...

Code Block
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator


  • Three metadata classes.
    • Role
    • Principal
      • This class defines a user or group.
      • Type: user, group, role.
      • A principal can be granted a role. For example, to grant the admin role to user hadoop: grantRole(principal(name=hadoop, type=user), role(name=admin)).
    • Resource
      • This class defines the four resources in Sqoop 2.
      • Type: connector, link, job, submission.
    • Privilege
      • Action: create, view, update, delete, use, enable, disable.
      • with_grant_option: boolean, defines whether the role can grant this privilege to other roles.

...

  • A privilege check request is analyzed by the AuthorizationEngine.
Code Block
import java.util.ArrayList;
import java.util.List;

@Override
public void createLinkPrivilege() throws SqoopAccessControlException {
    // Privileges required to create link 1 on top of connector 1.
    List<Privilege> privileges = new ArrayList<>();
    privileges.add(new Privilege(new PrincipleResource("Link", "1"), "Create", null));
    privileges.add(new Privilege(new PrincipleResource("Connector", "1"), "Use", null));
    // The handler checks the whole list and throws if any privilege is missing.
    AuthorizationManager.getAuthenticationHandler().checkPrivileges(privileges);
}
  • The privilege check is passed from the AuthorizationHandler to the real AccessController.
Code Block
@Override
public void checkPrivileges(List<Principal> principals) throws SqoopAccessControlException {
    // Delegate to the configured validator (DefaultAuthorizationValidator unless overridden).
    authValidator.checkPrivileges(principals);
}
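To make the role/principal/resource/privilege model and the check flow above concrete, here is an added in-memory model (not Sqoop's code; the class and method names are assumed, only the exception name and the metadata fields come from the page). It grants roles to principals and privileges to roles, enforces with_grant_option when one role delegates a privilege to another, and rejects a request such as createLinkPrivilege() unless every required privilege is held.

```python
from collections import namedtuple
from typing import Dict, Iterable, Optional, Set

# Constructed model of the three metadata classes described above.
Principal = namedtuple("Principal", "name type")  # type: user, group or role
Resource = namedtuple("Resource", "type id")  # type: connector, link, job or submission
Privilege = namedtuple("Privilege", "resource action with_grant_option", defaults=(False,))


class SqoopAccessControlException(Exception):
    """Raised when a privilege check fails (exception name taken from the page)."""


class AccessController:
    """In-memory stand-in for the AccessController/validator pair (assumed, not Sqoop's code)."""

    def __init__(self) -> None:
        self.roles_of: Dict[Principal, Set[str]] = {}  # principal -> granted role names
        self.privs_of: Dict[str, Set[Privilege]] = {}  # role name -> granted privileges

    def grant_role(self, principal: Principal, role: str) -> None:
        self.roles_of.setdefault(principal, set()).add(role)

    def grant_privilege(self, role: str, priv: Privilege, by_role: Optional[str] = None) -> None:
        # Delegation: a role may pass a privilege on only if it holds it with_grant_option.
        if by_role is not None and not self._holds(by_role, priv, need_grant_option=True):
            raise SqoopAccessControlException(f"{by_role} may not grant {priv.action} on {priv.resource}")
        self.privs_of.setdefault(role, set()).add(priv)

    def _holds(self, role: str, priv: Privilege, need_grant_option: bool = False) -> bool:
        # Match on resource and action; with_grant_option only matters when delegating.
        return any(h.resource == priv.resource and h.action == priv.action
                   and (h.with_grant_option or not need_grant_option)
                   for h in self.privs_of.get(role, ()))

    def check_privileges(self, principal: Principal, privileges: Iterable[Privilege]) -> None:
        # Every required privilege must be held by at least one of the principal's roles.
        roles = self.roles_of.get(principal, set())
        for priv in privileges:
            if not any(self._holds(r, priv) for r in roles):
                raise SqoopAccessControlException(f"{principal.name} lacks {priv.action} on {priv.resource}")


def can_create_link(ctrl: AccessController, user: str) -> bool:
    # Same two checks as createLinkPrivilege() above: Create on Link 1 and Use on Connector 1.
    needed = [Privilege(Resource("Link", "1"), "Create"), Privilege(Resource("Connector", "1"), "Use")]
    try:
        ctrl.check_privileges(Principal(user, "user"), needed)
        return True
    except SqoopAccessControlException:
        return False
```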

Command line tool

  • Privilege grants and revokes are run from the command line in the Sqoop client.
  • The commands are shown below.
Code Block
show role
show role -pid 1
update role -rid 1 -name admin
remove role -rid 1
grant role --name user
add role --id 1 --name user
remove role --id 1
show role_user_group
grant principal --role_id 1 --user_name sqoop
grant principal --role_id 1 --group_name sqoop
revoke principal --role_id 1 --user_name sqoop
revoke principal --role_id 1 --group_name sqoop
show privilege
grant privilege --resource_type link --resource_id 1 --role_id 1 --action_type read --with-grant-option yes
revoke privilege --resource_type link --resource_id 1 --role_id 1 --action_type read
  • The REST API is handled by org.apache.sqoop.handler.AuthorizationRequestHandler.java in sqoop-server.
    • GET /v1/role/{rid}
    • GET /v1/role/principal/type/{type}/name/{name}
      • Return details about one particular role with id:rid
      • Return all roles the particular principal (type, name) has
      • Return all of them if rid equals "all"
    • PUT /v1/role
      • Create a new role without id:rid
      • Update an existing role with id:rid
      • PUT data: JsonObject role (name)
    • DELETE /v1/role/{rid}

    • GET /v1/principal/{pid}
    • GET /v1/principal/role/{rid}
      • Return details about one particular principal with id:pid
      • Return all principals the particular role (rid) has
      • Return all of them if pid equals "all"

    • PUT /v1/grant_role
      • Grant a role to a user/group/role
      • PUT data: JsonObject role (id) list and principal (type, name) list
    • PUT /v1/revoke_role
      • Revoke/remove an existing role grant
      • PUT data: JsonObject role (id) list and principal (type, name) list

    • GET /v1/resource/{rid}
      • Return details about one particular resource with id:rid
      • Return all of them if rid equals "all"
    • PUT /v1/resource
      • Create a new resource without id:rid
      • Update an existing resource with id:rid
      • PUT data: JsonObject resource (type, name)
    • DELETE /v1/resource/{rid}

    • GET /v1/privilege/{pid}
      • Return details about one particular privilege with id:pid
      • Return all of them if pid equals "all"
    • PUT /v1/privilege
      • Create a new privilege without id:pid
      • Update an existing privilege with id:pid
      • PUT data: JsonObject privilege (resource, action, with_grant_option)
    • DELETE /v1/privilege/{pid}

    • PUT /v1/grant_privilege
      • Grant a privilege to a role
      • PUT data: JsonObject role (id) list and privilege (resource, action, with_grant_option) list
    • PUT /v1/revoke_privilege
      • Revoke/remove an existing privilege grant
      • PUT data: JsonObject role (id) list and privilege (resource, action, with_grant_option) list

...