Versions Compared

Old Version 26

changes.mady.by.user richard

Saved on

compared with

New Version Current

changes.mady.by.user richard

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

JIRA : SQOOP-1834 and its sub ticketsSQOOP-2048 and its sub tickets

Problem

 

Sqoop 2 needs a pluggable role based access controller (RBAC), which is responsible for the authorization to Sqoop 2 resources, such as server, connector, link, job, etc.

...

ResourceGlobal Namespace
Server
  • All
  • Create
  • Read
  • Write
Connector
  • All
  • Read
Link
  • All
  • Read
  • Write
Job
  • All
  • Read
  • Write
ActionPrivilege needed
show connector
  • connector read
show link
  • link read
create link
  • server create
  • connector read
update link
  • link write
  • connector read
delete link
  • link write
enable link
  • link write
disable link
  • link write
show job
  • job read
create job
  • server create
  • both links read
update job
  • job write
  • both links read
delete job
  • job write
enable job
  • job write
disable job
  • job write
start job
  • job write
stop job
  • job write
show submission
  • job read

...

Code Block
CREATE ROLE role_name

DROP ROLE role_name
 
SHOW ROLE

Grant/Revoke Roles

Code Block
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification:
    USER user_name | GROUP group_name | ROLE role_name

...

Code Block
SHOW ROLE GRANT principal_specification

SHOW PRINCIPAL ON ROLE role_name
 
principal_specification:
    USER user_name | GROUP group_name | ROLE role_name

...

  • Restful call API is handled by org.apache.sqoop.handler.AuthorizationEngine.java in sqoop-server
    • PUT POST /authorization/roles/rolecreate
      • Create new role with role_{name}
    • DELETE /authorization/role/{role_-name}

    • GET /authorization/roles
      • Show all roles
    • GET /authorization/principals?role/{role_name={name}
      • Show all principals in role with {role_namename}
    • GET /authorization/roles?principal_type={type}&principal_name={name}
      • Show all roles in principal with {name, type}
    • PUT /authorization/roles/grant_role
      • Grant a role to a user/group/role
      • PUT data of JsonObject role(role_name) and principal (name, type)
    • PUT /authorization/roles/revoke_role
      • Revoke a role to a user/group/role
      • PUT data of JsonObject role(role_name) and principal (name, type)
    • PUT /authorization/privileges/grant_privilege
      • Grant a privilege to a principal
      • PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
    • PUT /authorization/privileges/revoke_privilege
      • Revoke a privilege to a principal
      • PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
      • If privilege is null, then revoke all privileges for principal(name, type)
    • GET /authorization/privileges?principal/_type={type}/&principal_name={name}?&resource_type={type}&resource_name={name}
      • Show all privileges in principal with {name, type} and resource with {resource_-name, resource_-type}
      • If resource is null, then show all privileges in principal with {name, type}

...