Posted to commits@sentry.apache.org by va...@apache.org on 2014/05/05 22:45:10 UTC
git commit: SENTRY-190: Support for getting set of roles from
ProviderBackend (Gregory Chanan via Vamsee Yarlagadda)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 1d6f38c08 -> 071861d30
SENTRY-190: Support for getting set of roles from ProviderBackend (Gregory Chanan via Vamsee Yarlagadda)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/071861d3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/071861d3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/071861d3
Branch: refs/heads/master
Commit: 071861d30a638dbd4cef05ab0d8bf4bd59c376e5
Parents: 1d6f38c
Author: Vamsee <va...@cloudera.com>
Authored: Mon May 5 13:44:32 2014 -0700
Committer: Vamsee <va...@cloudera.com>
Committed: Mon May 5 13:44:32 2014 -0700
----------------------------------------------------------------------
.../binding/solr/authz/SolrAuthzBinding.java | 14 +++++++-
.../binding/solr/TestSolrAuthzBinding.java | 34 ++++++++++++++++++++
.../src/test/resources/test-authz-provider.ini | 6 +++-
.../sentry/provider/common/ProviderBackend.java | 5 +++
.../provider/db/SimpleDBProviderBackend.java | 9 ++++++
.../file/SimpleFileProviderBackend.java | 22 +++++++++++++
6 files changed, 88 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 9a6e623..5e85606 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -56,6 +56,7 @@ public class SolrAuthzBinding {
private final SolrAuthzConf authzConf;
private final AuthorizationProvider authProvider;
private final GroupMappingService groupMapping;
+ private ProviderBackend providerBackend;
public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
this.authzConf = authzConf;
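Review bot: The new `providerBackend` field is declared without `final`, unlike the three fields above it, which leaves the object that answers role lookups reassignable after construction. If the assignment changed in the next hunk (`providerBackend = (ProviderBackend) providerBackendConstructor.newInstance(...)`) sits on every path through the constructor, as the context suggests, the declaration can be `private final ProviderBackend providerBackend;`. The constructor body starts in this hunk and continues outside it, so that placement needs confirming before the change.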
@@ -86,7 +87,7 @@ public class SolrAuthzBinding {
initKerberos(keytabProp, principalProp);
}
Configuration conf = getConf();
- ProviderBackend providerBackend =
+ providerBackend =
(ProviderBackend) providerBackendConstructor.newInstance(new Object[] {conf, resourceName});
// load the policy engine class
@@ -130,11 +131,22 @@ public class SolrAuthzBinding {
* Get the list of groups the user belongs to
* @param user
* @return list of groups the user belongs to
+ * @deprecated use getRoles instead
*/
+ @Deprecated
public Set<String> getGroups(String user) {
return groupMapping.getGroups(user);
}
+ /**
+ * Get the roles associated with the user
+ * @param user
+ * @return The roles associated with the user
+ */
+ public Set<String> getRoles(String user) {
+ return providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL);
+ }
+
private Configuration getConf() throws IOException {
Configuration conf = new Configuration();
String confDir = System.getProperty("solr.hdfs.confdir");
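Review bot: `getRoles` forwards straight to `providerBackend.getRoles(...)`, and the `SimpleDBProviderBackend` implementation added later in this commit always throws `UnsupportedOperationException`, so a binding configured with that backend would fail with an unchecked exception on every role lookup. The Javadoc here should say so, for example `@throws UnsupportedOperationException if the configured ProviderBackend does not implement role lookup`, and the `{@inheritDoc}` on the DB backend method should be replaced by a sentence stating that the call is unsupported. Callers that feed the result into an access decision need to treat that exception as a denial rather than as an empty or partial answer. The method also calls `getGroups(user)`, which this same hunk deprecates; `groupMapping.getGroups(user)` avoids the deprecation warning inside the class. `getConf` at the end of the hunk continues outside it.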
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index e2e3403..db5ae29 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -190,6 +190,40 @@ public class TestSolrAuthzBinding {
}
/**
+ * Test for role mapping
+ */
+ @Test
+ public void testGetRoles() throws Exception {
+ SolrAuthzConf solrAuthzConf =
+ new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+ setUsableAuthzConf(solrAuthzConf);
+ SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+ Set<String> emptySet = Collections.emptySet();
+
+ // check non-existant users
+ assertEquals(binding.getRoles(null), emptySet);
+ assertEquals(binding.getRoles("nonExistantUser"), emptySet);
+
+ // check user with undefined group
+ assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
+ // check group with undefined role
+ assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);
+
+ // check role names don't map in the other direction
+ assertEquals(binding.getRoles("corporal_role"), emptySet);
+ assertEquals(binding.getRoles("sergeant_role"), emptySet);
+ assertEquals(binding.getRoles("general_role"), emptySet);
+
+ // check valid users
+ assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
+ assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role"));
+ assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+
+ // check user whos groups have overlapping roles
+ assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+ }
+
+ /**
* Test that a full sentry-site definition works.
*/
@Test
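Review bot: The assertions in `testGetRoles` pass the value under test first and the expected value second, e.g. `assertEquals(binding.getRoles(null), emptySet)`; if this is JUnit's `assertEquals(expected, actual)`, a failure will report the two the wrong way round. Writing `assertEquals(emptySet, binding.getRoles(null))`, and likewise for the other calls, keeps the failure output accurate. The test covers only the backend selected through `sentry-site.xml`, so nothing visible here pins how the binding behaves when the configured backend does not support `getRoles`.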
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index f8100e0..56317db 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -19,6 +19,7 @@
corporal = corporal_role
sergeant = corporal_role, sergeant_role
general = corporal_role, sergeant_role, general_role
+undefinedRoleGroup = undefinedRole
[roles]
#test that specification of a bogus action doesn't affect further specifications
@@ -30,4 +31,7 @@ general_role = collection=*->action=*
[users]
corporal1=corporal
sergeant1=sergeant
-general1=general, othergeneralgroup
\ No newline at end of file
+general1=general, othergeneralgroup
+undefinedGroupUser=undefinedGroup
+undefinedRoleUser=undefinedRoleGroup
+overlappingUser=general, sergeant, corporal
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 26c4878..a175245 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -49,6 +49,11 @@ public interface ProviderBackend {
public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet);
/**
+ * Get the roles associated with the groups from the backend.
+ */
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet);
+
+ /**
* If strictValidation is true then an error is thrown for warnings
* as well as errors.
*
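Review bot: The Javadoc for the new `getRoles` leaves the contract open on points where the implementations in this commit already differ. It should document both parameters and the return value, and say whether `groups` may be null (the file backend tolerates it). It should also say whether a role that a group names but that has no privileges is returned (the new test expects it is not), and that an implementation may throw `UnsupportedOperationException`. Suggested additions are a `@param groups`, `@param roleSet` and `@return` line, plus `@throws UnsupportedOperationException if the backend cannot enumerate roles`.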
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
index b068aca..dd4a977 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -17,6 +17,7 @@
package org.apache.sentry.provider.db;
import java.io.IOException;
+import java.lang.UnsupportedOperationException;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
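Review bot: `import java.lang.UnsupportedOperationException;` is redundant, because `java.lang` is imported implicitly. The line can be dropped, and the `throw new UnsupportedOperationException(...)` added in the next hunk still compiles without it.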
@@ -84,6 +85,14 @@ public class SimpleDBProviderBackend implements ProviderBackend {
return ImmutableSet.of();
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+ throw new UnsupportedOperationException("Not yet implemented.");
+ }
+
@Override
public void close() {
if (policyServiceClient != null) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index e7f69ac..2dadc47 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -158,6 +158,28 @@ public class SimpleFileProviderBackend implements ProviderBackend {
return resultBuilder.build();
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+ if (!initialized) {
+ throw new IllegalStateException("Backend has not been properly initialized");
+ }
+ ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+ if (groups != null) {
+ for (String groupName : groups) {
+ for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName)
+ .entrySet()) {
+ if (roleSet.containsRole(row.getKey())) {
+ resultBuilder.add(row.getKey());
+ }
+ }
+ }
+ }
+ return resultBuilder.build();
+ }
+
@Override
public void close() {
groupRolePrivilegeTable.clear();
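Review bot: `roleSet` is dereferenced in `roleSet.containsRole(row.getKey())` without the null check that `groups` gets a few lines earlier, so a null `roleSet` raises a NullPointerException only when some group has rows, which makes the failure data-dependent. Either state non-null as a precondition in the Javadoc or guard it at the top, e.g. `if (roleSet == null) { throw new IllegalArgumentException("roleSet must not be null"); }`. Only the key of each entry is used, so the inner loop reads more directly as `for (String role : groupRolePrivilegeTable.row(groupName).keySet())`. Roles appear to be returned only when they have an entry in `groupRolePrivilegeTable`, which the new `undefinedRoleUser` test relies on; that is worth a sentence in place of the bare `{@inheritDoc}`. `close()` at the end of the hunk continues outside it.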