Posted to commits@sqoop.apache.org by ja...@apache.org on 2015/07/10 18:19:18 UTC
sqoop git commit: SQOOP-2383: SQOOP2: Add do user support in
authorization engine
Repository: sqoop
Updated Branches:
refs/heads/sqoop2 00ab7d439 -> aca7d7558
SQOOP-2383: SQOOP2: Add do user support in authorization engine
(Richard via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/sqoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/sqoop/commit/aca7d755
Tree: http://git-wip-us.apache.org/repos/asf/sqoop/tree/aca7d755
Diff: http://git-wip-us.apache.org/repos/asf/sqoop/diff/aca7d755
Branch: refs/heads/sqoop2
Commit: aca7d75589edf3f09428dbeb2211faf03e82af3d
Parents: 00ab7d4
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Fri Jul 10 09:18:44 2015 -0700
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Fri Jul 10 09:18:44 2015 -0700
----------------------------------------------------------------------
.../authorization/AuthorizationEngine.java | 75 ++++++++++----------
.../sqoop/handler/ConnectorRequestHandler.java | 4 +-
.../apache/sqoop/handler/JobRequestHandler.java | 20 +++---
.../sqoop/handler/LinkRequestHandler.java | 14 ++--
.../sqoop/handler/SubmissionRequestHandler.java | 12 ++--
5 files changed, 62 insertions(+), 63 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
----------------------------------------------------------------------
diff --git a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
index 10f02c0..57e0da5 100644
--- a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
+++ b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
@@ -42,13 +42,13 @@ public class AuthorizationEngine {
/**
* Filter resources, get all valid resources from all resources
*/
- public static <T extends MPersistableEntity> List<T> filterResource(final MResource.TYPE type, List<T> resources) throws SqoopException {
+ public static <T extends MPersistableEntity> List<T> filterResource(final String doUserName, final MResource.TYPE type, List<T> resources) throws SqoopException {
Collection<T> collection = Collections2.filter(resources, new Predicate<T>() {
@Override
public boolean apply(T input) {
try {
String name = String.valueOf(input.getPersistenceId());
- checkPrivilege(getPrivilege(type, name, MPrivilege.ACTION.READ));
+ checkPrivilege(doUserName, getPrivilege(type, name, MPrivilege.ACTION.READ));
// add valid resource
return true;
} catch (Exception e) {
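Review bot: The new `doUserName` parameter on `filterResource` is undocumented; the Javadoc above it still says only "Filter resources, get all valid resources from all resources". The engine now authorizes whatever name the caller hands in instead of reading the identity itself, so the contract belongs in the Javadoc. I would add `@param doUserName name of the user the request runs as; callers must take it from the authenticated request context, never from request data` here and on the public methods in the next hunk (`readConnector` through `filterSubmission`). The handler hunks pass `ctx.getUserName()`, which presumably is that value, but nothing in this file states it. The predicate body continues past the end of this hunk.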
@@ -63,86 +63,86 @@ public class AuthorizationEngine {
/**
* Connector related function
*/
- public static void readConnector(String connectorId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+ public static void readConnector(String doUserName, String connectorId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
}
/**
* Link related function
*/
- public static void readLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
+ public static void readLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
}
- public static void createLink(String connectorId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+ public static void createLink(String doUserName, String connectorId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
}
- public static void updateLink(String connectorId, String linkId) throws SqoopException {
+ public static void updateLink(String doUserName, String connectorId, String linkId) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE);
- checkPrivilege(privilege1, privilege2);
+ checkPrivilege(doUserName, privilege1, privilege2);
}
- public static void deleteLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+ public static void deleteLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
}
- public static void enableDisableLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+ public static void enableDisableLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
}
/**
* Job related function
*/
- public static void readJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ public static void readJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
}
- public static void createJob(String linkId1, String linkId2) throws SqoopException {
+ public static void createJob(String doUserName, String linkId1, String linkId2) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
- checkPrivilege(privilege1, privilege2);
+ checkPrivilege(doUserName, privilege1, privilege2);
}
- public static void updateJob(String linkId1, String linkId2, String jobId) throws SqoopException {
+ public static void updateJob(String doUserName, String linkId1, String linkId2, String jobId) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
MPrivilege privilege3 = getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE);
- checkPrivilege(privilege1, privilege2, privilege3);
+ checkPrivilege(doUserName, privilege1, privilege2, privilege3);
}
- public static void deleteJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void deleteJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
- public static void enableDisableJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void enableDisableJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
- public static void startJob(String jobId) throws SqoopException {
+ public static void startJob(String doUserName, String jobId) throws SqoopException {
;
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
- public static void stopJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void stopJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
- public static void statusJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ public static void statusJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
}
/**
* Filter resources, get all valid resources from all resources
*/
- public static List<MSubmission> filterSubmission(List<MSubmission> submissions) throws SqoopException {
+ public static List<MSubmission> filterSubmission(final String doUserName, List<MSubmission> submissions) throws SqoopException {
Collection<MSubmission> collection = Collections2.filter(submissions, new Predicate<MSubmission>() {
@Override
public boolean apply(MSubmission input) {
try {
String jobId = String.valueOf(input.getJobId());
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
// add valid submission
return true;
} catch (Exception e) {
@@ -163,11 +163,10 @@ public class AuthorizationEngine {
return new MPrivilege(new MResource(resourceId, resourceType), privilegeAction, false);
}
- private static void checkPrivilege(MPrivilege... privileges) {
+ private static void checkPrivilege(String doUserName, MPrivilege... privileges) {
AuthorizationHandler handler = AuthorizationManager.getAuthorizationHandler();
- UserGroupInformation user = HttpUserGroupInformation.get();
- String user_name = user == null ? StringUtils.EMPTY : user.getShortUserName();
- MPrincipal principal = new MPrincipal(user_name, MPrincipal.TYPE.USER);
+
+ MPrincipal principal = new MPrincipal(doUserName, MPrincipal.TYPE.USER);
// SQOOP-2256: Hack code, do not check privilege when the user is the creator
// If the user is the owner/creator of this resource, then privilege will
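Review bot: `checkPrivilege` lost its handling of a missing user. The removed lines mapped a null `UserGroupInformation` to `StringUtils.EMPTY`, while the new code passes `doUserName` unchecked into `new MPrincipal(...)` and, in the following hunk, calls `doUserName.equals(link.getCreationUser())` and `doUserName.equals(job.getCreationUser())`. If `ctx.getUserName()` can return null (not visible here), those comparisons throw a NullPointerException instead of producing an authorization decision. Because a name match skips the privilege check, the guard should fail closed, e.g. `if (doUserName == null || !doUserName.equals(link.getCreationUser())) {` and the same for the job branch. The method body continues outside this hunk.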
@@ -178,12 +177,12 @@ public class AuthorizationEngine {
Repository repository = RepositoryManager.getInstance().getRepository();
if (MResource.TYPE.LINK.name().equalsIgnoreCase(privilege.getResource().getType())) {
MLink link = repository.findLink(Long.valueOf(privilege.getResource().getName()));
- if (!user_name.equals(link.getCreationUser())) {
+ if (!doUserName.equals(link.getCreationUser())) {
privilegesNeedCheck.add(privilege);
}
} else if (MResource.TYPE.JOB.name().equalsIgnoreCase(privilege.getResource().getType())) {
MJob job = repository.findJob(Long.valueOf(privilege.getResource().getName()));
- if (!user_name.equals(job.getCreationUser())) {
+ if (!doUserName.equals(job.getCreationUser())) {
privilegesNeedCheck.add(privilege);
}
} else {
http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
index 5128a27..7c428b8 100644
--- a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
@@ -71,7 +71,7 @@ public class ConnectorRequestHandler implements RequestHandler {
ctx.getRequest().getRemoteAddr(), "get", "connectors", "all");
// Authorization check
- connectors = AuthorizationEngine.filterResource(MResource.TYPE.CONNECTOR, connectors);
+ connectors = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.CONNECTOR, connectors);
return new ConnectorsBean(connectors, configParamBundles);
@@ -89,7 +89,7 @@ public class ConnectorRequestHandler implements RequestHandler {
ctx.getRequest().getRemoteAddr(), "get", "connector", String.valueOf(cIdentifier));
// Authorization check
- AuthorizationEngine.readConnector(String.valueOf(connector.getPersistenceId()));
+ AuthorizationEngine.readConnector(ctx.getUserName(), String.valueOf(connector.getPersistenceId()));
return new ConnectorBean(Arrays.asList(connector), configParamBundles);
}
http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
index d1621d8..5e314d0 100644
--- a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
@@ -141,7 +141,7 @@ public class JobRequestHandler implements RequestHandler {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
- AuthorizationEngine.deleteJob(String.valueOf(jobId));
+ AuthorizationEngine.deleteJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier);
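Review bot: The authorization check on the changed line runs before `logAuditEvent`, so a rejected delete never reaches the audit log if `AuthorizationEngine.deleteJob` throws on denial (it declares `SqoopException`; the throwing path is not visible here). The same ordering appears in the start, stop and status hunks of this file and in the `deleteLink` hunk of LinkRequestHandler, whereas the ConnectorRequestHandler and SubmissionRequestHandler hunks log first and check afterwards. For detection purposes the denied attempts are the interesting ones, so I would move the `AuditLoggerManager.getInstance().logAuditEvent(...)` call above the `// Authorization check` comment in each of these places. The enclosing method starts and ends outside the hunk.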
@@ -185,10 +185,10 @@ public class JobRequestHandler implements RequestHandler {
// Authorization check
if (create) {
- AuthorizationEngine.createJob(String.valueOf(postedJob.getFromLinkId()),
+ AuthorizationEngine.createJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
String.valueOf(postedJob.getToLinkId()));
} else {
- AuthorizationEngine.updateJob(String.valueOf(postedJob.getFromLinkId()),
+ AuthorizationEngine.updateJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
String.valueOf(postedJob.getToLinkId()),
String.valueOf(postedJob.getPersistenceId()));
}
@@ -284,7 +284,7 @@ public class JobRequestHandler implements RequestHandler {
List<MJob> jobList = repository.findJobsForConnector(connectorId);
// Authorization check
- jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+ jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
jobBean = createJobsBean(jobList, locale);
} else
@@ -296,7 +296,7 @@ public class JobRequestHandler implements RequestHandler {
List<MJob> jobList = repository.findJobs();
// Authorization check
- jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+ jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
jobBean = createJobsBean(jobList, locale);
}
@@ -309,7 +309,7 @@ public class JobRequestHandler implements RequestHandler {
MJob job = repository.findJob(jobId);
// Authorization check
- AuthorizationEngine.readJob(String.valueOf(job.getPersistenceId()));
+ AuthorizationEngine.readJob(ctx.getUserName(), String.valueOf(job.getPersistenceId()));
jobBean = createJobBean(Arrays.asList(job), locale);
}
@@ -352,7 +352,7 @@ public class JobRequestHandler implements RequestHandler {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
- AuthorizationEngine.enableDisableJob(String.valueOf(jobId));
+ AuthorizationEngine.enableDisableJob(ctx.getUserName(), String.valueOf(jobId));
repository.enableJob(jobId, enabled);
return JsonBean.EMPTY_BEAN;
@@ -364,7 +364,7 @@ public class JobRequestHandler implements RequestHandler {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
- AuthorizationEngine.startJob(String.valueOf(jobId));
+ AuthorizationEngine.startJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "submit", "job", String.valueOf(jobId));
@@ -387,7 +387,7 @@ public class JobRequestHandler implements RequestHandler {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
- AuthorizationEngine.stopJob(String.valueOf(jobId));
+ AuthorizationEngine.stopJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "stop", "job", String.valueOf(jobId));
@@ -401,7 +401,7 @@ public class JobRequestHandler implements RequestHandler {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
- AuthorizationEngine.statusJob(String.valueOf(jobId));
+ AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "status", "job", String.valueOf(jobId));
http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
index 26a341b..f056686 100644
--- a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
@@ -95,7 +95,7 @@ public class LinkRequestHandler implements RequestHandler {
long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
// Authorization check
- AuthorizationEngine.deleteLink(String.valueOf(linkId));
+ AuthorizationEngine.deleteLink(ctx.getUserName(), String.valueOf(linkId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier);
@@ -137,9 +137,9 @@ public class LinkRequestHandler implements RequestHandler {
// Authorization check
if (create) {
- AuthorizationEngine.createLink(String.valueOf(postedLink.getConnectorId()));
+ AuthorizationEngine.createLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()));
} else {
- AuthorizationEngine.updateLink(String.valueOf(postedLink.getConnectorId()),
+ AuthorizationEngine.updateLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()),
String.valueOf(postedLink.getPersistenceId()));
}
@@ -207,7 +207,7 @@ public class LinkRequestHandler implements RequestHandler {
List<MLink> linkList = repository.findLinksForConnector(connectorId);
// Authorization check
- linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+ linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
linkBean = createLinksBean(linkList, locale);
} else {
@@ -224,7 +224,7 @@ public class LinkRequestHandler implements RequestHandler {
List<MLink> linkList = repository.findLinks();
// Authorization check
- linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+ linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
linkBean = createLinksBean(linkList, locale);
}
@@ -237,7 +237,7 @@ public class LinkRequestHandler implements RequestHandler {
MLink link = repository.findLink(linkId);
// Authorization check
- AuthorizationEngine.readLink(String.valueOf(link.getPersistenceId()));
+ AuthorizationEngine.readLink(ctx.getUserName(), String.valueOf(link.getPersistenceId()));
linkBean = createLinkBean(Arrays.asList(link), locale);
}
@@ -274,7 +274,7 @@ public class LinkRequestHandler implements RequestHandler {
long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
// Authorization check
- AuthorizationEngine.enableDisableLink(String.valueOf(linkId));
+ AuthorizationEngine.enableDisableLink(ctx.getUserName(), String.valueOf(linkId));
repository.enableLink(linkId, enabled);
return JsonBean.EMPTY_BEAN;
http://git-wip-us.apache.org/repos/asf/sqoop/blob/aca7d755/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
----------------------------------------------------------------------
diff --git a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
index 5a1ab51..5c349a2 100644
--- a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
@@ -56,28 +56,28 @@ public class SubmissionRequestHandler implements RequestHandler {
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "get", "submissionsByJob", jobIdentifier);
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
- return getSubmissionsForJob(jobId);
+ return getSubmissionsForJob(jobId, ctx);
} else {
// all submissions in the system
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "get", "submissions", "all");
- return getSubmissions();
+ return getSubmissions(ctx);
}
}
- private JsonBean getSubmissions() {
+ private JsonBean getSubmissions(RequestContext ctx) {
List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
.findSubmissions();
//Authorization check
- submissions = AuthorizationEngine.filterSubmission(submissions);
+ submissions = AuthorizationEngine.filterSubmission(ctx.getUserName(), submissions);
return new SubmissionsBean(submissions);
}
- private JsonBean getSubmissionsForJob(long jid) {
+ private JsonBean getSubmissionsForJob(long jid, RequestContext ctx) {
//Authorization check
- AuthorizationEngine.statusJob(String.valueOf(jid));
+ AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jid));
List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
.findSubmissionsForJob(jid);