Posted to commits@sentry.apache.org by gc...@apache.org on 2014/03/05 01:14:39 UTC
[3/4] SENTRY-122: Refactor provider/policy API to allow for DB-policy
provider (Brock Noland via Gregory Chanan)
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
deleted file mode 100644
index 48b36a6..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseRequiredInRole extends AbstractDBRoleValidator {
-
- @Override
- public void validate(@Nullable String database, String role) throws ConfigurationException {
- /*
- * Rule only applies to rules in per database policy file
- */
- if(database != null) {
- Iterable<DBModelAuthorizable> authorizables = parseRole(role);
- /*
- * Each permission in a non-global file must have a database
- * object except for URIs.
- *
- * We allow URIs to be specified in the per DB policy file for
- * ease of mangeability. URIs will contain to remain server scope
- * objects.
- */
- boolean foundDatabaseInAuthorizables = false;
- boolean foundURIInAuthorizables = false;
- boolean allowURIInAuthorizables = false;
-
- if ("true".equalsIgnoreCase(
- System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
- allowURIInAuthorizables = true;
- }
-
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Database) {
- foundDatabaseInAuthorizables = true;
- }
- if (authorizable instanceof AccessURI) {
- if (foundDatabaseInAuthorizables) {
- String msg = "URI object is specified at DB scope in " + role;
- throw new ConfigurationException(msg);
- }
- foundURIInAuthorizables = true;
- }
- }
- if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
- String msg = "Missing database object in " + role;
- throw new ConfigurationException(msg);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
index 8ddf1dd..1848a32 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
@@ -16,25 +16,25 @@
*/
package org.apache.sentry.policy.db;
-import javax.annotation.Nullable;
-
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
import org.apache.shiro.config.ConfigurationException;
-public class ServerNameMustMatch extends AbstractDBRoleValidator {
+public class ServerNameMustMatch extends AbstractDBPrivilegeValidator {
private final String serverName;
public ServerNameMustMatch(String serverName) {
this.serverName = serverName;
}
@Override
- public void validate(@Nullable String database, String role) throws ConfigurationException {
- Iterable<DBModelAuthorizable> authorizables = parseRole(role);
+ public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
for(DBModelAuthorizable authorizable : authorizables) {
if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
String msg = "Server name " + authorizable.getName() + " in "
- + role + " is invalid. Expected " + serverName;
+ + privilege + " is invalid. Expected " + serverName;
throw new ConfigurationException(msg);
}
}
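Review bot: The constructor shown as context stores `serverName` without a null check, and `validate` then calls `serverName.equalsIgnoreCase(...)`. A null server name would therefore surface as a NullPointerException on the first Server authorizable rather than as a configuration error when the validator is built. The new public factory `createPrivilegeValidators(String serverName)` in SimpleDBPolicyEngine makes this constructor reachable from more callers, so a guard such as `if (serverName == null) throw new IllegalArgumentException("serverName must not be null");` in the constructor would make the failure explicit. The closing braces of `validate` and the class are outside this hunk.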
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
index 9445b0b..b729ec3 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
@@ -16,21 +16,21 @@
*/
package org.apache.sentry.policy.db;
-import javax.annotation.Nullable;
-
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
import org.apache.shiro.config.ConfigurationException;
-public class ServersAllIsInvalid extends AbstractDBRoleValidator {
+public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
@Override
- public void validate(@Nullable String database, String role) throws ConfigurationException {
- Iterable<DBModelAuthorizable> authorizables = parseRole(role);
+ public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
for(DBModelAuthorizable authorizable : authorizables) {
if(authorizable instanceof Server &&
authorizable.getName().equals(Server.ALL.getName())) {
- String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + role;
+ String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
throw new ConfigurationException(msg);
}
}
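Review bot: The wildcard check in `validate` compares `authorizable.getName()` with `Server.ALL.getName()` using case-sensitive `equals`, while ServerNameMustMatch in the same commit compares server names with `equalsIgnoreCase`. The value of `Server.ALL.getName()` is not visible here. If it contains letters and later privilege matching is case-insensitive, a case variant would pass this validator. Either use `Server.ALL.getName().equalsIgnoreCase(authorizable.getName())` or add a one-line comment stating why an exact match is sufficient. The end of `validate` is outside this hunk.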
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index 1d01b47..7ea5a06 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -16,33 +16,19 @@
*/
package org.apache.sentry.policy.db;
-import javax.annotation.Nullable;
+import java.util.Set;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PrivilegeFactory;
import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.RoleValidator;
+import org.apache.sentry.policy.common.PrivilegeValidator;
import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.Roles;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
public class SimpleDBPolicyEngine implements PolicyEngine {
@@ -51,119 +37,47 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
- private ProviderBackend providerBackend;
- private String serverName;
- private List<? extends RoleValidator> validators;
+ private final ProviderBackend providerBackend;
public SimpleDBPolicyEngine(String serverName, ProviderBackend providerBackend) {
- validators = Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),
- new DatabaseRequiredInRole(), new ServerNameMustMatch(serverName));
this.providerBackend = providerBackend;
- this.providerBackend.process(validators);
- this.serverName = serverName;
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(true);
+ context.setValidators(createPrivilegeValidators(serverName));
+ this.providerBackend.initialize(context);
}
/**
* {@inheritDoc}
*/
@Override
- public PermissionFactory getPermissionFactory() {
- return new DBWildcardPermission.DBWildcardPermissionFactory();
+ public PrivilegeFactory getPrivilegeFactory() {
+ return new DBWildcardPrivilege.DBWildcardPrivilegeFactory();
}
/**
* {@inheritDoc}
*/
@Override
- public ImmutableSetMultimap<String, String> getPermissions(
- List<? extends Authorizable> authorizables, List<String> groups)
+ public ImmutableSet<String> getPrivileges(Set<String> groups)
throws SentryConfigurationException {
- String database = null;
- Boolean isURI = false;
- for(Authorizable authorizable : authorizables) {
- if(authorizable instanceof Database) {
- database = authorizable.getName();
- }
- if (authorizable instanceof AccessURI) {
- isURI = true;
- }
- }
-
if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for {} via {}", groups, database);
+ LOGGER.debug("Getting permissions for {}", groups);
}
- ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
- for(String group : groups) {
- resultBuilder.putAll(group, getDBRoles(database, group, isURI, providerBackend.getRoles()));
- }
- ImmutableSetMultimap<String, String> result = resultBuilder.build();
+ ImmutableSet<String> result = providerBackend.getPrivileges(groups);
if(LOGGER.isDebugEnabled()) {
LOGGER.debug("result = " + result);
}
return result;
}
- private ImmutableSet<String> getDBRoles(@Nullable String database,
- String group, Boolean isURI, Roles roles) {
- ImmutableSetMultimap<String, String> globalRoles = roles.getGlobalRoles();
- ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = roles.getPerDatabaseRoles();
- ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
- String allowURIPerDbFile =
- System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE);
- Boolean consultPerDbRolesForURI = isURI && ("true".equalsIgnoreCase(allowURIPerDbFile));
-
- // handle Database.ALL
- if (Database.ALL.getName().equals(database)) {
- for(Entry<String, ImmutableSetMultimap<String, String>> dbListEntry : perDatabaseRoles.entrySet()) {
- if (dbListEntry.getValue().containsKey(group)) {
- resultBuilder.addAll(dbListEntry.getValue().get(group));
- }
- }
- } else if(database != null) {
- ImmutableSetMultimap<String, String> dbPolicies = perDatabaseRoles.get(database);
- if(dbPolicies != null && dbPolicies.containsKey(group)) {
- resultBuilder.addAll(dbPolicies.get(group));
- }
- }
-
- if (consultPerDbRolesForURI) {
- for(String db : perDatabaseRoles.keySet()) {
- ImmutableSetMultimap<String, String> dbPolicies = perDatabaseRoles.get(db);
- if(dbPolicies != null && dbPolicies.containsKey(group)) {
- resultBuilder.addAll(dbPolicies.get(group));
- }
- }
- }
-
- if(globalRoles.containsKey(group)) {
- resultBuilder.addAll(globalRoles.get(group));
- }
- ImmutableSet<String> result = resultBuilder.build();
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Database {}, Group {}, Result {}",
- new Object[]{ database, group, result});
- }
- return result;
- }
-
@Override
public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
- this.providerBackend.validatePolicy(validators, strictValidation);
+ this.providerBackend.validatePolicy(strictValidation);
}
- @Override
- public ImmutableSet<String> listPermissions(String groupName) throws SentryConfigurationException {
- return getDBRoles(Database.ALL.getName(), groupName, true, providerBackend.getRoles());
+ public static ImmutableList<PrivilegeValidator> createPrivilegeValidators(String serverName) {
+ return ImmutableList.<PrivilegeValidator>of(new ServersAllIsInvalid(), new DatabaseMustMatch(),
+ new DatabaseRequiredInPrivilege(), new ServerNameMustMatch(serverName));
}
-
- @Override
- public ImmutableSet<String> listPermissions(List<String> groupNames)
- throws SentryConfigurationException {
- ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
- for (String groupName : groupNames) {
- resultBuilder.addAll(listPermissions(groupName));
- }
- return resultBuilder.build();
- }
-
}
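Review bot: `getPrivileges(Set<String> groups)` now returns `providerBackend.getPrivileges(groups)` unchanged, so the per-database narrowing and the `sentry.allow.uri.db.policyfile` check that the removed `getDBRoles` performed no longer happen in this class, and nothing in the hunk documents where that scoping lives now. Presumably it is enforced by the backend together with the validators handed over in `context.setValidators(...)`, but that is not visible here and should be confirmed. A comment on the method would help the next reader of this authorization path, for example `// No database scoping here: the ProviderBackend returns every privilege for the groups; per-database rules are checked by the validators from createPrivilegeValidators().` The constant `ACCESS_ALLOW_URI_PER_DB_POLICYFILE` is still declared although this class no longer reads it, and the debug message `"Getting permissions for {}"` still uses the old term; `"Getting privileges for {}"` would match the renamed API.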
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
index 89ca737..b4ed2e5 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
@@ -18,15 +18,12 @@ package org.apache.sentry.policy.db;
import java.io.File;
import java.io.IOException;
-import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import junit.framework.Assert;
import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.policy.common.PolicyEngine;
import org.junit.After;
import org.junit.AfterClass;
@@ -34,7 +31,6 @@ import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
-import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.common.io.Files;
@@ -49,7 +45,6 @@ public abstract class AbstractTestSimplePolicyEngine {
private static final String PERM_SERVER1_ADMIN = "server=server1";
private PolicyEngine policy;
private static File baseDir;
- private List<Authorizable> authorizables = Lists.newArrayList();
@BeforeClass
public static void setupClazz() throws IOException {
@@ -93,7 +88,7 @@ public abstract class AbstractTestSimplePolicyEngine {
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("manager")).values())
+ new TreeSet<String>(policy.getPrivileges(set("manager")))
.toString());
}
@@ -103,7 +98,7 @@ public abstract class AbstractTestSimplePolicyEngine {
PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
PERM_SERVER1_JUNIOR_ANALYST_READ));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("analyst")).values())
+ new TreeSet<String>(policy.getPrivileges(set("analyst")))
.toString());
}
@@ -113,7 +108,7 @@ public abstract class AbstractTestSimplePolicyEngine {
.newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("jranalyst")).values())
+ new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
.toString());
}
@@ -121,43 +116,40 @@ public abstract class AbstractTestSimplePolicyEngine {
public void testAdmin() throws Exception {
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("admin")).values())
+ new TreeSet<String>(policy.getPrivileges(set("admin")))
.toString());
}
@Test
public void testOtherGroup() throws Exception {
- authorizables.add(new Database("other_group_db"));
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("other_group")).values())
+ new TreeSet<String>(policy.getPrivileges(set("other_group")))
.toString());
}
@Test
public void testDbAll() throws Exception {
- authorizables.add(new Database(Database.ALL.getName()));
Set<String> expected = Sets.newTreeSet(Sets
.newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("jranalyst")).values())
+ new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
.toString());
}
@Test
public void testDbAllforOtherGroup() throws Exception {
- authorizables.add(new Database(Database.ALL.getName()));
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPermissions(authorizables, list("other_group")).values())
+ new TreeSet<String>(policy.getPrivileges(set("other_group")))
.toString());
}
- private static List<String> list(String... values) {
- return Lists.newArrayList(values);
+ private static Set<String> set(String... values) {
+ return Sets.newHashSet(values);
}
}
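Review bot: With the `authorizables` setup lines removed, `testDbAllforOtherGroup` is now identical to `testOtherGroup`: both build the same expected set and call `policy.getPrivileges(set("other_group"))`. `testDbAll` likewise makes the same `set("jranalyst")` assertion as the test changed in the hunk at -113. These tests no longer exercise any database-specific behaviour, so the suite has lost its coverage of per-database scoping without a replacement in this file. Either delete the duplicates or replace them with a case that pins the new contract, such as asserting that a group defined only in one database's policy section receives exactly that section's privileges and nothing from the others.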
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
index d8d68b7..661deff 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
@@ -17,10 +17,11 @@
package org.apache.sentry.policy.db;
import java.io.IOException;
+
import org.apache.sentry.provider.file.SimpleFileProviderBackend;
public class DBPolicyFileBackend extends SimpleDBPolicyEngine {
- public DBPolicyFileBackend(String resource, String server) throws IOException{
+ public DBPolicyFileBackend(String server, String resource) throws IOException{
super(server, new SimpleFileProviderBackend(resource));
}
}
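Review bot: The constructor's two `String` parameters are swapped from `(resource, server)` to `(server, resource)`, so any caller that was not updated still compiles and silently passes the policy file path as the server name. This message is part 3 of 4 and the call sites are not visible here, so check each `new DBPolicyFileBackend(...)` in the test tree against the new order. A short Javadoc on the constructor would also make the order explicit, for example `/** @param server server name checked by the validators; @param resource policy file resource */`.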
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
index 23b03d4..70f5e79 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
@@ -20,13 +20,11 @@ package org.apache.sentry.policy.db;
import static junit.framework.Assert.assertEquals;
import static junit.framework.Assert.assertNull;
-
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.core.model.db.View;
-import org.apache.sentry.policy.db.DBModelAuthorizables;
import org.junit.Test;
public class TestDBModelAuthorizables {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
deleted file mode 100644
index 2024cd8..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.file.KeyValue;
-import org.apache.shiro.authz.Permission;
-import org.junit.Test;
-
-public class TestDBWildcardPermission {
-
- private static final String ALL = AccessConstants.ALL;
-
- private static final Permission ROLE_SERVER_SERVER1_DB_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
- private static final Permission ROLE_SERVER_SERVER1_DB_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Permission ROLE_SERVER_SERVER2_DB_ALL =
- create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
- private static final Permission ROLE_SERVER_SERVER2_DB_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Permission ROLE_SERVER_ALL_DB_ALL =
- create(new KeyValue("server", ALL), new KeyValue("db", ALL));
- private static final Permission ROLE_SERVER_ALL_DB_DB1 =
- create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
- private static final Permission ROLE_SERVER_SERVER1_URI_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1"));
- private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/"));
- private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
- private static final Permission ROLE_SERVER_SERVER1 =
- create(new KeyValue("server", "server1"));
-
-
- private static final Permission REQUEST_SERVER1_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Permission REQUEST_SERVER2_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Permission REQUEST_SERVER1_DB2 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
- private static final Permission REQUEST_SERVER2_DB2 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
- private static final Permission REQUEST_SERVER1_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1/some/file"));
- private static final Permission REQUEST_SERVER1_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
- private static final Permission REQUEST_SERVER1_OTHER =
- create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
- private static final Permission REQUEST_SERVER1 =
- create(new KeyValue("server", "server2"));
-
- @Test
- public void testOther() throws Exception {
- assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
- assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
- }
- @Test
- public void testRoleShorterThanRequest() throws Exception {
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
- }
- @Test
- public void testRolesAndRequests() throws Exception {
- // ROLE_SERVER_SERVER1_DB_ALL
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
- // ROLE_SERVER_SERVER1_DB_DB1
- assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
- // ROLE_SERVER_SERVER2_DB_ALL
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
- // ROLE_SERVER_SERVER2_DB_DB1
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
- // ROLE_SERVER_ALL_DB_ALL
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
- // ROLE_SERVER_ALL_DB_DB1
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
- // uri
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
- assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
- // test inverse
- assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
- };
- @Test
- public void testUnexpected() throws Exception {
- Permission p = new Permission() {
- @Override
- public boolean implies(Permission p) {
- return false;
- }
- };
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
- assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
- create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
- }
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("", "db1")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("db", "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("server", "server1"), "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
- @Test
- public void testImpliesURIPositive() throws Exception {
- assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/some/dir"));
- assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path"));
- assertTrue(DBWildcardPermission.impliesURI("file:///path",
- "file:///path/to/some/dir"));
- assertTrue(DBWildcardPermission.impliesURI("file:///path",
- "file:///path"));
- }
- @Test
- public void testImpliesURINegative() throws Exception {
- // relative path
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/../../other"));
- assertFalse(DBWildcardPermission.impliesURI("file:///path",
- "file:///path/to/../../other"));
- // bad policy
- assertFalse(DBWildcardPermission.impliesURI("blah",
- "hdfs://namenode:8020/path/to/some/dir"));
- // bad request
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "blah"));
- // scheme
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "file:///path/to/some/dir"));
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "file://namenode:8020/path/to/some/dir"));
- // hostname
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode1:8020/path",
- "hdfs://namenode2:8020/path/to/some/dir"));
- // port
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8021/path/to/some/dir"));
- // mangled path
- assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/pathFooBar"));
- // ends in /
- assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
- "hdfs://namenode:8020/path/FooBar"));
- }
- static DBWildcardPermission create(KeyValue... keyValues) {
- return create(AUTHORIZABLE_JOINER.join(keyValues));
-
- }
- static DBWildcardPermission create(String s) {
- return new DBWildcardPermission(s);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
new file mode 100644
index 0000000..f4862e0
--- /dev/null
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
@@ -0,0 +1,286 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.db;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.provider.file.KeyValue;
+import org.junit.Test;
+
+public class TestDBWildcardPrivilege {
+
+ private static final String ALL = AccessConstants.ALL;
+
+ private static final Privilege ROLE_SERVER_SERVER1_DB_ALL =
+ create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
+ private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+ private static final Privilege ROLE_SERVER_SERVER2_DB_ALL =
+ create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
+ private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+ private static final Privilege ROLE_SERVER_ALL_DB_ALL =
+ create(new KeyValue("server", ALL), new KeyValue("db", ALL));
+ private static final Privilege ROLE_SERVER_ALL_DB_DB1 =
+ create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
+
+ private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri1"));
+ private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri2/"));
+ private static final Privilege ROLE_SERVER_SERVER1_URI_ALL =
+ create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
+
+
+ private static final Privilege ROLE_SERVER_SERVER1 =
+ create(new KeyValue("server", "server1"));
+
+
+ private static final Privilege REQUEST_SERVER1_DB1 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+ private static final Privilege REQUEST_SERVER2_DB1 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+ private static final Privilege REQUEST_SERVER1_DB2 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
+ private static final Privilege REQUEST_SERVER2_DB2 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
+
+ private static final Privilege REQUEST_SERVER1_URI1 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri1/some/file"));
+ private static final Privilege REQUEST_SERVER1_URI2 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri2/some/other/file"));
+
+ private static final Privilege REQUEST_SERVER1_OTHER =
+ create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
+
+ private static final Privilege REQUEST_SERVER1 =
+ create(new KeyValue("server", "server2"));
+
+ @Test
+ public void testOther() throws Exception {
+ assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
+ assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
+ }
+ @Test
+ public void testRoleShorterThanRequest() throws Exception {
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
+ assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
+ assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
+
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
+ }
+ @Test
+ public void testRolesAndRequests() throws Exception {
+ // ROLE_SERVER_SERVER1_DB_ALL
+ assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
+ assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
+ assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
+ assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
+
+ // ROLE_SERVER_SERVER1_DB_DB1
+ assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
+ assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
+
+ // ROLE_SERVER_SERVER2_DB_ALL
+ assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
+ assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
+ assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
+ assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+ // test inverse
+ assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
+ assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
+
+ // ROLE_SERVER_SERVER2_DB_DB1
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
+ assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+ assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
+
+ // ROLE_SERVER_ALL_DB_ALL
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
+ assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
+ assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
+
+ // ROLE_SERVER_ALL_DB_DB1
+ assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
+ assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
+
+ // uri
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+ assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
+ assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+ assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
+ assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
+ assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
+ assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
+ assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
+ // test inverse
+ assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
+ assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
+ assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
+ assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
+ };
+ @Test
+ public void testUnexpected() throws Exception {
+ Privilege p = new Privilege() {
+ @Override
+ public boolean implies(Privilege p) {
+ return false;
+ }
+ };
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
+
+ assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
+ create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testNullString() throws Exception {
+ System.out.println(create((String)null));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyString() throws Exception {
+ System.out.println(create(""));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(create(KV_JOINER.join("", "db1")));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(create(KV_JOINER.join("db", "")));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyPart() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_JOINER.join("server", "server1"), "")));
+ }
+ @Test(expected=IllegalArgumentException.class)
+ public void testOnlySeperators() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+ }
+ @Test
+ public void testImpliesURIPositive() throws Exception {
+ assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "hdfs://namenode:8020/path/to/some/dir"));
+ assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "hdfs://namenode:8020/path"));
+ assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
+ "file:///path/to/some/dir"));
+ assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
+ "file:///path"));
+ }
+ @Test
+ public void testImpliesURINegative() throws Exception {
+ // relative path
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "hdfs://namenode:8020/path/to/../../other"));
+ assertFalse(DBWildcardPrivilege.impliesURI("file:///path",
+ "file:///path/to/../../other"));
+ // bad policy
+ assertFalse(DBWildcardPrivilege.impliesURI("blah",
+ "hdfs://namenode:8020/path/to/some/dir"));
+ // bad request
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "blah"));
+ // scheme
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "file:///path/to/some/dir"));
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "file://namenode:8020/path/to/some/dir"));
+ // hostname
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path",
+ "hdfs://namenode2:8020/path/to/some/dir"));
+ // port
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "hdfs://namenode:8021/path/to/some/dir"));
+ // mangled path
+ assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+ "hdfs://namenode:8020/pathFooBar"));
+ // ends in /
+ assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/",
+ "hdfs://namenode:8020/path/FooBar"));
+ }
+ static DBWildcardPrivilege create(KeyValue... keyValues) {
+ return create(AUTHORIZABLE_JOINER.join(keyValues));
+
+ }
+ static DBWildcardPrivilege create(String s) {
+ return new DBWildcardPrivilege(s);
+ }
+}
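Review bot: `REQUEST_SERVER1_OTHER` and `REQUEST_SERVER1` are both built with `new KeyValue("server", "server2")`, so their names do not match their contents, and `testOther` and `testRoleShorterThanRequest` never exercise a server1 request of those shapes. This class pins the implication rules that authorization decisions rest on, so either rename them (`REQUEST_SERVER2_OTHER`, `REQUEST_SERVER2`) or change the value to `"server1"` and re-check the expected results. Separately, `assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));` appears three times in the `// uri` block of `testRolesAndRequests`. The final `// ends in /` assertion in `testImpliesURINegative` is a positive case and would read better in `testImpliesURIPositive`.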
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
index 948b7ac..f9b00b4 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
@@ -20,6 +20,7 @@ package org.apache.sentry.policy.db;
import junit.framework.Assert;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
import org.apache.shiro.config.ConfigurationException;
import org.junit.Test;
@@ -27,19 +28,19 @@ public class TestDatabaseRequiredInRole {
@Test
public void testURIInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
+ DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
System.setProperty("sentry.allow.uri.db.policyfile", "true");
- dbRequiredInRole.validate("db1",
- "server=server1->URI=file:///user/db/warehouse/tab1");
+ dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+ "server=server1->URI=file:///user/db/warehouse/tab1"));
System.setProperty("sentry.allow.uri.db.policyfile", "false");
}
@Test
public void testURIWithDBInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
+ DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
try {
- dbRequiredInRole.validate("db1",
- "server=server1->db=db1->URI=file:///user/db/warehouse/tab1");
+ dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+ "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
Assert.fail("Expected ConfigurationException");
} catch (ConfigurationException e) {
;
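Review bot: In `testURIInPerDbPolicyFile`, `sentry.allow.uri.db.policyfile` is set to `"true"` and only reset on the line after `validate(...)`, so if that call throws, the setting (which appears to relax the URI check) stays in place for every later test in the same JVM. Wrap the call as `try { dbRequiredInRole.validate(...); } finally { System.clearProperty("sentry.allow.uri.db.policyfile"); }`, or restore the previous value in the `finally`. The local is still named `dbRequiredInRole` although its type is now `DatabaseRequiredInPrivilege`. The body of `testURIWithDBInPerDbPolicyFile` continues past the end of this hunk.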
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
index f348e0e..01f428b 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
@@ -18,14 +18,10 @@ package org.apache.sentry.policy.db;
import java.io.File;
import java.io.IOException;
-import java.util.Arrays;
import junit.framework.Assert;
import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.file.PolicyFile;
import org.junit.After;
@@ -36,7 +32,7 @@ import org.slf4j.LoggerFactory;
import com.google.common.base.Charsets;
import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
import com.google.common.io.Files;
public class TestPolicyParsingNegative {
@@ -75,12 +71,8 @@ public class TestPolicyParsingNegative {
append("other_group = malicious_role", otherPolicyFile);
append("[roles]", otherPolicyFile);
append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1"),
- new Database("other_group_db")
- }), Lists.newArrayList("other_group")).get("other_group");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@Test
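Review bot: `DBPolicyFileBackend` takes two `String` arguments and this change swaps their order, so a call site left in the old order still compiles. The negative tests in this hunk and in the later hunks (`testDatabaseRequiredInRole`, `testServerAll`, `testServerIncorrect`, and the `malicious_role = *` case) only assert `permissions.isEmpty()`, which might also hold if the policy file was never loaded; that cannot be confirmed from this diff. Consider adding a valid rule for the same group next to the malicious one and asserting that exactly that rule is returned, so an empty result is known to come from the rejected rule. The same argument swap appears in TestResourceAuthorizationProviderGeneralCases and TestResourceAuthorizationProviderSpecialCases. The enclosing test method starts above this hunk.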
@@ -93,33 +85,25 @@ public class TestPolicyParsingNegative {
policyFile.addGroupsToUser("admin1", "admin");
policyFile.write(globalPolicyFile);
policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1")
- }), Lists.newArrayList("admin")).get("admin");
+ policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ permissions = policy.getPrivileges(Sets.newHashSet("admin"));
Assert.assertEquals(permissions.toString(), "[server=server1]");
// test to ensure [users] fails parsing of per-db file
policyFile.addDatabase("other", otherPolicyFile.getPath());
policyFile.write(globalPolicyFile);
policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1")
- }), Lists.newArrayList("admin")).get("admin");
+ policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ permissions = policy.getPrivileges(Sets.newHashSet("admin"));
Assert.assertEquals(permissions.toString(), "[server=server1]");
// test to ensure [databases] fails parsing of per-db file
// by removing the user mapping from the per-db policy file
policyFile.removeGroupsFromUser("admin1", "admin")
.write(otherPolicyFile);
- policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1")
- }), Lists.newArrayList("admin")).get("admin");
+ policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ permissions = policy.getPrivileges(Sets.newHashSet("admin"));
Assert.assertEquals(permissions.toString(), "[server=server1]");
}
+
@Test
public void testDatabaseRequiredInRole() throws Exception {
append("[databases]", globalPolicyFile);
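Review bot: The three `Assert.assertEquals(permissions.toString(), "[server=server1]")` checks pass the actual value first and compare the set's string form, so a failure message reports expected and actual the wrong way round and the check depends on `toString()` formatting. `Assert.assertEquals(ImmutableSet.of("server=server1"), permissions);` states the same expectation directly. The first test method starts above this hunk, and `testDatabaseRequiredInRole` continues below it.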
@@ -128,40 +112,30 @@ public class TestPolicyParsingNegative {
append("other_group = malicious_role", otherPolicyFile);
append("[roles]", otherPolicyFile);
append("malicious_role = server=server1", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1"),
- new Database("other_group_db")
- }), Lists.newArrayList("other_group")).get("other_group");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
+
@Test
public void testServerAll() throws Exception {
append("[groups]", globalPolicyFile);
append("group = malicious_role", globalPolicyFile);
append("[roles]", globalPolicyFile);
append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- Server.ALL,
- new Database("some_db")
- }), Lists.newArrayList("group")).get("group");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
+
@Test
public void testServerIncorrect() throws Exception {
append("[groups]", globalPolicyFile);
append("group = malicious_role", globalPolicyFile);
append("[roles]", globalPolicyFile);
append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- Server.ALL,
- new Database("some_db")
- }), Lists.newArrayList("group")).get("group");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -171,12 +145,8 @@ public class TestPolicyParsingNegative {
append("group = malicious_role", globalPolicyFile);
append("[roles]", globalPolicyFile);
append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- Server.ALL,
- new Database("some_db")
- }), Lists.newArrayList("group")).get("group");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -211,30 +181,13 @@ public class TestPolicyParsingNegative {
append("[roles]", db2PolicyFile);
append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
+ PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
// verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1"),
- new Database("db1")
- }), Lists.newArrayList("db1_group")).get("db1_group");
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("db1_group"));
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1"),
- new Database("db2")
- }), Lists.newArrayList("db2_group")).get("db2_group");
+ permissions = policy.getPrivileges(Sets.newHashSet("db2_group"));
Assert.assertEquals(permissions.toString(), 1, permissions.size());
-
- permissions = policy.getPermissions(
- Arrays.asList(new Authorizable[] {
- new Server("server1"),
- new Database("db2")
- }), Lists.newArrayList("db2_group")).get("db2_group");
- Assert.assertEquals(permissions.toString(), 1, permissions.size());
-
}
-
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
index 2f4c20e..e34b3ee 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
@@ -90,7 +90,8 @@ public class TestResourceAuthorizationProviderGeneralCases {
baseDir = Files.createTempDir();
PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
authzProvider = new HadoopGroupResourceAuthorizationProvider(
- new DBPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath(), "server1"),
+ new DBPolicyFileBackend("server1",
+ new File(baseDir, "test-authz-provider.ini").getPath()),
new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
index 688b845..57f7575 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
@@ -25,8 +25,8 @@ import java.util.Set;
import junit.framework.Assert;
import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.DBModelAction;
@@ -73,7 +73,7 @@ public class TestResourceAuthorizationProviderSpecialCases {
.addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(),
"server=" + server1.getName() + "->uri=" + uri.getName());
policyFile.write(iniFile);
- DBPolicyFileBackend policy = new DBPolicyFileBackend(initResource, server1.getName());
+ DBPolicyFileBackend policy = new DBPolicyFileBackend(server1.getName(), initResource);
authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
Assert.assertTrue(authorizableHierarchy.toString(),
@@ -89,7 +89,7 @@ public class TestResourceAuthorizationProviderSpecialCases {
.addRolesToGroup("group1", "role1")
.addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName());
policyFile.write(iniFile);
- DBPolicyFileBackend policy = new DBPolicyFileBackend(initResource, server1.getName());
+ DBPolicyFileBackend policy = new DBPolicyFileBackend(server1.getName(), initResource);
authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
// positive test
List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
index c093dde..f39eacd 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
@@ -18,7 +18,7 @@ package org.apache.sentry.policy.db;
import java.io.File;
import java.io.IOException;
-import java.util.List;
+import java.util.Set;
import junit.framework.Assert;
@@ -26,17 +26,14 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.provider.file.PolicyFile;
import org.apache.sentry.provider.file.PolicyFiles;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
import com.google.common.io.Files;
public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine {
@@ -72,7 +69,8 @@ public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine
fileSystem.delete(etc, true);
fileSystem.mkdirs(etc);
PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
- setPolicy(new DBPolicyFileBackend(new Path(etc, "test-authz-provider.ini").toString(), "server1"));
+ setPolicy(new DBPolicyFileBackend("server1",
+ new Path(etc, "test-authz-provider.ini").toString()));
}
@Override
protected void beforeTeardown() throws IOException {
@@ -104,15 +102,12 @@ public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine
PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile);
PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile);
DBPolicyFileBackend multiFSEngine =
- new DBPolicyFileBackend(globalPolicyFile.getPath(), "server1");
+ new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- List<Authorizable> dbAuthorizables = Lists.newArrayList();
- dbAuthorizables.add(new Server("server1"));
- dbAuthorizables.add(new Database("db11"));
- List<String> dbGroups = Lists.newArrayList();
+ Set<String> dbGroups = Sets.newHashSet();
dbGroups.add("group1");
- ImmutableSetMultimap <String, String> dbPerms =
- multiFSEngine.getPermissions(dbAuthorizables, dbGroups);
+ ImmutableSet<String> dbPerms =
+ multiFSEngine.getPrivileges(dbGroups);
Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
}
}
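Review bot: The only assertion left in this test, `Assert.assertEquals("No DB permissions found", 1, dbPerms.size())`, checks a count and not which privilege was returned. With the `Server`/`Database` hierarchy removed from the call, nothing in the hunk ties the result to the per-database policy file any more. For an authorization backend a single wrong privilege would pass, so I would also assert the content, e.g. `Assert.assertEquals(ImmutableSet.of(EXPECTED_PRIVILEGE), dbPerms);`, where `EXPECTED_PRIVILEGE` is a placeholder for the string the test policy grants to group1. The message text could also say "privileges" to match the renamed `getPrivileges`. The test method starts above this hunk, so how `dbPolicyFile` is populated is not visible here.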
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
index 86ec2fa..cb4e1a2 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineLocalFS.java
@@ -32,7 +32,8 @@ public class TestSimpleDBPolicyEngineLocalFS extends AbstractTestSimplePolicyEng
Assert.assertNotNull(baseDir);
Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
- setPolicy(new DBPolicyFileBackend(new File(baseDir, "test-authz-provider.ini").getPath(), "server1"));
+ setPolicy(new DBPolicyFileBackend("server1",
+ new File(baseDir, "test-authz-provider.ini").getPath()));
}
@Override
protected void beforeTeardown() throws IOException {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
new file mode 100644
index 0000000..a4e611c
--- /dev/null
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchPrivilegeValidator.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.search;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.search.SearchModelAuthorizable;
+import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.shiro.config.ConfigurationException;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.Lists;
+
+public abstract class AbstractSearchPrivilegeValidator implements PrivilegeValidator {
+
+ @VisibleForTesting
+ public static Iterable<SearchModelAuthorizable> parsePrivilege(String string) {
+ List<SearchModelAuthorizable> result = Lists.newArrayList();
+ System.err.println("privilege = " + string);
+ for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
+ // XXX this ugly hack is because action is not an authorizable
+ if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+ SearchModelAuthorizable authorizable = SearchModelAuthorizables.from(section);
+ if(authorizable == null) {
+ String msg = "No authorizable found for " + section;
+ throw new ConfigurationException(msg);
+ }
+ result.add(authorizable);
+ }
+ }
+ return result;
+ }
+
+}
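Review bot: `parsePrivilege` prints every privilege string with `System.err.println("privilege = " + string);`, which looks like leftover debugging in a main-source class. It bypasses the logging configuration and writes the policy's privilege strings to the process's stderr on each call, so I would drop the line or log it at debug level through the project's logger. Separately, `section.toLowerCase()` uses the default locale, so under a locale such as Turkish an upper-case action section may not lower-case to `PRIVILEGE_PREFIX` and would then be handed to `SearchModelAuthorizables.from`. Using `section.toLowerCase(Locale.ROOT)` with `import java.util.Locale;` avoids that. The value of `PRIVILEGE_PREFIX` is not visible on this page, so the locale effect is inferred.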
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchRoleValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchRoleValidator.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchRoleValidator.java
deleted file mode 100644
index 8e7c19f..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/AbstractSearchRoleValidator.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.policy.common.RoleValidator;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractSearchRoleValidator implements RoleValidator {
-
- @VisibleForTesting
- public static Iterable<SearchModelAuthorizable> parseRole(String string) {
- List<SearchModelAuthorizable> result = Lists.newArrayList();
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizeable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- SearchModelAuthorizable authorizable = SearchModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
new file mode 100644
index 0000000..81ff67f
--- /dev/null
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInPrivilege.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.search;
+
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAuthorizable;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
+
+public class CollectionRequiredInPrivilege extends AbstractSearchPrivilegeValidator {
+
+ @Override
+ public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
+ String privilege = context.getPrivilege();
+ Iterable<SearchModelAuthorizable> authorizables = parsePrivilege(privilege);
+ boolean foundCollectionInAuthorizables = false;
+
+ for(SearchModelAuthorizable authorizable : authorizables) {
+ if(authorizable instanceof Collection) {
+ foundCollectionInAuthorizables = true;
+ break;
+ }
+ }
+ if(!foundCollectionInAuthorizables) {
+ String msg = "Missing collection object in " + privilege;
+ throw new SentryConfigurationException(msg);
+ }
+ }
+}
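Review bot: `validate` declares `SentryConfigurationException`, but the `parsePrivilege` call on its second line throws `org.apache.shiro.config.ConfigurationException` for an unrecognised section (see AbstractSearchPrivilegeValidator in this commit). A malformed privilege and a privilege without a collection therefore surface as two different exception types. Unless the Sentry exception is related to the Shiro one, which this page does not show, a caller that handles only `SentryConfigurationException` will let the parse failure escape as an unchecked exception. I would throw `SentryConfigurationException` from the parser, or translate the exception here, so that all policy validation failures take one path. `context.getPrivilege()` is also passed on without a null check, and a line such as `if (privilege == null) throw new SentryConfigurationException("Privilege is null");` would make that failure explicit.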
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInRole.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInRole.java
deleted file mode 100644
index 7f152d9..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/CollectionRequiredInRole.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.search;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-public class CollectionRequiredInRole extends AbstractSearchRoleValidator {
-
- @Override
- public void validate(@Nullable String database, String role) throws ConfigurationException {
- Iterable<SearchModelAuthorizable> authorizables = parseRole(role);
- boolean foundCollectionInAuthorizables = false;
-
- for(SearchModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Collection) {
- foundCollectionInAuthorizables = true;
- break;
- }
- }
-
- if(!foundCollectionInAuthorizables) {
- String msg = "Missing collection object in " + role;
- throw new ConfigurationException(msg);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPermission.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPermission.java
deleted file mode 100644
index 2d2e0bb..0000000
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPermission.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// copied from apache shiro
-
-package org.apache.sentry.policy.search;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-
-import java.io.Serializable;
-import java.util.List;
-
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.policy.common.PermissionFactory;
-import org.apache.sentry.provider.file.KeyValue;
-import org.apache.sentry.provider.file.PolicyFileConstants;
-import org.apache.shiro.authz.Permission;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-public class SearchWildcardPermission implements Permission, Serializable {
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SearchWildcardPermission.class);
- private static final long serialVersionUID = -6785051263922740819L;
-
- private final ImmutableList<KeyValue> parts;
-
- public SearchWildcardPermission(String wildcardString) {
- wildcardString = Strings.nullToEmpty(wildcardString).trim();
- if (wildcardString.isEmpty()) {
- throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
- }
- List<KeyValue>parts = Lists.newArrayList();
- for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
- if (authorizable.isEmpty()) {
- throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
- }
- parts.add(new KeyValue(authorizable));
- }
- if (parts.isEmpty()) {
- throw new AssertionError("Should never occur: " + wildcardString);
- }
- this.parts = ImmutableList.copyOf(parts);
- }
-
-
- @Override
- public boolean implies(Permission p) {
- // By default only supports comparisons with other SearchWildcardPermissions
- if (!(p instanceof SearchWildcardPermission)) {
- return false;
- }
-
- SearchWildcardPermission wp = (SearchWildcardPermission) p;
-
- List<KeyValue> otherParts = wp.parts;
- if(equals(wp)) {
- return true;
- }
- int index = 0;
- for (KeyValue otherPart : otherParts) {
- // If this permission has less parts than the other permission, everything
- // after the number of parts contained
- // in this permission is automatically implied, so return true
- if (parts.size() - 1 < index) {
- return true;
- } else {
- KeyValue part = parts.get(index);
- // are the keys even equal
- if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
- return false;
- }
- if (!impliesKeyValue(part, otherPart)) {
- return false;
- }
- index++;
- }
- }
- // If this permission has more parts than
- // the other parts, only imply it if
- // all of the other parts are wildcards
- for (; index < parts.size(); index++) {
- KeyValue part = parts.get(index);
- if (!part.getValue().equals(SearchConstants.ALL)) {
- return false;
- }
- }
-
- return true;
- }
-
- private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
- Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
- "Please report, this method should not be called with two different keys");
- if(policyPart.getValue().equals(SearchConstants.ALL) || policyPart.equals(requestPart)) {
- return true;
- } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
- && SearchConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
- /* permission request is to match with any object of given type */
- return true;
- }
- return false;
- }
-
- @Override
- public String toString() {
- return AUTHORIZABLE_JOINER.join(parts);
- }
-
- @Override
- public boolean equals(Object o) {
- if (o instanceof SearchWildcardPermission) {
- SearchWildcardPermission wp = (SearchWildcardPermission) o;
- return parts.equals(wp.parts);
- }
- return false;
- }
-
- @Override
- public int hashCode() {
- return parts.hashCode();
- }
-
- public static class SearchWildcardPermissionFactory implements PermissionFactory {
- @Override
- public Permission createPermission(String permission) {
- return new SearchWildcardPermission(permission);
- }
- }
-}