Posted to commits@sentry.apache.org by gc...@apache.org on 2015/04/23 23:59:40 UTC

incubator-sentry git commit: SENTRY-678: Sentry-Solr Binding may not load group mapping service correctly

Repository: incubator-sentry
Updated Branches:
  refs/heads/master a3adbb391 -> 850bdb222


SENTRY-678: Sentry-Solr Binding may not load group mapping service correctly


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/850bdb22
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/850bdb22
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/850bdb22

Branch: refs/heads/master
Commit: 850bdb22262f79fb58cb559bce3073f5ddb3229a
Parents: a3adbb3
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Thu Apr 23 13:01:45 2015 -0700
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Thu Apr 23 13:01:45 2015 -0700

----------------------------------------------------------------------
 .../binding/solr/authz/SolrAuthzBinding.java    | 17 ++++++++--
 .../binding/solr/TestSolrAuthzBinding.java      | 34 ++++++++++++++++++++
 .../common/HadoopGroupMappingService.java       |  4 ---
 ...adoopGroupResourceAuthorizationProvider.java | 18 ++++++++---
 4 files changed, 62 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 373ee8c..7f59eaa 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -36,6 +36,7 @@ import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.db.generic.service.thrift.SearchPolicyServiceClient;
 import org.apache.sentry.provider.db.generic.service.thrift.SearchProviderBackend;
@@ -89,13 +90,17 @@ public class SolrAuthzBinding {
       " with resource " + resourceName + ", policy engine "
       + policyEngineName + ", provider backend " + providerBackendName);
     // load the provider backend class
+    if (kerberosEnabledProp.equalsIgnoreCase("true")) {
+      initKerberos(keytabProp, principalProp);
+    } else {
+      // set configuration so that group mappings are properly setup even if
+      // we don't use kerberos, for testing
+      UserGroupInformation.setConfiguration(authzConf);
+    }
     Constructor<?> providerBackendConstructor =
       Class.forName(providerBackendName).getDeclaredConstructor(Configuration.class, String.class);
     providerBackendConstructor.setAccessible(true);
 
-    if (kerberosEnabledProp.equalsIgnoreCase("true")) {
-      initKerberos(keytabProp, principalProp);
-    }
     providerBackend =
       (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {authzConf, resourceName});
 
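Review bot: The comment on the new else branch says the call is "for testing", but the branch runs on every start-up where Kerberos is off, and `UserGroupInformation.setConfiguration(authzConf)` replaces JVM-wide static state rather than anything scoped to this binding. Any other component in the same process that relies on UserGroupInformation will see authzConf's security settings from then on, so the comment should say that, e.g. `// UGI configuration is process-wide: this makes authzConf's group mapping the one every UGI caller in this JVM sees`. Separately, `kerberosEnabledProp.equalsIgnoreCase("true")` throws a NullPointerException if the property can be null; its assignment is outside the hunk, and `"true".equalsIgnoreCase(kerberosEnabledProp)` is safe either way. The enclosing method starts and ends outside the hunk.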
@@ -106,6 +111,12 @@ public class SolrAuthzBinding {
     PolicyEngine policyEngine =
       (PolicyEngine) policyConstructor.newInstance(new Object[] {providerBackend});
 
+    // if unset, set the hadoop auth provider to use new groups, so we don't
+    // conflict with the group mappings that may already be set up
+    if (authzConf.get(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS) == null) {
+      authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS ,true);
+    }
+
     // load the authz provider class
     Constructor<?> constrctor =
       Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class);
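Review bot: The null check plus `setBoolean` in the new block writes into the caller's `authzConf` object, so a Configuration that is reused after the binding is constructed carries the flag with it; the comment should say that the passed-in configuration is modified. Hadoop's Configuration already has a helper for this pattern, `authzConf.setBooleanIfUnset(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS, true);`, which also removes the stray space in `USE_NEW_GROUPS ,true`. The enclosing method continues outside the hunk.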

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 1bc01a2..c37f8ff 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -21,9 +21,12 @@ import static junit.framework.Assert.assertTrue;
 
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
 import java.util.UUID;
 
@@ -32,6 +35,7 @@ import junit.framework.Assert;
 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
 import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
 import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
@@ -359,4 +363,34 @@ public class TestSolrAuthzBinding {
       }
     }
   }
+
+  @Test
+  public void testCustomGroupMapping() throws Exception {
+    SolrAuthzConf solrAuthzConf =
+      new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+    setUsableAuthzConf(solrAuthzConf);
+    solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider");
+    solrAuthzConf.set("hadoop.security.group.mapping",
+      FoobarGroupMappingServiceProvider.class.getName());
+    SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+    final String user = "userTestSolrAuthzBinding";
+    assertEquals(1, binding.getGroups(user).size());
+    assertTrue(binding.getGroups(user).contains("foobar"));
+  }
+
+  /**
+   * GroupMappingServiceProvider that returns "foobar" for any group
+   */
+  private static class FoobarGroupMappingServiceProvider implements GroupMappingServiceProvider {
+    @Override
+    public List<String> getGroups(String user) throws IOException {
+      return Arrays.asList("foobar");
+    }
+
+    @Override
+    public void cacheGroupsRefresh() throws IOException {}
+
+    @Override
+    public void cacheGroupsAdd(List<String> groups) throws IOException {}
+  }
 }
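Review bot: testCustomGroupMapping appears to leave process-wide state behind: if Kerberos is off in this test configuration, constructing SolrAuthzBinding now calls `UserGroupInformation.setConfiguration` with a configuration naming FoobarGroupMappingServiceProvider, and nothing in the visible hunk resets it, so later tests in the same JVM may inherit it. The test also covers only the path where the flag is unset; a second case with `HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS` explicitly set to false would pin the fallback to Hadoop's static mapping. The Javadoc on the helper class says it returns "foobar" for any group, while `getGroups(String user)` returns it for any user; it should read `* GroupMappingServiceProvider that maps every user to the single group "foobar"`.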

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index 14e2d05..3347ffc 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -36,10 +36,6 @@ public class HadoopGroupMappingService implements GroupMappingService {
     this.groups = groups;
   }
 
-  public HadoopGroupMappingService(Configuration conf, String resource) {
-    this(Groups.getUserToGroupsMappingService(conf));
-  }
-
   @Override
   public Set<String> getGroups(String user) {
     try {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
index 626fd90..c8e6c9d 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -30,16 +30,19 @@ import com.google.common.annotations.VisibleForTesting;
 public class HadoopGroupResourceAuthorizationProvider extends
   ResourceAuthorizationProvider {
 
+  // if set to true in the Configuration, constructs a new Group object
+  // for the GroupMappingService rather than using Hadoop's static mapping.
+  public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
+  public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
+
   // resource parameter present so that other AuthorizationProviders (e.g.
   // LocalGroupResourceAuthorizationProvider) has the same constructor params.
   public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException {
-    this(policy, new HadoopGroupMappingService(
-        Groups.getUserToGroupsMappingService(new Configuration())));
+    this(new Configuration(), resource, policy);
   }
 
   public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException {
-    this(policy, new HadoopGroupMappingService(
-        Groups.getUserToGroupsMappingService(conf)));
+    this(policy, new HadoopGroupMappingService(getGroups(conf)));
   }
 
   @VisibleForTesting
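Review bot: The comment above `CONF_PREFIX` documents `USE_NEW_GROUPS`, not the prefix, and says "Group object" where the code constructs `Groups`; attaching it as Javadoc to the constant it describes would keep it visible to callers such as SolrAuthzBinding. Something like `/** Boolean key; when true a new Groups instance is built from the Configuration instead of using Hadoop's static mapping. Defaults to false. */` directly on `USE_NEW_GROUPS` would do. The two-argument constructor passes `new Configuration()`, so on that path the flag only takes effect if it is set in the default resources, which is worth a line in the existing constructor comment.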
@@ -48,4 +51,11 @@ public class HadoopGroupResourceAuthorizationProvider extends
     super(policy, groupService);
   }
 
+  private static Groups getGroups(Configuration conf) {
+    if (conf.getBoolean(USE_NEW_GROUPS, false)) {
+      return new Groups(conf);
+    } else {
+      return Groups.getUserToGroupsMappingService(conf);
+    }
+  }
 }
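Review bot: `new Groups(conf)` in getGroups gives each provider its own group cache, separate from the instance that `Groups.getUserToGroupsMappingService` hands out, and the method carries no comment saying so. If a deployment refreshes group mappings through Hadoop's static instance, this private copy presumably keeps serving its cached memberships until its own cache expires, which matters because the result feeds authorization decisions. A Javadoc on getGroups should state that trade-off, e.g. `/** Returns a private Groups (own cache, not refreshed with Hadoop's static one) when USE_NEW_GROUPS is true, else the shared static mapping. */`.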