THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
JIRA : SQOOP-1834 and its sub tickets, SQOOP-2048 and its sub tickets
Problem
Sqoop 2 needs a pluggable role based access controller (RBAC), which is responsible for the authorization to Sqoop 2 resources, such as server, connector, link, job, etc.
...
Resource, actions and rules
| Resource | Global Namespace | Instance |
|---|---|---|
| Connector |
|
|
| Link |
|
|
| Job |
|
|
Server has three children: Connector, Link, Job.
- It is a hierarchy mode. If a user has the privilege of {server, all}, then he/she has all privileges of {connector, all}, {link, all} and {job, all}.
- If a user has the privilege of {job, all}, then he/she has both privileges of {job, read} and {job, write}.
- If a user want to create a link, then he/she need to have the privilege of {server, create}
| Resource | Global Namespace | |
|---|---|---|
| Server |
| |
| Connector |
| |
| Link |
| |
| Job |
| |
| Resource | Action | Implicit action |
| Connector | View | |
| Connector | Use | View |
| Link | Create | View, Update, Delete, Use, Enable_Disable |
| Link | View | |
| Link | Update | View, Delete, Use, Enable_Disable |
| Link | Delete | View, Use, Enable_Disable |
| Link | Use | View, Enable_Disable |
| Link | Enable_Disable | View |
| Job | Create | View, Update, Delete, Use, Enable_Disable, Start_Stop, Status |
| Job | View | |
| Job | Update | View, Delete, Enable_Disable, Start_Stop, Status |
| Job | Delete | View, Enable_Disable, Start_Stop, Status |
| Job | Enable_Disable | View |
| Job | Start_Stop | View, Enable_Disable, Status |
| Job | Status | View
| Action | Privilege needed |
|---|---|
| show connector |
|
| show link |
|
| create link |
|
| update link |
|
| delete link |
|
| enable link |
|
| disable link |
|
| show job |
|
| create jobjob create (global) |
|
| update job |
|
| delete job |
|
| enable job |
|
| disable job |
|
| start job |
|
| stop job |
|
| show submission |
|
Authorization framework
...
| Code Block |
|---|
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler #org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController #org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator |
- Four metadata classes.
- Role
- principal
- This class defines user or group.
- Type: user, group, role.
- principal could be granted a role. i.e. if we want to grant a admin role to user hadoop, then grantRole (principal (name=hadoop, type=user), role (name=admin)).
- Resource
- This class defines four resources in Sqoop 2.
- Type: server, connector, link, job.
- Privilege
- Action: createall, view, update, delete, use, enable, disableread, write.
- with_grant_option: boolean, defines whether the role could grant this privilege to other role.
...
| Code Block |
|---|
Override
public void createLinkPrivilige() throws SqoopAccessControlException {
List<Privilege> privileges;
privileges.add(new Privilege(new Resource("Link", "1"), "Create", null));
privileges.add(new Privilege(new Resource("Connector", "1"), "UseRead", null));
AuthorizationManager.getAuthenticationHandler.checkPrivileges(privileges);
} |
...
| Code Block |
|---|
CREATE ROLE role_name
DROP ROLE role_name
SHOW ROLE |
Grant/Revoke Roles
| Code Block |
|---|
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...
REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification:
USER user_name | GROUP group_name | ROLE role_name |
...
| Code Block |
|---|
SHOW ROLE GRANT principal_specification
SHOW PRINCIPAL ON ROLE role_name
principal_specification:
USER user_name | GROUP group_name | ROLE role_name |
...
| Code Block |
|---|
GRANT privilege_action_type [, privilege_action_type] ... ON resource_object_specification [, resource_object_specification] ... TO principal_specification [, principal_specification] ... [WITH GRANT OPTION] REVOKE [GRANT OPTION FOR] privilege_action_type [, privilege_action_type] ... ON resource_object_specification [, resource_object_specification] ... FROM principal_specification [, principal_specification] ... REVOKE ALL PRIVILEGES, GRANT OPTION FROM principal_specification [, principal_specification] ... privilege_action_type: ALL | ALTER | UPDATE | CREATE | DROPREAD | INDEX | LOCK | SELECT | SHOW_DATABASE WRITE resource: SERVER server_name | CONNECTOR connector_name | LINK link_name | JOB job_name principal_specification: USER user_name | GROUP group_name | ROLE role_name |
Viewing Granted Privileges
| Code Block |
|---|
SHOW GRANT principal_specification [ON object_specification [(column_list)]]resource] principal_specification: USER user _name | GROUP group _name | ROLE role_name object_specificationresource: TABLE tbl_name SERVER server_name | CONNECTOR connector_name | LINK link_name | DATABASEJOB dbjob_name |
- Restful call API is handled by org.apache.sqoop.handler.AuthorizationEngine.java in sqoop-server
- GET POST /v1authorization/role/{role_name}
- Return details about one particular role with role_name
- Return all of them if role_name is null
- GET /v1/role/principal/name/{name}/type/{type}
- Return all roles the particular principal has with principal (name, type)
- GET /v1/role/privilege/{privilege_name}
- Return all roles with the particular privilege (privilege_name)
- PUT /v1/role
- Create new role with role_name. Put data of JsonObject role (role_name)
- Update existing role with old_role_name and new_role_name. Put data of JsonObject old_role (role_name) and new_role (role_name)
DELETE /v1/role/{role_name} - GET /v1/principal/name/{name}/type/{type}
- Return details about one particular principal with name and type
- Return all of them if name is null or type is null or both are null
- GET /v1/principal/role/{role_name}
- Return all principals with the particular role (role_name)
- PUT /v1/principal
- Create new principal with name and type. Put data of JsonObject principal (name, type)
- Update existing principal with old_name, old_type, new_name, new_type. Put data of JsonObject old_principal (name, type) and new_principal (name, type)
- DELETE /v1/principal/name/{name}/type/{type}
- Delete all of them if name is null or type is null
- roles/create
- Create new role with {name}
- DELETE /authorization/role/{role-name}
- GET /authorization/roles
- Show all roles
- GET /authorization/principals?role_name={name}
- Show all principals in role with {name}
- GET /authorization/roles?principal_type={type}&principal_name={name}
- Show all roles in principal with {name, type}
- PUT /authorization/roles/grantPUT /v1/grant_role
- Grant a role to a user/group/role
- PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /v1authorization/roles/revoke_role
- Revoke a role to a user/group/role
- PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /v1authorization/resource/name/{name}/type/{type}
- Return details about one particular resource with name and type
- Return all of them if name is null or type is null or both are null
- Grant a privilege to a principal
- PUT data of JsonObject principal
- Create new resource with name and type. Put data of JsonObject resource (name, type)
- Update existing resource with old_name, old_type, new_name, new_type. Put data of JsonObject old_resource (name, type) and new_resource (name, type)
- DELETE /v1/resource/name/{name}/type/{type}
- Delete all of them if name is null or type is null
- GET /v1/privilege/{privilege_name}
- Return details about one particular privilege with privilege_name
- Return all of them if name is null or type is null or both are null
- GET /v1/privilege/resource/name/{name}/type/{type}
- Return all privilege with the particular principal (name, type)
- GET /v1/privilege/role/{role_name}
- Return all privilege with the particular role (role_name)
- PUT /v1/privilege
- Create new privilege with resource, action and with_grant_option. Put data of JsonObject resource (name, type), action and with_grant_option
- Update existing privilege with old_privilege_name, old_resource, old_action, old_with_grant_option, new_privilege_name, new_resource, new_action and new_with_grant_option. Put data of JsonObject old_privilege (name, resource (name, type), action, with_grant_option) and new_privilege (name, resource (name, type), action, with_grant_option)
- DELETE /v1/privilege/{privilege_name} DELETE /v1/resource/name/{name}/type/{type}
- and privilege (resource-name, resource-type, action, with-grant-option)
- PUT /authorization/privileges/revoke
- Revoke a privilege to a principal
- PUT data of JsonObject principal(name, type) and privilege (resource-name, resource-type, action, with-grant-option)
- If privilege is null, then revoke all privileges for principal(name, type)
- GET /authorization/privileges?principal_type={type}&principal_name={name}&resource_type={type}&resource_name={name}
- Show all privileges in principal with {name, type} and resource with {resource-name, resource-type}
- If resource is null, then show all privileges in principal with {name, type}
- PUT /v1/grant_privilege
- Grant a privilege to a role
- PUT data of JsonObject role(role_name) and privilege (name)
- PUT /v1/revoke_privilege
- Revoke a privilege to a role
- PUT data of JsonObject role(role_name) and privilege (name)
- GET POST /v1authorization/role/{role_name}
Sentry implementation
- Sentry could be used as an alternative access controller
- Config in sqoop.properties
...