...

  • The access controller is pluggable

  • Set controller class in sqoop.properties

...

  • The default implementation in Sqoop 2 could be a FAKE controller (always returns true)

  • The access controller class could be implemented by other controller framework, such as Sentry
  • Connector

...

  1. All functions in JdbcRepository that manipulate resources, i.e. create link, will have a privilege validation check added.
Code Block
  /**
   * {@inheritDoc}
   */
  @Override
  public void createLink(final MLink link) {
    // Privilege check runs before any repository state is touched
    AuthorizationManager.getAuthorizationHandler().checkPrivileges();
    doWithConnection(new DoWithConnection() {
      @Override
      public Object doIt(Connection conn) {
        if (link.hasPersistenceId()) {
          throw new SqoopException(RepositoryError.JDBCREPO_0015);
        }
        handler.createLink(link, conn);
        return null;
      }
    });
  }
  2. The privilege check is passed from the AuthorizationHandler to the real AccessController.
Code Block
  @Override
  public void checkPrivileges() throws SqoopAccessControlException {
    // Delegates to the configured validator (e.g. the Sentry one)
    authValidator.checkPrivileges();
  }
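The pluggable-controller design described above (a controller class named in sqoop.properties, a FAKE default that always allows, and a privilege check as the first statement of every mutating repository method) as one self-contained added example. This is illustration code written for this page, not Sqoop's own classes: the AccessController interface, FakeAccessController, DenyAllAccessController, the property key, the toy LinkRepository and AuthorizationManager.load are assumptions chosen to mirror the names in the design.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/** Hypothetical plug-in contract: the repository asks, the controller decides. */
interface AccessController {
    boolean isAllowed(String principal, String resourceType, long resourceId, String action);
}

/** The FAKE default from the design: always returns true, i.e. authorization is switched off. */
final class FakeAccessController implements AccessController {
    @Override
    public boolean isAllowed(String principal, String resourceType, long resourceId, String action) {
        return true;
    }
}

/** A second (hypothetical) controller so the denial path can be exercised. */
final class DenyAllAccessController implements AccessController {
    @Override
    public boolean isAllowed(String principal, String resourceType, long resourceId, String action) {
        return false;
    }
}

/** Stand-in for SqoopAccessControlException. */
final class AccessControlException extends RuntimeException {
    AccessControlException(String message) { super(message); }
}

/** Reads the controller class name from sqoop.properties and instantiates it. */
final class AuthorizationManager {
    // Assumed key; the design's commented-out example keys share this prefix.
    static final String CONTROLLER_KEY = "org.apache.sqoop.authorization.controller";

    static AccessController load(Properties sqoopProperties) {
        String className = sqoopProperties.getProperty(CONTROLLER_KEY, "").trim();
        if (className.isEmpty()) {
            return new FakeAccessController();   // documented default
        }
        try {
            return (AccessController) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            // A misspelled class must not silently degrade to allow-all: fail closed.
            throw new IllegalStateException("cannot load access controller: " + className, e);
        }
    }
}

/** Toy repository: the privilege check is the first statement of every mutating method. */
final class LinkRepository {
    private final AccessController controller;
    private final Map<Long, String> links = new HashMap<>();
    private long nextId = 1;

    LinkRepository(AccessController controller) { this.controller = controller; }

    long createLink(String principal, String linkName) {
        // Creating a link is an action on the whole type, so resource_id 0 ("all links") is used.
        if (!controller.isAllowed(principal, "link", 0, "create")) {
            throw new AccessControlException(principal + " is not allowed to create links");
        }
        long id = nextId++;
        links.put(id, linkName);
        return id;
    }

    int size() { return links.size(); }
}

public class PluggableControllerDemo {
    public static void main(String[] args) {
        // Constructed configuration: no controller set, so the FAKE one is used.
        Properties open = new Properties();
        LinkRepository repo = new LinkRepository(AuthorizationManager.load(open));
        System.out.println("fake controller created link id " + repo.createLink("alice", "mysql-prod"));

        // Same repository code, a different controller plugged in through the property.
        Properties locked = new Properties();
        locked.setProperty(AuthorizationManager.CONTROLLER_KEY, "DenyAllAccessController");
        LinkRepository guarded = new LinkRepository(AuthorizationManager.load(locked));
        try {
            guarded.createLink("alice", "mysql-prod");
        } catch (AccessControlException e) {
            System.out.println("deny-all controller: " + e.getMessage());
        }
    }
}
```

Save as PluggableControllerDemo.java and run with `java PluggableControllerDemo.java`. The point worth keeping from the design is that the repository never decides anything itself; the only way to change the outcome is to change the controller named in the configuration, and an unloadable controller throws instead of quietly becoming the FAKE one.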

  Command line tool

  • The grant/revoke privilege should be run in command line in Sqoop client
  • The commands are shown below
Code Block
show role
grant role --name user
add role --id 1 --name user
remove role --id 1
show role_user_group
grant role_user_group --role_id 1 --user_name sqoop
grant role_user_group --role_id 1 --group_name sqoop
revoke role_user_group --role_id 1 --user_name sqoop
revoke role_user_group --role_id 1 --group_name sqoop
show privilege
grant privilege --resource_type link --resource_id 1 --role_id 1 --action_type read
revoke privilege --resource_type link --resource_id 1 --role_id 1 --action_type read

...

Code Block
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.SentryAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.SentryAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.SentryAuthorizationValidator

...

  • Role table
    • Id
    • Name
    • Comment
      • Role name could be admin, developer, user, etc.
  • Role_User_Group table
    • Id
    • Role_id
    • User_name
    • Group_name
    • Comment
      • The information of user and group comes from Linux or LDAP etc.
      • Only one of user name and group name is set. If the user name is set and the group name is left empty, that user holds the role. If the group name is set and the user name is left empty, every user in that group holds the role.
      • One user/group could have one or multiple roles.
  • Privilege table
    • Id
    • Role_id
    • Resource_id
    • Resource_type
    • Action_type
    • Comment
      • Resource type could be the existing resource table, such as connector, link, job, submission, etc.
      • Resource type could be added in the future, say config etc.
      • If resource_id is 0, it means all resources of this type, i.e. resource_id=0 and resource_type=link means all links.
      • Resource id and resource type together identify a resource, i.e. resource_id=1 and resource_type=link means the resource of “select * from link where id = 1”.
      • Action type could be read, create, update, delete, use etc.
  • Accordingly, MRole, MRoleUserGroup and MPrivilege classes are added into package org.apache.sqoop.model.
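The Role_User_Group and Privilege table semantics above (exactly one of user name or group name per row, roles reachable through group membership, resource_id 0 standing for every resource of a type) as an added example of the lookup a controller would run over those rows. This is illustration code written for this page, not Sqoop's MRole/MRoleUserGroup/MPrivilege classes or its repository: PrivilegeStore, the record types and the sample rows in main are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** One row of Role_User_Group: exactly one of userName / groupName is non-null. */
record RoleUserGroup(long roleId, String userName, String groupName) {}

/** One row of Privilege: resourceId 0 means every resource of resourceType. */
record Privilege(long roleId, String resourceType, long resourceId, String actionType) {}

/** In-memory stand-in for the tables; the Role table is reduced to its ids here. */
final class PrivilegeStore {
    private final List<RoleUserGroup> roleUserGroups = new ArrayList<>();
    private final List<Privilege> privileges = new ArrayList<>();

    void grantRole(long roleId, String userName, String groupName) {
        // Design rule: a row names a user or a group, never both and never neither.
        if ((userName == null) == (groupName == null)) {
            throw new IllegalArgumentException("set exactly one of user_name or group_name");
        }
        roleUserGroups.add(new RoleUserGroup(roleId, userName, groupName));
    }

    void grantPrivilege(long roleId, String resourceType, long resourceId, String actionType) {
        privileges.add(new Privilege(roleId, resourceType, resourceId, actionType));
    }

    void revokePrivilege(long roleId, String resourceType, long resourceId, String actionType) {
        privileges.remove(new Privilege(roleId, resourceType, resourceId, actionType));
    }

    /** Roles held directly by the user plus roles held by any group the user belongs to. */
    Set<Long> rolesFor(String user, Collection<String> groups) {
        Set<Long> roles = new HashSet<>();
        for (RoleUserGroup row : roleUserGroups) {
            boolean byUser = row.userName() != null && row.userName().equals(user);
            boolean byGroup = row.groupName() != null && groups.contains(row.groupName());
            if (byUser || byGroup) {
                roles.add(row.roleId());
            }
        }
        return roles;
    }

    /** Allowed if any held role has a row matching type, action and (exact or wildcard) id. */
    boolean isAllowed(String user, Collection<String> groups,
                      String resourceType, long resourceId, String actionType) {
        Set<Long> roles = rolesFor(user, groups);
        for (Privilege p : privileges) {
            boolean typeMatches = p.resourceType().equals(resourceType);
            boolean idMatches = p.resourceId() == 0 || p.resourceId() == resourceId;
            boolean actionMatches = p.actionType().equals(actionType);
            if (roles.contains(p.roleId()) && typeMatches && idMatches && actionMatches) {
                return true;
            }
        }
        return false;   // default deny: no matching row, no access
    }
}

public class PrivilegeTableDemo {
    public static void main(String[] args) {
        PrivilegeStore store = new PrivilegeStore();
        // Constructed rows: role 1 ("developer") granted to the Linux/LDAP group "etl",
        // role 2 ("admin") granted to the user "carol" directly.
        store.grantRole(1, null, "etl");
        store.grantRole(2, "carol", null);
        store.grantPrivilege(1, "link", 0, "read");     // role 1: read every link (wildcard row)
        store.grantPrivilege(1, "link", 7, "update");   // role 1: update only link 7
        store.grantPrivilege(2, "link", 0, "delete");   // role 2: delete any link

        List<String> aliceGroups = List.of("etl", "staff");   // group membership comes from the OS/LDAP
        System.out.println("alice read link 3: " + store.isAllowed("alice", aliceGroups, "link", 3, "read"));
        System.out.println("alice update link 7: " + store.isAllowed("alice", aliceGroups, "link", 7, "update"));
        System.out.println("alice update link 3: " + store.isAllowed("alice", aliceGroups, "link", 3, "update"));
        System.out.println("alice delete link 3: " + store.isAllowed("alice", aliceGroups, "link", 3, "delete"));
        System.out.println("carol delete link 3: " + store.isAllowed("carol", List.of(), "link", 3, "delete"));

        store.revokePrivilege(1, "link", 7, "update");
        System.out.println("alice update link 7 after revoke: "
                + store.isAllowed("alice", aliceGroups, "link", 7, "update"));
    }
}
```

Save as PrivilegeTableDemo.java and run with `java PrivilegeTableDemo.java` (records need Java 16 or later). Two design points the rows encode are visible in the checks: a grant on resource_id 0 covers a link that has no row of its own, while a grant on a specific id covers nothing else, and the answer is false whenever no row matches, so adding a new resource type or action type never grants anything until a privilege row for it exists.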