...
Resource | Global Namespace | Instance |
---|---|---|
Connector | | |
Link | | |
Job | | |
Submission | | |
Authorization framework
...
- Five classes will be added into Sqoop-core as org.apache.sqoop.security package.
  - AuthorizationManager
    - Similar to the other Sqoop managers, i.e. ConnectorManager, RepositoryManager, etc., the AuthorizationManager handles two singleton instances, AuthorizationManager and AuthorizationHandler.
    - The initialize function is run when the Sqoop server starts.
    - The initialize function initializes the AuthorizationHandler according to the handler name (DefaultAuthorizationHandler or SentryAuthorizationHandler) from the configuration file (sqoop.properties).
  - AuthorizationHandlerFactory
    - It follows the factory design pattern.
    - It uses ClassUtils.loadClass to load the real AuthorizationHandler by reflection in the getAuthorizationHandler function.
  - AuthorizationHandler
    - It is an abstract class.
    - There is a default implementation (DefaultAuthorizationHandler) in the Sqoop-security component.
    - It handles two singleton instances, AccessController and AuthorizationValidator.
    - All functions are delegated to these two instances. AccessController handles grantRole, revokeRole, grantPrivilege and revokePrivilege. AuthorizationValidator handles checkPrivilege.
  - AccessController
    - It is an abstract class.
    - There is a default implementation (DefaultAccessController) in the Sqoop-security component.
    - This class is responsible for managing roles and privileges.
  - AuthorizationValidator
    - It is an abstract class.
    - There is a default implementation (DefaultAuthorizationValidator) in the Sqoop-security component.
    - This class is responsible for checking privileges.
- Three classes will be added into Sqoop-security as org.apache.sqoop.security package.
  - DefaultAuthorizationHandler
    - This class extends the abstract AuthorizationHandler.
    - It handles two singleton instances, DefaultAccessController and DefaultAuthorizationValidator.
  - DefaultAccessController
    - This class extends the abstract AccessController.
  - DefaultAuthorizationValidator
    - This class extends the abstract AuthorizationValidator.
    - As the default/simple implementation, it always returns true and does not actually check the privilege.
- All functions in
...
- RequestHandler, which
...
- handles all requests, i.e. create link, will have a privilege validation check added.
Code Block |
---|
/**
 * {@inheritDoc}
 */
@Override
public void createLink(final MLink link) {
  AuthorizationManager.getAuthorizationHandler().checkPrivilige();
  doWithConnection(new DoWithConnection() {
    @Override
    public Object doIt(Connection conn) {
      if(link.hasPersistenceId()) {
        throw new SqoopException(RepositoryError.JDBCREPO_0015);
      }
      handler.createLink(link, conn);
      return null;
    }
  });
}
/**
 * Create or Update link in repository.
 *
 * @param ctx Context object
 * @return Validation bean object
 */
private JsonBean createUpdateLink(RequestContext ctx, boolean create) {
  AuthorizationEngine.createLinkPrivilige();
  ......
} |
- The privilege check request will be analyzed by AuthorizationEngine.
Code Block |
---|
@Override
public void createLinkPrivilige() throws SqoopAccessControlException {
  // Privileges needed to create a link: Create on Link and Use on Connector
  List<Principle> principles = new ArrayList<Principle>();
  principles.add(new Principle("Link", "Create"));
  principles.add(new Principle("Connector", "Use"));
  AuthorizationManager.getAuthorizationHandler().checkPrivileges(principles);
} |
- The privilege check will be passed from AuthorizationHandler to the real AccessController.
Code Block |
---|
@Override
public void checkPrivileges(List<Principle> principles) throws SqoopAccessControlException {
  authValidator.checkPrivileges(principles);
} |
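The create-link check described above (Link/Create plus Connector/Use, delegated to a validator), as an added Java sketch that is not Sqoop code: it contrasts a validator that passes every request, as the default implementation is described, with a hypothetical deny-by-default one. The `user` argument, the grant table, and the names `AuthorizationSketch`, `PermissiveValidator`, `GrantTableValidator`, `AccessDenied` and `mayCreateLink` are assumptions; records need Java 16 or later.

```java
import java.util.*;

// Added illustration, not Sqoop source. Names follow the design above; bodies are assumptions.
public class AuthorizationSketch {
  record Principle(String resource, String action) {}
  static class AccessDenied extends Exception {
    AccessDenied(String msg) { super(msg); }
  }
  interface AuthorizationValidator {
    // The user argument is an assumption; the page's signature takes only the list.
    void checkPrivileges(String user, List<Principle> needed) throws AccessDenied;
  }
  // Mirrors the default validator as described: every request passes.
  static class PermissiveValidator implements AuthorizationValidator {
    public void checkPrivileges(String user, List<Principle> needed) {}
  }

  // Hypothetical enforcing validator: deny unless every requested privilege was granted.
  static class GrantTableValidator implements AuthorizationValidator {
    private final Map<String, Set<Principle>> grants;
    GrantTableValidator(Map<String, Set<Principle>> grants) { this.grants = grants; }
    public void checkPrivileges(String user, List<Principle> needed) throws AccessDenied {
      Set<Principle> held = grants.getOrDefault(user, Set.of());
      for (Principle p : needed) {
        if (!held.contains(p)) throw new AccessDenied(user + " lacks " + p);
      }
    }
  }

  // The privileges createLinkPrivilige() asks for: Link/Create plus Connector/Use.
  static boolean mayCreateLink(AuthorizationValidator v, String user) {
    try {
      v.checkPrivileges(user, List.of(new Principle("Link", "Create"),
                                      new Principle("Connector", "Use")));
      return true;
    } catch (AccessDenied e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed grant table: alice holds both privileges, bob only Link/Create.
    AuthorizationValidator enforcing = new GrantTableValidator(Map.of(
        "alice", Set.of(new Principle("Link", "Create"), new Principle("Connector", "Use")),
        "bob", Set.of(new Principle("Link", "Create"))));
    System.out.println("alice, enforcing: " + mayCreateLink(enforcing, "alice"));
    System.out.println("bob, enforcing: " + mayCreateLink(enforcing, "bob"));
    System.out.println("bob, permissive: " + mayCreateLink(new PermissiveValidator(), "bob"));
  }
}
```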
Command line tool
- The grant/revoke privilege commands should be run from the command line in the Sqoop client.
- The commands are shown below.
...