org.apache.sqoop.model.MPrincipal Java Examples

The following examples show how to use org.apache.sqoop.model.MPrincipal. Each example names the source file and project it was taken from.
Example #1
Source File: SentryAccessController.java (from incubator-sentry, Apache License 2.0)
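/**
 * Revokes every role in {@code roles} from every principal in {@code principals}.
 *
 * Sentry binds roles to groups only, so each principal must be of type GROUP; any
 * other principal type is rejected with {@code SecurityError.AUTH_0014}. Every
 * principal is validated before the first revoke is issued, so a rejected entry
 * later in the list cannot leave the request half-applied.
 *
 * @param principals principals to revoke the roles from; all must be GROUP principals
 * @param roles roles to revoke
 * @throws SqoopException when a principal is not a group
 */
@Override
public void revokeRole(List<MPrincipal> principals, List<MRole> roles)
    throws SqoopException {
  // Validate first, mutate second: a per-principal check interleaved with the
  // revoke calls would revoke from the leading principals and then throw.
  for (MPrincipal principal : principals) {
    PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
    if (principalDesc.getType() != PrincipalType.GROUP) {
      throw new SqoopException(SecurityError.AUTH_0014,
          SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL
              + principalDesc.getType().name());
    }
  }
  for (MPrincipal principal : principals) {
    for (MRole role : roles) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Going to revoke role : " + role.getName() +
            " from principal: " + principal);
      }
      binding.revokeGroupfromRole(getSubject(), principal.getName(), role);
    }
  }
}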
 
Example #2
Source File: ShowRoleFunction.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Shell entry point for {@code show role}.
 *
 * The principal-name and principal-type options only make sense together, so
 * supplying exactly one of them is a usage error. With both present the roles of
 * that principal are shown; with neither, every role is shown.
 *
 * @param line parsed command line
 * @param isInteractive whether the shell is interactive (not used by this function)
 * @return {@code Status.OK}
 * @throws SqoopException {@code ShellError.SHELL_0003} when only one of the two
 *         principal options is given
 */
@Override
public Object executeFunction(CommandLine line, boolean isInteractive) {
  boolean hasPrincipal = line.hasOption(Constants.OPT_PRINCIPAL);
  boolean hasPrincipalType = line.hasOption(Constants.OPT_PRINCIPAL_TYPE);
  if (hasPrincipal != hasPrincipalType) {
    throw new SqoopException(ShellError.SHELL_0003,
        ShellEnvironment.getResourceBundle().getString(Constants.RES_SHOW_ROLE_BAD_ARGUMENTS_PRINCIPAL_TYPE));
  }

  MPrincipal principal = null;
  if (hasPrincipal) {
    principal = new MPrincipal(
        line.getOptionValue(Constants.OPT_PRINCIPAL),
        line.getOptionValue(Constants.OPT_PRINCIPAL_TYPE));
  }

  showRoles(principal);
  return Status.OK;
}
 
Example #3
Source File: AuthorizationResourceRequest.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Sends a grant or a revoke request for {@code privileges} on {@code principals}.
 *
 * The request body is a JSON document holding the serialized principals and, when
 * a non-empty privilege list is given, the serialized privileges. The same body is
 * PUT to the GRANT or the REVOKE endpoint depending on {@code isGrant}.
 *
 * @param serverUrl base URL of the Sqoop server
 * @param principals principals the privileges are granted to / revoked from
 * @param privileges privileges to grant or revoke; a null or empty list is left out of the body
 * @param isGrant true to grant, false to revoke
 */
public void grantRevokePrivilege(String serverUrl, List<MPrincipal> principals, List<MPrivilege> privileges, boolean isGrant) {
  JSONObject body = new JSONObject();
  // extract(false): serialize every input, sensitive ones included
  body.putAll(new PrincipalsBean(principals).extract(false));

  boolean hasPrivileges = privileges != null && !privileges.isEmpty();
  if (hasPrivileges) {
    body.putAll(new PrivilegesBean(privileges).extract(false));
  }

  String endpoint = isGrant
      ? serverUrl + RESOURCE + PRIVILEGES + GRANT
      : serverUrl + RESOURCE + PRIVILEGES + REVOKE;
  super.put(endpoint, body.toJSONString());
}
 
Example #4
Source File: AuthorizationRequestHandler.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Serves the roles query of the authorization REST resource.
 *
 * When both the principal-name and principal-type query parameters are present the
 * roles of that principal are returned, otherwise every role in the system. In both
 * cases the access is written to the audit log (caller user name and remote address)
 * before the authorization handler is consulted.
 *
 * NOTE(review): getRemoteAddr() is the immediate peer address; behind a reverse
 * proxy that is the proxy, not the end client -- confirm that is acceptable for audit.
 *
 * @param ctx request context carrying the query parameters and caller identity
 * @return a {@code RolesBean} wrapping the matching roles
 */
private JsonBean getRoles(RequestContext ctx) {
  AuthorizationHandler authz = AuthorizationManager.getAuthorizationHandler();
  AuditLoggerManager audit = AuditLoggerManager.getInstance();
  String principalName = ctx.getParameterValue(PRINCIPAL_NAME_QUERY_PARAM);
  String principalType = ctx.getParameterValue(PRINCIPAL_TYPE_QUERY_PARAM);
  boolean byPrincipal = principalName != null && principalType != null;

  if (!byPrincipal) {
    // no (complete) principal given: list every role
    audit.logAuditEvent(ctx.getUserName(),
            ctx.getRequest().getRemoteAddr(), "get", "roles", "all");
    return new RolesBean(authz.getAllRoles());
  }

  MPrincipal principal = new MPrincipal(principalName, principalType);
  audit.logAuditEvent(ctx.getUserName(),
          ctx.getRequest().getRemoteAddr(), "get", "roles by principal", principal.toString());
  return new RolesBean(authz.getRolesByPrincipal(principal));
}
 
Example #5
Source File: SentryAccessController.java (from incubator-sentry, Apache License 2.0)
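/**
 * Revokes every privilege in {@code privileges} from every principal in {@code principals}.
 *
 * Sentry attaches privileges to roles only, so each principal must be of type ROLE;
 * any other principal type is rejected with {@code SecurityError.AUTH_0014}. Every
 * principal is validated before the first revoke is issued, so a rejected entry
 * later in the list cannot leave the request half-applied.
 *
 * @param principals principals to revoke from; all must be ROLE principals
 * @param privileges privileges to revoke
 * @throws SqoopException when a principal is not a role
 */
@Override
public void revokePrivileges(List<MPrincipal> principals, List<MPrivilege> privileges)
    throws SqoopException {
  // Validate first, mutate second: a per-principal check interleaved with the
  // revoke calls would revoke from the leading principals and then throw.
  for (MPrincipal principal : principals) {
    PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
    if (principalDesc.getType() != PrincipalType.ROLE) {
      throw new SqoopException(SecurityError.AUTH_0014,
          SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL
              + principalDesc.getType().name());
    }
  }

  for (MPrincipal principal : principals) {
    for (MPrivilege privilege : privileges) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Going to revoke privilege : " + privilege +
            " from principal: " + principal);
      }
      binding.revokePrivilege(getSubject(), principal.getName(), privilege);
    }
  }
}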
 
Example #6
Source File: RevokePrivilegeFunction.java (from sqoop-on-spark, Apache License 2.0)
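/**
 * Revokes one privilege from one principal and prints the outcome to the shell.
 *
 * @param action privilege action to revoke
 * @param resourceType resource type name; compared case-insensitively against CONNECTOR
 * @param resource resource name
 * @param principalType type of the principal the privilege is revoked from
 * @param principal name of that principal
 * @param withGrant whether the revoked privilege carried the grant option
 * @return {@code Status.OK}
 * @throws IOException propagated from the client call
 */
private Status revokePrivilege(String action, String resourceType, String resource,
                               String principalType, String principal, boolean withGrant)
  throws IOException {
  MResource resourceObject = new MResource(resource, resourceType);
  MPrivilege privilegeObject = new MPrivilege(resourceObject, action, withGrant);
  MPrincipal principalObject = new MPrincipal(principal, principalType);

  client.revokePrivilege(
    Arrays.asList(principalObject),
    Arrays.asList(privilegeObject));

  // Only a change on a connector resource invalidates the client cache.
  // equalsIgnoreCase replaces the default-locale toUpperCase(), whose result
  // depends on the JVM locale, and is null-safe for the resource type.
  if (MResource.TYPE.CONNECTOR.name().equalsIgnoreCase(resourceType)) {
    client.clearCache();
  }

  printlnResource(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL,
    action, resourceType + " " + resource,
    ((withGrant) ? " " + resourceString(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL_WITH_GRANT) : ""),
    principalType + " " + principal);

  return Status.OK;
}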
 
Example #7
Source File: SentryAccessController.java (from incubator-sentry, Apache License 2.0)
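/**
 * Grants every role in {@code roles} to every principal in {@code principals}.
 *
 * Sentry binds roles to groups only, so each principal must be of type GROUP; any
 * other principal type is rejected with {@code SecurityError.AUTH_0014}. Every
 * principal is validated before the first grant is issued, so a rejected entry
 * later in the list cannot leave the request half-applied.
 *
 * @param principals principals receiving the roles; all must be GROUP principals
 * @param roles roles to grant
 * @throws SqoopException when a principal is not a group
 */
@Override
public void grantRole(List<MPrincipal> principals, List<MRole> roles)
    throws SqoopException {
  // Validate first, mutate second: a per-principal check interleaved with the
  // grant calls would grant to the leading principals and then throw.
  for (MPrincipal principal : principals) {
    PrincipalDesc principalDesc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
    if (principalDesc.getType() != PrincipalType.GROUP) {
      throw new SqoopException(SecurityError.AUTH_0014,
          SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL
              + principalDesc.getType().name());
    }
  }
  for (MPrincipal principal : principals) {
    for (MRole role : roles) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Going to grant role : " + role.getName() +
            " to principal: " + principal);
      }
      binding.grantGroupToRole(getSubject(), principal.getName(), role);
    }
  }
}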
 
Example #8
Source File: ShowPrincipalFunction.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Prints the principals that hold {@code role} as a two-column table (name, type).
 *
 * @param role role whose principals are listed
 */
private void showPrincipals(MRole role) {
  List<MPrincipal> members = client.getPrincipalsByRole(role);

  List<String> header = new LinkedList<String>();
  header.add(resourceString(Constants.RES_TABLE_HEADER_PRINCIPAL_NAME));
  header.add(resourceString(Constants.RES_TABLE_HEADER_PRINCIPAL_TYPE));

  // one column per table header, filled in the order the server returned them
  List<String> nameColumn = new LinkedList<String>();
  List<String> typeColumn = new LinkedList<String>();
  for (MPrincipal member : members) {
    nameColumn.add(member.getName());
    typeColumn.add(member.getType());
  }

  TableDisplayer.display(header, nameColumn, typeColumn);
}
 
Example #9
Source File: ShowPrivilegeFunction.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Shell entry point for {@code show privilege}.
 *
 * The resource-name and resource-type options only make sense together, so
 * supplying exactly one of them is a usage error. The principal is always built
 * from the principal options (no presence check is made here); the resource is
 * optional and null when absent.
 *
 * @param line parsed command line
 * @param isInteractive whether the shell is interactive (not used by this function)
 * @return {@code Status.OK}
 * @throws SqoopException {@code ShellError.SHELL_0003} when only one of the two
 *         resource options is given
 */
@Override
public Object executeFunction(CommandLine line, boolean isInteractive) {
  boolean hasResource = line.hasOption(Constants.OPT_RESOURCE);
  boolean hasResourceType = line.hasOption(Constants.OPT_RESOURCE_TYPE);
  if (hasResource != hasResourceType) {
    throw new SqoopException(ShellError.SHELL_0003,
        ShellEnvironment.getResourceBundle().getString(Constants.RES_SHOW_PRIVILEGE_BAD_ARGUMENTS_RESOURCE_TYPE));
  }

  MPrincipal principal = new MPrincipal(
      line.getOptionValue(Constants.OPT_PRINCIPAL),
      line.getOptionValue(Constants.OPT_PRINCIPAL_TYPE));

  MResource resource = null;
  if (hasResource) {
    resource = new MResource(line.getOptionValue(Constants.OPT_RESOURCE), line.getOptionValue(Constants.OPT_RESOURCE_TYPE));
  }

  showPrivileges(principal, resource);
  return Status.OK;
}
 
Example #10
Source File: TestGrantPrivilege.java (from incubator-sentry, Apache License 2.0)
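/**
 * Scenario: user1 belongs to group1; the admin grants role1 to group1 and the READ
 * privilege on connector "all" to role1. user1 must then see exactly one privilege
 * on role1.
 */
@Test
public void testGrantPrivilege() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role1 = new MRole(ROLE1);
  MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.createRole(role1);
  client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
  client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));

  // check user1 has privilege on role1; assertEquals reports the actual count on
  // failure, which assertTrue(size() == 1) does not
  client = sqoopServerRunner.getSqoopClient(USER1);
  assertEquals(1, client.getPrivilegesByPrincipal(role1Princ, allConnector).size());
}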
 
Example #11
Source File: RangerSqoopAuthorizer.java (from ranger, Apache License 2.0)
/**
 * Delegates the privilege check to the Ranger authorization validator.
 *
 * The validator lives in the plugin class loader, so that loader is activated for the
 * duration of the call and always deactivated afterwards, even when the check throws.
 *
 * @param principal principal whose access is checked
 * @param privileges privileges the principal must hold
 * @throws SqoopException propagated from the validator when access is denied
 */
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	final boolean trace = LOG.isDebugEnabled();
	if (trace) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges()");
	}

	try {
		// activation happens inside the try so the loader is restored on any failure
		activatePluginClassLoader();
		authorizationValidator.checkPrivileges(principal, privileges);
	} finally {
		deactivatePluginClassLoader();
	}

	if (trace) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges()");
	}
}
 
Example #12
Source File: SentryAuthorizationValidator.java (from incubator-sentry, Apache License 2.0)
/**
 * Checks that {@code principal} holds every privilege in {@code privileges}.
 *
 * An empty or null privilege list passes without looking at the principal. Otherwise
 * the principal must be a USER; each privilege is then authorized through the Sentry
 * binding and the first one that is not authorized aborts the check.
 *
 * @param principal principal whose access is checked; must be of type USER
 * @param privileges privileges the principal must hold
 * @throws SqoopException {@code SecurityError.AUTH_0014} when the principal is not a
 *         user or lacks one of the privileges
 */
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
  boolean nothingToCheck = privileges == null || privileges.isEmpty();
  if (nothingToCheck) {
    return;
  }

  PrincipalDesc desc = new PrincipalDesc(principal.getName(), principal.getType());
  if (desc.getType() != PrincipalType.USER) {
    throw new SqoopException(SecurityError.AUTH_0014,SentrySqoopError.AUTHORIZE_CHECK_NOT_SUPPORT_FOR_PRINCIPAL);
  }

  for (MPrivilege privilege : privileges) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Going to authorize check on privilege : " + privilege +
          " for principal: " + principal);
    }
    boolean allowed = binding.authorize(new Subject(desc.getName()), privilege);
    if (allowed) {
      continue;
    }
    throw new SqoopException(SecurityError.AUTH_0014, "User " + desc.getName() +
        " does not have privileges for : " + privilege.toString());
  }
}
 
Example #13
Source File: AuthorizationResourceRequest.java (from sqoop-on-spark, Apache License 2.0)
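/**
 * Fetches the roles held by {@code principal} from the server.
 *
 * The principal name and type travel as query parameters and are URL-encoded: a
 * raw value containing {@code &}, {@code #} or whitespace would alter or truncate
 * the query string instead of being looked up literally.
 *
 * @param serverUrl base URL of the Sqoop server
 * @param principal principal whose roles are requested
 * @return the roles bean restored from the server's JSON response
 */
public RolesBean readRolesByPrincipal(String serverUrl, MPrincipal principal) {
  String url;
  try {
    // fully qualified because the file's import block is not changed here
    url = serverUrl + RESOURCE + ROLES
        + "?principal_name=" + java.net.URLEncoder.encode(principal.getName(), "UTF-8")
        + "&principal_type=" + java.net.URLEncoder.encode(principal.getType(), "UTF-8");
  } catch (java.io.UnsupportedEncodingException e) {
    // UTF-8 is mandatory for every JVM, so this branch is unreachable in practice
    throw new IllegalStateException("UTF-8 encoding unavailable", e);
  }
  String response = super.get(url);
  JSONObject jsonObject = JSONUtils.parse(response);
  RolesBean bean = new RolesBean();
  bean.restore(jsonObject);
  return bean;
}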
 
Example #14
Source File: AuthorizationResourceRequest.java (from sqoop-on-spark, Apache License 2.0)
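/**
 * Fetches the privileges of {@code principal}, optionally restricted to {@code resource}.
 *
 * Principal and resource attributes travel as query parameters and are URL-encoded:
 * a raw value containing {@code &}, {@code #} or whitespace would alter or truncate
 * the query string instead of being looked up literally.
 *
 * @param serverUrl base URL of the Sqoop server
 * @param principal principal whose privileges are requested
 * @param resource resource to filter on, or null for all resources
 * @return the privileges bean restored from the server's JSON response
 */
public PrivilegesBean readPrivilegesByPrincipal(String serverUrl, MPrincipal principal, MResource resource) {
  StringBuilder url = new StringBuilder();
  try {
    // fully qualified because the file's import block is not changed here
    url.append(serverUrl).append(RESOURCE).append(PRIVILEGES)
        .append("?principal_name=").append(java.net.URLEncoder.encode(principal.getName(), "UTF-8"))
        .append("&principal_type=").append(java.net.URLEncoder.encode(principal.getType(), "UTF-8"));
    if (resource != null) {
      url.append("&resource_name=").append(java.net.URLEncoder.encode(resource.getName(), "UTF-8"));
      url.append("&resource_type=").append(java.net.URLEncoder.encode(resource.getType(), "UTF-8"));
    }
  } catch (java.io.UnsupportedEncodingException e) {
    // UTF-8 is mandatory for every JVM, so this branch is unreachable in practice
    throw new IllegalStateException("UTF-8 encoding unavailable", e);
  }
  String response = super.get(url.toString());
  JSONObject jsonObject = JSONUtils.parse(response);
  PrivilegesBean bean = new PrivilegesBean();
  bean.restore(jsonObject);
  return bean;
}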
 
Example #15
Source File: TestRevokePrivilege.java (from incubator-sentry, Apache License 2.0)
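/**
 * Scenario: user3 belongs to group3; the admin grants role3 to group3 and the ALL
 * privilege on connector "all" to role3. Revoking READ from role3 must leave a single
 * privilege whose action is WRITE.
 */
@Test
public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role3 = new MRole(ROLE3);
  MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
  client.createRole(role3);
  client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));

  // user3 sees exactly one privilege on role3 and it carries the ALL action
  // (assertEquals(expected, actual): the original had the arguments swapped and
  // used assertTrue(size() == 1), which hides the actual count on failure)
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertEquals(1, client.getPrivilegesByPrincipal(role3Princ, allConnector).size());
  MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(SqoopActionConstant.ALL_NAME, user3Privilege.getAction());

  // admin user revokes the read privilege on connector all from role role3
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.revokePrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));

  // user3 is left with only the write privilege on role3; lower-case under a fixed
  // locale so the comparison does not depend on the JVM's default locale
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertEquals(1, client.getPrivilegesByPrincipal(role3Princ, allConnector).size());
  user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(SqoopActionConstant.WRITE, user3Privilege.getAction().toLowerCase(java.util.Locale.ROOT));
}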
 
Example #16
Source File: TestShowPrivilege.java (from incubator-sentry, Apache License 2.0)
/**
 * Showing privileges for a USER principal is not supported by the Sentry backend;
 * the client call must fail with SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportShowOnUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal unsupportedUser = new MPrincipal("not_support_user1", MPrincipal.TYPE.USER);
  MResource connectorAll = new MResource("all", MResource.TYPE.CONNECTOR);
  try {
    client.getPrivilegesByPrincipal(unsupportedUser, connectorAll);
  } catch (Exception e) {
    // the expected outcome: the cause must carry the "not supported" message
    assertCausedMessage(e, SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL);
    return;
  }
  fail("expected not support exception happend");
}
 
Example #17
Source File: TestRevokePrivilege.java (from incubator-sentry, Apache License 2.0)
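/**
 * Revoking a privilege from a USER principal is not supported by the Sentry backend
 * (privileges attach to roles only); the client call must fail with
 * GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportRevokePrivilegeFromUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  // TYPE.USER matches the test's name; the earlier TYPE.GROUP exercised the group case
  // instead, which the same non-ROLE check rejects and so never covered a user
  MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.USER);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}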
 
Example #18
Source File: TestGrantPrivilege.java (from incubator-sentry, Apache License 2.0)
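/**
 * Scenario: user3 belongs to group3; the admin grants role3 to group3 and the ALL
 * privilege on connector "all" to role3. Granting READ afterwards must not change
 * what user3 sees: still one privilege, still the ALL action.
 */
@Test
public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role3 = new MRole(ROLE3);
  MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
  client.createRole(role3);
  client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));

  // user3 sees exactly one privilege on role3 and it carries the ALL action
  // (assertEquals(expected, actual): the original had the arguments swapped and
  // used assertTrue(size() == 1), which hides the actual count on failure)
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertEquals(1, client.getPrivilegesByPrincipal(role3Princ, allConnector).size());
  MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(SqoopActionConstant.ALL_NAME, user3Privilege.getAction());

  // admin grants READ on connector all to role3; role3 already holds ALL, so the
  // grant must have no visible effect
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));

  // user3 still sees a single privilege with the ALL action
  client = sqoopServerRunner.getSqoopClient(USER3);
  assertEquals(1, client.getPrivilegesByPrincipal(role3Princ, allConnector).size());
  user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
  assertEquals(SqoopActionConstant.ALL_NAME, user3Privilege.getAction());
}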
 
Example #19
Source File: TestGrantPrivilege.java (from incubator-sentry, Apache License 2.0)
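/**
 * Scenario: user2 belongs to group2; the admin grants role2 to group2 and the WRITE
 * privilege on connector "all" to role2, then grants the same privilege again. The
 * second grant must be idempotent: user2 still sees exactly one privilege.
 */
@Test
public void testGrantPrivilegeTwice() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role2 = new MRole(ROLE2);
  MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
  MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
  client.createRole(role2);
  client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
  client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));

  // check user2 has one privilege on role2; assertEquals reports the actual count
  // on failure, which assertTrue(size() == 1) does not
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertEquals(1, client.getPrivilegesByPrincipal(role2Princ, allConnector).size());

  // grant the same privilege to role2 again
  client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));

  // the duplicate grant must not add a second privilege
  client = sqoopServerRunner.getSqoopClient(USER2);
  assertEquals(1, client.getPrivilegesByPrincipal(role2Princ, allConnector).size());
}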
 
Example #20
Source File: TestShowPrivilege.java (from incubator-sentry, Apache License 2.0)
/**
 * Showing privileges for a GROUP principal is not supported by the Sentry backend;
 * the client call must fail with SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportShowOnGroup() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal unsupportedGroup = new MPrincipal("not_support_group1", MPrincipal.TYPE.GROUP);
  MResource connectorAll = new MResource("all", MResource.TYPE.CONNECTOR);
  try {
    client.getPrivilegesByPrincipal(unsupportedGroup, connectorAll);
  } catch (Exception e) {
    // the expected outcome: the cause must carry the "not supported" message
    assertCausedMessage(e, SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL);
    return;
  }
  fail("expected not support exception happend");
}
 
Example #21
Source File: PrincipalBean.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Serializes the bean's principals into a JSON array, one object per principal.
 *
 * @return the array; empty when the principal list is null or empty
 */
@SuppressWarnings("unchecked")
protected JSONArray extractPrincipals() {
  JSONArray serialized = new JSONArray();
  if (principals == null) {
    return serialized;
  }
  for (MPrincipal entry : principals) {
    serialized.add(extractPrincipal(entry));
  }
  return serialized;
}
 
Example #22
Source File: PrincipalBean.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Serializes one principal as a JSON object with its name and type.
 *
 * @param principal principal to serialize
 * @return a JSON object keyed by {@code NAME} and {@code TYPE}
 */
@SuppressWarnings("unchecked")
private JSONObject extractPrincipal(MPrincipal principal) {
  JSONObject json = new JSONObject();
  String name = principal.getName();
  String type = principal.getType();
  json.put(NAME, name);
  json.put(TYPE, type);
  return json;
}
 
Example #23
Source File: TestGrantPrivilege.java (from incubator-sentry, Apache License 2.0)
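/**
 * Granting a privilege to a USER principal is not supported by the Sentry backend
 * (privileges attach to roles only); the client call must fail with
 * GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportGrantPrivilegeToUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  // TYPE.USER matches the test's name; the earlier TYPE.GROUP exercised the group case
  // instead, which the same non-ROLE check rejects and so never covered a user
  MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.USER);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}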
 
Example #24
Source File: TestRoleOperation.java (from incubator-sentry, Apache License 2.0)
/**
 * Listing roles for a USER principal is not supported by the Sentry backend (roles
 * are listed by group); the client call must fail with
 * SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportShowRoleonUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MPrincipal unsupportedUser = new MPrincipal("showRoleOnUser", MPrincipal.TYPE.USER);
  try {
    client.getRolesByPrincipal(unsupportedUser);
  } catch (Exception e) {
    // the expected outcome: the cause must carry the "not supported" message
    assertCausedMessage(e, SentrySqoopError.SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL);
    return;
  }
  fail("expected not support exception happend");
}
 
Example #25
Source File: TestRoleOperation.java (from incubator-sentry, Apache License 2.0)
/**
 * Grants role3 to group3 and role4 to group4, checks that a member of each group can
 * see its group's role, revokes both grants and checks that the role lists are empty.
 */
@Test
public void testAddDeleteRoleOnGroup() throws Exception {
  SqoopClient admin = sqoopServerRunner.getSqoopClient(ADMIN_USER);

  // admin: role3 -> group3
  MRole role3 = new MRole(ROLE3);
  admin.createRole(role3);
  MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  admin.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));

  // admin: role4 -> group4
  MRole role4 = new MRole(ROLE4);
  admin.createRole(role4);
  MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
  admin.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));

  // a member of group3 sees role3, a member of group4 sees role4
  SqoopClient user3 = sqoopServerRunner.getSqoopClient(USER3);
  assertEquals(role3.getName(), user3.getRolesByPrincipal(group3).get(0).getName());
  SqoopClient user4 = sqoopServerRunner.getSqoopClient(USER4);
  assertEquals(role4.getName(), user4.getRolesByPrincipal(group4).get(0).getName());

  // admin revokes both grants
  admin = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  admin.revokeRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
  admin.revokeRole(Lists.newArrayList(role4), Lists.newArrayList(group4));

  // afterwards both groups have an empty role list
  user3 = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(user3.getRolesByPrincipal(group3).isEmpty());
  user4 = sqoopServerRunner.getSqoopClient(USER4);
  assertTrue(user4.getRolesByPrincipal(group4).isEmpty());
}
 
Example #26
Source File: TestRoleOperation.java (from incubator-sentry, Apache License 2.0)
/**
 * Granting a role to a USER principal is not supported by the Sentry backend (roles
 * bind to groups); the client call must fail with
 * GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL.
 */
@Test
public void testNotSupportAddRoleToUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role = new MRole("add_to_user_role");
  MPrincipal unsupportedUser = new MPrincipal("add_to_user", MPrincipal.TYPE.USER);
  try {
    client.grantRole(Lists.newArrayList(role), Lists.newArrayList(unsupportedUser));
  } catch (Exception e) {
    // the expected outcome: the cause must carry the "not supported" message
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL);
    return;
  }
  fail("expected not support exception happend");
}
 
Example #27
Source File: TestShowPrivilege.java (from incubator-sentry, Apache License 2.0)
/**
 * Scenario: user1 belongs to group1; the admin grants role1 to group1 and the READ
 * privilege on connector "all" to role1. user1 can list role1's privileges; user2,
 * who is not a member of role1, is denied.
 */
@Test
public void testShowPrivileges() throws Exception {
  SqoopClient admin = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  MRole role1 = new MRole(ROLE1);
  MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
  admin.createRole(role1);
  admin.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
  admin.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPriv));

  // user1 (member of group1, hence of role1) sees the single privilege on role1
  SqoopClient user1 = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(user1.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);

  // user2 is not a member of role1 and must be denied
  SqoopClient user2 = sqoopServerRunner.getSqoopClient(USER2);
  try {
    user2.getPrivilegesByPrincipal(role1Princ, allConnector);
  } catch (Exception e) {
    assertCausedMessage(e, "SentryAccessDeniedException");
    return;
  }
  fail("expected SentryAccessDeniedException happend");
}
 
Example #28
Source File: SentryAccessController.java (from incubator-sentry, Apache License 2.0)
/**
 * Lists the roles bound to {@code principal}.
 *
 * Sentry lists roles by group only, so the principal must be of type GROUP; any
 * other type is rejected with {@code SecurityError.AUTH_0014}.
 *
 * @param principal group whose roles are listed
 * @return the roles Sentry reports for that group
 * @throws SqoopException when the principal is not a group
 */
@Override
public List<MRole> getRolesByPrincipal(MPrincipal principal) throws SqoopException {
  PrincipalDesc desc = PrincipalDesc.fromStr(principal.getName(), principal.getType());
  boolean isGroup = desc.getType() == PrincipalType.GROUP;
  if (!isGroup) {
    throw new SqoopException(SecurityError.AUTH_0014,
        SentrySqoopError.SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL
            + desc.getType().name());
  }
  return binding.listRolesByGroup(getSubject(), desc.getName());
}
 
Example #29
Source File: RangerSqoopAuthorizer.java (from ranger, Apache License 2.0)
/**
 * Checks every privilege in {@code privileges} for {@code principal} against the Ranger plugin.
 *
 * An empty privilege list is accepted without consulting the plugin. Each remaining
 * privilege becomes one access request; the first one the plugin denies aborts the check.
 *
 * NOTE(review): the check is fail-open in two places -- when {@code sqoopPlugin} is
 * null nothing is evaluated, and a null result from the plugin is treated as allowed.
 * Confirm that is intended; an authorizer normally fails closed.
 *
 * @param principal principal whose access is checked
 * @param privileges privileges the principal must hold
 * @throws SqoopException {@code SecurityError.AUTH_0014} when the plugin denies a privilege
 */
@Override
public void checkPrivileges(MPrincipal principal, List<MPrivilege> privileges) throws SqoopException {
	final boolean trace = LOG.isDebugEnabled();
	if (trace) {
		LOG.debug("==> RangerSqoopAuthorizer.checkPrivileges( principal=" + principal + ", privileges="
				+ privileges + ")");
	}

	if (CollectionUtils.isEmpty(privileges)) {
		if (trace) {
			LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() return because privileges is empty.");
		}
		return;
	}

	// read the plugin field once and use that reference for the whole loop
	RangerSqoopPlugin plugin = sqoopPlugin;
	if (plugin != null) {
		for (MPrivilege privilege : privileges) {
			RangerSqoopAccessRequest request = new RangerSqoopAccessRequest(principal, privilege, clientIPAddress);
			RangerAccessResult result = plugin.isAccessAllowed(request);
			boolean denied = result != null && !result.getIsAllowed();
			if (denied) {
				throw new SqoopException(SecurityError.AUTH_0014, "principal=" + principal
						+ " does not have privileges for : " + privilege);
			}
		}
	}

	if (trace) {
		LOG.debug("<== RangerSqoopAuthorizer.checkPrivileges() success without exception.");
	}
}
 
Example #30
Source File: DefaultAuthorizationAccessController.java (from sqoop-on-spark, Apache License 2.0)
/**
 * Privilege lookup of the default (no-op) access controller.
 *
 * The default controller stores no privileges, so this only logs the request and
 * returns null. Callers must therefore handle a null return.
 *
 * NOTE(review): returning null instead of an empty list forces every caller to
 * null-check; an empty list would be the safer contract -- confirm callers before changing.
 *
 * @param principal principal whose privileges are requested; only logged
 * @param resource optional resource filter; only logged when non-null
 * @return always null
 * @throws SqoopException never thrown by this implementation
 */
@Override
public List<MPrivilege> getPrivilegesByPrincipal(MPrincipal principal, MResource resource) throws SqoopException {
  LOG.debug("Get privileges by role in default authorization access controller: return null");
  LOG.debug("principal: " + principal.toString());
  boolean hasResource = resource != null;
  if (hasResource) {
    LOG.debug("resource: " + resource.toString());
  }
  return null;
}