Posted to commits@sentry.apache.org by gc...@apache.org on 2015/04/23 23:59:40 UTC
incubator-sentry git commit: SENTRY-678: Sentry-Solr Binding may not
load group mapping service correctly
Repository: incubator-sentry
Updated Branches:
refs/heads/master a3adbb391 -> 850bdb222
SENTRY-678: Sentry-Solr Binding may not load group mapping service correctly
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/850bdb22
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/850bdb22
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/850bdb22
Branch: refs/heads/master
Commit: 850bdb22262f79fb58cb559bce3073f5ddb3229a
Parents: a3adbb3
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Thu Apr 23 13:01:45 2015 -0700
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Thu Apr 23 13:01:45 2015 -0700
----------------------------------------------------------------------
.../binding/solr/authz/SolrAuthzBinding.java | 17 ++++++++--
.../binding/solr/TestSolrAuthzBinding.java | 34 ++++++++++++++++++++
.../common/HadoopGroupMappingService.java | 4 ---
...adoopGroupResourceAuthorizationProvider.java | 18 ++++++++---
4 files changed, 62 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 373ee8c..7f59eaa 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -36,6 +36,7 @@ import org.apache.sentry.core.model.search.SearchModelAction;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.db.generic.service.thrift.SearchPolicyServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SearchProviderBackend;
@@ -89,13 +90,17 @@ public class SolrAuthzBinding {
" with resource " + resourceName + ", policy engine "
+ policyEngineName + ", provider backend " + providerBackendName);
// load the provider backend class
+ if (kerberosEnabledProp.equalsIgnoreCase("true")) {
+ initKerberos(keytabProp, principalProp);
+ } else {
+ // set configuration so that group mappings are properly setup even if
+ // we don't use kerberos, for testing
+ UserGroupInformation.setConfiguration(authzConf);
+ }
Constructor<?> providerBackendConstructor =
Class.forName(providerBackendName).getDeclaredConstructor(Configuration.class, String.class);
providerBackendConstructor.setAccessible(true);
- if (kerberosEnabledProp.equalsIgnoreCase("true")) {
- initKerberos(keytabProp, principalProp);
- }
providerBackend =
(ProviderBackend) providerBackendConstructor.newInstance(new Object[] {authzConf, resourceName});
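Review bot: The comment in the new else branch says the `UserGroupInformation.setConfiguration(authzConf)` call is "for testing", but as written it runs whenever `kerberosEnabledProp` is not "true", and it is a static call that changes state for the whole process. Because the group mapping feeds authorization decisions, the comment should describe what the call does, e.g. `// no Kerberos: still register authzConf with UserGroupInformation (process-wide) so hadoop.security.group.mapping is honoured`. The existing `// load the provider backend class` comment now sits above the Kerberos block and should move down to the `Class.forName(providerBackendName)` line. The enclosing constructor starts and ends outside this hunk.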
@@ -106,6 +111,12 @@ public class SolrAuthzBinding {
PolicyEngine policyEngine =
(PolicyEngine) policyConstructor.newInstance(new Object[] {providerBackend});
+ // if unset, set the hadoop auth provider to use new groups, so we don't
+ // conflict with the group mappings that may already be set up
+ if (authzConf.get(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS) == null) {
+ authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS ,true);
+ }
+
// load the authz provider class
Constructor<?> constrctor =
Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class);
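Review bot: The default for `USE_NEW_GROUPS` is now decided in two places with opposite values: this block forces it to `true` when unset, while `getGroups` in HadoopGroupResourceAuthorizationProvider reads it with `conf.getBoolean(USE_NEW_GROUPS, false)`. That looks intentional (only the Solr binding opts in), but the comment should say so, e.g. `// Solr binding defaults this to true; the provider itself defaults to false`. The block also writes into the caller's `authzConf` whichever `authProviderName` is configured, and the call has a stray space before the comma: `authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS, true);`. The enclosing constructor continues outside the hunk.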
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 1bc01a2..c37f8ff 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -21,9 +21,12 @@ import static junit.framework.Assert.assertTrue;
import java.io.File;
import java.io.FileNotFoundException;
+import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
+import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
+import java.util.List;
import java.util.Set;
import java.util.UUID;
@@ -32,6 +35,7 @@ import junit.framework.Assert;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
@@ -359,4 +363,34 @@ public class TestSolrAuthzBinding {
}
}
}
+
+ @Test
+ public void testCustomGroupMapping() throws Exception {
+ SolrAuthzConf solrAuthzConf =
+ new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+ setUsableAuthzConf(solrAuthzConf);
+ solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider");
+ solrAuthzConf.set("hadoop.security.group.mapping",
+ FoobarGroupMappingServiceProvider.class.getName());
+ SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+ final String user = "userTestSolrAuthzBinding";
+ assertEquals(1, binding.getGroups(user).size());
+ assertTrue(binding.getGroups(user).contains("foobar"));
+ }
+
+ /**
+ * GroupMappingServiceProvider that returns "foobar" for any group
+ */
+ private static class FoobarGroupMappingServiceProvider implements GroupMappingServiceProvider {
+ @Override
+ public List<String> getGroups(String user) throws IOException {
+ return Arrays.asList("foobar");
+ }
+
+ @Override
+ public void cacheGroupsRefresh() throws IOException {}
+
+ @Override
+ public void cacheGroupsAdd(List<String> groups) throws IOException {}
+ }
}
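Review bot: The Javadoc on `FoobarGroupMappingServiceProvider` says it returns "foobar" for any group, but `getGroups(String user)` returns it for any user; `* GroupMappingServiceProvider that maps every user to the single group "foobar"` would be accurate. `testCustomGroupMapping` exercises only the binding's default path, where `USE_NEW_GROUPS` is unset and therefore forced to true. A second case that sets the key to `false` explicitly would document how the shared-mapping branch behaves with a custom `hadoop.security.group.mapping`. The binding appears to change static `UserGroupInformation` configuration, so the test may also affect later tests in the same JVM; that is worth a short comment if so.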
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index 14e2d05..3347ffc 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -36,10 +36,6 @@ public class HadoopGroupMappingService implements GroupMappingService {
this.groups = groups;
}
- public HadoopGroupMappingService(Configuration conf, String resource) {
- this(Groups.getUserToGroupsMappingService(conf));
- }
-
@Override
public Set<String> getGroups(String user) {
try {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
index 626fd90..c8e6c9d 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -30,16 +30,19 @@ import com.google.common.annotations.VisibleForTesting;
public class HadoopGroupResourceAuthorizationProvider extends
ResourceAuthorizationProvider {
+ // if set to true in the Configuration, constructs a new Group object
+ // for the GroupMappingService rather than using Hadoop's static mapping.
+ public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
+ public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
+
// resource parameter present so that other AuthorizationProviders (e.g.
// LocalGroupResourceAuthorizationProvider) has the same constructor params.
public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException {
- this(policy, new HadoopGroupMappingService(
- Groups.getUserToGroupsMappingService(new Configuration())));
+ this(new Configuration(), resource, policy);
}
public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException {
- this(policy, new HadoopGroupMappingService(
- Groups.getUserToGroupsMappingService(conf)));
+ this(policy, new HadoopGroupMappingService(getGroups(conf)));
}
@VisibleForTesting
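Review bot: The new comment describing the flag is attached to `CONF_PREFIX` rather than to `USE_NEW_GROUPS`, and it says "Group object" where the code constructs a `Groups`. I would move it onto the key as Javadoc, e.g. `/** If true in the Configuration, build a private Groups instance instead of using Hadoop's static mapping; defaults to false. */`, and give `CONF_PREFIX` its own one-line comment. The `(String resource, PolicyEngine policy)` constructor now delegates with `new Configuration()`, so on that path the flag can presumably only come from default resource files; a sentence saying so would help callers. The class body continues outside this hunk.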
@@ -48,4 +51,11 @@ public class HadoopGroupResourceAuthorizationProvider extends
super(policy, groupService);
}
+ private static Groups getGroups(Configuration conf) {
+ if (conf.getBoolean(USE_NEW_GROUPS, false)) {
+ return new Groups(conf);
+ } else {
+ return Groups.getUserToGroupsMappingService(conf);
+ }
+ }
}
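Review bot: `getGroups` has no comment explaining the trade-off between its two branches: `new Groups(conf)` gives this provider its own mapping instance (and presumably its own membership cache), while `Groups.getUserToGroupsMappingService(conf)` returns Hadoop's shared one. If that reading is right, a refresh issued against the shared mapping would not reach the private instance, so a removed group membership could keep being honoured for authorization until the private cache expires; this should be confirmed and documented. I would add `/** Returns a private Groups built from conf when USE_NEW_GROUPS is true, otherwise Hadoop's shared mapping; the private instance is not affected by refreshes of the shared one. */` once verified.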