You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/04/22 08:28:22 UTC
[02/13] sentry git commit: SENTRY-999: Refactor the sentry to
integrate with external components quickly (Colin Ma, reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java
deleted file mode 100644
index ae89cf4..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SqoopWildcardPrivilege.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.KeyValue;
-
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-public class SqoopWildcardPrivilege implements Privilege {
-
- public static class Factory implements PrivilegeFactory {
- @Override
- public Privilege createPrivilege(String permission) {
- return new SqoopWildcardPrivilege(permission);
- }
- }
-
- private final ImmutableList<KeyValue> parts;
-
- public SqoopWildcardPrivilege(String permission) {
- if (Strings.isNullOrEmpty(permission)) {
- throw new IllegalArgumentException("permission string cannot be null or empty.");
- }
- List<KeyValue>parts = Lists.newArrayList();
- for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(permission.trim())) {
- if (authorizable.isEmpty()) {
- throw new IllegalArgumentException("Privilege '" + permission + "' has an empty section");
- }
- parts.add(new KeyValue(authorizable));
- }
- if (parts.isEmpty()) {
- throw new AssertionError("Should never occur: " + permission);
- }
- this.parts = ImmutableList.copyOf(parts);
- }
-
- @Override
- public boolean implies(Privilege p) {
- if (!(p instanceof SqoopWildcardPrivilege)) {
- return false;
- }
- SqoopWildcardPrivilege wp = (SqoopWildcardPrivilege)p;
- List<KeyValue> otherParts = wp.parts;
- if(equals(wp)) {
- return true;
- }
- int index = 0;
- for (KeyValue otherPart : otherParts) {
- // If this privilege has less parts than the other privilege, everything
- // after the number of parts contained
- // in this privilege is automatically implied, so return true
- if (parts.size() - 1 < index) {
- return true;
- } else {
- KeyValue part = parts.get(index);
- // Support for action inheritance from parent to child
- if (part.getKey().equalsIgnoreCase(SqoopActionConstant.NAME)
- && !(otherPart.getKey().equalsIgnoreCase(SqoopActionConstant.NAME))) {
- continue;
- }
- // are the keys even equal
- if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
- return false;
- }
- if (!impliesKeyValue(part, otherPart)) {
- return false;
- }
- index++;
- }
- }
- // If this privilege has more parts than
- // the other parts, only imply it if
- // all of the other parts are "*" or "ALL"
- for (; index < parts.size(); index++) {
- KeyValue part = parts.get(index);
- if (!part.getValue().equals(SqoopActionConstant.ALL)) {
- return false;
- }
- }
- return true;
- }
-
- private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
- Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
- "Please report, this method should not be called with two different keys");
- if(policyPart.getValue().equalsIgnoreCase(SqoopActionConstant.ALL) ||
- policyPart.getValue().equalsIgnoreCase(SqoopActionConstant.ALL_NAME) ||
- policyPart.equals(requestPart)) {
- return true;
- } else if (!SqoopActionConstant.NAME.equalsIgnoreCase(policyPart.getKey())
- && SqoopActionConstant.ALL.equalsIgnoreCase(requestPart.getValue())) {
- /* privilege request is to match with any object of given type */
- return true;
- }
- return false;
-
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
deleted file mode 100644
index 49b9bc1..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSqoopPolicyEngine {
- private static final String OPERATOR_JDBC_CONNECTORS_READ = "server=server1->connector=generic-jdbc-connector->action=read";
- private static final String OPERATOR_HDFS_CONNECTORS_READ = "server=server1->connector=hdfs-connector->action=read";
- private static final String OPERATOR_KAFKA_CONNECTORS_READ = "server=server1->connector=kafka-connector->action=read";
- private static final String OPERATOR_KITE_CONNECTORS_READ = "server=server1->connector=kite-connector->action=read";
- private static final String ANALYST_JOBS_ALL = "server=server1->job=all->action=*";
- private static final String OPERATOR_JOB1_READ = "server=server1->job=job1->action=read";
- private static final String OPERATOR_JOB2_READ = "server=server1->job=job2->action=read";
- private static final String ANALYST_LINKS_ALL = "server=server1->link=all->action=*";
- private static final String OPERATOR_LINK1_READ = "server=server1->link=link1->action=read";
- private static final String OPERATOR_LINK2_READ = "server=server1->link=link2->action=read";
- private static final String ADMIN = "server=server1->action=*";
-
- private PolicyEngine policy;
- private static File baseDir;
-
- protected String sqoopServerName = "server1";
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testDeveloper() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- OPERATOR_JDBC_CONNECTORS_READ, OPERATOR_HDFS_CONNECTORS_READ,
- OPERATOR_KAFKA_CONNECTORS_READ, OPERATOR_KITE_CONNECTORS_READ,
- ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
- Assert.assertEquals(expected.toString(),
- Sets.newTreeSet(policy.getPrivileges(set("developer"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testConnectorOperator() throws Exception {
-
- }
-
- @Test
- public void testJobOperator() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(OPERATOR_JOB1_READ,OPERATOR_JOB2_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("job1_2_operator"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testLinkOperator() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(OPERATOR_LINK1_READ, OPERATOR_LINK2_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("link1_2_operator"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
deleted file mode 100644
index fd577d6..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/MockGroupMappingServiceProvider.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.util.Set;
-
-import org.apache.sentry.provider.common.GroupMappingService;
-
-import com.google.common.collect.Multimap;
-import com.google.common.collect.Sets;
-
-public class MockGroupMappingServiceProvider implements GroupMappingService {
- private final Multimap<String, String> userToGroupMap;
-
- public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
- this.userToGroupMap = userToGroupMap;
- }
- @Override
- public Set<String> getGroups(String user) {
- return Sets.newHashSet(userToGroupMap.get(user));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyFileProviderBackend.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyFileProviderBackend.java
deleted file mode 100644
index 5da63a3..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyFileProviderBackend.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class SqoopPolicyFileProviderBackend extends SimpleSqoopPolicyEngine {
- private static final Logger LOGGER = LoggerFactory.getLogger(SqoopPolicyFileProviderBackend.class);
- public SqoopPolicyFileProviderBackend(String sqoopServerName,
- String resource) throws IOException {
- super(sqoopServerName, new SimpleFileProviderBackend(new Configuration(), resource));
- LOGGER.warn("The DB providerbackend is the preferred option over file providerbackend as the sqoop policy engine");
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
deleted file mode 100644
index b6e9893..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import org.junit.Assert;
-
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestServerNameRequiredMatch {
- @Test
- public void testWithoutServerName() {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("connector=c1->action=read"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException ex) {
- }
- }
- @Test
- public void testServerNameNotMatch() throws Exception {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("server=server2->connector=c1->action=read"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException ex) {
- }
- }
- @Test
- public void testServerNameMatch() throws Exception {
- ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
- try {
- serverNameMatch.validate(new PrivilegeValidatorContext("server=server1->connector=c1->action=read"));
- } catch (ConfigurationException ex) {
- Assert.fail("Not expected ConfigurationException");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
deleted file mode 100644
index 3bdf6f7..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Set;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.sqoop.Connector;
-import org.apache.sentry.core.model.sqoop.Job;
-import org.apache.sentry.core.model.sqoop.Link;
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
-import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
-import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.After;
-import org.junit.Test;
-
-import com.google.common.base.Objects;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Multimap;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopAuthorizationProviderGeneralCases {
- private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap.create();
-
- private static final Subject SUB_ADMIN = new Subject("admin1");
- private static final Subject SUB_DEVELOPER = new Subject("developer1");
- private static final Subject SUB_ANALYST = new Subject("analyst1");
- private static final Subject SUB_JOB_OPERATOR = new Subject("job_operator1");
- private static final Subject SUB_LINK_OPERATOR = new Subject("link_operator1");
- private static final Subject SUB_CONNECTOR_OPERATOR = new Subject("connector_operator1");
-
-
-
- private static final Server server1 = new Server("server1");
- private static final Connector jdbc_connector = new Connector("generic-jdbc-connector");
- private static final Connector hdfs_connector = new Connector("hdfs-connector");
- private static final Connector kafka_connector = new Connector("kafka-connector");
- private static final Connector kite_connector = new Connector("kite-connector");
- private static final Link link1 = new Link("link1");
- private static final Link link2 = new Link("link2");
- private static final Job job1 = new Job("job1");
- private static final Job job2 = new Job("job2");
-
- private static final SqoopAction ALL = new SqoopAction(SqoopActionConstant.ALL);
- private static final SqoopAction READ = new SqoopAction(SqoopActionConstant.READ);
- private static final SqoopAction WRITE = new SqoopAction(SqoopActionConstant.WRITE);
-
- private static final String ADMIN = "admin";
- private static final String DEVELOPER = "developer";
- private static final String ANALYST = "analyst";
- private static final String JOB_OPERATOR = "job1_2_operator";
- private static final String LINK_OPERATOR ="link1_2_operator";
- private static final String CONNECTOR_OPERATOR = "connectors_operator";
-
- static {
- USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList(ADMIN));
- USER_TO_GROUP_MAP.putAll(SUB_DEVELOPER.getName(), Arrays.asList(DEVELOPER));
- USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList(ANALYST));
- USER_TO_GROUP_MAP.putAll(SUB_JOB_OPERATOR.getName(),Arrays.asList(JOB_OPERATOR));
- USER_TO_GROUP_MAP.putAll(SUB_LINK_OPERATOR.getName(),Arrays.asList(LINK_OPERATOR));
- USER_TO_GROUP_MAP.putAll(SUB_CONNECTOR_OPERATOR.getName(),Arrays.asList(CONNECTOR_OPERATOR));
- }
-
- private final ResourceAuthorizationProvider authzProvider;
- private File baseDir;
-
- public TestSqoopAuthorizationProviderGeneralCases() throws IOException {
- baseDir = Files.createTempDir();
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- authzProvider = new HadoopGroupResourceAuthorizationProvider(
- new SqoopPolicyFileProviderBackend(server1.getName(), new File(baseDir, "test-authz-provider.ini").getPath()),
- new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void doTestResourceAuthorizationProvider(Subject subject, List<? extends Authorizable> authorizableHierarchy,
- Set<? extends Action> actions, boolean expected) throws Exception {
- Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
- helper.add("Subject", subject).add("authzHierarchy", authorizableHierarchy).add("action", actions);
- Assert.assertEquals(helper.toString(), expected,
- authzProvider.hasAccess(subject, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<? extends Action> allActions = Sets.newHashSet(ALL, READ, WRITE);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,hdfs_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,jdbc_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kafka_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kite_connector), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link2), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job1), allActions, true);
- doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job2), allActions, true);
- }
-
- @Test
- public void testDeveloper() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- //developer only has the read action on all connectors
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
- }
- }
-
- for (Link link : Sets.newHashSet(link1, link2)) {
- //developer has the all action on all links
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, link), allActions, true);
- }
-
- for (Job job : Sets.newHashSet(job1,job2)) {
- //developer has the all action on all jobs
- doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, job), allActions, true);
- }
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- //analyst has not the any action on all connectors
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
- }
-
- for (Link link : Sets.newHashSet(link1, link2)) {
- //analyst has the all action on all links
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, link), allActions, true);
- }
-
- for (Job job : Sets.newHashSet(job1,job2)) {
- //analyst has the all action on all jobs
- doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, job), allActions, true);
- }
- }
-
- @Test
- public void testJobOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Job job : Sets.newHashSet(job1,job2)) {
- //Job operator has the read action on all jobs
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), READ.equals(action));
- }
- for (Link link : Sets.newHashSet(link1, link2)) {
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
- }
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
- }
- }
-
- @Test
- public void testLinkOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Link link : Sets.newHashSet(link1, link2)) {
- //Link operator has the read action on all links
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), READ.equals(action));
- }
- for (Job job : Sets.newHashSet(job1,job2)) {
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
- }
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
- }
- }
- }
-
- @Test
- public void testConnectorOperator() throws Exception {
- Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
- for (SqoopAction action : allActions) {
- for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
- }
- for (Job job : Sets.newHashSet(job1,job2)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
- }
- for (Link link : Sets.newHashSet(link1, link2)) {
- doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
deleted file mode 100644
index 9fee5a7..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.List;
-import java.util.Set;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.sqoop.Connector;
-import org.apache.sentry.core.model.sqoop.Server;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopAuthorizationProviderSpecialCases {
- private AuthorizationProvider authzProvider;
- private PolicyFile policyFile;
- private File baseDir;
- private File iniFile;
- private String initResource;
- @Before
- public void setup() throws IOException {
- baseDir = Files.createTempDir();
- iniFile = new File(baseDir, "policy.ini");
- initResource = "file://" + iniFile.getPath();
- policyFile = new PolicyFile();
- }
-
- @After
- public void teardown() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- @Test
- public void testDuplicateEntries() throws Exception {
- Subject user1 = new Subject("user1");
- Server server1 = new Server("server1");
- Connector connector1 = new Connector("c1");
- Set<? extends Action> actions = Sets.newHashSet(new SqoopAction(SqoopActionConstant.READ));
- policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
- .addRolesToGroup("group1", true, "role1", "role1")
- .addPermissionsToRole("role1", true, "server=server1->connector=c1->action=read",
- "server=server1->connector=c1->action=read");
- policyFile.write(iniFile);
- SqoopPolicyFileProviderBackend policy = new SqoopPolicyFileProviderBackend(server1.getName(), initResource);
- authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
- List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, connector1);
- Assert.assertTrue(authorizableHierarchy.toString(),
- authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
deleted file mode 100644
index 99a5ae2..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.apache.sentry.core.model.sqoop.Server;
-import org.junit.Test;
-
-public class TestSqoopModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server1 = (Server)SqoopModelAuthorizables.from("SERVER=server1");
- assertEquals("server1", server1.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("=server1"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(SqoopModelAuthorizables.from("SERVER="));
- }
-
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(SqoopModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
deleted file mode 100644
index ff4c9a8..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-public class TestSqoopPolicyEngineDFS extends AbstractTestSqoopPolicyEngine {
- private static MiniDFSCluster dfsCluster;
- private static FileSystem fileSystem;
- private static Path root;
- private static Path etc;
-
- @BeforeClass
- public static void setupLocalClazz() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- File dfsDir = new File(baseDir, "dfs");
- Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
- Configuration conf = new Configuration();
- conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
- dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
- fileSystem = dfsCluster.getFileSystem();
- root = new Path(fileSystem.getUri().toString());
- etc = new Path(root, "/etc");
- fileSystem.mkdirs(etc);
- }
-
- @AfterClass
- public static void teardownLocalClazz() {
- if(dfsCluster != null) {
- dfsCluster.shutdown();
- }
- }
-
- @Override
- protected void afterSetup() throws IOException {
- fileSystem.delete(etc, true);
- fileSystem.mkdirs(etc);
- PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini");
- setPolicy(new SqoopPolicyFileProviderBackend(sqoopServerName, new Path(etc,
- "test-authz-provider.ini").toString()));
- }
-
- @Override
- protected void beforeTeardown() throws IOException {
- fileSystem.delete(etc, true);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
deleted file mode 100644
index ca5a198..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-
-public class TestSqoopPolicyEngineLocalFS extends AbstractTestSqoopPolicyEngine {
- @Override
- protected void afterSetup() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
- PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini");
- setPolicy(new SqoopPolicyFileProviderBackend(sqoopServerName, new File(baseDir, "test-authz-provider.ini").getPath()));
- }
- @Override
- protected void beforeTeardown() throws IOException {
- File baseDir = getBaseDir();
- Assert.assertNotNull(baseDir);
- FileUtils.deleteQuietly(baseDir);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
deleted file mode 100644
index da922a5..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.sqoop;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSqoopPolicyNegative {
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestSqoopPolicyNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testauthorizedSqoopInPolicyFile() throws Exception {
- append("[groups]", globalPolicyFile);
- append("other_group = other_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("other_role = server=server1->connector=c1->action=read, server=server1->link=l1->action=read", globalPolicyFile);
- PolicyEngine policy = new SqoopPolicyFileProviderBackend("server1", globalPolicyFile.getPath());
- //malicious_group has no privilege
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("malicious_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- //other_group has two privileges
- permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.size() == 2);
- }
-
- @Test
- public void testNoServerNameConfig() throws Exception {
- append("[groups]", globalPolicyFile);
- append("other_group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = connector=c1->action=read,link=l1->action=read", globalPolicyFile);
- PolicyEngine policy = new SqoopPolicyFileProviderBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAllName() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = new SqoopPolicyFileProviderBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = new SqoopPolicyFileProviderBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = new SqoopPolicyFileProviderBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopWildcardPrivilege.java b/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopWildcardPrivilege.java
deleted file mode 100644
index 84a25a7..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopWildcardPrivilege.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.sqoop;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.KeyValue;
-import org.junit.Test;
-
-public class TestSqoopWildcardPrivilege extends org.junit.Assert {
- private static final Privilege SQOOP_SERVER1_ALL =
- create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.ALL));
- private static final Privilege SQOOP_SERVER1_READ =
- create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.READ));
- private static final Privilege SQOOP_SERVER1_WRITE =
- create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.WRITE));
-
- private static final Privilege SQOOP_SERVER1_JOB1_ALL =
- create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), new KeyValue("action", SqoopActionConstant.ALL));
- private static final Privilege SQOOP_SERVER1_JOB1_READ =
- create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), new KeyValue("action", SqoopActionConstant.READ));
- private static final Privilege SQOOP_SERVER1_JOB1_WRITE =
- create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"), new KeyValue("action", SqoopActionConstant.WRITE));
-
- private static final Privilege SQOOP_SERVER1_LINK1_ALL =
- create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), new KeyValue("action", SqoopActionConstant.ALL));
- private static final Privilege SQOOP_SERVER1_LINK1_READ =
- create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), new KeyValue("action", SqoopActionConstant.READ));
- private static final Privilege SQOOP_SERVER1_LINK1_WRITE =
- create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"), new KeyValue("action", SqoopActionConstant.WRITE));
-
- private static final Privilege SQOOP_SERVER1_CONNECTOR1_ALL =
- create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), new KeyValue("action", SqoopActionConstant.ALL));
- private static final Privilege SQOOP_SERVER1_CONNECTOR1_READ =
- create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), new KeyValue("action", SqoopActionConstant.READ));
- private static final Privilege SQOOP_SERVER1_CONNECTOR1_WRITE =
- create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"), new KeyValue("action", SqoopActionConstant.WRITE));
-
-
- @Test
- public void testSimpleAction() throws Exception {
- //server
- assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ));
- assertFalse(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_WRITE));
- //connector
- assertFalse(SQOOP_SERVER1_CONNECTOR1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_READ));
- assertFalse(SQOOP_SERVER1_CONNECTOR1_READ.implies(SQOOP_SERVER1_CONNECTOR1_WRITE));
- //job
- assertFalse(SQOOP_SERVER1_JOB1_READ.implies(SQOOP_SERVER1_JOB1_WRITE));
- assertFalse(SQOOP_SERVER1_JOB1_WRITE.implies(SQOOP_SERVER1_JOB1_READ));
- //link
- assertFalse(SQOOP_SERVER1_LINK1_READ.implies(SQOOP_SERVER1_LINK1_WRITE));
- assertFalse(SQOOP_SERVER1_LINK1_WRITE.implies(SQOOP_SERVER1_LINK1_READ));
- }
-
- @Test
- public void testShorterThanRequest() throws Exception {
- //job
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_ALL));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_READ));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE));
-
- assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ));
- assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_JOB1_READ));
- assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_JOB1_WRITE));
-
- //link
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_ALL));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_READ));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE));
-
- assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_LINK1_READ));
- assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_LINK1_WRITE));
-
- //connector
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_ALL));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE));
-
- assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_CONNECTOR1_READ));
- assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_WRITE));
- }
-
- @Test
- public void testActionAll() throws Exception {
- //server
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_READ));
- assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_WRITE));
-
- //job
- assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_READ));
- assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE));
-
- //link
- assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_READ));
- assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE));
-
- //connector
- assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ));
- assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE));
- }
-
- @Test
- public void testUnexpected() throws Exception {
- Privilege p = new Privilege() {
- @Override
- public boolean implies(Privilege p) {
- return false;
- }
- };
- Privilege job1 = create(new KeyValue("SERVER", "server"), new KeyValue("JOB", "job1"));
- assertFalse(job1.implies(null));
- assertFalse(job1.implies(p));
- assertFalse(job1.equals(null));
- assertFalse(job1.equals(p));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("", "server1")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("SERVER", "")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("SERVER", "server1"), "")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
-
- static SqoopWildcardPrivilege create(KeyValue... keyValues) {
- return create(AUTHORIZABLE_JOINER.join(keyValues));
-
- }
- static SqoopWildcardPrivilege create(String s) {
- return new SqoopWildcardPrivilege(s);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/resources/log4j.properties b/sentry-policy/sentry-policy-sqoop/src/test/resources/log4j.properties
deleted file mode 100644
index 7703069..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Define some default values that can be overridden by system properties.
-#
-# For testing, it may also be convenient to specify
-
-log4j.rootLogger=DEBUG,console
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
-
-log4j.logger.org.apache.hadoop.conf.Configuration=INFO
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini b/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index a4ab5d1..0000000
--- a/sentry-policy/sentry-policy-sqoop/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,40 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-developer = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role,\
- jobs_analyst_role,links_analyst_role
-analyst = jobs_analyst_role,links_analyst_role
-connectors_operator = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role
-jobs_analyst = jobs_analyst_role
-job1_2_operator = job1_role,job2_role
-links_analyst = links_analyst_role
-link1_2_operator = link1_role,link2_role
-admin = admin_role
-
-[roles]
-admin_role = server=server1->action=*
-jdbc_connector_role = server=server1->connector=generic-jdbc-connector->action=read
-hdfs_connector_role = server=server1->connector=hdfs-connector->action=read
-kafka_connector_role = server=server1->connector=kafka-connector->action=read
-kite_connector_role = server=server1->connector=kite-connector->action=read
-jobs_analyst_role = server=server1->job=all->action=*
-job1_role = server=server1->job=job1->action=read
-job2_role = server=server1->job=job2->action=read
-links_analyst_role = server=server1->link=all->action=*
-link1_role = server=server1->link=link1->action=read
-link2_role = server=server1->link=link2->action=read
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
index bcd3312..e45799f 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -21,6 +21,7 @@ import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Groups;
+import org.apache.sentry.core.common.Model;
import org.apache.sentry.policy.common.PolicyEngine;
import com.google.common.annotations.VisibleForTesting;
@@ -35,18 +36,20 @@ public class HadoopGroupResourceAuthorizationProvider extends
// resource parameter present so that other AuthorizationProviders (e.g.
// LocalGroupResourceAuthorizationProvider) has the same constructor params.
- public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException {
- this(new Configuration(), resource, policy);
+ public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
+ Model model) throws IOException {
+ this(new Configuration(), resource, policy, model);
}
- public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException { //NOPMD
- this(policy, new HadoopGroupMappingService(getGroups(conf)));
+ public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD
+ PolicyEngine policy, Model model) throws IOException {
+ this(policy, new HadoopGroupMappingService(getGroups(conf)), model);
}
@VisibleForTesting
public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
- super(policy, groupService);
+ GroupMappingService groupService, Model model) {
+ super(policy, groupService, model);
}
private static Groups getGroups(Configuration conf) {
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
index ae674aa..4cf629b 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
@@ -16,7 +16,7 @@
*/
package org.apache.sentry.provider.common;
-import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
import com.google.common.collect.ImmutableList;
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
index b023c9a..95b4b98 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -16,10 +16,10 @@
*/
package org.apache.sentry.provider.common;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_NAME;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
import java.util.ArrayList;
import java.util.HashSet;
@@ -29,6 +29,7 @@ import java.util.Set;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.policy.common.PolicyEngine;
@@ -58,12 +59,14 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
private final GroupMappingService groupService;
private final PolicyEngine policy;
private final PrivilegeFactory privilegeFactory;
+ private final Model model;
public ResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
+ GroupMappingService groupService, Model model) {
this.policy = policy;
this.groupService = groupService;
this.privilegeFactory = policy.getPrivilegeFactory();
+ this.model = model;
}
/***
@@ -110,7 +113,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
/*
* Does the permission granted in the policy file imply the requested action?
*/
- boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege));
+ boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege), model);
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
new Object[]{ permission, requestPrivilege, roleSet, result});
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
index 8674700..2214867 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
@@ -20,6 +20,7 @@ package org.apache.sentry.provider.file;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Model;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.GroupMappingService;
@@ -32,18 +33,19 @@ import com.google.common.annotations.VisibleForTesting;
public class HadoopGroupResourceAuthorizationProvider extends
org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider {
- public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException {
- super(resource, policy);
+ public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException {
+ super(resource, policy, model);
}
- public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException {
- super(conf, resource, policy);
+ public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource,
+ PolicyEngine policy, Model model) throws IOException {
+ super(conf, resource, policy, model);
}
@VisibleForTesting
public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
- GroupMappingService groupService) {
- super(policy, groupService);
+ GroupMappingService groupService, Model model) {
+ super(policy, groupService, model);
}
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
index 402574e..2b402a0 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
@@ -35,7 +35,7 @@ public class TestGetGroupMapping {
private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
public TestResourceAuthorizationProvider(PolicyEngine policy,
GroupMappingService groupService) {
- super(policy, groupService);
+ super(policy, groupService, null);
}
};
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index eb9de88..86e27e4 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -104,11 +104,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy-search</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy-kafka</artifactId>
+ <artifactId>sentry-policy-engine</artifactId>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
index 3c00d23..0ac39f4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
@@ -17,8 +17,8 @@
*/
package org.apache.sentry.provider.db.generic.service.persistent;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
import java.util.List;
import org.apache.sentry.core.common.Authorizable;
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
index 58be24d..19c8dd8 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
@@ -17,8 +17,8 @@
*/
package org.apache.sentry.provider.db.generic.service.thrift;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
import java.lang.reflect.Constructor;
import java.util.HashSet;
@@ -29,9 +29,9 @@ import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.policy.common.KeyValue;
-import org.apache.sentry.policy.common.PolicyConstants;
+import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.provider.common.AuthorizationComponent;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.SentryAlreadyExistsException;
@@ -271,11 +271,11 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
for (Authorizable authorizable : authorizables) {
- privileges.add(PolicyConstants.KV_JOINER.join(authorizable.getTypeName(),
+ privileges.add(SentryConstants.KV_JOINER.join(authorizable.getTypeName(),
authorizable.getName()));
}
- return PolicyConstants.AUTHORIZABLE_JOINER.join(privileges);
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
} else {
return "";
}
@@ -307,7 +307,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
return authorizables;
}
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
KeyValue tempKV = new KeyValue(authorizable);
final String key = tempKV.getKey();
final String value = tempKV.getValue();
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java
index ca88c25..af73755 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java
@@ -19,12 +19,12 @@
package org.apache.sentry.provider.db.generic.tools;
import com.google.common.collect.Lists;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
-import org.apache.sentry.policy.common.KeyValue;
-import org.apache.sentry.policy.common.PolicyConstants;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.sentry.policy.kafka.KafkaModelAuthorizables;
-import org.apache.sentry.policy.kafka.KafkaPrivilegeValidator;
+import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
+import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
import org.apache.sentry.provider.common.PolicyFileConstants;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
@@ -48,7 +48,7 @@ public class KafkaTSentryPrivilegeConvertor implements TSentryPrivilegeConverto
validatePrivilegeHierarchy(privilegeStr);
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
KeyValue keyValue = new KeyValue(authorizable);
String key = keyValue.getKey();
String value = keyValue.getValue();
@@ -84,23 +84,23 @@ public class KafkaTSentryPrivilegeConvertor implements TSentryPrivilegeConverto
if (it != null) {
while (it.hasNext()) {
TAuthorizable tAuthorizable = it.next();
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
tAuthorizable.getType(), tAuthorizable.getName()));
}
}
if (!authorizables.isEmpty()) {
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
}
// only append the grant option to privilege string if it's true
if ("true".equals(grantOption)) {
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
}
}
- return PolicyConstants.AUTHORIZABLE_JOINER.join(privileges);
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
}
private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
index bf91f52..d25ce4b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
@@ -27,9 +27,9 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.KeyValue;
-import org.apache.sentry.policy.common.PolicyConstants;
-import org.apache.sentry.policy.search.SimpleSearchPolicyEngine;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
@@ -88,7 +88,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon {
SimpleFileProviderBackend policyFileBackend =
new SimpleFileProviderBackend(conf, policyFile);
ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(SimpleSearchPolicyEngine.createPrivilegeValidators());
+ context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
policyFileBackend.initialize(context);
if (validate) {
validatePolicy(policyFileBackend);
@@ -123,7 +123,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon {
for (String permission : privileges) {
String action = null;
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
trimResults().split(permission)) {
KeyValue kv = new KeyValue(authorizable);
String key = kv.getKey();
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConvertor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConvertor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConvertor.java
index 8dffe94..12c833e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConvertor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConvertor.java
@@ -20,14 +20,14 @@ package org.apache.sentry.provider.db.generic.tools;
import com.google.common.collect.Lists;
+import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.policy.common.PolicyConstants;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.sentry.policy.search.SearchModelAuthorizables;
-import org.apache.sentry.policy.search.SimpleSearchPolicyEngine;
-import org.apache.sentry.policy.common.KeyValue;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.search.SearchModelAuthorizables;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.provider.common.PolicyFileConstants;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
@@ -61,7 +61,7 @@ public class SolrTSentryPrivilegeConvertor implements TSentryPrivilegeConvertor
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
KeyValue keyValue = new KeyValue(authorizable);
String key = keyValue.getKey();
String value = keyValue.getValue();
@@ -104,27 +104,27 @@ public class SolrTSentryPrivilegeConvertor implements TSentryPrivilegeConvertor
if (it != null) {
while (it.hasNext()) {
TAuthorizable tAuthorizable = it.next();
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
tAuthorizable.getType(), tAuthorizable.getName()));
}
}
if (!authorizables.isEmpty()) {
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
}
// only append the grant option to privilege string if it's true
if ("true".equals(grantOption)) {
- privileges.add(PolicyConstants.KV_JOINER.join(
+ privileges.add(SentryConstants.KV_JOINER.join(
PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
}
}
- return PolicyConstants.AUTHORIZABLE_JOINER.join(privileges);
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
}
private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
- List<PrivilegeValidator> validators = SimpleSearchPolicyEngine.createPrivilegeValidators();
+ List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators();
PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
for (PrivilegeValidator validator : validators) {
try {
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
index 13b48ea..59161f0 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
@@ -17,8 +17,8 @@ vim * Licensed to the Apache Software Foundation (ASF) under one
*/
package org.apache.sentry.provider.db.service.model;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
import java.lang.reflect.Field;
import java.util.HashSet;