Set;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.db.validator.DatabaseMustMatch;
+import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege;
+import org.apache.sentry.core.model.db.validator.ServerNameMustMatch;
+import org.apache.sentry.core.model.db.validator.ServersAllIsInvalid;
 import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.slf4j.Logger;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
index 16045c7..4c123b5 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java @@ -21,6 +21,7 @@ import static junit.framework.Assert.assertEquals; import static junit.framework.Assert.assertNull; import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.DBModelAuthorizables; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; @@ -31,7 +32,7 @@ public class TestDBModelAuthorizables { @Test public void testServer() throws Exception { - Server server = (Server)DBModelAuthorizables.from("SeRvEr=server1"); + Server server = (Server) DBModelAuthorizables.from("SeRvEr=server1"); assertEquals("server1", server.getName()); } @Test http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java index f9b00b4..7fbef36 100644 --- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java +++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java 
@@ -20,7 +20,8 @@ package org.apache.sentry.policy.db; import junit.framework.Assert; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege; import org.apache.shiro.config.ConfigurationException; import org.junit.Test; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java deleted file mode 100644 index a2cd12c..0000000 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/AbstractIndexerPrivilegeValidator.java +++ /dev/null 
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.indexer;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractIndexerPrivilegeValidator implements PrivilegeValidator {
-
- @VisibleForTesting
- public static Iterable<IndexerModelAuthorizable> parsePrivilege(String string) {
- List<IndexerModelAuthorizable> result = Lists.newArrayList();
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- IndexerModelAuthorizable authorizable = IndexerModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java
deleted file mode 100644
index dafa5c1..0000000
--- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerModelAuthorizables.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.indexer;
-
-import org.apache.sentry.core.model.indexer.Indexer;
-import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable;
-import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.common.utils.KeyValue;
-
-public class IndexerModelAuthorizables {
-
- public static IndexerModelAuthorizable from(KeyValue keyValue) {
- String prefix = keyValue.getKey().toLowerCase();
- String name = keyValue.getValue().toLowerCase();
- for(AuthorizableType type : AuthorizableType.values()) {
- if(prefix.equalsIgnoreCase(type.name())) {
- return from(type, name);
- }
- }
- return null;
- }
- public static IndexerModelAuthorizable from(String s) {
- return from(new KeyValue(s));
- }
-
- private static IndexerModelAuthorizable from(AuthorizableType type, String name) {
- switch (type) {
- case Indexer:
- return new Indexer(name);
- default:
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java
deleted file mode 100644
index 06b815f..0000000
--- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/IndexerRequiredInPrivilege.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.indexer;
-
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.indexer.Indexer;
-import org.apache.sentry.core.model.indexer.IndexerModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-
-public class IndexerRequiredInPrivilege extends AbstractIndexerPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<IndexerModelAuthorizable> authorizables = parsePrivilege(privilege);
- boolean foundIndexerInAuthorizables = false;
-
- for(IndexerModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Indexer) {
- foundIndexerInAuthorizables = true;
- break;
- }
- }
- if(!foundIndexerInAuthorizables) {
- String msg = "Missing indexer object in " + privilege;
- throw new SentryConfigurationException(msg);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
index 2f4bc1d..20985eb 100644
--- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
+++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
@@ -21,9 +21,10 @@ import java.util.Set;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.indexer.validator.IndexerRequiredInPrivilege;
 import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.slf4j.Logger;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java
index 7a6230b..94db756 100644
--- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java
+++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerModelAuthorizables.java @@ -21,13 +21,14 @@ import static junit.framework.Assert.assertEquals; import static junit.framework.Assert.assertNull; import org.apache.sentry.core.model.indexer.Indexer; +import org.apache.sentry.core.model.indexer.IndexerModelAuthorizables; import org.junit.Test; public class TestIndexerModelAuthorizables { @Test public void testIndexer() throws Exception { - Indexer indexer = (Indexer)IndexerModelAuthorizables.from("InDexEr=indexer1"); + Indexer indexer = (Indexer) IndexerModelAuthorizables.from("InDexEr=indexer1"); assertEquals("indexer1", indexer.getName()); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java index 8494a8f..9f20d03 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerRequiredInRole.java 
@@ -20,7 +20,8 @@ package org.apache.sentry.policy.indexer; import junit.framework.Assert; -import org.apache.sentry.policy.common.PrivilegeValidatorContext; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.indexer.validator.IndexerRequiredInPrivilege; import org.apache.shiro.config.ConfigurationException; import org.junit.Test; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b894ec62/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java deleted file mode 100644 index f7efbb6..0000000 --- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java +++ /dev/null 
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractSearchPrivilegeValidator implements PrivilegeValidator {
-
- @VisibleForTesting
- public static Iterable<SearchModelAuthorizable> parsePrivilege(String string) {
- List<SearchModelAuthorizable> result = Lists.newArrayList();
- System.err.println("privilege = " + string);
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- SearchModelAuthorizable authorizable = SearchModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}