SQOOP-2383: SQOOP2: Add do user support in authorization engine

(Richard via Jarek Jarcec Cecho)

security/src/main/java/org/apache/sqoop/security/authorization/AuthorizationEngine.java

@@ -42,13 +42,13 @@ public class AuthorizationEngine {
   /**
    * Filter resources, get all valid resources from all resources
    */
-  public static <T extends MPersistableEntity> List<T> filterResource(final MResource.TYPE type, List<T> resources) throws SqoopException {
+  public static <T extends MPersistableEntity> List<T> filterResource(final String doUserName, final MResource.TYPE type, List<T> resources) throws SqoopException {
     Collection<T> collection = Collections2.filter(resources, new Predicate<T>() {
       @Override
       public boolean apply(T input) {
         try {
           String name = String.valueOf(input.getPersistenceId());
-          checkPrivilege(getPrivilege(type, name, MPrivilege.ACTION.READ));
+          checkPrivilege(doUserName, getPrivilege(type, name, MPrivilege.ACTION.READ));
           // add valid resource
           return true;
         } catch (Exception e) {
@@ -63,86 +63,86 @@ public boolean apply(T input) {
   /**
    * Connector related function
    */
-  public static void readConnector(String connectorId) throws SqoopException {
+  public static void readConnector(String doUserName, String connectorId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
   }
 
   /**
    * Link related function
    */
-  public static void readLink(String linkId) throws SqoopException {
+  public static void readLink(String doUserName, String linkId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.READ));
   }
 
-  public static void createLink(String connectorId) throws SqoopException {
+  public static void createLink(String doUserName, String connectorId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ));
   }
 
-  public static void updateLink(String connectorId, String linkId) throws SqoopException {
+  public static void updateLink(String doUserName, String connectorId, String linkId) throws SqoopException {
     MPrivilege privilege1 = getPrivilege(MResource.TYPE.CONNECTOR, connectorId, MPrivilege.ACTION.READ);
     MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE);
-    checkPrivilege(privilege1, privilege2);
+    checkPrivilege(doUserName, privilege1, privilege2);
   }
 
-  public static void deleteLink(String linkId) throws SqoopException {
+  public static void deleteLink(String doUserName, String linkId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
   }
 
-  public static void enableDisableLink(String linkId) throws SqoopException {
+  public static void enableDisableLink(String doUserName, String linkId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.LINK, linkId, MPrivilege.ACTION.WRITE));
   }
 
   /**
    * Job related function
    */
-  public static void readJob(String jobId) throws SqoopException {
+  public static void readJob(String doUserName, String jobId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
   }
 
-  public static void createJob(String linkId1, String linkId2) throws SqoopException {
+  public static void createJob(String doUserName, String linkId1, String linkId2) throws SqoopException {
     MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
     MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
-    checkPrivilege(privilege1, privilege2);
+    checkPrivilege(doUserName, privilege1, privilege2);
   }
 
-  public static void updateJob(String linkId1, String linkId2, String jobId) throws SqoopException {
+  public static void updateJob(String doUserName, String linkId1, String linkId2, String jobId) throws SqoopException {
     MPrivilege privilege1 = getPrivilege(MResource.TYPE.LINK, linkId1, MPrivilege.ACTION.READ);
     MPrivilege privilege2 = getPrivilege(MResource.TYPE.LINK, linkId2, MPrivilege.ACTION.READ);
     MPrivilege privilege3 = getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE);
-    checkPrivilege(privilege1, privilege2, privilege3);
+    checkPrivilege(doUserName, privilege1, privilege2, privilege3);
   }
 
-  public static void deleteJob(String jobId) throws SqoopException {
+  public static void deleteJob(String doUserName, String jobId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
   }
 
-  public static void enableDisableJob(String jobId) throws SqoopException {
+  public static void enableDisableJob(String doUserName, String jobId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
   }
 
-  public static void startJob(String jobId) throws SqoopException {
+  public static void startJob(String doUserName, String jobId) throws SqoopException {
     ;
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
   }
 
-  public static void stopJob(String jobId) throws SqoopException {
+  public static void stopJob(String doUserName, String jobId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.WRITE));
   }
 
-  public static void statusJob(String jobId) throws SqoopException {
+  public static void statusJob(String doUserName, String jobId) throws SqoopException {
-    checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+    checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
   }
 
   /**
    * Filter resources, get all valid resources from all resources
    */
-  public static List<MSubmission> filterSubmission(List<MSubmission> submissions) throws SqoopException {
+  public static List<MSubmission> filterSubmission(final String doUserName, List<MSubmission> submissions) throws SqoopException {
     Collection<MSubmission> collection = Collections2.filter(submissions, new Predicate<MSubmission>() {
       @Override
       public boolean apply(MSubmission input) {
         try {
           String jobId = String.valueOf(input.getJobId());
-          checkPrivilege(getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
+          checkPrivilege(doUserName, getPrivilege(MResource.TYPE.JOB, jobId, MPrivilege.ACTION.READ));
           // add valid submission
           return true;
         } catch (Exception e) {
@@ -163,11 +163,10 @@ private static MPrivilege getPrivilege(MResource.TYPE resourceType,
     return new MPrivilege(new MResource(resourceId, resourceType), privilegeAction, false);
   }
 
-  private static void checkPrivilege(MPrivilege... privileges) {
+  private static void checkPrivilege(String doUserName, MPrivilege... privileges) {
     AuthorizationHandler handler = AuthorizationManager.getAuthorizationHandler();
-    UserGroupInformation user = HttpUserGroupInformation.get();
+
-    String user_name = user == null ? StringUtils.EMPTY : user.getShortUserName();
+    MPrincipal principal = new MPrincipal(doUserName, MPrincipal.TYPE.USER);
-    MPrincipal principal = new MPrincipal(user_name, MPrincipal.TYPE.USER);
 
     // SQOOP-2256: Hack code, do not check privilege when the user is the creator
     // If the user is the owner/creator of this resource, then privilege will
@@ -178,12 +177,12 @@ private static void checkPrivilege(MPrivilege... privileges) {
       Repository repository = RepositoryManager.getInstance().getRepository();
       if (MResource.TYPE.LINK.name().equalsIgnoreCase(privilege.getResource().getType())) {
         MLink link = repository.findLink(Long.valueOf(privilege.getResource().getName()));
-        if (!user_name.equals(link.getCreationUser())) {
+        if (!doUserName.equals(link.getCreationUser())) {
           privilegesNeedCheck.add(privilege);
         }
       } else if (MResource.TYPE.JOB.name().equalsIgnoreCase(privilege.getResource().getType())) {
         MJob job = repository.findJob(Long.valueOf(privilege.getResource().getName()));
-        if (!user_name.equals(job.getCreationUser())) {
+        if (!doUserName.equals(job.getCreationUser())) {
           privilegesNeedCheck.add(privilege);
         }
       } else {

server/src/main/java/org/apache/sqoop/handler/ConnectorRequestHandler.java

@@ -71,7 +71,7 @@ public JsonBean handleEvent(RequestContext ctx) {
           ctx.getRequest().getRemoteAddr(), "get", "connectors", "all");
 
       // Authorization check
-      connectors = AuthorizationEngine.filterResource(MResource.TYPE.CONNECTOR, connectors);
+      connectors = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.CONNECTOR, connectors);
 
       return new ConnectorsBean(connectors, configParamBundles);
 
@@ -89,7 +89,7 @@ public JsonBean handleEvent(RequestContext ctx) {
           ctx.getRequest().getRemoteAddr(), "get", "connector", String.valueOf(cIdentifier));
 
       // Authorization check
-      AuthorizationEngine.readConnector(String.valueOf(connector.getPersistenceId()));
+      AuthorizationEngine.readConnector(ctx.getUserName(), String.valueOf(connector.getPersistenceId()));
 
       return new ConnectorBean(Arrays.asList(connector), configParamBundles);
     }

server/src/main/java/org/apache/sqoop/handler/JobRequestHandler.java

@@ -141,7 +141,7 @@ private JsonBean deleteJob(RequestContext ctx) {
     long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 
     // Authorization check
-    AuthorizationEngine.deleteJob(String.valueOf(jobId));
+    AuthorizationEngine.deleteJob(ctx.getUserName(), String.valueOf(jobId));
 
     AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
         ctx.getRequest().getRemoteAddr(), "delete", "job", jobIdentifier);
@@ -185,10 +185,10 @@ private JsonBean createUpdateJob(RequestContext ctx, boolean create) {
 
     // Authorization check
     if (create) {
-      AuthorizationEngine.createJob(String.valueOf(postedJob.getFromLinkId()),
+      AuthorizationEngine.createJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
               String.valueOf(postedJob.getToLinkId()));
     } else {
-      AuthorizationEngine.updateJob(String.valueOf(postedJob.getFromLinkId()),
+      AuthorizationEngine.updateJob(ctx.getUserName(), String.valueOf(postedJob.getFromLinkId()),
               String.valueOf(postedJob.getToLinkId()),
               String.valueOf(postedJob.getPersistenceId()));
     }
@@ -284,7 +284,7 @@ private JsonBean getJobs(RequestContext ctx) {
       List<MJob> jobList = repository.findJobsForConnector(connectorId);
 
       // Authorization check
-      jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+      jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
 
       jobBean = createJobsBean(jobList, locale);
     } else
@@ -296,7 +296,7 @@ private JsonBean getJobs(RequestContext ctx) {
       List<MJob> jobList = repository.findJobs();
 
       // Authorization check
-      jobList = AuthorizationEngine.filterResource(MResource.TYPE.JOB, jobList);
+      jobList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.JOB, jobList);
 
       jobBean = createJobsBean(jobList, locale);
     }
@@ -309,7 +309,7 @@ private JsonBean getJobs(RequestContext ctx) {
       MJob job = repository.findJob(jobId);
 
       // Authorization check
-      AuthorizationEngine.readJob(String.valueOf(job.getPersistenceId()));
+      AuthorizationEngine.readJob(ctx.getUserName(), String.valueOf(job.getPersistenceId()));
 
       jobBean = createJobBean(Arrays.asList(job), locale);
     }
@@ -352,7 +352,7 @@ private JsonBean enableJob(RequestContext ctx, boolean enabled) {
     long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 
     // Authorization check
-    AuthorizationEngine.enableDisableJob(String.valueOf(jobId));
+    AuthorizationEngine.enableDisableJob(ctx.getUserName(), String.valueOf(jobId));
 
     repository.enableJob(jobId, enabled);
     return JsonBean.EMPTY_BEAN;
@@ -364,7 +364,7 @@ private JsonBean startJob(RequestContext ctx) {
     long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 
     // Authorization check
-    AuthorizationEngine.startJob(String.valueOf(jobId));
+    AuthorizationEngine.startJob(ctx.getUserName(), String.valueOf(jobId));
 
     AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
         ctx.getRequest().getRemoteAddr(), "submit", "job", String.valueOf(jobId));
@@ -387,7 +387,7 @@ private JsonBean stopJob(RequestContext ctx) {
     long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 
     // Authorization check
-    AuthorizationEngine.stopJob(String.valueOf(jobId));
+    AuthorizationEngine.stopJob(ctx.getUserName(), String.valueOf(jobId));
 
     AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
         ctx.getRequest().getRemoteAddr(), "stop", "job", String.valueOf(jobId));
@@ -401,7 +401,7 @@ private JsonBean getJobStatus(RequestContext ctx) {
     long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
 
     // Authorization check
-    AuthorizationEngine.statusJob(String.valueOf(jobId));
+    AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jobId));
 
     AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
         ctx.getRequest().getRemoteAddr(), "status", "job", String.valueOf(jobId));

server/src/main/java/org/apache/sqoop/handler/LinkRequestHandler.java

@@ -95,7 +95,7 @@ private JsonBean deleteLink(RequestContext ctx) {
     long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
 
     // Authorization check
-    AuthorizationEngine.deleteLink(String.valueOf(linkId));
+    AuthorizationEngine.deleteLink(ctx.getUserName(), String.valueOf(linkId));
 
     AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
         ctx.getRequest().getRemoteAddr(), "delete", "link", linkIdentifier);
@@ -137,9 +137,9 @@ private JsonBean createUpdateLink(RequestContext ctx, boolean create) {
 
     // Authorization check
     if (create) {
-      AuthorizationEngine.createLink(String.valueOf(postedLink.getConnectorId()));
+      AuthorizationEngine.createLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()));
     } else {
-      AuthorizationEngine.updateLink(String.valueOf(postedLink.getConnectorId()),
+      AuthorizationEngine.updateLink(ctx.getUserName(), String.valueOf(postedLink.getConnectorId()),
               String.valueOf(postedLink.getPersistenceId()));
     }
 
@@ -207,7 +207,7 @@ private JsonBean getLinks(RequestContext ctx) {
         List<MLink> linkList = repository.findLinksForConnector(connectorId);
 
         // Authorization check
-        linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+        linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
 
         linkBean = createLinksBean(linkList, locale);
       } else {
@@ -224,7 +224,7 @@ private JsonBean getLinks(RequestContext ctx) {
       List<MLink> linkList = repository.findLinks();
 
       // Authorization check
-      linkList = AuthorizationEngine.filterResource(MResource.TYPE.LINK, linkList);
+      linkList = AuthorizationEngine.filterResource(ctx.getUserName(), MResource.TYPE.LINK, linkList);
 
       linkBean = createLinksBean(linkList, locale);
     }
@@ -237,7 +237,7 @@ private JsonBean getLinks(RequestContext ctx) {
       MLink link = repository.findLink(linkId);
 
       // Authorization check
-      AuthorizationEngine.readLink(String.valueOf(link.getPersistenceId()));
+      AuthorizationEngine.readLink(ctx.getUserName(), String.valueOf(link.getPersistenceId()));
 
       linkBean = createLinkBean(Arrays.asList(link), locale);
     }
@@ -274,7 +274,7 @@ private JsonBean enableLink(RequestContext ctx, boolean enabled) {
     long linkId = HandlerUtils.getLinkIdFromIdentifier(linkIdentifier);
 
     // Authorization check
-    AuthorizationEngine.enableDisableLink(String.valueOf(linkId));
+    AuthorizationEngine.enableDisableLink(ctx.getUserName(), String.valueOf(linkId));
 
     repository.enableLink(linkId, enabled);
     return JsonBean.EMPTY_BEAN;

server/src/main/java/org/apache/sqoop/handler/SubmissionRequestHandler.java

@@ -56,28 +56,28 @@ public JsonBean handleEvent(RequestContext ctx) {
       AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
           ctx.getRequest().getRemoteAddr(), "get", "submissionsByJob", jobIdentifier);
         long jobId = HandlerUtils.getJobIdFromIdentifier(jobIdentifier);
-        return getSubmissionsForJob(jobId);
+        return getSubmissionsForJob(jobId, ctx);
     } else {
       // all submissions in the system
       AuditLoggerManager.getInstance().logAuditEvent(ctx.getUserName(),
           ctx.getRequest().getRemoteAddr(), "get", "submissions", "all");
-      return getSubmissions();
+      return getSubmissions(ctx);
     }
   }
 
-  private JsonBean getSubmissions() {
+  private JsonBean getSubmissions(RequestContext ctx) {
     List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
         .findSubmissions();
 
     //Authorization check
-    submissions = AuthorizationEngine.filterSubmission(submissions);
+    submissions = AuthorizationEngine.filterSubmission(ctx.getUserName(), submissions);
 
     return new SubmissionsBean(submissions);
   }
 
-  private JsonBean getSubmissionsForJob(long jid) {
+  private JsonBean getSubmissionsForJob(long jid, RequestContext ctx) {
     //Authorization check
-    AuthorizationEngine.statusJob(String.valueOf(jid));
+    AuthorizationEngine.statusJob(ctx.getUserName(), String.valueOf(jid));
 
     List<MSubmission> submissions = RepositoryManager.getInstance().getRepository()
         .findSubmissionsForJob(jid);