Posted to commits@sentry.apache.org by br...@apache.org on 2014/02/13 17:21:38 UTC

git commit: SENTRY-115: Give bindings the ability to access the group mappings (Gregory Chanan via Brock)

Updated Branches:
  refs/heads/master 7e1ce212f -> 796b4cb56


SENTRY-115: Give bindings the ability to access the group mappings (Gregory Chanan via Brock)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/796b4cb5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/796b4cb5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/796b4cb5

Branch: refs/heads/master
Commit: 796b4cb567e9c9d8616d94a284ef2bae69e0a668
Parents: 7e1ce21
Author: Brock Noland <br...@apache.org>
Authored: Thu Feb 13 08:21:25 2014 -0800
Committer: Brock Noland <br...@apache.org>
Committed: Thu Feb 13 08:21:25 2014 -0800

----------------------------------------------------------------------
 .../binding/solr/authz/SolrAuthzBinding.java    | 13 +++++
 .../binding/solr/TestSolrAuthzBinding.java      | 28 ++++++++++
 .../src/test/resources/test-authz-provider.ini  |  2 +-
 sentry-provider/sentry-provider-common/pom.xml  |  5 ++
 .../provider/common/AuthorizationProvider.java  |  6 +++
 .../common/NoAuthorizationProvider.java         |  5 ++
 .../provider/common/NoGroupMappingService.java  | 33 ++++++++++++
 .../common/TestNoAuthorizationProvider.java     | 39 ++++++++++++++
 .../file/ResourceAuthorizationProvider.java     |  5 ++
 .../provider/file/TestGetGroupMapping.java      | 54 ++++++++++++++++++++
 10 files changed, 189 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 995f376..c6ce53e 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
@@ -32,6 +33,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.common.GroupMappingService;
 import org.apache.sentry.provider.common.ProviderBackend;
 
 import org.slf4j.Logger;
@@ -54,10 +56,12 @@ public class SolrAuthzBinding {
 
   private final SolrAuthzConf authzConf;
   private final AuthorizationProvider authProvider;
+  private final GroupMappingService groupMapping;
 
   public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
     this.authzConf = authzConf;
     this.authProvider = getAuthProvider();
+    this.groupMapping = authProvider.getGroupMapping();
   }
 
   // Instantiate the configured authz provider
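Review bot: The constructor stores whatever `authProvider.getGroupMapping()` returns without checking it, so a provider that returns null would only surface later as a NullPointerException inside `getGroups`. The context comment suggests the provider class is chosen by configuration, so failing at construction would be easier to diagnose: `if (groupMapping == null) { throw new IllegalStateException("authorization provider returned no GroupMappingService"); }` right after the assignment. The rest of the class, including `getAuthProvider()`, lies outside this hunk.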
@@ -122,6 +126,15 @@ public class SolrAuthzBinding {
     }
   }
 
+  /**
+   * Get the list of groups the user belongs to
+   * @param user
+   * @return list of groups the user belongs to
+   */
+  public List<String> getGroups(String user) {
+    return groupMapping.getGroups(user);
+  }
+
   private Configuration getConf() throws IOException {
     Configuration conf = new Configuration();
     String confDir = System.getProperty("solr.hdfs.confdir");
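Review bot: The Javadoc on `getGroups` leaves `@param user` empty and does not say what comes back for a null or unknown user, although the test added in this commit expects an empty list in both cases. I would write `@param user the user name to look up; may be null` and `@return the groups the user belongs to; empty if the user is null or unknown`, worded to match what each GroupMappingService actually guarantees. The method also hands the provider's list back as-is, so the comment should say whether callers may modify it. If group membership feeds authorization decisions, wrapping the result in `Collections.unmodifiableList(...)` would be the safer contract. getConf's body continues outside the hunk.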

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 494a430..b061eec 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -25,6 +25,7 @@ import java.util.List;
 import java.lang.reflect.InvocationTargetException;
 
 import junit.framework.Assert;
+import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertTrue;
 
 import org.apache.commons.io.FileUtils;
@@ -161,6 +162,33 @@ public class TestSolrAuthzBinding {
   }
 
   /**
+   * Test for group mapping
+   */
+  @Test
+  public void testGroupMapping() throws Exception {
+    SolrAuthzConf solrAuthzConf =
+      new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+    setUsableAuthzConf(solrAuthzConf);
+    SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+    List<String> emptyList = Arrays.asList();
+
+    // check non-existant users
+    assertEquals(binding.getGroups(null), emptyList);
+    assertEquals(binding.getGroups("nonExistantUser"), emptyList);
+
+    // check group names don't map to user names
+    assertEquals(binding.getGroups("corporal"), emptyList);
+    assertEquals(binding.getGroups("sergeant"), emptyList);
+    assertEquals(binding.getGroups("general"), emptyList);
+    assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
+
+    // check valid group names
+    assertEquals(binding.getGroups("corporal1"), Arrays.asList("corporal"));
+    assertEquals(binding.getGroups("sergeant1"), Arrays.asList("sergeant"));
+    assertEquals(binding.getGroups("general1"), Arrays.asList("general", "othergeneralgroup"));
+  }
+
+  /**
    * Test that a full sentry-site definition works.
    */
   @Test
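Review bot: The `assertEquals` calls in `testGroupMapping` pass the actual value first and the expected value second, the reverse of JUnit's `assertEquals(expected, actual)`, so a failure message would report the two values the wrong way round. Swapping them, e.g. `assertEquals(Arrays.asList("corporal"), binding.getGroups("corporal1"));`, keeps the diagnostics accurate. The same ordering appears in `TestNoAuthorizationProvider` (`assertEquals(gms.getGroups(null).size(), 0)`) and in the `assertSame` call of `TestGetGroupMapping`.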

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index db9af6e..f8100e0 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -30,4 +30,4 @@ general_role = collection=*->action=*
 [users]
 corporal1=corporal
 sergeant1=sergeant
-general1=general
\ No newline at end of file
+general1=general, othergeneralgroup
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml
index 321f7c6..1e9dc1b 100644
--- a/sentry-provider/sentry-provider-common/pom.xml
+++ b/sentry-provider/sentry-provider-common/pom.xml
@@ -29,6 +29,11 @@ limitations under the License.
 
   <dependencies>
     <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
       <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-core-common</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 4351c3f..1244755 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -38,4 +38,10 @@ public interface AuthorizationProvider {
    */
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy, Set<? extends Action> actions);
 
+  /***
+   * Get the GroupMappingService used by the AuthorizationProvider
+   *
+   * @return GroupMappingService used by the AuthorizationProvider
+   */
+  public GroupMappingService getGroupMapping();
 }
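Review bot: The Javadoc for the new `getGroupMapping()` does not say whether null is a legal return, while SolrAuthzBinding in this commit stores the result and later calls `getGroups` on it. I would state the contract in the comment, e.g. `@return the GroupMappingService used by this provider; never null`, and open the comment with `/**` rather than `/***`. Any AuthorizationProvider implementation maintained outside this tree will stop compiling against the widened interface, or fail with AbstractMethodError if an older binary is loaded, so the change deserves a line in the release notes.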

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index 9cdda97..f48eafe 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -24,6 +24,7 @@ import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 
 public class NoAuthorizationProvider implements AuthorizationProvider {
+  private GroupMappingService noGroupMappingService = new NoGroupMappingService();
 
   @Override
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
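Review bot: The new field `noGroupMappingService` is assigned once and, as far as the visible lines show, never reassigned, so it should be declared `private final GroupMappingService noGroupMappingService = new NoGroupMappingService();`. That matches the `final` fields in SolrAuthzBinding and makes the instance safe to share between threads. The `getGroupMapping()` override that returns it is in the next hunk, and the `hasAccess` signature continues outside this one.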
@@ -31,4 +32,8 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
     return false;
   }
 
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return noGroupMappingService;
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
new file mode 100644
index 0000000..e1bc6d2
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * GroupMappingService that always returns an empty list of groups
+ */
+public class NoGroupMappingService implements GroupMappingService {
+
+  /**
+   * @return empty list of groups for every user
+   */
+  public List<String> getGroups(String user) {
+    return new LinkedList<String>();
+  }
+}
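Review bot: `getGroups` implements the interface method without `@Override`, unlike `NoAuthorizationProvider.getGroupMapping()` in the same commit, and it allocates a fresh `LinkedList` on every call. Adding `@Override` and returning `Collections.<String>emptyList()` (with `import java.util.Collections;` replacing the `LinkedList` import) would give a shared immutable result. Keep the mutable list only if some caller is known to modify the returned value, which is not visible here. The Javadoc could also carry `@param user ignored`.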

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
new file mode 100644
index 0000000..3f48f49
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Tests around the NoAuthorizationProvider
+ */
+public class TestNoAuthorizationProvider {
+
+  @Test
+  public void testNoAuthorizationProvider() {
+    NoAuthorizationProvider nap = new NoAuthorizationProvider();
+    assertFalse(nap.hasAccess(null, null, null));
+
+    GroupMappingService gms = nap.getGroupMapping();
+    assertEquals(gms.getGroups(null).size(), 0);
+    assertEquals(gms.getGroups("").size(), 0);
+    assertEquals(gms.getGroups("a").size(), 0);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index c7d983d..205d012 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -116,4 +116,9 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
       }
     });
   }
+
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return groupService;
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
new file mode 100644
index 0000000..a4d4bb3
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import java.util.Arrays;
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.GroupMappingService;
+import com.google.common.collect.ImmutableSetMultimap;
+import org.junit.Test;
+import static org.junit.Assert.assertSame;
+
+public class TestGetGroupMapping {
+
+  private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
+    public TestResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService) {
+      super(policy, groupService);
+    }
+  };
+
+  @Test
+  public void testResourceAuthorizationProvider() {
+    final List<String> list = Arrays.asList("a", "b", "c");
+    GroupMappingService mappingService = new GroupMappingService() {
+      public List<String> getGroups(String user) { return list; }
+    };
+    PolicyEngine policyEngine = new PolicyEngine() {
+      public PermissionFactory getPermissionFactory() { return null; }
+
+      public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) { return null; }
+    };
+
+    TestResourceAuthorizationProvider authProvider =
+      new TestResourceAuthorizationProvider(policyEngine, mappingService);
+    assertSame(authProvider.getGroupMapping(), mappingService);
+  }
+}