Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Sqoop 2 needs a pluggable role-based access controller (RBAC) that is responsible for authorizing access to Sqoop 2 resources such as the server, connectors, links and jobs.

...

Resource, actions and rules

Actions per resource (removed in this revision):

Resource    Global namespace                                     Instance
Connector   View, Use                                            View, Use
Link        Create, View, Update, Delete, Use, Enable_Disable    View, Update, Delete, Use, Enable_Disable
Job         Create, View, Update, Delete, Enable_Disable,        View, Update, Delete, Enable_Disable,
            Start_Stop, Status                                   Start_Stop, Status

Implicit actions (removed in this revision):

Resource    Action           Implicit actions
Connector   View             (none)
Connector   Use              View
Link        Create           View, Update, Delete, Use, Enable_Disable
Link        View             (none)
Link        Update           View, Delete, Use, Enable_Disable
Link        Delete           View, Use, Enable_Disable
Link        Use              View, Enable_Disable
Link        Enable_Disable   View
Job         Create           View, Update, Delete, Use, Enable_Disable, Start_Stop, Status
Job         View             (none)
Job         Update           View, Delete, Enable_Disable, Start_Stop, Status
Job         Delete           View, Enable_Disable, Start_Stop, Status
Job         Enable_Disable   View
Job         Start_Stop       View, Enable_Disable, Status
Job         Status           View

Server has three children: Connector, Link and Job.

  • The model is hierarchical. If a user holds the privilege {server, all}, then he/she also holds {connector, all}, {link, all} and {job, all}.
  • If a user holds the privilege {job, all}, then he/she holds both {job, read} and {job, write}.
  • If a user wants to create a link, he/she needs the privilege {server, create}.
Actions per resource (added in this revision):

Resource    Global namespace
Server      All, Create, Read, Write
Connector   All, Read
Link        All, Read, Write
Job         All, Read, Write
Privilege needed per client action (removed column is the earlier revision, added column is the current one):

Action            Privilege needed (removed)    Privilege needed (added)
show connector    connector view                connector read
show link         link view                     link read
create link       link create                   server create (global)
                  connector use                 connector read
update link       link update                   link write
                  connector use                 connector read
delete link       link delete                   link write
enable link       link enable_disable           link write
disable link      link enable_disable           link write
show job          job view                      job read
create job        job create                    server create (global)
                  both links use                both links read
update job        job update                    job write
                  both links use                both links read
delete job        job delete                    job write
enable job        job enable_disable            job write
disable job       job enable_disable            job write
start job         job start_stop                job write
stop job          job start_stop                job write
show submission   job status                    job read
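To make the hierarchy, the implied-action rule and the privilege table above concrete, here is an added Python model of the revised design (a constructed illustration, not Sqoop's own code; the role names, instance ids and the `check`/`expand`/`has` functions are assumptions):

```python
from typing import Dict, List, Set, Tuple

# A privilege is (resource type, instance id or "*" for the global namespace, action).
Privilege = Tuple[str, str, str]

CHILDREN = {"server": ("connector", "link", "job")}    # hierarchy: server covers its children
IMPLIED = {"all": ("all", "create", "read", "write")}   # {x, all} implies {x, read} and {x, write}

# Privileges each client action needs, following the design table above.
REQUIRED: Dict[str, List[Tuple[str, str]]] = {
    "show connector": [("connector", "read")],
    "show link": [("link", "read")],
    "create link": [("server", "create"), ("connector", "read")],
    "update link": [("link", "write"), ("connector", "read")],
    "delete link": [("link", "write")],
    "show job": [("job", "read")],
    "create job": [("server", "create"), ("link", "read")],   # checked for both links
    "start job": [("job", "write")],
    "show submission": [("job", "read")],
}

# Constructed sample roles (assumed names); a deployment would load these from its metadata store.
ROLES: Dict[str, Set[Privilege]] = {
    "admin": {("server", "*", "all")},
    "operator": {("job", "*", "write"), ("job", "*", "read"),
                 ("link", "*", "read"), ("connector", "*", "read")},
    "viewer": {("link", "1", "read"), ("connector", "*", "read")},
}


def expand(privs: Set[Privilege]) -> Set[Privilege]:
    """Close a privilege set under the resource hierarchy and the implied actions."""
    out: Set[Privilege] = set()
    for res, inst, act in privs:
        for r in (res,) + CHILDREN.get(res, ()):
            for a in IMPLIED.get(act, (act,)):
                out.add((r, inst, a))
    return out


def has(privs: Set[Privilege], res: str, inst: str, act: str) -> bool:
    """An exact instance grant or a global ("*") grant satisfies the check."""
    return (res, inst, act) in privs or (res, "*", act) in privs


def check(principal_roles: List[str], action: str, targets: Dict[str, List[str]]) -> bool:
    """True if the union of the principal's roles covers every privilege the action needs.
    `targets` lists the instance ids involved, e.g. {"link": ["1", "2"]} for create job."""
    granted = expand(set().union(*(ROLES[r] for r in principal_roles)))
    return all(has(granted, res, inst, act)
               for res, act in REQUIRED[action]
               for inst in targets.get(res, ["*"]))
```

Note that an operator role with write on every job still cannot create a link, because create lives on the server resource, exactly as the third rule above states.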


Authorization framework


...

Configuration properties (all three are commented out, i.e. the defaults apply):

    #org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler
    #org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController
    #org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator


  • Four metadata classes:
    • Role
    • Principal
      • This class defines a user or a group.
      • Type: user, group, role.
      • A principal can be granted a role, e.g. to grant the admin role to user hadoop: grantRole(principal(name=hadoop, type=user), role(name=admin)).
    • Resource
      • This class defines the four resources in Sqoop 2.
      • Type: server, connector, link, job.
    • Privilege
      • Action: all, read, write (removed in this revision: create, view, update, delete, use, enable, disable).
      • with_grant_option: boolean, defines whether the role may grant this privilege to another role.

...

Example of a handler method building the privilege list for creating a link and passing it to the configured authorization handler:

    import java.util.ArrayList;
    import java.util.List;

    @Override
    public void createLinkPrivilege() throws SqoopAccessControlException {
        // Privileges the create-link action requires; the handler throws if any is missing.
        List<Privilege> privileges = new ArrayList<>();
        privileges.add(new Privilege(new Resource("Link", "1"), "Create", null));
        // "Use" in the removed revision, "Read" in the added one.
        privileges.add(new Privilege(new Resource("Connector", "1"), "Read", null));
        AuthorizationManager.getAuthenticationHandler().checkPrivileges(privileges);
    }

...