Versions Compared

Old Version 12

changes.mady.by.user richard

Saved on

compared with

New Version 13

changes.mady.by.user richard

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator

Image RemovedImage Added

  • Three Four metadata classes.
    • Role
    • principal
      • This class defines user or group.
      • Type: user, group, role.
      • principal could be granted a role. i.e. if we want to grant a admin role to user hadoop, then grantRole (principal (name=hadoop, type=user), role (name=admin)).
    • Resource
      • This class defines four resources in Sqoop 2.
      • Type: connector, link, job, submission.
    • Privilege
      • Action: create, view, update, delete, use, enable, disable.
      • with_grant_option: boolean, defines whether the role could grant this privilege to other role.

...

  • Restful call API is handled by org.apache.sqoop.handler.AuthorizationRequestHandlerAuthorizationEngine.java in sqoop-server
    • GET /v1/role/{rid}role_name}
      • Return details about one particular role with role_name
      • Return all of them if role_name is null
    • GET /v1/role/principal/typename/{typename}/nametype/{nametype}
      • Return details about one particular role with id:ridReturn all roles the particular principal has with principal (type, name)name, type)
    • GET /v1/role/privilege/{privilege_name}
      • Return all roles with the particular privilege (privilege_name)Return all of them if rid equals to "all"
    • PUT /v1/role
      • Create new role without id:ridrole with role_name. Put data of JsonObject role (role_name)
      • Update existing role with id:ridPUT data of JsonObject role (name)old_role_name and new_role_name. Put data of JsonObject old_role (role_name) and new_role (role_name)
    • DELETE /v1/role/{ridrole_name}

    • GET /v1/principal/name/{name}/type/{type}
      • Return details about one particular principal with name and type
      • Return all of them if name is null or type is null or both are null
    • pid}GET /v1/principal/role/{rid}role_name}
        Return details about one particular principal with id:pid
      • Return all principals with the particular role has with role (rid)role (role_name)
    • PUT /v1/principal
      • Create new principal with name and type. Put data of JsonObject principal (name, type)
      • Update existing principal with old_name, old_type, new_name, new_type. Put data of JsonObject old_principal (name, type) and new_principal (name, type)
    • DELETE /v1/principal/name/{name}/type/{type}
      • Delete all of them if name is null or type is nullReturn all of them if pid equals to "all"
    • PUT /v1/grant_role
      • Grant a role to a user/group/role
      • PUT data of JsonObject role(idrole_name) list and and principal (name, type, name) list
    • PUT /v1/revoke_role
      • Revoke /Remove a existing role granta role to a user/group/role
      • PUT data of JsonObject role(idrole_name) list and principal (name, type, name) list
    • GET /v1/resource/{ridname/{name}/type/{type}
      • Return details about one particular role with id:ridresource with name and type
      • Return all of them if rid equals to "all"name is null or type is null or both are null
    • PUT /v1/resource
      • Create new resource without id:ridwith name and type. Put data of JsonObject resource (name, type)
      • Update existing resource with id:ridPUT data of JsonObject resource (type, namewith old_name, old_type, new_name, new_type. Put data of JsonObject old_resource (name, type) and new_resource (name, type)
    • DELETE /v1/resource/name/{rid}name}/type/{type}
      • Delete all of them if name is null or type is null
    • GET /v1/privilege/{pidprivilege_name}
      • Return details about one particular privilege with id:pidprivilege with privilege_name
      • Return all of them if pid equals to "all"name is null or type is null or both are null
    • GET /v1/privilege/resource/name/{name}/type/{type}
      • Return all privilege with the particular principal (name, type)
    • GET /v1/privilege/role/{role_name}
      • Return all privilege with the particular role (role_name)
    • PUT /v1/privilege
      • Create new privilege without id:pid
      • Update existing role with id:pid
      • with resource, action and with_grant_option. Put data of JsonObject resource (name, type), action and with_grant_option
      • Update existing privilege with old_resource, old_action, old_with_grant_option, new_resource, new_action and new_with_grant_option. Put data of JsonObject old_privilege (resource (name, type), action, with_grant_option) and new_privilege (resource (name, type), PUT data of JsonObject privilege(resource, action, with_grant_option)
    • DELETE /v1/privilege/{pidprivilege_name}
    • DELETE /v1/resource/name/{name}/type/{type}
    • DELETE /v1/resource/name/{name}/type/{type}/action/{action}/with_grant_option/{with_grant_option}

    • PUT /v1/grant_privilege
      • Grant a privilege to a role
      • PUT data of JsonObject role(idrole_name) list and and privilege (resource, action, with_grant_option) listname)
    • PUT /v1/revoke_privilege
      • Revoke /Remove a existing privilege grantto a role
      • PUT data of JsonObject role(id) list and privilege (resource, action, with_grant_option) listrole_name) and privilege (name)

Sentry implementation

  • Sentry could be used as an alternative access controller
  • Config in sqoop.properties

...