Posted to commits@sentry.apache.org by va...@apache.org on 2014/05/05 22:45:10 UTC

git commit: SENTRY-190: Support for getting set of roles from ProviderBackend (Gregory Chanan via Vamsee Yarlagadda)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 1d6f38c08 -> 071861d30


SENTRY-190: Support for getting set of roles from ProviderBackend (Gregory Chanan via Vamsee Yarlagadda)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/071861d3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/071861d3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/071861d3

Branch: refs/heads/master
Commit: 071861d30a638dbd4cef05ab0d8bf4bd59c376e5
Parents: 1d6f38c
Author: Vamsee <va...@cloudera.com>
Authored: Mon May 5 13:44:32 2014 -0700
Committer: Vamsee <va...@cloudera.com>
Committed: Mon May 5 13:44:32 2014 -0700

----------------------------------------------------------------------
 .../binding/solr/authz/SolrAuthzBinding.java    | 14 +++++++-
 .../binding/solr/TestSolrAuthzBinding.java      | 34 ++++++++++++++++++++
 .../src/test/resources/test-authz-provider.ini  |  6 +++-
 .../sentry/provider/common/ProviderBackend.java |  5 +++
 .../provider/db/SimpleDBProviderBackend.java    |  9 ++++++
 .../file/SimpleFileProviderBackend.java         | 22 +++++++++++++
 6 files changed, 88 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 9a6e623..5e85606 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -56,6 +56,7 @@ public class SolrAuthzBinding {
   private final SolrAuthzConf authzConf;
   private final AuthorizationProvider authProvider;
   private final GroupMappingService groupMapping;
+  private ProviderBackend providerBackend;
 
   public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
     this.authzConf = authzConf;
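Review bot: `providerBackend` is added as the only non-final field next to `authzConf`, `authProvider` and `groupMapping`, which are all `final`, so nothing prevents it from being reassigned or read before it is set. The assignment in the second hunk (`providerBackend = (ProviderBackend) providerBackendConstructor.newInstance(...)`) sits in a method whose start is outside the hunk. If that method is the constructor, declare the field `private final ProviderBackend providerBackend;`. If it is a helper called from the constructor, a comment such as `// set once during construction; never reassigned` would tell readers that role lookups always see the configured backend.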
@@ -86,7 +87,7 @@ public class SolrAuthzBinding {
       initKerberos(keytabProp, principalProp);
     }
     Configuration conf = getConf();
-    ProviderBackend providerBackend =
+    providerBackend =
       (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {conf, resourceName});
 
     // load the policy engine class
@@ -130,11 +131,22 @@ public class SolrAuthzBinding {
    * Get the list of groups the user belongs to
    * @param user
    * @return list of groups the user belongs to
+   * @deprecated use getRoles instead
    */
+  @Deprecated
   public Set<String> getGroups(String user) {
     return groupMapping.getGroups(user);
   }
 
+  /**
+   * Get the roles associated with the user
+   * @param user
+   * @return The roles associated with the user
+   */
+  public Set<String> getRoles(String user) {
+    return providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL);
+  }
+
   private Configuration getConf() throws IOException {
     Configuration conf = new Configuration();
     String confDir = System.getProperty("solr.hdfs.confdir");
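Review bot: The new `getRoles` calls `getGroups`, which this same hunk marks `@Deprecated`, and its Javadoc does not say what a caller receives for a null or unknown user. Calling the mapping service directly avoids a deprecation warning inside the class: `return providerBackend.getRoles(groupMapping.getGroups(user), ActiveRoleSet.ALL);`. The `@deprecated use getRoles instead` tag also sends callers from a group lookup to a role lookup, and the two return different kinds of names, so the Javadoc should say they are not interchangeable. Callers may base access decisions on this set, so a line like `@return the roles mapped to the user's groups; empty if the user has none` would pin the contract that the test in this commit expects.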

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index e2e3403..db5ae29 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -190,6 +190,40 @@ public class TestSolrAuthzBinding {
   }
 
   /**
+   * Test for role mapping
+   */
+  @Test
+  public void testGetRoles() throws Exception {
+    SolrAuthzConf solrAuthzConf =
+      new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+    setUsableAuthzConf(solrAuthzConf);
+    SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+    Set<String> emptySet = Collections.emptySet();
+
+    // check non-existant users
+    assertEquals(binding.getRoles(null), emptySet);
+    assertEquals(binding.getRoles("nonExistantUser"), emptySet);
+
+    // check user with undefined group
+    assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
+    // check group with undefined role
+    assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);
+
+    // check role names don't map in the other direction
+    assertEquals(binding.getRoles("corporal_role"), emptySet);
+    assertEquals(binding.getRoles("sergeant_role"), emptySet);
+    assertEquals(binding.getRoles("general_role"), emptySet);
+
+    // check valid users
+    assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
+    assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role"));
+    assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+
+    // check user whos groups have overlapping roles
+    assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
+  }
+
+  /**
    * Test that a full sentry-site definition works.
    */
   @Test
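Review bot: Every `assertEquals` in `testGetRoles` passes the observed value first and the expected value second, e.g. `assertEquals(binding.getRoles(null), emptySet)`, which is the reverse of the `assertEquals(expected, actual)` order (assuming this is JUnit, as the `@Test` annotation suggests). The assertions still pass and fail correctly, but a failure message would label the observed role set as the expectation, which is misleading when diagnosing an authorization regression. Swapping the arguments throughout the method fixes this, e.g. `assertEquals(emptySet, binding.getRoles(null));`.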

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index f8100e0..56317db 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -19,6 +19,7 @@
 corporal = corporal_role
 sergeant = corporal_role, sergeant_role
 general = corporal_role, sergeant_role, general_role
+undefinedRoleGroup = undefinedRole
 
 [roles]
 #test that specification of a bogus action doesn't affect further specifications
@@ -30,4 +31,7 @@ general_role = collection=*->action=*
 [users]
 corporal1=corporal
 sergeant1=sergeant
-general1=general, othergeneralgroup
\ No newline at end of file
+general1=general, othergeneralgroup
+undefinedGroupUser=undefinedGroup
+undefinedRoleUser=undefinedRoleGroup
+overlappingUser=general, sergeant, corporal

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 26c4878..a175245 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -49,6 +49,11 @@ public interface ProviderBackend {
   public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet);
 
   /**
+   * Get the roles associated with the groups from the backend.
+   */
+  public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet);
+
+  /**
    * If strictValidation is true then an error is thrown for warnings
    * as well as errors.
    *
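Review bot: The Javadoc on the new `getRoles` leaves out the contract that implementers and callers need: whether `groups` may be null, how `roleSet` filters the result, and whether an implementation may refuse the call. The two implementations in this commit already differ, since the file backend tolerates a null `groups` and the DB backend throws `UnsupportedOperationException`. I would add `@param groups`, `@param roleSet`, `@return` and `@throws UnsupportedOperationException` tags covering those cases. Note also that any `ProviderBackend` implementation not updated in this commit will stop compiling once this abstract method is added.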

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
index b068aca..dd4a977 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -17,6 +17,7 @@
 package org.apache.sentry.provider.db;
 
 import java.io.IOException;
+import java.lang.UnsupportedOperationException;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
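Review bot: The added `import java.lang.UnsupportedOperationException;` is redundant, because everything in `java.lang` is imported implicitly. The line can be dropped without affecting the `throw` added further down in this file.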
@@ -84,6 +85,14 @@ public class SimpleDBProviderBackend implements ProviderBackend {
     return ImmutableSet.of();
   }
 
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+    throw new UnsupportedOperationException("Not yet implemented.");
+  }
+
   @Override
   public void close() {
     if (policyServiceClient != null) {
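Review bot: `getRoles` here always throws an unchecked `UnsupportedOperationException`, and the `{@inheritDoc}` comment hides that from anyone reading the class. `SolrAuthzBinding.getRoles` in this commit calls the backend without catching anything, so with the DB backend configured the exception would reach whatever code asks for a user's roles. I would replace the inherited comment with one that says so, for example `@throws UnsupportedOperationException always; role lookup is not implemented for the DB backend`. The message could also name the class, e.g. `"getRoles is not yet implemented in SimpleDBProviderBackend"`.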

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/071861d3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index e7f69ac..2dadc47 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -158,6 +158,28 @@ public class SimpleFileProviderBackend implements ProviderBackend {
     return resultBuilder.build();
   }
 
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
+    if (!initialized) {
+      throw new IllegalStateException("Backend has not been properly initialized");
+    }
+    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+    if (groups != null) {
+      for (String groupName : groups) {
+        for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName)
+            .entrySet()) {
+          if (roleSet.containsRole(row.getKey())) {
+            resultBuilder.add(row.getKey());
+          }
+        }
+      }
+    }
+    return resultBuilder.build();
+  }
+
   @Override
   public void close() {
     groupRolePrivilegeTable.clear();
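Review bot: The inner loop iterates `entrySet()` but only ever reads `row.getKey()`, so the privilege sets are fetched for nothing. Writing `for (String roleName : groupRolePrivilegeTable.row(groupName).keySet())` with `roleSet.containsRole(roleName)` in the body says the same thing more directly. `groups` is null-checked but `roleSet` is not, so a null `roleSet` would fail with a `NullPointerException` at `roleSet.containsRole(...)`; either document that it must be non-null or reject it up front. Because roles are read from `groupRolePrivilegeTable`, a role that a group names but that has no entries in that table would presumably not be returned, which matches the `undefinedRoleUser` test but is worth stating in the Javadoc.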