...
Apache Solr will be the example for the following guide.
- Define the authorization model (related reference code: https://github.com/apache/sentry/tree/master/sentry-core/sentry-core-model-search)
  - Create sentry-core-model-search for Solr
  - Create SearchModelAuthorizable, which should extend the interface Authorizable
  - Create all authorization types with the enum AuthorizableType, e.g., Collection, Field
  - Create a subclass of SearchModelAuthorizable for every authorization type, e.g., Collection, Field
- Define the action factory (related reference code: https://github.com/apache/sentry/blob/master/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchActionFactory.java)
  - SearchAction defines all actions for Solr with a name and a code, e.g., UPDATE(0x0001), QUERY(0x0002), ALL(0x0001|0x0002).
  - The action code is used to decide whether one action implies another, using the bitwise operation &. The imply rule is defined in org.apache.sentry.core.common.BitFieldAction. According to the rule, UPDATE imply QUERY = FALSE, ALL imply UPDATE = TRUE.
- Define the privilegeModel with the authorization model and action factory (reference code: https://github.com/apache/sentry/blob/master/sentry-core/sentry-core-model-search/src/main/java/org/apache/sentry/core/model/search/SearchPrivilegeModel.java)
  - Create implyMethodMap, which is responsible for how each authorization type is checked for implication. The following imply methods are supported:
    - STRING: compare the authorization type as a string, case-insensitively
    - STRING_CASE_SENSITIVE: compare the authorization type as a string, case-sensitively
    - URL: compare the authorization type as a URL according to org.apache.sentry.core.common.utils.PathUtils
  - Implement getImplyMethodMap() with the created implyMethodMap.
  - Implement getBitFieldActionFactory with SearchActionFactory.
- Define the binding for the component (reference code: https://github.com/apache/sentry/blob/master/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java)
  - Initialize the AuthorizationProvider for authorization
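
The imply rules described above (bitwise action codes combined with a per-type imply method), modeled in stand-alone Java as an added example that is not Sentry's own code. The `ImplyDemo` class, its `Type` and `ImplyMethod` enums, the type-to-method mapping and the sample names are assumptions for illustration; the URL method is left out because it depends on PathUtils.

```java
import java.util.EnumMap;
import java.util.Map;

// Stand-alone model of the imply rules described above; not Sentry's classes.
public class ImplyDemo {
    // Action names and codes as listed in the guide.
    enum Action {
        UPDATE(0x0001), QUERY(0x0002), ALL(0x0001 | 0x0002);
        final int code;
        Action(int code) { this.code = code; }

        // Granted implies requested only if every requested bit is granted.
        boolean implies(Action requested) {
            return (code & requested.code) == requested.code;
        }

        // Weaker test shown for contrast: any shared bit counts as a match.
        boolean overlaps(Action requested) {
            return (code & requested.code) != 0;
        }
    }

    enum Type { COLLECTION, FIELD }
    enum ImplyMethod { STRING, STRING_CASE_SENSITIVE }

    // Hypothetical implyMethodMap: which comparison applies to each type.
    static final Map<Type, ImplyMethod> IMPLY = new EnumMap<>(Type.class);
    static {
        IMPLY.put(Type.COLLECTION, ImplyMethod.STRING);
        IMPLY.put(Type.FIELD, ImplyMethod.STRING_CASE_SENSITIVE);
    }

    // A granted privilege implies a request when both the name and the action imply.
    static boolean implies(Type type, String grantedName, Action granted,
                           String requestedName, Action requested) {
        boolean nameOk = IMPLY.get(type) == ImplyMethod.STRING
                ? grantedName.equalsIgnoreCase(requestedName)
                : grantedName.equals(requestedName);
        return nameOk && granted.implies(requested);
    }

    public static void main(String[] args) {
        // Constructed sample grants and requests.
        System.out.println(implies(Type.COLLECTION, "logs", Action.ALL, "Logs", Action.UPDATE));
        System.out.println(implies(Type.COLLECTION, "logs", Action.UPDATE, "logs", Action.QUERY));
        System.out.println(implies(Type.FIELD, "ssn", Action.QUERY, "SSN", Action.QUERY));
        System.out.println(Action.QUERY.implies(Action.ALL) + " vs " + Action.QUERY.overlaps(Action.ALL));
    }
}
```

The last line contrasts the subset test with a plain overlap test, under which a QUERY grant would satisfy a request for ALL.
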
Main modules:
Binding: Authorization checks happen here
Model: Defines the objects in your system to which you want to control access, and the granularity of that control
Policy engine: Define how you want to evaluate policies. For example: Wildcards?
E2E tests
...