
SQOOP-2383: SQOOP2: Add do user support in authorization engine

(Richard via Jarek Jarcec Cecho)
Jarek Jarcec Cecho 2015-07-10 09:18:44 -07:00
parent 00ab7d439c
commit aca7d75589
5 changed files with 62 additions and 63 deletions


@ -42,13 +42,13 @@ public class AuthorizationEngine {
/**
* Filter resources, get all valid resources from all resources
*/
public static <T extends MPersistableEntity> List<T> filterResource(final MResource.TYPE type, List<T> resources) throws SqoopException {
public static <T extends MPersistableEntity> List<T> filterResource(final String doUserName, final MResource.TYPE type, List<T> resources) throws SqoopException {
Collection<T> collection = Collections2.filter(resources, new Predicate<T>() {
@Override
public boolean apply(T input) {
try {
String name = String.valueOf(input.getPersistenceId());
checkPrivilege(getPrivilege(type, name, MPrivilege.ACTION.READ));
checkPrivilege(doUserName, getPrivilege(type, name, MPrivilege.ACTION.READ));
// add valid resource
return true;
} catch (Exception e) {
@ -63,86 +63,86 @@ public boolean apply(T input) {
/**
* Connector related function
*/
public static void readConnector(String connectorId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
public static void readConnector(String doUserName, String connectorId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
}
/**
* Link related function
*/
public static void readLink(String linkId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
public static void readLink(String doUserName, String linkId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
}
public static void createLink(String connectorId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
public static void createLink(String doUserName, String connectorId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
}
public static void updateLink(String connectorId, String linkId) throws SqoopException {
public static void updateLink(String doUserName, String connectorId, String linkId) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE);
checkPrivilege(privilege1, privilege2);
checkPrivilege(doUserName, privilege1, privilege2);
}
public static void deleteLink(String linkId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
public static void deleteLink(String doUserName, String linkId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
}
public static void enableDisableLink(String linkId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
public static void enableDisableLink(String doUserName, String linkId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
}
/**
* Job related function
*/
public static void readJob(String jobId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
public static void readJob(String doUserName, String jobId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
}
public static void createJob(String linkId1, String linkId2) throws SqoopException {
public static void createJob(String doUserName, String linkId1, String linkId2) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
checkPrivilege(privilege1, privilege2);
checkPrivilege(doUserName, privilege1, privilege2);
}
public static void updateJob(String linkId1, String linkId2, String jobId) throws SqoopException {
public static void updateJob(String doUserName, String linkId1, String linkId2, String jobId) throws SqoopException {
MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
MPrivilege privilege3 = getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE);
checkPrivilege(privilege1, privilege2, privilege3);
checkPrivilege(doUserName, privilege1, privilege2, privilege3);
}
public static void deleteJob(String jobId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
public static void deleteJob(String doUserName, String jobId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
public static void enableDisableJob(String jobId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
public static void enableDisableJob(String doUserName, String jobId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
public static void startJob(String jobId) throws SqoopException {
public static void startJob(String doUserName, String jobId) throws SqoopException {
;
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
public static void stopJob(String jobId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
public static void stopJob(String doUserName, String jobId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
}
public static void statusJob(String jobId) throws SqoopException {
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
public static void statusJob(String doUserName, String jobId) throws SqoopException {
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
}
/**
* Filter resources, get all valid resources from all resources
*/
public static List<MSubmission> filterSubmission(List<MSubmission> submissions) throws SqoopException {
public static List<MSubmission> filterSubmission(final String doUserName, List<MSubmission> submissions) throws SqoopException {
Collection<MSubmission> collection = Collections2.filter(submissions, new Predicate<MSubmission>() {
@Override
public boolean apply(MSubmission input) {
try {
String jobId = String.valueOf(input.getJobId());
checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
// add valid submission
return true;
} catch (Exception e) {
@ -163,11 +163,10 @@ private static MPrivilege getPrivilege(MResource.TYPE resourceType,
return new MPrivilege(new MResource(resourceId, resourceType), privilegeAction, false);
}
private static void checkPrivilege(MPrivilege... privileges) {
private static void checkPrivilege(String doUserName, MPrivilege... privileges) {
AuthorizationHandler handler = AuthorizationManager.getAuthorizationHandler();
UserGroupInformation user = HttpUserGroupInformation.get();
String user_name = user == null ? StringUtils.EMPTY : user.getShortUserName();
MPrincipal principal = new MPrincipal(user_name, MPrincipal.TYPE.USER);
MPrincipal principal = new MPrincipal(doUserName, MPrincipal.TYPE.USER);
// SQOOP-2256: Hack code, do not check privilege when the user is the creator
// If the user is the owner/creator of this resource, then privilege will
@ -178,12 +177,12 @@ private static void checkPrivilege(MPrivilege... privileges) {
Repository repository = RepositoryManager.getInstance().getRepository();
if (MResource.TYPE.LINK.name().equalsIgnoreCase(privilege.getResource().getType())) {
MLink link = repository.findLink(Long.valueOf(privilege.getResource().getName()));
if (!user_name.equals(link.getCreationUser())) {
if (!doUserName.equals(link.getCreationUser())) {
privilegesNeedCheck.add(privilege);
}
} else if (MResource.TYPE.JOB.name().equalsIgnoreCase(privilege.getResource().getType())) {
MJob job = repository.findJob(Long.valueOf(privilege.getResource().getName()));
if (!user_name.equals(job.getCreationUser())) {
if (!doUserName.equals(job.getCreationUser())) {
privilegesNeedCheck.add(privilege);
}
} else {
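Review bot: `checkPrivilege` no longer tolerates a missing user: the old code mapped a null `UserGroupInformation` to `StringUtils.EMPTY`, while the new `doUserName.equals(link.getCreationUser())` and `doUserName.equals(job.getCreationUser())` throw a NullPointerException when the caller passes null. Whether `ctx.getUserName()` can return null is not visible on this page, so the engine should reject the call up front, e.g. with `if (StringUtils.isEmpty(doUserName))` followed by the normal denial, rather than restore the empty-string fallback, because an empty name that equals a stored creation user would take the creator shortcut and skip the privilege check. In `filterResource` and `filterSubmission` the NPE would land in the predicate's `catch (Exception e)`, whose body is outside the hunk, so the failure there is likely to be silent. These methods are `public static` and now trust a caller-supplied name for the ownership shortcut, so a Javadoc line such as `@param doUserName authenticated (or validated proxy) user the request runs as; never taken from request parameters` would make the contract explicit. The bodies of `checkPrivilege` and both predicates continue outside the visible hunks.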


@ -71,7 +71,7 @@ public JsonBean handleEvent(RequestContext ctx) {
ctx.getRequest().getRemoteAddr(), "get", "connectors", "all");
// Authorization check
connectors = AuthorizationEngine.filterResource(MResource.TYPE.CONNECTOR, connectors);
connectors = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.CONNECTOR, connectors);
return new ConnectorsBean(connectors, configParamBundles);
@ -89,7 +89,7 @@ public JsonBean handleEvent(RequestContext ctx) {
ctx.getRequest().getRemoteAddr(), "get", "connector", String.valueOf(cIdentifier));
// Authorization check
AuthorizationEngine.readConnector(String.valueOf(connector.getPersistenceId()));
AuthorizationEngine.readConnector(ctx.getUserName(), String.valueOf(connector.getPersistenceId()));
return new ConnectorBean(Arrays.asList(connector), configParamBundles);
}
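Review bot: The audit call and the authorization call in both hunks take their identity from the same `ctx.getUserName()`, so if that accessor returns the impersonated (do-as) user, which the parameter name `doUserName` suggests but this page does not show, the audit trail records only the effective user and not the caller that actually authenticated. For impersonation to be traceable the audit event should carry both names; until then a comment above the call such as `// audit: ctx.getUserName() is the effective (doAs) user; the authenticating user is not recorded here` would document the gap. The same pattern is visible in the job, link and submission handler sections further down. `handleEvent` starts and ends outside these hunks.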


@ -141,7 +141,7 @@ private JsonBean deleteJob(RequestContext ctx) {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
AuthorizationEngine.deleteJob(String.valueOf(jobId));
AuthorizationEngine.deleteJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier);
@ -185,10 +185,10 @@ private JsonBean createUpdateJob(RequestContext ctx, boolean create) {
// Authorization check
if (create) {
AuthorizationEngine.createJob(String.valueOf(postedJob.getFromLinkId()),
AuthorizationEngine.createJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
String.valueOf(postedJob.getToLinkId()));
} else {
AuthorizationEngine.updateJob(String.valueOf(postedJob.getFromLinkId()),
AuthorizationEngine.updateJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
String.valueOf(postedJob.getToLinkId()),
String.valueOf(postedJob.getPersistenceId()));
}
@ -284,7 +284,7 @@ private JsonBean getJobs(RequestContext ctx) {
List<MJob> jobList = repository.findJobsForConnector(connectorId);
// Authorization check
jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
jobBean = createJobsBean(jobList, locale);
} else
@ -296,7 +296,7 @@ private JsonBean getJobs(RequestContext ctx) {
List<MJob> jobList = repository.findJobs();
// Authorization check
jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
jobBean = createJobsBean(jobList, locale);
}
@ -309,7 +309,7 @@ private JsonBean getJobs(RequestContext ctx) {
MJob job = repository.findJob(jobId);
// Authorization check
AuthorizationEngine.readJob(String.valueOf(job.getPersistenceId()));
AuthorizationEngine.readJob(ctx.getUserName(), String.valueOf(job.getPersistenceId()));
jobBean = createJobBean(Arrays.asList(job), locale);
}
@ -352,7 +352,7 @@ private JsonBean enableJob(RequestContext ctx, boolean enabled) {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
AuthorizationEngine.enableDisableJob(String.valueOf(jobId));
AuthorizationEngine.enableDisableJob(ctx.getUserName(), String.valueOf(jobId));
repository.enableJob(jobId, enabled);
return JsonBean.EMPTY_BEAN;
@ -364,7 +364,7 @@ private JsonBean startJob(RequestContext ctx) {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
AuthorizationEngine.startJob(String.valueOf(jobId));
AuthorizationEngine.startJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "submit", "job", String.valueOf(jobId));
@ -387,7 +387,7 @@ private JsonBean stopJob(RequestContext ctx) {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
AuthorizationEngine.stopJob(String.valueOf(jobId));
AuthorizationEngine.stopJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "stop", "job", String.valueOf(jobId));
@ -401,7 +401,7 @@ private JsonBean getJobStatus(RequestContext ctx) {
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
// Authorization check
AuthorizationEngine.statusJob(String.valueOf(jobId));
AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jobId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "status", "job", String.valueOf(jobId));
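Review bot: In `deleteJob`, `startJob`, `stopJob` and `getJobStatus` the `AuthorizationEngine` call comes before `logAuditEvent`, so, assuming a denial is reported by an exception (the engine methods declare `throws SqoopException`), a rejected request leaves no audit event. The connector handler logs first and checks afterwards, and `deleteLink` in the link handler has the same check-then-log order as here. Moving the `AuditLoggerManager.getInstance().logAuditEvent(...)` call above the `// Authorization check` line, or logging the denial where the exception is handled, would keep failed attempts visible to whoever reviews the audit log. Each of these methods continues outside its hunk.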


@ -95,7 +95,7 @@ private JsonBean deleteLink(RequestContext ctx) {
long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
// Authorization check
AuthorizationEngine.deleteLink(String.valueOf(linkId));
AuthorizationEngine.deleteLink(ctx.getUserName(), String.valueOf(linkId));
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier);
@ -137,9 +137,9 @@ private JsonBean createUpdateLink(RequestContext ctx, boolean create) {
// Authorization check
if (create) {
AuthorizationEngine.createLink(String.valueOf(postedLink.getConnectorId()));
AuthorizationEngine.createLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()));
} else {
AuthorizationEngine.updateLink(String.valueOf(postedLink.getConnectorId()),
AuthorizationEngine.updateLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()),
String.valueOf(postedLink.getPersistenceId()));
}
@ -207,7 +207,7 @@ private JsonBean getLinks(RequestContext ctx) {
List<MLink> linkList = repository.findLinksForConnector(connectorId);
// Authorization check
linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
linkBean = createLinksBean(linkList, locale);
} else {
@ -224,7 +224,7 @@ private JsonBean getLinks(RequestContext ctx) {
List<MLink> linkList = repository.findLinks();
// Authorization check
linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
linkBean = createLinksBean(linkList, locale);
}
@ -237,7 +237,7 @@ private JsonBean getLinks(RequestContext ctx) {
MLink link = repository.findLink(linkId);
// Authorization check
AuthorizationEngine.readLink(String.valueOf(link.getPersistenceId()));
AuthorizationEngine.readLink(ctx.getUserName(), String.valueOf(link.getPersistenceId()));
linkBean = createLinkBean(Arrays.asList(link), locale);
}
@ -274,7 +274,7 @@ private JsonBean enableLink(RequestContext ctx, boolean enabled) {
long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
// Authorization check
AuthorizationEngine.enableDisableLink(String.valueOf(linkId));
AuthorizationEngine.enableDisableLink(ctx.getUserName(), String.valueOf(linkId));
repository.enableLink(linkId, enabled);
return JsonBean.EMPTY_BEAN;


@ -56,28 +56,28 @@ public JsonBean handleEvent(RequestContext ctx) {
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "get", "submissionsByJob", jobIdentifier);
long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
return getSubmissionsForJob(jobId);
return getSubmissionsForJob(jobId, ctx);
} else {
// all submissions in the system
AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
ctx.getRequest().getRemoteAddr(), "get", "submissions", "all");
return getSubmissions();
return getSubmissions(ctx);
}
}
private JsonBean getSubmissions() {
private JsonBean getSubmissions(RequestContext ctx) {
List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
.findSubmissions();
//Authorization check
submissions = AuthorizationEngine.filterSubmission(submissions);
submissions = AuthorizationEngine.filterSubmission(ctx.getUserName(), submissions);
return new SubmissionsBean(submissions);
}
private JsonBean getSubmissionsForJob(long jid) {
private JsonBean getSubmissionsForJob(long jid, RequestContext ctx) {
//Authorization check
AuthorizationEngine.statusJob(String.valueOf(jid));
AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jid));
List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
.findSubmissionsForJob(jid);