Repository: incubator-sentry Updated Branches: refs/heads/master a3adbb391 -> 850bdb222
SENTRY-678: Sentry-Solr Binding may not load group mapping service correctly Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/850bdb22 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/850bdb22 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/850bdb22 Branch: refs/heads/master Commit: 850bdb22262f79fb58cb559bce3073f5ddb3229a Parents: a3adbb3 Author: Gregory Chanan <[email protected]> Authored: Thu Apr 23 13:01:45 2015 -0700 Committer: Gregory Chanan <[email protected]> Committed: Thu Apr 23 13:01:45 2015 -0700 ---------------------------------------------------------------------- .../binding/solr/authz/SolrAuthzBinding.java | 17 ++++++++-- .../binding/solr/TestSolrAuthzBinding.java | 34 ++++++++++++++++++++ .../common/HadoopGroupMappingService.java | 4 --- ...adoopGroupResourceAuthorizationProvider.java | 18 ++++++++--- 4 files changed, 62 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 373ee8c..7f59eaa 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -36,6 +36,7 @@ import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.db.generic.service.thrift.SearchPolicyServiceClient;
 import org.apache.sentry.provider.db.generic.service.thrift.SearchProviderBackend;
@@ -89,13 +90,17 @@ public class SolrAuthzBinding {
         " with resource " + resourceName + ", policy engine " + policyEngineName + ", provider backend " + providerBackendName);
     // load the provider backend class
+    if (kerberosEnabledProp.equalsIgnoreCase("true")) {
+      initKerberos(keytabProp, principalProp);
+    } else {
+      // set configuration so that group mappings are properly setup even if
+      // we don't use kerberos, for testing
+      UserGroupInformation.setConfiguration(authzConf);
+    }
     Constructor<?> providerBackendConstructor = Class.forName(providerBackendName).getDeclaredConstructor(Configuration.class, String.class);
     providerBackendConstructor.setAccessible(true);
-    if (kerberosEnabledProp.equalsIgnoreCase("true")) {
-      initKerberos(keytabProp, principalProp);
-    }
     providerBackend = (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {authzConf, resourceName});
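Review bot: The new else branch calls `UserGroupInformation.setConfiguration(authzConf)` unconditionally whenever Sentry's Kerberos flag is off, which as I understand UGI replaces Hadoop's process-wide security settings (authentication method, group mapping service) with whatever the Solr authz configuration says, yet the comment presents it as a testing aid. A Solr process that already configured UGI for another purpose (for example a secured HDFS-backed index) would have that configuration replaced on every binding construction; whether such a caller exists is not visible in this hunk. If the call is required in production the comment should say so, e.g. `// UGI owns the process-wide group mapping; point it at authzConf so the` `// hadoop.security.group.mapping set for Solr takes effect without Kerberos`; if only tests need it, a test-only hook keeps the global side effect out of production paths. The constructor this runs in begins and ends outside the hunk.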
@@ -106,6 +111,12 @@ public class SolrAuthzBinding {
     PolicyEngine policyEngine = (PolicyEngine) policyConstructor.newInstance(new Object[] {providerBackend});
+    // if unset, set the hadoop auth provider to use new groups, so we don't
+    // conflict with the group mappings that may already be set up
+    if (authzConf.get(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS) == null) {
+      authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS ,true);
+    }
+
     // load the authz provider class
     Constructor<?> constrctor = Class.forName(authProviderName).getDeclaredConstructor(Configuration.class, String.class, PolicyEngine.class);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 1bc01a2..c37f8ff 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -21,9 +21,12 @@ import static junit.framework.Assert.assertTrue;
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
 import java.util.UUID;
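Review bot: The added `authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS ,true)` has a stray space before the comma and should read `authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS, true);`. The same statement writes into authzConf, which judging from the test added in this commit can be the Configuration object the caller passed to the constructor, so the caller observes the flag being flipped as a side effect; a note such as `// mutates authzConf, which the caller may still hold` would make that visible at the call site. The constructor this runs in begins and ends outside the hunk.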
@@ -32,6 +35,7 @@ import junit.framework.Assert;
 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.hadoop.security.GroupMappingServiceProvider;
 import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
 import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
@@ -359,4 +363,34 @@ public class TestSolrAuthzBinding {
       }
     }
   }
+
+  @Test
+  public void testCustomGroupMapping() throws Exception {
+    SolrAuthzConf solrAuthzConf =
+        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+    setUsableAuthzConf(solrAuthzConf);
+    solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider");
+    solrAuthzConf.set("hadoop.security.group.mapping",
+        FoobarGroupMappingServiceProvider.class.getName());
+    SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+    final String user = "userTestSolrAuthzBinding";
+    assertEquals(1, binding.getGroups(user).size());
+    assertTrue(binding.getGroups(user).contains("foobar"));
+  }
+
+  /**
+   * GroupMappingServiceProvider that returns "foobar" for any group
+   */
+  private static class FoobarGroupMappingServiceProvider implements GroupMappingServiceProvider {
+    @Override
+    public List<String> getGroups(String user) throws IOException {
+      return Arrays.asList("foobar");
+    }
+
+    @Override
+    public void cacheGroupsRefresh() throws IOException {}
+
+    @Override
+    public void cacheGroupsAdd(List<String> groups) throws IOException {}
+  }
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java ----------------------------------------------------------------------
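Review bot: The Javadoc on FoobarGroupMappingServiceProvider says it returns "foobar" `for any group`, but getGroups takes a user name, so it should read `GroupMappingServiceProvider that returns the single group "foobar" for any user`. testCustomGroupMapping itself does not say what it guards against, which is that the mapping class named in the Sentry configuration is honoured rather than whatever Hadoop's static Groups singleton was first initialised with (the SENTRY-678 symptom); a one-line comment such as `// regression test for SENTRY-678: the mapping named in the Sentry conf must win over Hadoop's static one` would tell the next reader why the assertion on "foobar" matters. `binding.getGroups(user)` is also evaluated twice, so capturing it once in a local would keep both assertions on the same result.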
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index 14e2d05..3347ffc 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -36,10 +36,6 @@ public class HadoopGroupMappingService implements GroupMappingService {
     this.groups = groups;
   }
-  public HadoopGroupMappingService(Configuration conf, String resource) {
-    this(Groups.getUserToGroupsMappingService(conf));
-  }
-
   @Override
   public Set<String> getGroups(String user) {
     try {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/850bdb22/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
index 626fd90..c8e6c9d 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -30,16 +30,19 @@ import com.google.common.annotations.VisibleForTesting;
 public class HadoopGroupResourceAuthorizationProvider extends ResourceAuthorizationProvider {
+  // if set to true in the Configuration, constructs a new Group object
+  // for the GroupMappingService rather than using Hadoop's static mapping.
+  public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
+  public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
+
   // resource parameter present so that other AuthorizationProviders (e.g.
   // LocalGroupResourceAuthorizationProvider) has the same constructor params.
   public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy) throws IOException {
-    this(policy, new HadoopGroupMappingService(
-        Groups.getUserToGroupsMappingService(new Configuration())));
+    this(new Configuration(), resource, policy);
   }
   public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy) throws IOException {
-    this(policy, new HadoopGroupMappingService(
-        Groups.getUserToGroupsMappingService(conf)));
+    this(policy, new HadoopGroupMappingService(getGroups(conf)));
   }
   @VisibleForTesting
@@ -48,4 +51,11 @@ public class HadoopGroupResourceAuthorizationProvider extends
     super(policy, groupService);
   }
+  private static Groups getGroups(Configuration conf) {
+    if (conf.getBoolean(USE_NEW_GROUPS, false)) {
+      return new Groups(conf);
+    } else {
+      return Groups.getUserToGroupsMappingService(conf);
+    }
+  }
 }
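Review bot: The comment on the two new public constants is a plain `//` comment that names the type as "a new Group object", so it neither reaches generated docs nor matches the `Groups` class it refers to; Javadoc on USE_NEW_GROUPS such as `/** Configuration key: when true this provider builds its own {@link Groups} from its Configuration instead of Hadoop's process-wide static mapping service. */` would fix both. The one-argument overload now delegates through `new Configuration()`, so for that path the flag and the mapping class come from the classpath defaults only, which is presumably intended but worth a sentence in the existing "resource parameter" comment. CONF_PREFIX is derived from the class name, so renaming or moving the class silently changes the configuration key that external configs set; a literal prefix is the usual safeguard if that key is meant to be stable.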
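Review bot: `getGroups(Configuration)` carries no comment explaining why the two branches exist, and its name invites confusion with the user-to-groups `getGroups(String)` on the mapping service it feeds. A short Javadoc would help, e.g. `/** Returns a fresh Groups when USE_NEW_GROUPS is set, so this provider's conf (not the conf that first initialised Hadoop's shared singleton) selects the mapping provider; otherwise the shared instance. */`. Note that with the flag on every provider instance gets its own Groups and presumably its own lookup cache, so repeated construction multiplies group lookups against the backing service; that looks intended, but the Javadoc could say so explicitly.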
