...
```properties
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator
```
- Three metadata classes:
  - Role
  - Principal
    - This class defines a user or group.
    - Type: user, group, role.
    - A principal can be granted a role. For example, to grant the admin role to user hadoop: grantRole(principal(name=hadoop, type=user), role(name=admin)).
  - Resource
    - This class defines the four resources in Sqoop 2.
    - Type: connector, link, job, submission.
  - Privilege
    - Action: create, view, update, delete, use, enable, disable.
    - with_grant_option: boolean, defines whether the role holding this privilege may grant it to another role.
...
- A privilege check request is analyzed by the AuthorizationEngine.
```java
@Override
public void createLinkPrivilege() throws SqoopAccessControlException {
  // Creating a link requires "Create" on the link and "Use" on its connector
  List<Privilege> privileges = new ArrayList<>();
  privileges.add(new Privilege(new Resource("Link", "1"), "Create", null));
  privileges.add(new Privilege(new Resource("Connector", "1"), "Use", null));
  // Hand the whole request to the configured AuthorizationHandler
  AuthorizationManager.getAuthorizationHandler().checkPrivileges(privileges);
}
```
- The AuthorizationHandler passes the privilege check on to the real AccessController.
```java
@Override
public void checkPrivileges(List<Privilege> privileges) throws SqoopAccessControlException {
  // Delegate the decision to the configured AuthorizationValidator
  authValidator.checkPrivileges(privileges);
}
```
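As an added illustration (not code from this page or from Sqoop itself) of the metadata model above and of the validator step just shown, the following stand-alone Java class models roles granted to principals, privileges granted to roles, the all-or-nothing privilege check, and the with_grant_option rule for delegation; the class and helper names (AuthzModel, find, canGrant) are assumptions.

```java
import java.util.*;
// Stand-alone model (not Sqoop's own classes) of the page's metadata and the privilege check.
public class AuthzModel {
    record Principal(String type, String name) {}                // type: user, group, role
    record Resource(String type, String id) {}                   // type: connector, link, job, submission
    record Privilege(Resource resource, String action, boolean withGrantOption) {}
    private final Map<Principal, Set<String>> rolesOf = new HashMap<>();  // principal -> role names
    private final Map<String, Set<Privilege>> privsOf = new HashMap<>();  // role name -> privileges
    void grantRole(Principal p, String role) {
        rolesOf.computeIfAbsent(p, k -> new HashSet<>()).add(role);
    }
    void grantPrivilege(String role, Privilege priv) {
        privsOf.computeIfAbsent(role, k -> new HashSet<>()).add(priv);
    }
    // A held privilege matches on resource and action only; with_grant_option governs delegation, not use.
    private Optional<Privilege> find(Principal p, Privilege needed) {
        return rolesOf.getOrDefault(p, Set.of()).stream()
                .flatMap(r -> privsOf.getOrDefault(r, Set.of()).stream())
                .filter(h -> h.resource().equals(needed.resource()) && h.action().equals(needed.action()))
                .findFirst();
    }
    // Validator step: every requested privilege must be covered by some role of the principal.
    void checkPrivileges(Principal p, List<Privilege> needed) {
        for (Privilege priv : needed)
            if (find(p, priv).isEmpty())
                throw new SecurityException(p + " lacks " + priv.action() + " on " + priv.resource());
    }
    // Delegation: re-granting needs the privilege held with with_grant_option in one of the grantor's roles.
    boolean canGrant(Principal grantor, Privilege priv) {
        return find(grantor, priv).map(Privilege::withGrantOption).orElse(false);
    }

    public static void main(String[] args) {
        AuthzModel m = new AuthzModel();
        Principal hadoop = new Principal("user", "hadoop");
        m.grantRole(hadoop, "admin");   // grantRole(principal(name=hadoop, type=user), role(name=admin))
        Privilege createLink = new Privilege(new Resource("link", "1"), "create", false);
        Privilege useConnector = new Privilege(new Resource("connector", "1"), "use", true);
        m.grantPrivilege("admin", createLink);
        m.grantPrivilege("admin", useConnector);
        // Creating link 1 on connector 1 needs both privileges, as in the createLinkPrivilege example
        m.checkPrivileges(hadoop, List.of(createLink, useConnector));
        System.out.println("delegate use on connector 1: " + m.canGrant(hadoop, useConnector));
        System.out.println("delegate create on link 1: " + m.canGrant(hadoop, createLink));
        try {   // a privilege that no role of hadoop carries
            m.checkPrivileges(hadoop, List.of(new Privilege(new Resource("job", "7"), "delete", false)));
        } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Only the privilege granted with with_grant_option can be delegated, so a role that merely uses a connector cannot hand that access to another role.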
Command line tool
- Granting and revoking privileges is done from the command line in the Sqoop client.
- The commands are shown below.
```text
show role
show role -pid 1
update role -rid 1 -name admin
remove role -rid 1
grant role --name user
add role --id 1 --name user
remove role --id 1
show role_user_group
grant principal --role_id 1 --user_name sqoop
grant principal --role_id 1 --group_name sqoop
revoke principal --role_id 1 --user_name sqoop
revoke principal --role_id 1 --group_name sqoop
show privilege
grant privilege --resource_type link --resource_id 1 --role_id 1 --action_type read -with-grant-option yes
revoke privilege --resource_type link --resource_id 1 --role_id 1 --action_type read
```
- REST API calls are handled by org.apache.sqoop.handler.AuthorizationRequestHandler.java in sqoop-server:
- GET /v1/role/{rid}
  - Return details about one particular role with id rid
  - Return all of them if rid equals "all"
- GET /v1/role/principal/type/{type}/name/{name}
  - Return all roles the particular principal (type, name) has
- PUT /v1/role
- DELETE /v1/role/{rid}
- GET /v1/principal/{pid}
  - Return details about one particular principal with id pid
  - Return all of them if pid equals "all"
- GET /v1/principal/role/{rid}
  - Return all principals the particular role (rid) has
- PUT /v1/grant_role
  - Grant a role to a user/group/role
  - PUT data: a JsonObject with a role (id) list and a principal (type, name) list
- PUT /v1/revoke_role
  - Revoke/remove an existing role grant
  - PUT data: a JsonObject with a role (id) list and a principal (type, name) list
- GET /v1/resource/{rid}
  - Return details about one particular resource with id rid
  - Return all of them if rid equals "all"
- PUT /v1/resource
- DELETE /v1/resource/{rid}
- GET /v1/privilege/{pid}
  - Return details about one particular privilege with id pid
  - Return all of them if pid equals "all"
- PUT /v1/privilege
- DELETE /v1/privilege/{pid}
- PUT /v1/grant_privilege
  - Grant a privilege to a role
  - PUT data: a JsonObject with a role (id) list and a privilege (resource, action, with_grant_option) list
- PUT /v1/revoke_privilege
  - Revoke/remove an existing privilege grant
  - PUT data: a JsonObject with a role (id) list and a privilege (resource, action, with_grant_option) list
...