diff --git a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
index 10f02c0d..57e0da59 100644
--- a/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
+++ b/security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java
@@ -42,13 +42,13 @@ public class AuthorizationEngine {
 /**
 * Filter resources, get all valid resources from all resources
 */
- public static List filterResource(final MResource.TYPE type, List resources) throws SqoopException {
+ public static List filterResource(final String doUserName, final MResource.TYPE type, List resources) throws SqoopException {
 Collection collection = Collections2.filter(resources, new Predicate() {
 @Override
 public boolean apply(T input) {
 try {
 String name = String.valueOf(input.getPersistenceId());
- checkPrivilege(getPrivilege(type, name, MPrivilege.ACTION.READ));
+ checkPrivilege(doUserName, getPrivilege(type, name, MPrivilege.ACTION.READ));
 // add valid resource
 return true;
 } catch (Exception e) {
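Review bot: The Javadoc above `filterResource` is left as "Filter resources, get all valid resources from all resources" even though the method now receives the identity it authorizes, so nothing states whose name `doUserName` has to be. I would add `@param doUserName name of the user the READ privilege is checked for; must not be null` and a sentence saying that resources failing the check are dropped from the returned list. The predicate's `catch (Exception e)` block continues past the end of this hunk, so whether a failure caused by a bad `doUserName` is logged or only filtered out cannot be seen here.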
@@ -63,86 +63,86 @@ public boolean apply(T input) {
 /**
 * Connector related function
 */
- public static void readConnector(String connectorId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+ public static void readConnector(String doUserName, String connectorId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
 }
 /**
 * Link related function
 */
- public static void readLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
+ public static void readLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
 }
- public static void createLink(String connectorId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+ public static void createLink(String doUserName, String connectorId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
 }
- public static void updateLink(String connectorId, String linkId) throws SqoopException {
+ public static void updateLink(String doUserName, String connectorId, String linkId) throws SqoopException {
 MPrivilege privilege1 = getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ);
 MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE);
- checkPrivilege(privilege1, privilege2);
+ checkPrivilege(doUserName, privilege1, privilege2);
 }
- public static void deleteLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+ public static void deleteLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
 }
- public static void enableDisableLink(String linkId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+ public static void enableDisableLink(String doUserName, String linkId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
 }
 /**
 * Job related function
 */
- public static void readJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ public static void readJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
 }
- public static void createJob(String linkId1, String linkId2) throws SqoopException {
+ public static void createJob(String doUserName, String linkId1, String linkId2) throws SqoopException {
 MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
 MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
- checkPrivilege(privilege1, privilege2);
+ checkPrivilege(doUserName, privilege1, privilege2);
 }
- public static void updateJob(String linkId1, String linkId2, String jobId) throws SqoopException {
+ public static void updateJob(String doUserName, String linkId1, String linkId2, String jobId) throws SqoopException {
 MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
 MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
 MPrivilege privilege3 = getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE);
- checkPrivilege(privilege1, privilege2, privilege3);
+ checkPrivilege(doUserName, privilege1, privilege2, privilege3);
 }
- public static void deleteJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void deleteJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
 }
- public static void enableDisableJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void enableDisableJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
 }
- public static void startJob(String jobId) throws SqoopException {
+ public static void startJob(String doUserName, String jobId) throws SqoopException {
 ;
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
 }
- public static void stopJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+ public static void stopJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
 }
- public static void statusJob(String jobId) throws SqoopException {
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ public static void statusJob(String doUserName, String jobId) throws SqoopException {
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
 }
 /**
 * Filter resources, get all valid resources from all resources
 */
- public static List filterSubmission(List submissions) throws SqoopException {
+ public static List filterSubmission(final String doUserName, List submissions) throws SqoopException {
 Collection collection = Collections2.filter(submissions, new Predicate() {
 @Override
 public boolean apply(MSubmission input) {
 try {
 String jobId = String.valueOf(input.getJobId());
- checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+ checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
 // add valid submission
 return true;
 } catch (Exception e) {
@@ -163,11 +163,10 @@ private static MPrivilege getPrivilege(MResource.TYPE resourceType,
 return new MPrivilege(new MResource(resourceId, resourceType), privilegeAction, false);
 }
- private static void checkPrivilege(MPrivilege... privileges) {
+ private static void checkPrivilege(String doUserName, MPrivilege... privileges) {
 AuthorizationHandler handler = AuthorizationManager.getAuthorizationHandler();
- UserGroupInformation user = HttpUserGroupInformation.get();
- String user_name = user == null ? StringUtils.EMPTY : user.getShortUserName();
- MPrincipal principal = new MPrincipal(user_name, MPrincipal.TYPE.USER);
+
+ MPrincipal principal = new MPrincipal(doUserName, MPrincipal.TYPE.USER);
 // SQOOP-2256: Hack code, do not check privilege when the user is the creator
 // If the user is the owner/creator of this resource, then privilege will
@@ -178,12 +177,12 @@ private static void checkPrivilege(MPrivilege... privileges) {
 Repository repository = RepositoryManager.getInstance().getRepository();
 if (MResource.TYPE.LINK.name().equalsIgnoreCase(privilege.getResource().getType())) {
 MLink link = repository.findLink(Long.valueOf(privilege.getResource().getName()));
- if (!user_name.equals(link.getCreationUser())) {
+ if (!doUserName.equals(link.getCreationUser())) {
 privilegesNeedCheck.add(privilege);
 }
 } else if (MResource.TYPE.JOB.name().equalsIgnoreCase(privilege.getResource().getType())) {
 MJob job = repository.findJob(Long.valueOf(privilege.getResource().getName()));
- if (!doUserName.equals(job.getCreationUser())) {
+ if (!doUserName.equals(job.getCreationUser())) {
 privilegesNeedCheck.add(privilege);
 }
 } else {
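Review bot: Every public wrapper in the `@@ -63,86 +63,86 @@` hunk now takes the acting user as a leading `String` next to resource ids that are also `String`s, so a call with the arguments in the wrong order (for example in `updateJob(String doUserName, String linkId1, String linkId2, String jobId)`) still compiles and silently checks the wrong principal. Accepting an `MPrincipal`, which `checkPrivilege` builds anyway, would let the compiler catch that; failing that, each Javadoc block should at least carry `@param doUserName user on whose behalf the privilege is checked`. The stray `;` at the top of `startJob` is kept as context and could be removed while these lines are being touched.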
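Review bot: The null guard in the removed lines (`user == null ? StringUtils.EMPTY : user.getShortUserName()`) has no replacement in the `@@ -163,11 +163,10 @@` hunk, so a null `doUserName` now reaches `new MPrincipal(doUserName, MPrincipal.TYPE.USER)` and, in the following hunk, `doUserName.equals(...)`, where it would raise a NullPointerException instead of a clean denial. Whether `ctx.getUserName()` can return null is not visible here; if it can, make the outcome explicit, either by keeping the old fallback with `String userName = doUserName == null ? StringUtils.EMPTY : doUserName;` or by rejecting the call before any repository lookup. The diff contains no import hunk, so the imports for `UserGroupInformation` and `HttpUserGroupInformation` (and possibly `StringUtils`) may now be unused. `checkPrivilege` continues beyond this hunk.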
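Review bot: The SQOOP-2256 owner shortcut at `!doUserName.equals(link.getCreationUser())` and the matching job branch in the `@@ -178,12 +177,12 @@` hunk now skips the authorization handler for whatever name the caller passes in, so its safety depends on every call site supplying a verified identity. The parameter name suggests a doAs/proxy user; if that is the case, it is worth confirming that proxy-user authorization has completed before `ctx.getUserName()` is populated, and recording the precondition next to the hack comment, e.g. `// doUserName must be the authenticated (or proxy-authorized) user; creators bypass the handler`. The results of `findLink` and `findJob` are also dereferenced on these lines without a null check. The enclosing loop starts and ends outside this hunk.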
diff --git a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
index 5128a27b..7c428b8d 100644
--- a/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java
@@ -71,7 +71,7 @@ public JsonBean handleEvent(RequestContext ctx) {
 ctx.getRequest().getRemoteAddr(), "get", "connectors", "all");
 // Authorization check
- connectors = AuthorizationEngine.filterResource(MResource.TYPE.CONNECTOR, connectors);
+ connectors = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.CONNECTOR, connectors);
 return new ConnectorsBean(connectors, configParamBundles);
@@ -89,7 +89,7 @@ public JsonBean handleEvent(RequestContext ctx) {
 ctx.getRequest().getRemoteAddr(), "get", "connector", String.valueOf(cIdentifier));
 // Authorization check
- AuthorizationEngine.readConnector(String.valueOf(connector.getPersistenceId()));
+ AuthorizationEngine.readConnector(ctx.getUserName(), String.valueOf(connector.getPersistenceId()));
 return new ConnectorBean(Arrays.asList(connector), configParamBundles);
 }
diff --git a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
index d1621d8d..5e314d00 100644
--- a/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java
@@ -141,7 +141,7 @@ private JsonBean deleteJob(RequestContext ctx) {
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 // Authorization check
- AuthorizationEngine.deleteJob(String.valueOf(jobId));
+ AuthorizationEngine.deleteJob(ctx.getUserName(), String.valueOf(jobId));
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier);
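Review bot: In the `deleteJob` hunk of `JobRequestHandler` the authorization call runs before `logAuditEvent`, so a refused delete leaves no audit record, assuming `AuthorizationEngine.deleteJob` throws on denial as its `throws SqoopException` signature suggests. The `ConnectorRequestHandler` hunks in this same diff log first and authorize afterwards; using that order here would keep denied attempts visible in the audit trail. The same authorize-then-log order appears in the `startJob`, `stopJob` and `getJobStatus` hunks and in `LinkRequestHandler.deleteLink`. The method body extends beyond this hunk.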
@@ -185,10 +185,10 @@ private JsonBean createUpdateJob(RequestContext ctx, boolean create) {
 // Authorization check
 if (create) {
- AuthorizationEngine.createJob(String.valueOf(postedJob.getFromLinkId()),
+ AuthorizationEngine.createJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
 String.valueOf(postedJob.getToLinkId()));
 } else {
- AuthorizationEngine.updateJob(String.valueOf(postedJob.getFromLinkId()),
+ AuthorizationEngine.updateJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
 String.valueOf(postedJob.getToLinkId()),
 String.valueOf(postedJob.getPersistenceId()));
 }
@@ -284,7 +284,7 @@ private JsonBean getJobs(RequestContext ctx) {
 List jobList = repository.findJobsForConnector(connectorId);
 // Authorization check
- jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+ jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
 jobBean = createJobsBean(jobList, locale);
 } else
@@ -296,7 +296,7 @@ private JsonBean getJobs(RequestContext ctx) {
 List jobList = repository.findJobs();
 // Authorization check
- jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+ jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
 jobBean = createJobsBean(jobList, locale);
 }
@@ -309,7 +309,7 @@ private JsonBean getJobs(RequestContext ctx) {
 MJob job = repository.findJob(jobId);
 // Authorization check
- AuthorizationEngine.readJob(String.valueOf(job.getPersistenceId()));
+ AuthorizationEngine.readJob(ctx.getUserName(), String.valueOf(job.getPersistenceId()));
 jobBean = createJobBean(Arrays.asList(job), locale);
 }
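Review bot: In the `createUpdateJob` hunk the update branch authorizes against `postedJob.getPersistenceId()`, an id read from the posted object, and nothing visible here ties it to the job named in the request. If the code above this hunk does not bind that id to the request identifier first, the WRITE check could be made against a different job than the one that is later updated; that binding lies outside the hunk and should be confirmed. A one-line comment such as `// postedJob's persistence id was set from the request identifier above` would make the assumption reviewable. `LinkRequestHandler.createUpdateLink` has the same shape with `postedLink.getPersistenceId()`.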
@@ -352,7 +352,7 @@ private JsonBean enableJob(RequestContext ctx, boolean enabled) {
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 // Authorization check
- AuthorizationEngine.enableDisableJob(String.valueOf(jobId));
+ AuthorizationEngine.enableDisableJob(ctx.getUserName(), String.valueOf(jobId));
 repository.enableJob(jobId, enabled);
 return JsonBean.EMPTY_BEAN;
@@ -364,7 +364,7 @@ private JsonBean startJob(RequestContext ctx) {
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 // Authorization check
- AuthorizationEngine.startJob(String.valueOf(jobId));
+ AuthorizationEngine.startJob(ctx.getUserName(), String.valueOf(jobId));
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "submit", "job", String.valueOf(jobId));
@@ -387,7 +387,7 @@ private JsonBean stopJob(RequestContext ctx) {
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 // Authorization check
- AuthorizationEngine.stopJob(String.valueOf(jobId));
+ AuthorizationEngine.stopJob(ctx.getUserName(), String.valueOf(jobId));
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "stop", "job", String.valueOf(jobId));
@@ -401,7 +401,7 @@ private JsonBean getJobStatus(RequestContext ctx) {
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 // Authorization check
- AuthorizationEngine.statusJob(String.valueOf(jobId));
+ AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jobId));
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "status", "job", String.valueOf(jobId));
diff --git a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
index 26a341b2..f056686f 100644
--- a/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java
@@ -95,7 +95,7 @@ private JsonBean deleteLink(RequestContext ctx) {
 long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
 // Authorization check
- AuthorizationEngine.deleteLink(String.valueOf(linkId));
+ AuthorizationEngine.deleteLink(ctx.getUserName(), String.valueOf(linkId));
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier);
@@ -137,9 +137,9 @@ private JsonBean createUpdateLink(RequestContext ctx, boolean create) {
 // Authorization check
 if (create) {
- AuthorizationEngine.createLink(String.valueOf(postedLink.getConnectorId()));
+ AuthorizationEngine.createLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()));
 } else {
- AuthorizationEngine.updateLink(String.valueOf(postedLink.getConnectorId()),
+ AuthorizationEngine.updateLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()),
 String.valueOf(postedLink.getPersistenceId()));
 }
@@ -207,7 +207,7 @@ private JsonBean getLinks(RequestContext ctx) {
 List linkList = repository.findLinksForConnector(connectorId);
 // Authorization check
- linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+ linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
 linkBean = createLinksBean(linkList, locale);
 } else {
@@ -224,7 +224,7 @@ private JsonBean getLinks(RequestContext ctx) {
 List linkList = repository.findLinks();
 // Authorization check
- linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+ linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
 linkBean = createLinksBean(linkList, locale);
 }
@@ -237,7 +237,7 @@ private JsonBean getLinks(RequestContext ctx) {
 MLink link = repository.findLink(linkId);
 // Authorization check
- AuthorizationEngine.readLink(String.valueOf(link.getPersistenceId()));
+ AuthorizationEngine.readLink(ctx.getUserName(), String.valueOf(link.getPersistenceId()));
 linkBean = createLinkBean(Arrays.asList(link), locale);
 }
@@ -274,7 +274,7 @@ private JsonBean enableLink(RequestContext ctx, boolean enabled) {
 long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
 // Authorization check
- AuthorizationEngine.enableDisableLink(String.valueOf(linkId));
+ AuthorizationEngine.enableDisableLink(ctx.getUserName(), String.valueOf(linkId));
 repository.enableLink(linkId, enabled);
 return JsonBean.EMPTY_BEAN;
diff --git a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
index 5a1ab51e..5c349a28 100644
--- a/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
+++ b/server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java
@@ -56,28 +56,28 @@ public JsonBean handleEvent(RequestContext ctx) {
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "get", "submissionsByJob", jobIdentifier);
 long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
- return getSubmissionsForJob(jobId);
+ return getSubmissionsForJob(jobId, ctx);
 } else {
 // all submissions in the system
 AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
 ctx.getRequest().getRemoteAddr(), "get", "submissions", "all");
- return getSubmissions();
+ return getSubmissions(ctx);
 }
 }
- private JsonBean getSubmissions() {
+ private JsonBean getSubmissions(RequestContext ctx) {
 List submissions = RepositoryManager.getInstance().getRepository()
 .findSubmissions();
 //Authorization check
- submissions = AuthorizationEngine.filterSubmission(submissions);
+ submissions = AuthorizationEngine.filterSubmission(ctx.getUserName(), submissions);
 return new SubmissionsBean(submissions);
 }
- private JsonBean getSubmissionsForJob(long jid) {
+ private JsonBean getSubmissionsForJob(long jid, RequestContext ctx) {
 //Authorization check
- AuthorizationEngine.statusJob(String.valueOf(jid));
+ AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jid));
 List submissions = RepositoryManager.getInstance().getRepository()
 .findSubmissionsForJob(jid);
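Review bot: `getSubmissions(RequestContext ctx)` and `getSubmissionsForJob(long jid, RequestContext ctx)` receive the whole request context but, in the lines shown, read only `ctx.getUserName()` from it. Passing the name itself, e.g. `private JsonBean getSubmissions(String userName)`, would keep these helpers independent of the servlet request and make the identity being authorized obvious at the call site. The two helpers also place the context last while `AuthorizationEngine` puts the user first; choosing one order would make the call sites easier to read. The body of `getSubmissionsForJob` continues past the end of this hunk.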