Repository: lens Updated Branches: refs/heads/master 0eba44abd -> 3e7d92e9d
LENS-1534 : Authorizer Instance to be made singleton for resource optimization Project: http://git-wip-us.apache.org/repos/asf/lens/repo Commit: http://git-wip-us.apache.org/repos/asf/lens/commit/3e7d92e9 Tree: http://git-wip-us.apache.org/repos/asf/lens/tree/3e7d92e9 Diff: http://git-wip-us.apache.org/repos/asf/lens/diff/3e7d92e9 Branch: refs/heads/master Commit: 3e7d92e9decdb79005898bd4470afd741672ccc0 Parents: 0eba44a Author: Rajitha R <[email protected]> Authored: Mon Sep 10 16:04:26 2018 +0530 Committer: Rajitha.R <[email protected]> Committed: Mon Sep 10 16:04:26 2018 +0530 ---------------------------------------------------------------------- .../cube/authorization/AuthorizationUtil.java | 2 +- .../lens/cube/metadata/CubeMetastoreClient.java | 14 +---- .../lens/cube/metadata/MetastoreConstants.java | 1 - .../cube/parse/QueryAuthorizationResolver.java | 11 +--- .../cube/metadata/TestCubeMetastoreClient.java | 5 +- .../parse/TestQueryAuthorizationResolver.java | 5 +- .../lens/server/api/LensConfConstants.java | 11 ++-- .../api/authorization/LensAuthorizer.java | 56 ++++++++++++++++++++ .../java/org/apache/lens/server/LensServer.java | 2 + .../src/main/resources/lensserver-default.xml | 7 +++ .../org/apache/lens/server/LensJerseyTest.java | 2 + src/site/apt/admin/config.apt | 2 + 12 files changed, 88 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java index 5ae2cfd..40ca198 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java 
+++ b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java @@ -60,7 +60,7 @@ public class AuthorizationUtil { sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS); } LensPrivilegeObject lp = new LensPrivilegeObject(privilegeObjectType, tableName, colName); - if (!authorizer.authorize(lp, actionType, user, userGroups)) { + if ((authorizer != null) && !authorizer.authorize(lp, actionType, user, userGroups)) { throw new PrivilegeException(privilegeObjectType.toString(), tableName, actionType.toString()); } return true; http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java index b1c1ae4..c611963 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java @@ -39,7 +39,7 @@ import org.apache.lens.cube.metadata.timeline.PartitionTimelineFactory; import org.apache.lens.server.api.LensConfConstants; import org.apache.lens.server.api.authorization.ActionType; -import org.apache.lens.server.api.authorization.Authorizer; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.authorization.LensPrivilegeObject; import org.apache.lens.server.api.error.LensException; @@ -119,8 +119,6 @@ public class CubeMetastoreClient { private Boolean isAuthorizationCheckEnabled; - private Authorizer authorizer; - public DataCompletenessChecker getCompletenessChecker() { if (completenessChecker == null) { completenessChecker = ReflectionUtils.newInstance(config.getClass(LensConfConstants.COMPLETENESS_CHECKER_CLASS, 
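Review bot: The added `authorizer != null` guard in `AuthorizationUtil.isAuthorized` makes the check fail open: when no authorizer is available the `PrivilegeException` branch is skipped and the method goes on to `return true`. After this commit the authorizer comes from `LensAuthorizer.get().getAuthorizer()` (the call sites changed in `CubeMetastoreClient.checkIfAuthorized` and `QueryAuthorizationResolver.rewriteContext`), which is null until `init(conf)` has run. In this commit only `LensServer.startServices` and the tests call `init`, so any other process that enables authorization would allow every checked action. I would deny instead, `if (authorizer == null || !authorizer.authorize(lp, actionType, user, userGroups)) {`, ideally with a log line saying that no authorizer was configured. The method body starts above this hunk, so I cannot see whether an earlier branch already handles a null authorizer.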
@@ -129,14 +127,6 @@ public class CubeMetastoreClient { return completenessChecker; } - private Authorizer getAuthorizer() { - if (authorizer == null) { - authorizer = ReflectionUtils.newInstance(config.getClass(MetastoreConstants.AUTHORIZER_CLASS, - LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), this.config); - } - return authorizer; - } - public boolean isDataCompletenessCheckEnabled() { if (isDataCompletenessCheckEnabled == null) { isDataCompletenessCheckEnabled = config.getBoolean(LensConfConstants.ENABLE_DATACOMPLETENESS_CHECK, @@ -156,7 +146,7 @@ public class CubeMetastoreClient { private void checkIfAuthorized() throws LensException { if (isAuthorizationEnabled()) { String currentdb = SessionState.get().getCurrentDatabase(); - AuthorizationUtil.isAuthorized(getAuthorizer(), currentdb, + AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), currentdb, LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf(), SessionState.getSessionConf()); } http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java index 5bdfea4..88097aa 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java 
@@ -26,7 +26,6 @@ public final class MetastoreConstants { public static final String TABLE_TYPE_KEY = "cube.table.type"; public static final String CUBE_TABLE_PFX = "cube.table."; public static final String WEIGHT_KEY_SFX = ".weight"; - public static final String AUTHORIZER_CLASS = "authorizer.class"; public static final String BASE_KEY_PFX = "base."; public static final String EXPRESSIONS_LIST_SFX = ".expressions.list"; http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java index f1376ca..a6a908f 100644 --- a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java +++ b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java 
@@ -24,31 +24,24 @@ import org.apache.lens.cube.authorization.AuthorizationUtil; import org.apache.lens.cube.metadata.*; import org.apache.lens.server.api.LensConfConstants; import org.apache.lens.server.api.authorization.ActionType; -import org.apache.lens.server.api.authorization.Authorizer; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.authorization.LensPrivilegeObject; import org.apache.lens.server.api.error.LensException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.hadoop.util.ReflectionUtils; import lombok.Getter; import lombok.extern.slf4j.Slf4j; @Slf4j public class QueryAuthorizationResolver implements ContextRewriter { - - @Getter - private Authorizer authorizer; @Getter private Boolean isAuthorizationCheckEnabled; QueryAuthorizationResolver(Configuration conf) { isAuthorizationCheckEnabled = conf.getBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, LensConfConstants.DEFAULT_ENABLE_QUERY_AUTHORIZATION_CHECK); - authorizer = ReflectionUtils.newInstance( - conf.getClass(MetastoreConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), - conf); } @Override public void rewriteContext(CubeQueryContext cubeql) throws LensException { 
@@ -69,7 +62,7 @@ public class QueryAuthorizationResolver implements ContextRewriter { log.info("Restricted queriedColumns queried : "+ restrictedFieldsQueried); if (restrictedFieldsQueried != null && !restrictedFieldsQueried.isEmpty()) { for (String col : restrictedFieldsQueried) { - AuthorizationUtil.isAuthorized(getAuthorizer(), tbl.getName(), col, + AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), tbl.getName(), col, LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf(), SessionState.getSessionConf()); } http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java index 9499f0c..9b8a55a 100644 --- a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java +++ b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java @@ -39,6 +39,7 @@ import org.apache.lens.cube.metadata.timeline.PartitionTimeline; import org.apache.lens.cube.metadata.timeline.StoreAllPartitionTimeline; import org.apache.lens.cube.metadata.timeline.TestPartitionTimelines; import org.apache.lens.server.api.LensConfConstants; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.error.LensException; import org.apache.lens.server.api.query.save.exception.PrivilegeException; import org.apache.lens.server.api.util.LensUtil; 
@@ -141,6 +142,9 @@ public class TestCubeMetastoreClient { public static void setup() throws HiveException, AlreadyExistsException, LensException { SessionState.start(conf); + conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); + LensAuthorizer.get().init(conf); + Database database = new Database(); database.setName(TestCubeMetastoreClient.class.getSimpleName()); Hive.get(conf).createDatabase(database); @@ -148,7 +152,6 @@ public class TestCubeMetastoreClient { client = CubeMetastoreClient.getInstance(conf); client.getConf().setBoolean(LensConfConstants.ENABLE_METASTORE_SCHEMA_AUTHORIZATION_CHECK, true); client.getConf().setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true); - client.getConf().set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1"); defineCube(CUBE_NAME, CUBE_NAME_WITH_PROPS, DERIVED_CUBE_NAME, DERIVED_CUBE_NAME_WITH_PROPS); defineUberDims(); http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java ---------------------------------------------------------------------- diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java index 13b345f..356df97 100644 --- a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java +++ b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java 
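Review bot: `LensAuthorizer.get().init(conf)` in `setup()` installs `MockAuthorizer` in a process-wide singleton and nothing visible here restores it, so test classes that run later in the same JVM may inherit it depending on execution order; `TestQueryAuthorizationResolver.beforeClassTestQueryAuthorizationResolver` does the same. An `@AfterClass` that calls `init` again with a configuration that does not set `LensConfConstants.AUTHORIZER_CLASS` would keep the classes independent. `setup()` continues beyond this hunk, so a teardown may already exist outside the lines shown.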
@@ -23,8 +23,8 @@ import static org.apache.lens.cube.metadata.DateFactory.TWO_DAYS_RANGE; import static org.testng.Assert.assertEquals; import static org.testng.Assert.fail; -import org.apache.lens.cube.metadata.MetastoreConstants; import org.apache.lens.server.api.LensConfConstants; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.error.LensException; import org.apache.lens.server.api.query.save.exception.PrivilegeException; @@ -39,9 +39,10 @@ public class TestQueryAuthorizationResolver extends TestQueryRewrite { @BeforeClass public void beforeClassTestQueryAuthorizationResolver() { + conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); + LensAuthorizer.get().init(conf); conf.setBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, true); conf.setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true); - conf.set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer"); } @Test http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java ---------------------------------------------------------------------- diff --git a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java index efaf5d2..cb82f06 100644 --- a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java +++ b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java 
@@ -1337,10 +1337,6 @@ public final class LensConfConstants { public static final Class<? extends DataCompletenessChecker> DEFAULT_COMPLETENESS_CHECKER = DefaultChecker.class.asSubclass(DataCompletenessChecker.class); - - public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER = - DefaultAuthorizer.class.asSubclass(Authorizer.class); - /** * This property is to enable Data Completeness Checks while resolving partitions. */ @@ -1435,4 +1431,11 @@ public final class LensConfConstants { */ public static final String RETRY_MESSAGE_MAP = "retry.messages.contains.map"; + public static final String AUTHORIZER_CLASS = SERVER_PFX + "authorizer.class"; + + public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER = + DefaultAuthorizer.class.asSubclass(Authorizer.class); + + + } http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java ---------------------------------------------------------------------- diff --git a/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java b/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java new file mode 100644 index 0000000..f8c6b9c --- /dev/null +++ b/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java 
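Review bot: `AUTHORIZER_CLASS` moves the setting from the key `authorizer.class` (removed from `MetastoreConstants` in this commit) to `SERVER_PFX + "authorizer.class"` with no fallback, so a deployment that selected a custom `Authorizer` under the old key would, as far as this diff shows, silently get `DEFAULT_AUTHORIZER` after upgrading. Consider reading the old key as a deprecated fallback or logging a warning when it is set, and call the rename out in the release notes. The new constant is also added without Javadoc, unlike the documented entry just above it; something like `/** Fully qualified class name of the Authorizer implementation the server loads at startup. */` would match. The trailing blank lines added before the closing brace can go.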
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.lens.server.api.authorization;
+
+import org.apache.lens.server.api.LensConfConstants;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+
+//Singleton instance of Authorizer class
+public final class LensAuthorizer {
+
+ private static final LensAuthorizer INSTANCE = new LensAuthorizer();
+
+ private Authorizer authorizer;
+
+ // private constructor to ensure single instance.
+ private LensAuthorizer() {
+ }
+
+ public void init(Configuration hiveConf){
+ this.authorizer = ReflectionUtils.newInstance(
+ hiveConf.getClass(LensConfConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class),
+ hiveConf);
+ }
+
+ /**
+ *
+ * @return the singleton instance of the authorizer.
+ */
+ public static LensAuthorizer get(){
+ return INSTANCE;
+ }
+
+ public Authorizer getAuthorizer() {
+ return this.authorizer;
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-server/src/main/java/org/apache/lens/server/LensServer.java
----------------------------------------------------------------------
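Review bot: `LensAuthorizer` publishes `authorizer` through a plain, non-final field: `init` can be called any number of times from any thread, each call swaps the authorizer used by every caller, and `getAuthorizer()` returns null until the first call. Nothing guarantees that a request thread sees the value written by `init`, and combined with the null guard added in `AuthorizationUtil` a null here means the check is skipped rather than denied. I would make the field `volatile`, serialise `init`, and have `getAuthorizer()` throw when the holder is uninitialised, as sketched below. The Javadoc on `get()` and the class comment should say that this class is a holder for the configured `Authorizer`, not the authorizer itself.

```java
  private volatile Authorizer authorizer;

  public synchronized void init(Configuration hiveConf) {
    // … unchanged: ReflectionUtils.newInstance(...) assignment …
  }

  public Authorizer getAuthorizer() {
    Authorizer current = this.authorizer;
    if (current == null) {
      // Fail closed: callers must not treat a missing authorizer as "allowed".
      throw new IllegalStateException("LensAuthorizer.init(conf) has not been called");
    }
    return current;
  }
```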
diff --git a/lens-server/src/main/java/org/apache/lens/server/LensServer.java b/lens-server/src/main/java/org/apache/lens/server/LensServer.java index 701ebbe..9a913cb 100644 --- a/lens-server/src/main/java/org/apache/lens/server/LensServer.java +++ b/lens-server/src/main/java/org/apache/lens/server/LensServer.java @@ -27,6 +27,7 @@ import javax.ws.rs.core.UriBuilder; import org.apache.lens.api.jaxb.LensJAXBContextResolver; import org.apache.lens.server.api.LensConfConstants; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.metrics.MetricsService; import org.apache.lens.server.error.GenericExceptionMapper; import org.apache.lens.server.error.LensJAXBValidationExceptionMapper; @@ -135,6 +136,7 @@ public class LensServer { * @param conf the conf */ public void startServices(HiveConf conf) { + LensAuthorizer.get().init(conf); LensServices.get().init(conf); LensServices.get().start(); } http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-server/src/main/resources/lensserver-default.xml ---------------------------------------------------------------------- diff --git a/lens-server/src/main/resources/lensserver-default.xml b/lens-server/src/main/resources/lensserver-default.xml index 2ea73a3..e5d94e7 100644 --- a/lens-server/src/main/resources/lensserver-default.xml +++ b/lens-server/src/main/resources/lensserver-default.xml @@ -1012,4 +1012,11 @@ <description>password for cert file</description> </property> + <property> + <name>lens.server.authorizer.class</name> + <value>org.apache.lens.server.api.authorization.DefaultAuthorizer</value> + <description>The class that implements the Authorizer Interface. It will be used wherever authorization check + is enabled</description> + </property> + </configuration> http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java ---------------------------------------------------------------------- 
diff --git a/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java b/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java index 7cccf30..33b4232 100644 --- a/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java +++ b/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java @@ -39,6 +39,7 @@ import org.apache.lens.api.jaxb.LensJAXBContextResolver; import org.apache.lens.api.util.MoxyJsonConfigurationContextResolver; import org.apache.lens.driver.hive.TestRemoteHiveDriver; import org.apache.lens.server.api.LensConfConstants; +import org.apache.lens.server.api.authorization.LensAuthorizer; import org.apache.lens.server.api.metrics.LensMetricsUtil; import org.apache.lens.server.api.metrics.MetricsService; import org.apache.lens.server.api.query.QueryExecutionService; @@ -168,6 +169,7 @@ public abstract class LensJerseyTest extends JerseyTest { createTestDatabaseResources(new String[]{DB_WITH_JARS, DB_WITH_JARS_2}, hiveConf); + LensAuthorizer.get().init(LensServerConf.getHiveConf()); LensServices.get().init(LensServerConf.getHiveConf()); LensServices.get().start(); http://git-wip-us.apache.org/repos/asf/lens/blob/3e7d92e9/src/site/apt/admin/config.apt ---------------------------------------------------------------------- diff --git a/src/site/apt/admin/config.apt b/src/site/apt/admin/config.apt index e900f98..4cee5ae 100644 --- a/src/site/apt/admin/config.apt +++ b/src/site/apt/admin/config.apt 
@@ -307,4 +307,6 @@ Lens server configuration *--+--+---+--+ |139|lens.server.ws.resourcenames|session,metastore,query,savedquery,quota,scheduler,index,log|These JAX-RS resources would be started in the specified order when lens-server starts up| *--+--+---+--+ +|140|lens.server.authorizer.class|org.apache.lens.server.api.authorization.DefaultAuthorizer|The class that implements the Authorizer Interface. It will be used wherever authorization check is enabled| +*--+--+---+--+ The configuration parameters and their default values
