SENTRY-398: Generic authorization model for Sentry (shenguoquan via Arun Suresh)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/bf3eb482 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/bf3eb482 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/bf3eb482 Branch: refs/heads/master Commit: bf3eb482e55f8cf29f9b87a190ee585e3e5f7e2f Parents: 60bb100 Author: Arun Suresh <Arun Suresh> Authored: Thu Dec 18 21:01:48 2014 -0800 Committer: Arun Suresh <Arun Suresh> Committed: Thu Dec 18 21:01:48 2014 -0800 ---------------------------------------------------------------------- .../org/apache/sentry/core/common/Action.java | 1 + .../sentry/core/common/BitFieldAction.java | 75 + .../core/common/BitFieldActionFactory.java | 37 + .../apache/sentry/core/model/search/Field.java | 54 + .../core/model/search/SearchActionFactory.java | 80 + .../model/search/SearchModelAuthorizable.java | 3 +- .../core/search/TestSearchBitFieldAction.java | 75 + sentry-provider/sentry-provider-db/pom.xml | 8 + .../thrift/SentryGenericPolicyService.java | 8966 ++++++++++++++++++ .../TAlterSentryRoleAddGroupsRequest.java | 841 ++ .../TAlterSentryRoleAddGroupsResponse.java | 387 + .../TAlterSentryRoleDeleteGroupsRequest.java | 841 ++ .../TAlterSentryRoleDeleteGroupsResponse.java | 387 + .../TAlterSentryRoleGrantPrivilegeRequest.java | 794 ++ .../TAlterSentryRoleGrantPrivilegeResponse.java | 387 + .../TAlterSentryRoleRevokePrivilegeRequest.java | 794 ++ ...TAlterSentryRoleRevokePrivilegeResponse.java | 387 + .../generic/service/thrift/TAuthorizable.java | 486 + .../thrift/TCreateSentryRoleRequest.java | 688 ++ .../thrift/TCreateSentryRoleResponse.java | 387 + .../service/thrift/TDropPrivilegesRequest.java | 693 ++ .../service/thrift/TDropPrivilegesResponse.java | 387 + .../service/thrift/TDropSentryRoleRequest.java | 688 ++ .../service/thrift/TDropSentryRoleResponse.java | 387 + ...TListSentryPrivilegesForProviderRequest.java | 1010 ++ 
...ListSentryPrivilegesForProviderResponse.java | 540 ++ .../thrift/TListSentryPrivilegesRequest.java | 953 ++ .../thrift/TListSentryPrivilegesResponse.java | 551 ++ .../service/thrift/TListSentryRolesRequest.java | 697 ++ .../thrift/TListSentryRolesResponse.java | 551 ++ .../thrift/TRenamePrivilegesRequest.java | 998 ++ .../thrift/TRenamePrivilegesResponse.java | 387 + .../service/thrift/TSentryActiveRoleSet.java | 536 ++ .../service/thrift/TSentryGrantOption.java | 48 + .../service/thrift/TSentryPrivilege.java | 1076 +++ .../db/generic/service/thrift/TSentryRole.java | 538 ++ .../thrift/sentry_common_serviceConstants.java | 2 + .../service/persistent/DelegateSentryStore.java | 447 + .../service/persistent/PrivilegeObject.java | 221 + .../persistent/PrivilegeOperatePersistence.java | 413 + .../service/persistent/SentryStoreLayer.java | 175 + .../service/thrift/NotificationHandler.java | 63 + .../thrift/NotificationHandlerInvoker.java | 180 + .../thrift/SentryGenericPolicyProcessor.java | 549 ++ .../SentryGenericPolicyProcessorFactory.java | 41 + .../thrift/SentryGenericServiceClient.java | 536 ++ .../db/service/model/MSentryGMPrivilege.java | 484 + .../provider/db/service/model/MSentryRole.java | 36 +- .../provider/db/service/model/package.jdo | 88 +- .../db/service/persistent/SentryStore.java | 14 +- .../db/service/thrift/PolicyStoreConstants.java | 5 +- .../sentry/service/thrift/ServiceConstants.java | 5 +- .../main/resources/sentry_common_service.thrift | 1 + .../sentry_generic_policy_service.thrift | 231 + .../persistent/SentryStoreIntegrationBase.java | 95 + .../persistent/TestDelegateSentryStore.java | 175 + .../TestPrivilegeOperatePersistence.java | 909 ++ .../persistent/TestSentryGMPrivilege.java | 207 + .../service/persistent/TestSentryRole.java | 373 + .../TestSentryGenericPolicyProcessor.java | 316 + .../TestSentryGenericServiceIntegration.java | 439 + 61 files changed, 31705 insertions(+), 18 deletions(-) 
---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Action.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Action.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Action.java index 44b7b2b..1479e5c 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Action.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Action.java @@ -17,5 +17,6 @@ package org.apache.sentry.core.common; public interface Action { + public static final String ALL = "*"; public String getValue(); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldAction.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldAction.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldAction.java new file mode 100644 index 0000000..5aa0f83 --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldAction.java 
@@ -0,0 +1,75 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements. See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.sentry.core.common;
+/**
+ * Represents a bit set action in the authorize model.Take Solr component for
+ * example, There exists three actions, UPDATE, QUERY and ALL.
+ * The a bit set for UPDATE is 0x0001, QUERY is 0x0002, ALL is 0x0001|0x0002=0x0003
+ */
+public abstract class BitFieldAction implements Action {
+ private String name;
+ private int code;
+
+ public BitFieldAction(String name, int code) {
+ this.name = name;
+ this.code = code;
+ }
+
+ public int getActionCode() {
+ return code;
+ }
+ /**
+ * Return true if this action implies that action.
+ * @param that
+ */
+ public boolean implies(BitFieldAction that) {
+ if (that != null) {
+ return (code & that.code) == that.code;
+ }
+ return false;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (!(obj instanceof BitFieldAction)) {
+ return false;
+ }
+ BitFieldAction that = (BitFieldAction)obj;
+ return (code == that.code) && (name.equalsIgnoreCase(that.name));
+ }
+
+ @Override
+ public int hashCode() {
+ return code + name.hashCode();
+ }
+
+ @Override
+ public String toString() {
+ return name;
+ }
+
+ @Override
+ public String getValue() {
+ return name;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldActionFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldActionFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldActionFactory.java
new file mode 100644
index 0000000..3789da7
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/BitFieldActionFactory.java
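Review bot: `equals` and `hashCode` in BitFieldAction disagree: `equals` compares names with `equalsIgnoreCase`, while `hashCode` returns `code + name.hashCode()`, which is case-sensitive. Two actions that are equal under `equals` (same code, names differing only in case) can therefore hash differently, so a hash-based set or map of actions may keep duplicates or miss a lookup when privileges are compared by action. Hash a case-normalised name instead, for example `return 31 * code + name.toLowerCase(Locale.ROOT).hashCode();` with `import java.util.Locale;`, which is consistent for the ASCII action names this model uses. Separately, `implies` returns true for any `that` whose code is 0, because `(code & 0) == 0`, and the constructor accepts a null `name` that `equals` and `hashCode` later dereference; a constructor check such as `if (name == null || code <= 0) throw new IllegalArgumentException(...)` would close both, and `name` and `code` can then be `final`.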
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common;
+
+import java.util.List;
+
+public abstract class BitFieldActionFactory {
+ /**
+ * Get BitFieldAction list by the given action code.
+ * Take the Solr for example, the ALL action code is 0x0003, two bits are set.
+ * The return BitFieldAction list are UPDATE action(0x0001) and QUERY action(0x0002)
+ * @param actionCode
+ * @return The BitFieldAction List
+ */
+ public abstract List<? extends BitFieldAction> getActionsByCode(int actionCode);
+ /**
+ * Get the BitFieldAction from the given name
+ * @param name
+ * @return
+ */
+ public abstract BitFieldAction getActionByName(String name);
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/Field.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/Field.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/Field.java
new file mode 100644
index 0000000..2dd9065
--- /dev/null
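Review bot: The Javadoc on `getActionByName` leaves `@return` empty, so the contract for an unrecognised or null name is undefined for both implementers and callers. The only implementation in this commit, SearchActionFactory, returns null in that case, and because the result feeds authorization decisions the contract should say so, for example `@return the action registered under that name (case-insensitive), or null if the name is not a known action`. `getActionsByCode` should likewise state what it returns for code 0 and for bits that correspond to no action, since an implementation that silently drops unknown bits and one that rejects them behave very differently for a caller.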
+++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/Field.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.model.search;
+
+/**
+ * Represents the field authorizable in the solr model
+ */
+public class Field implements SearchModelAuthorizable{
+
+ private final String name;
+ /**
+ * Represents all fields
+ */
+ public static final Field ALL = new Field(SearchConstants.ALL);
+
+ public Field(String name) {
+ this.name = name;
+ }
+
+ @Override
+ public AuthorizableType getAuthzType() {
+ return AuthorizableType.Field;
+ }
+
+ @Override
+ public String toString() {
+ return "Field [name=" + name + "]";
+ }
+
+ @Override
+ public String getTypeName() {
+ return getAuthzType().name();
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchActionFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchActionFactory.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchActionFactory.java
new file mode 100644
index 0000000..3f10726
--- /dev/null
+++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchActionFactory.java
@@ -0,0 +1,80 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.search; + +import java.util.List; + +import org.apache.sentry.core.common.BitFieldAction; +import org.apache.sentry.core.common.BitFieldActionFactory; + +import com.google.common.collect.Lists; + +public class SearchActionFactory extends BitFieldActionFactory { + public enum SearchAction { + UPDATE(SearchConstants.UPDATE, 0x0001), + QUERY(SearchConstants.QUERY, 0x0002), + ALL(SearchConstants.ALL, 0x0001|0x0002); + + private String name; + private int code; + private SearchAction(String name, int code) { + this.name = name; + this.code = code; + } + public String getName() { + return name; + } + public int getCode() { + return code; + } + } + + public static class SearchBitFieldAction extends BitFieldAction { + public SearchBitFieldAction(SearchAction action) { + super(action.getName(), action.getCode()); + } + } + + private final static SearchAction[] AllActions = SearchAction.values(); + /** + * One bit set action array, includes UPDATE and QUERY + */ + private final static SearchAction[] OneBitActions = new SearchAction[]{SearchAction.UPDATE, SearchAction.QUERY}; + + @Override + public List<? 
extends BitFieldAction> getActionsByCode(int actionCode) { + List<SearchBitFieldAction> actions = Lists.newArrayList(); + for (SearchAction action : OneBitActions) { + if ((action.code & actionCode) == action.code) { + actions.add(new SearchBitFieldAction(action)); + } + } + return actions; + } + + @Override + public BitFieldAction getActionByName(String name) { + SearchBitFieldAction val = null; + for (SearchAction action : AllActions) { + if (action.name.equalsIgnoreCase(name)) { + return new SearchBitFieldAction(action); + } + } + return val; + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizable.java b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizable.java index 4526c4e..d6a9d54 100644 --- a/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizable.java +++ b/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchModelAuthorizable.java @@ -21,7 +21,8 @@ import org.apache.sentry.core.common.Authorizable; public interface SearchModelAuthorizable extends Authorizable { public enum AuthorizableType { - Collection + Collection, + Field }; public AuthorizableType getAuthzType(); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestSearchBitFieldAction.java ---------------------------------------------------------------------- 
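Review bot: `getActionByName` in SearchActionFactory signals an unknown name by returning the local `val`, which is declared as null and never assigned, so the "not found" result is implicit and undocumented; the test added in this commit casts and dereferences the return value without a null check. Drop the variable, end the method with an explicit `return null;`, and add a Javadoc line saying an unrecognised name yields null so that callers deny the request rather than fail with a NullPointerException. In `getActionsByCode`, bits outside `0x0003` are silently discarded and a code of 0 produces an empty list; if such codes can come from stored privileges (not visible here), a guard such as `if ((actionCode & ~SearchAction.ALL.code) != 0) throw new IllegalArgumentException(...)` would surface corrupt data instead of narrowing it quietly. The `name` and `code` fields of `SearchAction` are assigned once and can be `final`.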
diff --git a/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestSearchBitFieldAction.java b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestSearchBitFieldAction.java
new file mode 100644
index 0000000..0ae49d6
--- /dev/null
+++ b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestSearchBitFieldAction.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.search;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.search.SearchActionFactory;
+import org.apache.sentry.core.model.search.SearchActionFactory.SearchAction;
+import org.apache.sentry.core.model.search.SearchActionFactory.SearchBitFieldAction;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+import static junit.framework.Assert.assertTrue;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertEquals;
+
+public class TestSearchBitFieldAction {
+ SearchActionFactory actionFactory = new SearchActionFactory();
+
+ @Test
+ public void testImpliesAction() {
+ SearchBitFieldAction updateAction = new SearchBitFieldAction(SearchAction.UPDATE);
+ SearchBitFieldAction queryAction = new SearchBitFieldAction(SearchAction.QUERY);
+ SearchBitFieldAction allAction = new SearchBitFieldAction(SearchAction.ALL);
+
+ assertTrue(allAction.implies(queryAction));
+ assertTrue(allAction.implies(updateAction));
+ assertTrue(allAction.implies(allAction));
+ assertTrue(updateAction.implies(updateAction));
+ assertTrue(queryAction.implies(queryAction));
+
+ assertFalse(queryAction.implies(updateAction));
+ assertFalse(queryAction.implies(allAction));
+ assertFalse(updateAction.implies(queryAction));
+ assertFalse(updateAction.implies(allAction));
+ }
+
+ @Test
+ public void testGetActionByName() throws Exception {
+ SearchBitFieldAction updateAction = (SearchBitFieldAction)actionFactory.getActionByName(SearchConstants.UPDATE);
+ SearchBitFieldAction queryAction = (SearchBitFieldAction)actionFactory.getActionByName(SearchConstants.QUERY);
+ SearchBitFieldAction allAction = (SearchBitFieldAction)actionFactory.getActionByName(SearchConstants.ALL);
+
+ assertTrue(updateAction.equals(new SearchBitFieldAction(SearchAction.UPDATE)));
+ assertTrue(queryAction.equals(new SearchBitFieldAction(SearchAction.QUERY)));
+ assertTrue(allAction.equals(new SearchBitFieldAction(SearchAction.ALL)));
+ }
+
+ @Test
+ public void testGetActionsByCode() throws Exception {
+ SearchBitFieldAction updateAction = new SearchBitFieldAction(SearchAction.UPDATE);
+ SearchBitFieldAction queryAction = new SearchBitFieldAction(SearchAction.QUERY);
+
+ assertEquals(Lists.newArrayList(updateAction, queryAction), actionFactory.getActionsByCode(SearchAction.ALL.getCode()));
+ assertEquals(Lists.newArrayList(updateAction), actionFactory.getActionsByCode(SearchAction.UPDATE.getCode()));
+ assertEquals(Lists.newArrayList(queryAction), actionFactory.getActionsByCode(SearchAction.QUERY.getCode()));
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/bf3eb482/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index f825999..b9208ed 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
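Review bot: The three tests exercise only the expected-success paths of an authorization primitive; nothing covers the deny side of the factory. Missing cases are `getActionByName` with an unknown name (for example `assertNull(actionFactory.getActionByName("unknown"));`), `getActionsByCode(0)` and a code with bits outside UPDATE|QUERY, `implies(null)`, and equal actions placed in a hash-based collection to check that `equals` and `hashCode` agree. The static imports also come from `junit.framework.Assert`, which JUnit 4 deprecates; `org.junit.Assert` is the class that pairs with the `org.junit.Test` annotation already used here.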
@@ -85,6 +85,14 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 </dependency>
 <dependency>
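Review bot: The added lines declare `org.apache.sentry:sentry-core-model-search` twice in a row with identical coordinates. Maven reports duplicate dependency declarations as a model warning, and if the two entries ever drift apart in version or scope, which one takes effect is no longer obvious from the POM. Keep a single `<dependency>` block for `sentry-core-model-search`. The enclosing `<dependencies>` element starts and ends outside this hunk.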
