...
```
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
#org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
#org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator
```
- Four metadata classes.
  - Role
  - Principal
    - This class defines a user or group.
    - Type: user, group, role.
    - A principal can be granted a role, e.g. to grant the admin role to user hadoop: grantRole(principal(name=hadoop, type=user), role(name=admin)).
  - Resource
    - This class defines the four resources in Sqoop 2.
    - Type: connector, link, job, submission.
  - Privilege
    - Action: create, view, update, delete, use, enable, disable.
    - with_grant_option: boolean, defines whether the role can grant this privilege to another role.
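
A small in-memory model of the metadata classes above, added here as an illustration and not taken from Sqoop's code: it resolves role-to-role grants transitively (a principal of type role can itself hold roles) and enforces with_grant_option when one role grants a privilege to another. The `AccessModel` class, its method names and the `grantor_role=None` bootstrap path are assumptions.

```python
from dataclasses import dataclass
# Added illustration of the page's model; not Sqoop's DefaultAccessController.
@dataclass(frozen=True)
class Principal:
    name: str
    type: str                       # user, group or role

@dataclass(frozen=True)
class Resource:
    name: str
    type: str                       # connector, link, job or submission

@dataclass(frozen=True)
class Privilege:
    resource: Resource
    action: str                     # create, view, update, delete, use, ...
    with_grant_option: bool = False

class AccessModel:
    def __init__(self):
        self.roles_by_principal = {}    # Principal -> {role name}
        self.privs_by_role = {}         # role name -> {Privilege}

    def grant_role(self, principal, role):
        self.roles_by_principal.setdefault(principal, set()).add(role)

    def grant_privilege(self, role, priv, grantor_role=None):
        # grantor_role=None is an assumed bootstrap path for the first admin.
        if grantor_role is not None:
            needed = Privilege(priv.resource, priv.action, True)
            if needed not in self.privs_by_role.get(grantor_role, ()):
                raise PermissionError(f"{grantor_role} lacks grant option")
        self.privs_by_role.setdefault(role, set()).add(priv)

    def roles_of(self, principal):
        # A role is itself a principal (type=role), so resolve grants
        # transitively; `seen` stops cycles such as admin -> operator -> admin.
        seen, todo = set(), [principal]
        while todo:
            for role in self.roles_by_principal.get(todo.pop(), ()):
                if role not in seen:
                    seen.add(role)
                    todo.append(Principal(role, "role"))
        return seen

    def is_allowed(self, principal, resource, action):
        return any(p.resource == resource and p.action == action
                   for r in self.roles_of(principal)
                   for p in self.privs_by_role.get(r, ()))
```
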
...
- Restful call API is handled by org.apache.sqoop.handler.AuthorizationRequestHandlerAuthorizationEngine.java in sqoop-server
  - GET /v1/role/{role_name}
    - Return details about one particular role with role_name
    - Return all of them if role_name is null
  - GET /v1/role/principal/name/{name}/type/{type}
    - Return all roles the particular principal has with principal (name, type)
  - GET /v1/role/privilege/{privilege_name}
    - Return all roles with the particular privilege (privilege_name)
  - PUT /v1/role
  - DELETE /v1/role/{role_name}
  - GET /v1/principal/name/{name}/type/{type}
    - Return details about one particular principal with name and type
    - Return all of them if name is null or type is null or both are null
  - GET /v1/principal/role/{role_name}
    - Return all principals with the particular role (role_name)
  - PUT /v1/principal
    - Create new principal with name and type. Put data of JsonObject principal (name, type)
    - Update existing principal with old_name, old_type, new_name, new_type. Put data of JsonObject old_principal (name, type) and new_principal (name, type)
  - DELETE /v1/principal/name/{name}/type/{type}
    - Delete all of them if name is null or type is null
  - PUT /v1/grant_role
    - Grant a role to a user/group/role
    - PUT data of JsonObject role(role_name) list and principal (name, type) list
  - PUT /v1/revoke_role
    - Revoke a role from a user/group/role
    - PUT data of JsonObject role(role_name) list and principal (name, type) list
  - GET /v1/resource/name/{name}/type/{type}
    - Return details about one particular resource with name and type
    - Return all of them if name is null or type is null or both are null
  - PUT /v1/resource
    - Create new resource with name and type. Put data of JsonObject resource (name, type)
    - Update existing resource with old_name, old_type, new_name, new_type. Put data of JsonObject old_resource (name, type) and new_resource (name, type)
  - DELETE /v1/resource/name/{name}/type/{type}
    - Delete all of them if name is null or type is null
  - GET /v1/privilege/{privilege_name}
    - Return details about one particular privilege with privilege_name
    - Return all of them if name is null or type is null or both are null
  - GET /v1/privilege/resource/name/{name}/type/{type}
    - Return all privileges with the particular principal (name, type)
  - GET /v1/privilege/role/{role_name}
    - Return all privileges with the particular role (role_name)
  - PUT /v1/privilege
    - Create new privilege with resource, action and with_grant_option. Put data of JsonObject resource (name, type), action and with_grant_option
    - Update existing privilege with old_resource, old_action, old_with_grant_option, new_resource, new_action and new_with_grant_option. Put data of JsonObject old_privilege (resource (name, type), action, with_grant_option) and new_privilege (resource (name, type), action, with_grant_option)
  - DELETE /v1/privilege/{privilege_name}
  - DELETE /v1/resource/name/{name}/type/{type}
  - DELETE /v1/resource/name/{name}/type/{type}/action/{action}/with_grant_option/{with_grant_option}
  - PUT /v1/grant_privilege
    - Grant a privilege to a role
    - PUT data of JsonObject role(role_name) and privilege (name)
  - PUT /v1/revoke_privilege
    - Revoke a privilege from a role
    - PUT data of JsonObject role(role_name) and privilege (name)
Sentry implementation
- Sentry could be used as an alternative access controller
- Config in sqoop.properties
...