org.apache.sqoop.model.MResource Java Examples

Example #1
Source File: RevokePrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
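/**
 * Revokes a single privilege from a single principal and prints the outcome on the shell.
 *
 * @param action        action to revoke
 * @param resourceType  type name of the resource; matched case-insensitively against CONNECTOR
 * @param resource      name of the resource the privilege applies to
 * @param principalType type name of the principal
 * @param principal     name of the principal losing the privilege
 * @param withGrant     whether the privilege being revoked carries the grant option
 * @return {@code Status.OK} once the server call and the shell message have completed
 * @throws IOException declared by the signature
 */
private Status revokePrivilege(String action, String resourceType, String resource,
                               String principalType, String principal, boolean withGrant)
  throws IOException {
  MResource resourceObject = new MResource(resource, resourceType);
  MPrivilege privilegeObject = new MPrivilege(resourceObject, action, withGrant);
  MPrincipal principalObject = new MPrincipal(principal, principalType);

  client.revokePrivilege(
    Arrays.asList(principalObject),
    Arrays.asList(privilegeObject));

  // Constant-first equalsIgnoreCase: the comparison no longer goes through the default
  // locale's case mapping and cannot throw on a null type after client.revokePrivilege
  // has already returned, which would have skipped the cache clear below.
  if (MResource.TYPE.CONNECTOR.name().equalsIgnoreCase(resourceType)) {
    // Presumably drops client-side connector data cached under the old privileges - confirm.
    client.clearCache();
  }

  printlnResource(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL,
    action, resourceType + " " + resource,
    ((withGrant) ? " " + resourceString(Constants.RES_REVOKE_PRIVILEGE_SUCCESSFUL_WITH_GRANT) : ""),
    principalType + " " + principal);

  return Status.OK;
}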
 
Example #2
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Test
public void testGrantPrivilege() throws Exception {
  // Scenario: user1 is a member of group1. The admin binds role1 to group1 and then
  // grants role1 the read privilege on all connectors.
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE1);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);

  adminClient.createRole(role);
  adminClient.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  adminClient.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // Read the grant back through a client opened for user1, not through the admin client.
  final SqoopClient userClient = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(userClient.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
}
 
Example #3
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Lists the privileges held by a role and converts them to Sqoop privileges.
 *
 * The lookup is issued under {@code subject.getName()}. With no resource it is scoped to the
 * configured Sqoop server name; with a SERVER resource it is scoped to that resource's name;
 * with any other resource it is scoped to the configured server plus the resource itself.
 *
 * @param subject  subject whose name is passed to Sentry with the request
 * @param role     role name to list privileges for
 * @param resource resource to narrow the listing to, or {@code null}
 * @return the matching privileges as {@code MPrivilege} objects, in a new list
 * @throws SqoopException declared by the signature
 */
public List<MPrivilege> listPrivilegeByRole(final Subject subject, final String role, final MResource resource) throws SqoopException {
  final Command<Set<TSentryPrivilege>> lookup = new Command<Set<TSentryPrivilege>>() {
    @Override
    public Set<TSentryPrivilege> run(SentryGenericServiceClient client)
        throws Exception {
      if (resource == null) {
        return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, sqoopServer.getName());
      }
      final boolean serverScoped = resource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name());
      if (serverScoped) {
        return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, resource.getName());
      }
      return client.listPrivilegesByRoleName(subject.getName(), role, COMPONENT_TYPE, sqoopServer.getName(), toAuthorizable(resource));
    }
  };
  final Set<TSentryPrivilege> sentryPrivileges = execute(lookup);

  final List<MPrivilege> converted = Lists.newArrayList();
  for (TSentryPrivilege sentryPrivilege : sentryPrivileges) {
    converted.add(toSqoopPrivilege(sentryPrivilege));
  }
  return converted;
}
 
Example #4
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Converts a Sqoop resource into the authorizable list used in a Sentry privilege.
 *
 * A SERVER resource yields an empty list, but only when its name matches the configured
 * Sqoop server name (ignoring case); any other server name is rejected. Every other
 * resource type yields a single authorizable carrying the resource's type and name.
 *
 * @param resource resource to convert
 * @return a new list holding zero or one authorizable
 * @throws IllegalArgumentException if a SERVER resource names a different server
 */
private List<TAuthorizable> toTSentryAuthorizable(MResource resource) {
  final List<TAuthorizable> converted = Lists.newArrayList();
  final boolean serverResource = resource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name());
  if (!serverResource) {
    converted.add(new TAuthorizable(resource.getType(), resource.getName()));
    return converted;
  }
  // Privileges on the server object are only accepted for the server named by
  // org.apache.sqoop.security.authorization.server_name in the Sqoop properties.
  if (resource.getName().equalsIgnoreCase(sqoopServer.getName())) {
    return converted;
  }
  throw new IllegalArgumentException( resource.getName() + " must be equal to " + sqoopServer.getName() + "\n" +
      " Currently Sqoop supports grant/revoke privileges on server object, but the server name must be equal to the configuration " +
      "of org.apache.sqoop.security.authorization.server_name in the Sqoop.properties");
}
 
Example #5
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a Sqoop resource as a one-element list of {@code Authorizable}.
 *
 * @param resource resource to wrap, or {@code null}
 * @return a new list: empty for a null resource, otherwise one authorizable whose type name
 *         and name are read from the resource each time they are asked for
 */
private List<Authorizable> toAuthorizable(final MResource resource) {
  final List<Authorizable> wrapped = Lists.newArrayList();
  if (resource != null) {
    final Authorizable view = new Authorizable() {
      @Override
      public String getTypeName() {
        return resource.getType();
      }

      @Override
      public String getName() {
        return resource.getName();
      }
    };
    wrapped.add(view);
  }
  return wrapped;
}
 
Example #6
Source File: ShowPrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
/**
 * Fetches the privileges of a principal from the server and prints them as a four-column
 * table: action, resource name, resource type and grant option.
 *
 * @param principal principal whose privileges are listed
 * @param resource  resource handed to the lookup; the caller passes {@code null} when no
 *                  resource option was given
 */
private void showPrivileges(MPrincipal principal, MResource resource) {
  final List<MPrivilege> granted = client.getPrivilegesByPrincipal(principal, resource);

  // Column titles, in the same order as the column lists passed to the displayer.
  final List<String> titles = new LinkedList<String>();
  titles.add(resourceString(Constants.RES_TABLE_HEADER_PRIVILEGE_ACTION));
  titles.add(resourceString(Constants.RES_TABLE_HEADER_RESOURCE_NAME));
  titles.add(resourceString(Constants.RES_TABLE_HEADER_RESOURCE_TYPE));
  titles.add(resourceString(Constants.RES_TABLE_HEADER_PRIVILEGE_WITH_GRANT));

  final List<String> actionColumn = new LinkedList<String>();
  final List<String> nameColumn = new LinkedList<String>();
  final List<String> typeColumn = new LinkedList<String>();
  final List<String> grantColumn = new LinkedList<String>();

  // One row per privilege, spread across the four column lists.
  for (MPrivilege entry : granted) {
    actionColumn.add(entry.getAction());
    nameColumn.add(entry.getResource().getName());
    typeColumn.add(entry.getResource().getType());
    grantColumn.add(Boolean.toString(entry.isWith_grant_option()));
  }

  TableDisplayer.display(titles, actionColumn, nameColumn, typeColumn, grantColumn);
}
 
Example #7
Source File: ShowPrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
/**
 * Parses the show-privilege options and prints the privileges of the named principal.
 *
 * The resource and resource-type options must be given together or not at all.
 *
 * @param line          parsed command line
 * @param isInteractive not read by this method
 * @return {@code Status.OK}
 * @throws SqoopException with {@code ShellError.SHELL_0003} when only one of the two
 *         resource options is present
 */
@Override
public Object executeFunction(CommandLine line, boolean isInteractive) {
  final boolean resourceGiven = line.hasOption(Constants.OPT_RESOURCE);
  final boolean resourceTypeGiven = line.hasOption(Constants.OPT_RESOURCE_TYPE);
  if (resourceGiven != resourceTypeGiven) {
    throw new SqoopException(ShellError.SHELL_0003,
        ShellEnvironment.getResourceBundle().getString(Constants.RES_SHOW_PRIVILEGE_BAD_ARGUMENTS_RESOURCE_TYPE));
  }

  final String principalName = line.getOptionValue(Constants.OPT_PRINCIPAL);
  final String principalType = line.getOptionValue(Constants.OPT_PRINCIPAL_TYPE);
  final MPrincipal principal = new MPrincipal(principalName, principalType);

  // No resource option means the listing is not narrowed to a resource.
  MResource resource = null;
  if (line.hasOption(Constants.OPT_RESOURCE)) {
    resource = new MResource(line.getOptionValue(Constants.OPT_RESOURCE), line.getOptionValue(Constants.OPT_RESOURCE_TYPE));
  }

  showPrivileges(principal, resource);

  return Status.OK;
}
 
Example #8
Source File: GrantPrivilegeFunction.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
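/**
 * Grants a single privilege to a single principal and prints the outcome on the shell.
 *
 * @param action        action to grant
 * @param resourceType  type name of the resource; matched case-insensitively against CONNECTOR
 * @param resource      name of the resource the privilege applies to
 * @param principalType type name of the principal
 * @param principal     name of the principal receiving the privilege
 * @param withGrant     whether the privilege carries the grant option
 * @return {@code Status.OK} once the server call and the shell message have completed
 * @throws IOException declared by the signature
 */
private Status grantPrivilege(String action, String resourceType, String resource,
                              String principalType, String principal, boolean withGrant)
  throws IOException {
  MResource resourceObject = new MResource(resource, resourceType);
  MPrivilege privilegeObject = new MPrivilege(resourceObject, action, withGrant);
  MPrincipal principalObject = new MPrincipal(principal, principalType);

  client.grantPrivilege(
    Arrays.asList(principalObject),
    Arrays.asList(privilegeObject));

  // Constant-first equalsIgnoreCase: the comparison no longer goes through the default
  // locale's case mapping and cannot throw on a null type after client.grantPrivilege
  // has already returned, which would have skipped the cache clear below.
  if (MResource.TYPE.CONNECTOR.name().equalsIgnoreCase(resourceType)) {
    // Presumably drops client-side connector data cached under the old privileges - confirm.
    client.clearCache();
  }

  printlnResource(Constants.RES_GRANT_PRIVILEGE_SUCCESSFUL,
    action, resourceType + " " + resource,
    ((withGrant) ? " " + resourceString(Constants.RES_GRANT_PRIVILEGE_SUCCESSFUL_WITH_GRANT) : ""),
    principalType + " " + principal);

  return Status.OK;
}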
 
Example #9
Source File: JobRequestHandler.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
/**
 * Delete job from repository.
 *
 * Resolves the job from the last URL element, runs the authorization check on the
 * resolved id, writes an audit event, deletes the job and finally asks the
 * authorization handler to remove the matching JOB resource.
 *
 * @param ctx
 *          Context object
 * @return Empty bean
 */
private JsonBean deleteJob(RequestContext ctx) {

  Repository repository = RepositoryManager.getInstance().getRepository();

  // The identifier comes from the request URL, so it is caller-supplied.
  String jobIdentifier = ctx.getLastURLElement();
  long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier, repository);

  // Authorization check
  // Runs on the resolved numeric id and before any repository change. Presumably it
  // throws when the caller may not delete this job - confirm in AuthorizationEngine.
  AuthorizationEngine.deleteJob(String.valueOf(jobId));

  // NOTE(review): the audit event is written before repository.deleteJob, so it records the
  // attempt rather than a completed deletion, and it carries the raw URL identifier, not jobId.
  AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
      ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier);
  repository.deleteJob(jobId);
  // Remove the JOB resource from the authorization handler too - presumably so that grants
  // recorded for this id do not outlive the job; confirm against the handler implementation.
  MResource resource = new MResource(String.valueOf(jobId), MResource.TYPE.JOB);
  AuthorizationManager.getAuthorizationHandler().removeResource(resource);
  return JsonBean.EMPTY_BEAN;
}
 
Example #10
Source File: LinkRequestHandler.java    From sqoop-on-spark with Apache License 2.0 6 votes vote down vote up
/**
 * Delete link in the repository.
 *
 * Resolves the link from the last URL element, runs the authorization check on the
 * resolved id, writes an audit event, deletes the link and finally asks the
 * authorization handler to remove the matching LINK resource.
 *
 * @param ctx Context object
 * @return Empty bean
 */
private JsonBean deleteLink(RequestContext ctx) {
  Repository repository = RepositoryManager.getInstance().getRepository();
  // The identifier comes from the request URL, so it is caller-supplied.
  String linkIdentifier = ctx.getLastURLElement();
  // support linkName or linkId for the api
  long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier, repository);

  // Authorization check
  // Runs on the resolved numeric id and before any repository change. Presumably it
  // throws when the caller may not delete this link - confirm in AuthorizationEngine.
  AuthorizationEngine.deleteLink(String.valueOf(linkId));

  // NOTE(review): the audit event is written before repository.deleteLink, so it records the
  // attempt rather than a completed deletion, and it carries the raw URL identifier, not linkId.
  AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
      ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier);

  repository.deleteLink(linkId);
  // Remove the LINK resource from the authorization handler too - presumably so that grants
  // recorded for this id do not outlive the link; confirm against the handler implementation.
  MResource resource = new MResource(String.valueOf(linkId), MResource.TYPE.LINK);
  AuthorizationManager.getAuthorizationHandler().removeResource(resource);
  return JsonBean.EMPTY_BEAN;
}
 
Example #11
Source File: TestConnectorEndToEnd.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
@Test
public void testShowAllConnector() throws Exception {
  // Baseline: before any grant, USER3 sees no connector at all.
  final SqoopClient beforeGrant = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(beforeGrant.getConnectors().size() == 0);

  // ADMIN_USER grants the read action on all connectors to ROLE3 and binds ROLE3 to GROUP3.
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE3);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector,SqoopActionConstant.READ, false);
  adminClient.createRole(role);
  adminClient.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  adminClient.grantPrivilege(
      Lists.newArrayList(new MPrincipal(role.getName(), MPrincipal.TYPE.ROLE)),
      Lists.newArrayList(readOnConnectors));

  // With the read privilege in place, USER3 now gets a non-empty connector list.
  final SqoopClient afterGrant = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(afterGrant.getConnectors().size() > 0);
}
 
Example #12
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokePrivilege() throws Exception {
  // Scenario: user1 is a member of group1. The admin binds role1 to group1 and then
  // grants role1 the read privilege on all connectors.
  SqoopClient session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE1);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);
  session.createRole(role);
  session.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // As user1: the grant is visible on role1.
  session = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);

  // As admin: take the read privilege away from role1 again.
  session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  session.revokePrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // As user1: the listing for role1 must now be empty, i.e. the revoke took effect.
  session = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 0);
}
 
Example #13
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Drops the ALL-action privilege on a resource through the Sentry client.
 *
 * The request is issued under {@code bindingSubject}'s name rather than a per-call subject,
 * and is scoped to the configured Sqoop server name.
 *
 * @param resource resource whose privilege is dropped; converted with
 *                 {@code toTSentryAuthorizable}
 * @throws SqoopException declared by the signature
 */
public void dropPrivilege(final MResource resource) throws SqoopException {
  final Command<Void> drop = new Command<Void>() {
    @Override
    public Void run(SentryGenericServiceClient client) throws Exception {
      final TSentryPrivilege target = new TSentryPrivilege();
      target.setComponent(COMPONENT_TYPE);
      target.setServiceName(sqoopServer.getName());
      target.setAuthorizables(toTSentryAuthorizable(resource));
      // Action ALL: the drop is not limited to a single action on the resource.
      target.setAction(SqoopActionConstant.ALL);
      client.dropPrivilege(bindingSubject.getName(), COMPONENT_TYPE, target);
      return null;
    }
  };
  execute(drop);
}
 
Example #14
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokeAllPrivilege() throws Exception {
  // Scenario: user2 is a member of group2. The admin binds role2 to group2 and then
  // grants role2 both the read and the write privilege on all connectors.
  SqoopClient session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE2);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege writeOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.WRITE, false);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);
  session.createRole(role);
  session.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(writeOnConnectors, readOnConnectors));

  // As user2: both grants are listed for role2.
  session = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 2);

  // As admin: revoke with the ALL_NAME action instead of revoking read and write one by one.
  final MPrivilege everyAction = new MPrivilege(everyConnector, SqoopActionConstant.ALL_NAME, false);
  session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  session.revokePrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(everyAction));

  // As user2: nothing is left on role2.
  session = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 0);
}
 
Example #15
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
  // Scenario: user3 is a member of group3. The admin binds role3 to group3 and then
  // grants role3 the all privilege on all connectors.
  SqoopClient session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE3);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege everyAction = new MPrivilege(everyConnector, SqoopActionConstant.ALL_NAME, false);
  session.createRole(role);
  session.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(everyAction));

  // As user3: exactly one privilege on role3, and its action is the all action.
  session = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
  MPrivilege listed = session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).get(0);
  assertEquals(listed.getAction(), SqoopActionConstant.ALL_NAME);

  // As admin: revoke only the read privilege on all connectors from role3.
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);
  session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  session.revokePrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // As user3: one privilege remains on role3 and it is the write privilege, so revoking
  // read out of the all privilege left write behind rather than dropping everything.
  session = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
  listed = session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).get(0);
  assertEquals(listed.getAction().toLowerCase(), SqoopActionConstant.WRITE);
}
 
Example #16
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testRevokeNotExistPrivilege() throws Exception {
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole emptyRole = new MRole("noexist_privilege_role1");
  final MPrincipal rolePrincipal = new MPrincipal(emptyRole.getName(), MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);

  // A freshly created role carries no privilege.
  adminClient.createRole(emptyRole);
  assertTrue(adminClient.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 0);

  // Revoking a privilege that was never granted must neither fail nor add anything.
  adminClient.revokePrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));
  assertTrue(adminClient.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 0);
}
 
Example #17
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportRevokePrivilegeFromGroup() throws Exception {
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MPrincipal groupPrincipal = new MPrincipal("not_support_revoke_group_1", MPrincipal.TYPE.GROUP);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector,SqoopActionConstant.READ, false);
  try {
    // Revoking directly from a GROUP principal is expected to be rejected.
    adminClient.revokePrivilege(Lists.newArrayList(groupPrincipal), Lists.newArrayList(readOnConnectors));
    fail("expected not support exception happend");
  } catch (Exception rejected) {
    assertCausedMessage(rejected, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #18
Source File: TestShowPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportShowOnUser() throws Exception {
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MPrincipal userPrincipal = new MPrincipal("not_support_user1", MPrincipal.TYPE.USER);
  final MResource everyConnector = new MResource("all", MResource.TYPE.CONNECTOR);
  try {
    // Listing privileges for a USER principal is expected to be rejected.
    adminClient.getPrivilegesByPrincipal(userPrincipal, everyConnector);
    fail("expected not support exception happend");
  } catch (Exception rejected) {
    assertCausedMessage(rejected, SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL);
  }
}
 
Example #19
Source File: TestShowPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportShowOnGroup() throws Exception {
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MPrincipal groupPrincipal = new MPrincipal("not_support_group1", MPrincipal.TYPE.GROUP);
  final MResource everyConnector = new MResource("all", MResource.TYPE.CONNECTOR);
  try {
    // Listing privileges for a GROUP principal is expected to be rejected.
    adminClient.getPrivilegesByPrincipal(groupPrincipal, everyConnector);
    fail("expected not support exception happend");
  } catch (Exception rejected) {
    assertCausedMessage(rejected, SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL);
  }
}
 
Example #20
Source File: TestRevokePrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
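@Test
public void testNotSupportRevokePrivilegeFromUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  // The principal has to be of type USER for this test to cover what its name says. It was
  // built with TYPE.GROUP, which only repeated testNotSupportRevokePrivilegeFromGroup and
  // left the USER rejection path unexercised.
  // NOTE(review): assumes a USER principal is rejected with the same error constant - confirm.
  MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.USER);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}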
 
Example #21
Source File: TestShowPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testShowPrivileges() throws Exception {
  // Scenario: user1 is a member of group1. The admin binds role1 to group1 and then
  // grants role1 the read privilege on all connectors.
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE1);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);
  adminClient.createRole(role);
  adminClient.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  adminClient.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // user1 holds role1 through group1 and may list its privileges.
  final SqoopClient memberClient = sqoopServerRunner.getSqoopClient(USER1);
  assertTrue(memberClient.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);

  // user2 does not belong to role1, so the same listing must be denied.
  final SqoopClient outsiderClient = sqoopServerRunner.getSqoopClient(USER2);
  try {
    outsiderClient.getPrivilegesByPrincipal(rolePrincipal, everyConnector);
    fail("expected SentryAccessDeniedException happend");
  } catch (Exception denied) {
    assertCausedMessage(denied, "SentryAccessDeniedException");
  }
}
 
Example #22
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
  // Scenario: user3 is a member of group3. The admin binds role3 to group3 and then
  // grants role3 the all privilege on all connectors.
  SqoopClient session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE3);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege everyAction = new MPrivilege(everyConnector, SqoopActionConstant.ALL_NAME, false);
  session.createRole(role);
  session.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(everyAction));

  // As user3: exactly one privilege on role3, and its action is the all action.
  session = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
  MPrivilege listed = session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).get(0);
  assertEquals(listed.getAction(), SqoopActionConstant.ALL_NAME);

  // As admin: grant read on all connectors to role3 as well. role3 already holds the all
  // privilege, so this grant is expected to change nothing.
  session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.READ, false);
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(readOnConnectors));

  // As user3: still a single privilege on role3, still the all action.
  session = sqoopServerRunner.getSqoopClient(USER3);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
  listed = session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).get(0);
  assertEquals(listed.getAction(), SqoopActionConstant.ALL_NAME);
}
 
Example #23
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testGrantPrivilegeTwice() throws Exception {
  // Scenario: user2 is a member of group2. The admin binds role2 to group2 and then
  // grants role2 the write privilege on all connectors.
  SqoopClient session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MRole role = new MRole(ROLE2);
  final MPrincipal groupPrincipal = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
  final MPrincipal rolePrincipal = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege writeOnConnectors = new MPrivilege(everyConnector, SqoopActionConstant.WRITE, false);
  session.createRole(role);
  session.grantRole(Lists.newArrayList(role), Lists.newArrayList(groupPrincipal));
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(writeOnConnectors));

  // As user2: one privilege is listed for role2.
  session = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);

  // As admin: repeat the identical grant.
  session = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  session.grantPrivilege(Lists.newArrayList(rolePrincipal), Lists.newArrayList(writeOnConnectors));

  // As user2: the repeated grant must not show up as a second entry.
  session = sqoopServerRunner.getSqoopClient(USER2);
  assertTrue(session.getPrivilegesByPrincipal(rolePrincipal, everyConnector).size() == 1);
}
 
Example #24
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Test
public void testNotSupportGrantPrivilegeToGroup() throws Exception {
  final SqoopClient adminClient = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  final MPrincipal groupPrincipal = new MPrincipal("not_support_grant_group_1", MPrincipal.TYPE.GROUP);
  final MResource everyConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  final MPrivilege readOnConnectors = new MPrivilege(everyConnector,SqoopActionConstant.READ, false);
  try {
    // Granting directly to a GROUP principal is expected to be rejected.
    adminClient.grantPrivilege(Lists.newArrayList(groupPrincipal), Lists.newArrayList(readOnConnectors));
    fail("expected not support exception happend");
  } catch (Exception rejected) {
    assertCausedMessage(rejected, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}
 
Example #25
Source File: TestGrantPrivilege.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
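@Test
public void testNotSupportGrantPrivilegeToUser() throws Exception {
  SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
  // The principal has to be of type USER for this test to cover what its name says. It was
  // built with TYPE.GROUP, which only repeated testNotSupportGrantPrivilegeToGroup and
  // left the USER rejection path unexercised.
  // NOTE(review): assumes a USER principal is rejected with the same error constant - confirm.
  MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.USER);
  MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
  MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
  try {
    client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
    fail("expected not support exception happend");
  } catch (Exception e) {
    assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
  }
}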
 
Example #26
Source File: RangerSqoopAuthorizer.java    From ranger with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the Ranger resource for a Sqoop resource by storing the resource name under the
 * key that matches its type (CONNECTOR, LINK or JOB).
 *
 * The type is compared with a case-sensitive {@code equals}; a resource of any other type
 * sets no value at all.
 *
 * @param resource Sqoop resource to translate
 */
public RangerSqoopResource(MResource resource) {
	final String resourceType = resource.getType();
	// The three checks stay independent of each other, exactly one can match a given type.
	if (MResource.TYPE.CONNECTOR.name().equals(resourceType)) {
		setValue(SqoopResourceMgr.CONNECTOR, resource.getName());
	}
	if (MResource.TYPE.LINK.name().equals(resourceType)) {
		setValue(SqoopResourceMgr.LINK, resource.getName());
	}
	if (MResource.TYPE.JOB.name().equals(resourceType)) {
		setValue(SqoopResourceMgr.JOB, resource.getName());
	}
}
 
Example #27
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Moves the privileges recorded for one resource over to another resource through the
 * Sentry client, scoped to the configured Sqoop server name.
 *
 * @param subject     subject whose name is passed to Sentry with the request
 * @param srcResource resource the privileges are currently recorded for
 * @param dstResource resource the privileges are renamed to
 * @throws SqoopException declared by the signature
 */
public void renamePrivilege(final Subject subject, final MResource srcResource, final MResource dstResource) throws SqoopException {
  final Command<Void> rename = new Command<Void>() {
    @Override
    public Void run(SentryGenericServiceClient client) throws Exception {
      client.renamePrivilege(
          subject.getName(),
          COMPONENT_TYPE,
          sqoopServer.getName(),
          toAuthorizable(srcResource),
          toAuthorizable(dstResource));
      return null;
    }
  };
  execute(rename);
}
 
Example #28
Source File: SqoopAuthBinding.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Converts the authorizable list of a Sentry privilege back into a Sqoop resource.
 *
 * @param authorizables authorizables of the privilege; may be {@code null} or empty
 * @return a SERVER resource named after the configured Sqoop server when the list is null
 *         or empty, otherwise a resource built from the first authorizable only
 */
private MResource toSqoopResource(List<TAuthorizable> authorizables) {
  final boolean hasAuthorizable = authorizables != null && !authorizables.isEmpty();
  if (hasAuthorizable) {
    // Sqoop resources form a one-level hierarchy, so only the first entry is read.
    final TAuthorizable first = authorizables.get(0);
    return new MResource(first.getName(), first.getType());
  }
  // No authorizable at all stands for the server resource.
  return new MResource(sqoopServer.getName(), MResource.TYPE.SERVER);
}
 
Example #29
Source File: SentryAccessController.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Lists the privileges of a principal on a resource; only ROLE principals are accepted.
 *
 * @param principal principal to list privileges for
 * @param resource  resource passed through to the role listing
 * @return the privileges returned by {@code binding.listPrivilegeByRole}
 * @throws SqoopException with {@code SecurityError.AUTH_0014} when the principal is not a role
 */
@Override
public List<MPrivilege> getPrivilegesByPrincipal(MPrincipal principal,
    MResource resource) throws SqoopException {
  final PrincipalDesc requested = PrincipalDesc.fromStr(principal.getName(), principal.getType());
  final boolean isRole = requested.getType() == PrincipalType.ROLE;
  if (isRole) {
    return binding.listPrivilegeByRole(getSubject(), requested.getName(), resource);
  }
  // Sentry can only list privileges by role, so every other principal type is refused.
  throw new SqoopException(SecurityError.AUTH_0014,
      SentrySqoopError.SHOW_PRIVILEGE_NOT_SUPPORTED_FOR_PRINCIPAL
          + requested.getType().name());
}
 
Example #30
Source File: PrivilegeBean.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
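/**
 * Rebuilds an {@code MPrivilege} from its JSON object form.
 *
 * @param obj JSON object holding the resource name, resource type, action and grant option;
 *            must be a {@code JSONObject}
 * @return the restored privilege; the grant option is {@code false} when the field is absent
 */
private MPrivilege restorePrivilege(Object obj) {
  JSONObject object = (JSONObject) obj;
  MResource resource = new MResource(
          (String) object.get(RESOURCE_NAME), (String) object.get(RESOURCE_TYPE));
  // A missing grant-option field used to end in a NullPointerException on toString().
  // Treat it as "no grant option", the least-privileged reading of an incomplete object.
  Object withGrantValue = object.get(WITH_GRANT_OPTION);
  boolean withGrantOption = withGrantValue != null
          && Boolean.parseBoolean(withGrantValue.toString());
  return new MPrivilege(resource, (String) object.get(ACTION), withGrantOption);
}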