Repository: sqoop Updated Branches: refs/heads/sqoop2 00ab7d439 -> aca7d7558
SQOOP-2383: SQOOP2: Add do user support in authorization engine (Richard via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/sqoop/repo Commit: http://git-wip-us.apache.org/repos/asf/sqoop/commit/aca7d755 Tree: http://git-wip-us.apache.org/repos/asf/sqoop/tree/aca7d755 Diff: http://git-wip-us.apache.org/repos/asf/sqoop/diff/aca7d755 Branch: refs/heads/sqoop2 Commit: aca7d75589edf3f09428dbeb2211faf03e82af3d Parents: 00ab7d4 Author: Jarek Jarcec Cecho <[email protected]> Authored: Fri Jul 10 09:18:44 2015 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Fri Jul 10 09:18:44 2015 -0700 ---------------------------------------------------------------------- .../authorization/AuthorizationEngine.java | 75 ++++++++++---------- .../sqoop/handler/ConnectorRequestHandler.java | 4 +- .../apache/sqoop/handler/JobRequestHandler.java | 20 +++--- .../sqoop/handler/LinkRequestHandler.java | 14 ++-- .../sqoop/handler/SubmissionRequestHandler.java | 12 ++-- 5 files changed, 62 insertions(+), 63 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java ---------------------------------------------------------------------- diff --git a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java index 10f02c0..57e0da5 100644 --- a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java +++ b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java 
@@ -42,13 +42,13 @@ public class AuthorizationEngine { /** * Filter resources, get all valid resources from all resources */ - public static <T extends MPersistableEntity> List<T> filterResource(final MResource.TYPE type, List<T> resources) throws SqoopException { + public static <T extends MPersistableEntity> List<T> filterResource(final String doUserName, final MResource.TYPE type, List<T> resources) throws SqoopException { Collection<T> collection = Collections2.filter(resources, new Predicate<T>() { @Override public boolean apply(T input) { try { String name = String.valueOf(input.getPersistenceId()); - checkPrivilege(getPrivilege(type, name, MPrivilege.ACTION.READ)); + checkPrivilege(doUserName, getPrivilege(type, name, MPrivilege.ACTION.READ)); // add valid resource return true; } catch (Exception e) { 
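Review bot: `filterResource` now takes the identity to authorize as a plain `doUserName` argument, and nothing on the method says where that name must come from. Add Javadoc such as `@param doUserName effective (impersonated) user, already authenticated and proxy-validated by the caller; must not be null`, and repeat it on the other public methods changed in the following hunk (`readConnector` through `filterSubmission`). The anonymous `Predicate` also wraps the check in `catch (Exception e)`, whose body lies outside this hunk, so a null name would presumably show up as a silently filtered resource rather than as an error.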
@@ -63,86 +63,86 @@ public class AuthorizationEngine { /** * Connector related function */ - public static void readConnector(String connectorId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ)); + public static void readConnector(String doUserName, String connectorId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ)); } /** * Link related function */ - public static void readLink(String linkId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ)); + public static void readLink(String doUserName, String linkId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ)); } - public static void createLink(String connectorId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ)); + public static void createLink(String doUserName, String connectorId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ)); } - public static void updateLink(String connectorId, String linkId) throws SqoopException { + public static void updateLink(String doUserName, String connectorId, String linkId) throws SqoopException { MPrivilege privilege1 = getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ); MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE); - checkPrivilege(privilege1, privilege2); + checkPrivilege(doUserName, privilege1, privilege2); } - public static void deleteLink(String linkId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE)); + public static void deleteLink(String doUserName, String linkId) throws SqoopException { + checkPrivilege(doUserName, 
getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE)); } - public static void enableDisableLink(String linkId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE)); + public static void enableDisableLink(String doUserName, String linkId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE)); } /** * Job related function */ - public static void readJob(String jobId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); + public static void readJob(String doUserName, String jobId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); } - public static void createJob(String linkId1, String linkId2) throws SqoopException { + public static void createJob(String doUserName, String linkId1, String linkId2) throws SqoopException { MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ); MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ); - checkPrivilege(privilege1, privilege2); + checkPrivilege(doUserName, privilege1, privilege2); } - public static void updateJob(String linkId1, String linkId2, String jobId) throws SqoopException { + public static void updateJob(String doUserName, String linkId1, String linkId2, String jobId) throws SqoopException { MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ); MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ); MPrivilege privilege3 = getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE); - checkPrivilege(privilege1, privilege2, privilege3); + checkPrivilege(doUserName, privilege1, privilege2, privilege3); } - public static void deleteJob(String jobId) throws SqoopException { - 
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); + public static void deleteJob(String doUserName, String jobId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); } - public static void enableDisableJob(String jobId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); + public static void enableDisableJob(String doUserName, String jobId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); } - public static void startJob(String jobId) throws SqoopException { + public static void startJob(String doUserName, String jobId) throws SqoopException { ; - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); } - public static void stopJob(String jobId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); + public static void stopJob(String doUserName, String jobId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE)); } - public static void statusJob(String jobId) throws SqoopException { - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); + public static void statusJob(String doUserName, String jobId) throws SqoopException { + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); } /** * Filter resources, get all valid resources from all resources */ - public static List<MSubmission> filterSubmission(List<MSubmission> submissions) throws SqoopException { + public static List<MSubmission> filterSubmission(final String doUserName, List<MSubmission> submissions) throws SqoopException { Collection<MSubmission> collection = 
Collections2.filter(submissions, new Predicate<MSubmission>() { @Override public boolean apply(MSubmission input) { try { String jobId = String.valueOf(input.getJobId()); - checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); + checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ)); // add valid submission return true; } catch (Exception e) { @@ -163,11 +163,10 @@ public class AuthorizationEngine { return new MPrivilege(new MResource(resourceId, resourceType), privilegeAction, false); } - private static void checkPrivilege(MPrivilege... privileges) { + private static void checkPrivilege(String doUserName, MPrivilege... privileges) { AuthorizationHandler handler = AuthorizationManager.getAuthorizationHandler(); - UserGroupInformation user = HttpUserGroupInformation.get(); - String user_name = user == null ? StringUtils.EMPTY : user.getShortUserName(); - MPrincipal principal = new MPrincipal(user_name, MPrincipal.TYPE.USER); + + MPrincipal principal = new MPrincipal(doUserName, MPrincipal.TYPE.USER); // SQOOP-2256: Hack code, do not check privilege when the user is the creator // If the user is the owner/creator of this resource, then privilege will 
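Review bot: `startJob` keeps a stray empty statement, `;`, on the line before its `checkPrivilege` call; drop it while the method is being touched. Every other change in this hunk only threads `doUserName` through to `checkPrivilege`, so the clean-up can be folded in without affecting behaviour.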
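Review bot: `checkPrivilege` no longer normalises a missing user: the removed code mapped a null `UserGroupInformation` to `StringUtils.EMPTY`, while the new line builds `new MPrincipal(doUserName, MPrincipal.TYPE.USER)` from whatever the caller passed. A null `doUserName` then throws a `NullPointerException` at the `doUserName.equals(...)` owner comparisons in the next hunk instead of producing an authorization failure. Reject a null or empty name at the top of the method with the engine's own authorization error, or, to keep the old behaviour and assuming the `StringUtils` import stays, use `String userName = doUserName == null ? StringUtils.EMPTY : doUserName;`. The method body continues past the end of this hunk.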
@@ -178,12 +177,12 @@ public class AuthorizationEngine { Repository repository = RepositoryManager.getInstance().getRepository(); if (MResource.TYPE.LINK.name().equalsIgnoreCase(privilege.getResource().getType())) { MLink link = repository.findLink(Long.valueOf(privilege.getResource().getName())); - if (!user_name.equals(link.getCreationUser())) { + if (!doUserName.equals(link.getCreationUser())) { privilegesNeedCheck.add(privilege); } } else if (MResource.TYPE.JOB.name().equalsIgnoreCase(privilege.getResource().getType())) { MJob job = repository.findJob(Long.valueOf(privilege.getResource().getName())); - if (!user_name.equals(job.getCreationUser())) { + if (!doUserName.equals(job.getCreationUser())) { privilegesNeedCheck.add(privilege); } } else { http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java ---------------------------------------------------------------------- diff --git a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java index 5128a27..7c428b8 100644 --- a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java +++ b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java @@ -71,7 +71,7 @@ public class ConnectorRequestHandler implements RequestHandler { ctx.getRequest().getRemoteAddr(), "get", "connectors", "all"); // Authorization check - connectors = AuthorizationEngine.filterResource(MResource.TYPE.CONNECTOR, connectors); + connectors = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.CONNECTOR, connectors); return new ConnectorsBean(connectors, configParamBundles); 
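Review bot: The SQOOP-2256 owner shortcut in `checkPrivilege` now compares the caller-supplied `doUserName` with `getCreationUser()`, so any request that arrives with a matching name skips the handler's privilege check for that link or job. That is only safe if `ctx.getUserName()` can never carry a do-user the authenticated caller is not allowed to impersonate. The validation is not visible in this commit, so confirm it and record the dependency in a comment such as `// doUserName must already be proxy-user validated: a match bypasses the privilege check`. The enclosing method starts and ends outside this hunk.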
@@ -89,7 +89,7 @@ public class ConnectorRequestHandler implements RequestHandler { ctx.getRequest().getRemoteAddr(), "get", "connector", String.valueOf(cIdentifier)); // Authorization check - AuthorizationEngine.readConnector(String.valueOf(connector.getPersistenceId())); + AuthorizationEngine.readConnector(ctx.getUserName(), String.valueOf(connector.getPersistenceId())); return new ConnectorBean(Arrays.asList(connector), configParamBundles); } http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java ---------------------------------------------------------------------- diff --git a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java index d1621d8..5e314d0 100644 --- a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java +++ b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java @@ -141,7 +141,7 @@ public class JobRequestHandler implements RequestHandler { long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); // Authorization check - AuthorizationEngine.deleteJob(String.valueOf(jobId)); + AuthorizationEngine.deleteJob(ctx.getUserName(), String.valueOf(jobId)); AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier); 
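Review bot: In the `deleteJob` path of `JobRequestHandler` the authorization call runs before `logAuditEvent`, so a request that `AuthorizationEngine.deleteJob` rejects (presumably by throwing `SqoopException`) leaves no audit record of the denied attempt. `ConnectorRequestHandler` logs first and checks second; moving the `logAuditEvent(...)` call above `AuthorizationEngine.deleteJob(ctx.getUserName(), ...)` would match it and keep refused operations visible to whoever reviews the audit trail. The same ordering appears in the start, stop and status hunks of this file and in the `deleteLink` hunk of `LinkRequestHandler`. The surrounding method lies outside the hunk.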
@@ -185,10 +185,10 @@ public class JobRequestHandler implements RequestHandler { // Authorization check if (create) { - AuthorizationEngine.createJob(String.valueOf(postedJob.getFromLinkId()), + AuthorizationEngine.createJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()), String.valueOf(postedJob.getToLinkId())); } else { - AuthorizationEngine.updateJob(String.valueOf(postedJob.getFromLinkId()), + AuthorizationEngine.updateJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()), String.valueOf(postedJob.getToLinkId()), String.valueOf(postedJob.getPersistenceId())); } @@ -284,7 +284,7 @@ public class JobRequestHandler implements RequestHandler { List<MJob> jobList = repository.findJobsForConnector(connectorId); // Authorization check - jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList); + jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList); jobBean = createJobsBean(jobList, locale); } else @@ -296,7 +296,7 @@ public class JobRequestHandler implements RequestHandler { List<MJob> jobList = repository.findJobs(); // Authorization check - jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList); + jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList); jobBean = createJobsBean(jobList, locale); } @@ -309,7 +309,7 @@ public class JobRequestHandler implements RequestHandler { MJob job = repository.findJob(jobId); // Authorization check - AuthorizationEngine.readJob(String.valueOf(job.getPersistenceId())); + AuthorizationEngine.readJob(ctx.getUserName(), String.valueOf(job.getPersistenceId())); jobBean = createJobBean(Arrays.asList(job), locale); } 
@@ -352,7 +352,7 @@ public class JobRequestHandler implements RequestHandler { long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); // Authorization check - AuthorizationEngine.enableDisableJob(String.valueOf(jobId)); + AuthorizationEngine.enableDisableJob(ctx.getUserName(), String.valueOf(jobId)); repository.enableJob(jobId, enabled); return JsonBean.EMPTY_BEAN; @@ -364,7 +364,7 @@ public class JobRequestHandler implements RequestHandler { long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); // Authorization check - AuthorizationEngine.startJob(String.valueOf(jobId)); + AuthorizationEngine.startJob(ctx.getUserName(), String.valueOf(jobId)); AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "submit", "job", String.valueOf(jobId)); @@ -387,7 +387,7 @@ public class JobRequestHandler implements RequestHandler { long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); // Authorization check - AuthorizationEngine.stopJob(String.valueOf(jobId)); + AuthorizationEngine.stopJob(ctx.getUserName(), String.valueOf(jobId)); AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "stop", "job", String.valueOf(jobId)); @@ -401,7 +401,7 @@ public class JobRequestHandler implements RequestHandler { long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); // Authorization check - AuthorizationEngine.statusJob(String.valueOf(jobId)); + AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jobId)); AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "status", "job", String.valueOf(jobId)); http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java ---------------------------------------------------------------------- 
diff --git a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java index 26a341b..f056686 100644 --- a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java +++ b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java @@ -95,7 +95,7 @@ public class LinkRequestHandler implements RequestHandler { long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier); // Authorization check - AuthorizationEngine.deleteLink(String.valueOf(linkId)); + AuthorizationEngine.deleteLink(ctx.getUserName(), String.valueOf(linkId)); AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier); @@ -137,9 +137,9 @@ public class LinkRequestHandler implements RequestHandler { // Authorization check if (create) { - AuthorizationEngine.createLink(String.valueOf(postedLink.getConnectorId())); + AuthorizationEngine.createLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId())); } else { - AuthorizationEngine.updateLink(String.valueOf(postedLink.getConnectorId()), + AuthorizationEngine.updateLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()), String.valueOf(postedLink.getPersistenceId())); } @@ -207,7 +207,7 @@ public class LinkRequestHandler implements RequestHandler { List<MLink> linkList = repository.findLinksForConnector(connectorId); // Authorization check - linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList); + linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList); linkBean = createLinksBean(linkList, locale); } else { 
@@ -224,7 +224,7 @@ public class LinkRequestHandler implements RequestHandler { List<MLink> linkList = repository.findLinks(); // Authorization check - linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList); + linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList); linkBean = createLinksBean(linkList, locale); } @@ -237,7 +237,7 @@ public class LinkRequestHandler implements RequestHandler { MLink link = repository.findLink(linkId); // Authorization check - AuthorizationEngine.readLink(String.valueOf(link.getPersistenceId())); + AuthorizationEngine.readLink(ctx.getUserName(), String.valueOf(link.getPersistenceId())); linkBean = createLinkBean(Arrays.asList(link), locale); } @@ -274,7 +274,7 @@ public class LinkRequestHandler implements RequestHandler { long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier); // Authorization check - AuthorizationEngine.enableDisableLink(String.valueOf(linkId)); + AuthorizationEngine.enableDisableLink(ctx.getUserName(), String.valueOf(linkId)); repository.enableLink(linkId, enabled); return JsonBean.EMPTY_BEAN; http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java ---------------------------------------------------------------------- diff --git a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java index 5a1ab51..5c349a2 100644 --- a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java +++ b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java 
@@ -56,28 +56,28 @@ public class SubmissionRequestHandler implements RequestHandler { AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "get", "submissionsByJob", jobIdentifier); long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier); - return getSubmissionsForJob(jobId); + return getSubmissionsForJob(jobId, ctx); } else { // all submissions in the system AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(), ctx.getRequest().getRemoteAddr(), "get", "submissions", "all"); - return getSubmissions(); + return getSubmissions(ctx); } } - private JsonBean getSubmissions() { + private JsonBean getSubmissions(RequestContext ctx) { List<MSubmission> submissions = RepositoryManager.getInstance().getRepository() .findSubmissions(); //Authorization check - submissions = AuthorizationEngine.filterSubmission(submissions); + submissions = AuthorizationEngine.filterSubmission(ctx.getUserName(), submissions); return new SubmissionsBean(submissions); } - private JsonBean getSubmissionsForJob(long jid) { + private JsonBean getSubmissionsForJob(long jid, RequestContext ctx) { //Authorization check - AuthorizationEngine.statusJob(String.valueOf(jid)); + AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jid)); List<MSubmission> submissions = RepositoryManager.getInstance().getRepository() .findSubmissionsForJob(jid);
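Review bot: `getSubmissions` and `getSubmissionsForJob` now take the whole `RequestContext` although each reads only `ctx.getUserName()`; passing the name keeps the helpers free of request state, e.g. `private JsonBean getSubmissionsForJob(long jid, String userName)`. The call sites then become `getSubmissionsForJob(jobId, ctx.getUserName())` and `getSubmissions(ctx.getUserName())`, which also makes it obvious at the dispatch point which identity is being authorized.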
