...
JIRA : SQOOP-1834 and its sub tickets, SQOOP-2048 and its sub tickets
Problem
Sqoop 2 needs a pluggable role-based access controller (RBAC) that is responsible for authorizing access to Sqoop 2 resources such as server, connector, link, and job.
...
Resource | Global Namespace |
---|---|
Server | |
Connector | |
Link | |
Job | |

Action | Privilege needed |
---|---|
show connector | |
show link | |
create link | |
update link | |
delete link | |
enable link | |
disable link | |
show job | |
create jobserver create | |
update job | |
delete job | |
enable job | |
disable job | |
start job | |
stop job | |
show submission | |
...
- RESTful API calls are handled by org.apache.sqoop.handler.AuthorizationEngine.java in sqoop-server
  - PUT POST /authorization/roles/create
    - Create a new role with {name}
  - DELETE /authorization/role/{role-name}
  - GET /authorization/roles
    - Show all roles
  - GET /authorization/principals?role_name={name}
    - Show all principals in the role with {name}
  - GET /authorization/roles?principal_type={type}&principal_name={name}
    - Show all roles of the principal with {name, type}
  - PUT /authorization/roles/grant
    - Grant a role to a user/group/role
    - PUT data: JsonObject with role (name) and principal (name, type)
  - PUT /authorization/roles/revoke
    - Revoke a role from a user/group/role
    - PUT data: JsonObject with role (name) and principal (name, type)
  - PUT /authorization/privileges/grant
    - Grant a privilege to a principal
    - PUT data: JsonObject with principal (name, type) and privilege (resource-name, resource-type, action, with-grant-option)
  - PUT /authorization/privileges/revoke
    - Revoke a privilege from a principal
    - PUT data: JsonObject with principal (name, type) and privilege (resource-name, resource-type, action, with-grant-option)
    - If privilege is null, then revoke all privileges for principal (name, type)
  - GET /authorization/privileges?principal_type={type}&principal_name={name}&resource_type={type}&resource_name={name}
    - Show all privileges of the principal with {name, type} on the resource with {resource-name, resource-type}
    - If resource is null, then show all privileges of the principal with {name, type}
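
The privilege endpoints listed above, as an added client-side sketch (not Sqoop's own code): it builds the grant, revoke and list requests and flags the revoke request with a null privilege, which removes every privilege from a principal. Field names follow the list above; the top-level JSON keys, the encoding of "null" as JSON null, and the `READ` action string are assumptions.

```python
import json
from urllib.parse import urlencode

# Types named on this page; everything else about the wire format is assumed.
PRINCIPAL_TYPES = {"user", "group", "role"}
RESOURCE_TYPES = {"server", "connector", "link", "job"}

def principal(name, ptype):
    if ptype not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type: {ptype!r}")
    return {"name": name, "type": ptype}

def privilege(resource_name, resource_type, action, with_grant_option=False):
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type: {resource_type!r}")
    return {"resource-name": resource_name, "resource-type": resource_type,
            "action": action, "with-grant-option": bool(with_grant_option)}

def _put(path, princ, priv):
    # Assumed envelope: {"principal": {...}, "privilege": {...} or null}
    return ("PUT", path, json.dumps({"principal": princ, "privilege": priv},
                                    sort_keys=True))

def grant_privilege(princ, priv):
    """PUT /authorization/privileges/grant; a privilege is mandatory here."""
    if priv is None:
        raise ValueError("grant requires an explicit privilege")
    return _put("/authorization/privileges/grant", princ, priv)

def revoke_privilege(princ, priv=None):
    """PUT /authorization/privileges/revoke; priv=None revokes everything."""
    return _put("/authorization/privileges/revoke", princ, priv)

def revokes_everything(request):
    """True for a revoke request that strips all privileges from a principal."""
    _method, path, body = request
    return (path == "/authorization/privileges/revoke"
            and json.loads(body).get("privilege") is None)

def list_privileges_url(princ, resource=None):
    """GET URL; omitting resource lists every privilege of the principal."""
    params = {"principal_type": princ["type"], "principal_name": princ["name"]}
    if resource is not None:
        rtype, rname = resource
        if rtype not in RESOURCE_TYPES:
            raise ValueError(f"unknown resource type: {rtype!r}")
        params.update(resource_type=rtype, resource_name=rname)
    return "/authorization/privileges?" + urlencode(params)
```

A wrapper or audit hook can call `revokes_everything` before sending, so that a missing privilege object is a deliberate choice rather than a serialization accident.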
...