From aw...@apache.org
Subject [2/4] kudu git commit: [sentry] SentryAction
Date Tue, 16 Oct 2018 04:34:45 GMT
[sentry] SentryAction

This commit adds SentryAction class to represent a Sentry action in
HiveSQL authorizable model. This class provides validation on whether
an action can imply another, which allows a higher-level authorization
provider to determine if an operation on an object should be allowed.

Change-Id: Ib2e60b79a60fd791ec966f6271c676323bf74d49
Reviewed-on: http://gerrit.cloudera.org:8080/11656
Reviewed-by: Dan Burkert <danburkert@apache.org>
Reviewed-by: Andrew Wong <awong@cloudera.com>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/3570c638
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/3570c638
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/3570c638

Branch: refs/heads/master
Commit: 3570c638681d8f13e890c9c48fef61a566cbbffd
Parents: df5fc24
Author: Hao Hao <hao.hao@cloudera.com>
Authored: Wed Oct 10 12:05:29 2018 -0700
Committer: Hao Hao <hao.hao@cloudera.com>
Committed: Tue Oct 16 03:41:04 2018 +0000

----------------------------------------------------------------------
 src/kudu/sentry/CMakeLists.txt        |  2 +
 src/kudu/sentry/sentry_action-test.cc | 89 +++++++++++++++++++++++++++
 src/kudu/sentry/sentry_action.cc      | 96 ++++++++++++++++++++++++++++++
 src/kudu/sentry/sentry_action.h       | 83 ++++++++++++++++++++++++++
 4 files changed, 270 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/3570c638/src/kudu/sentry/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/CMakeLists.txt b/src/kudu/sentry/CMakeLists.txt
index 588bf9f..3222793 100644
--- a/src/kudu/sentry/CMakeLists.txt
+++ b/src/kudu/sentry/CMakeLists.txt
@@ -32,6 +32,7 @@ add_dependencies(sentry_thrift ${SENTRY_THRIFT_TGTS})
 ##############################
 
 set(SENTRY_SRCS
+  sentry_action.cc
   sentry_client.cc)
 set(SENTRY_DEPS
   kudu_common
@@ -75,5 +76,6 @@ if (NOT NO_TESTS)
     mini_kdc
     mini_sentry)
 
+  ADD_KUDU_TEST(sentry_action-test)
   ADD_KUDU_TEST(sentry_client-test)
 endif()

http://git-wip-us.apache.org/repos/asf/kudu/blob/3570c638/src/kudu/sentry/sentry_action-test.cc
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_action-test.cc b/src/kudu/sentry/sentry_action-test.cc
new file mode 100644
index 0000000..d646cc4
--- /dev/null
+++ b/src/kudu/sentry/sentry_action-test.cc
@@ -0,0 +1,89 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/sentry/sentry_action.h"
+
+#include <string>
+#include <vector>
+
+#include <gtest/gtest.h>
+
+#include "kudu/util/status.h"
+#include "kudu/util/test_macros.h"
+
+using std::string;
+using std::vector;
+
+namespace kudu {
+
+namespace sentry {
+
+TEST(SentryActionTest, TestImplyAction) {
+  SentryAction all(SentryAction::Action::ALL);
+  SentryAction metadata(SentryAction::Action::METADATA);
+  SentryAction select(SentryAction::Action::SELECT);
+  SentryAction insert(SentryAction::Action::INSERT);
+  SentryAction update(SentryAction::Action::UPDATE);
+  SentryAction del(SentryAction::Action::DELETE);
+  SentryAction alter(SentryAction::Action::ALTER);
+  SentryAction create(SentryAction::Action::CREATE);
+  SentryAction drop(SentryAction::Action::DROP);
+  SentryAction owner(SentryAction::Action::OWNER);
+
+  // Different action cannot imply each other.
+  ASSERT_FALSE(insert.Imply(select));
+  ASSERT_FALSE(select.Imply(insert));
+
+  vector<SentryAction> actions({ all, select, insert, update,
+                                 del, alter, create, drop, owner });
+
+  // Any action subsumes METADATA, not vice versa.
+  for (const auto& action : actions) {
+    ASSERT_TRUE(action.Imply(metadata));
+    ASSERT_FALSE(metadata.Imply(action));
+  }
+
+  actions.insert(actions.end(), metadata);
+  for (const auto& action : actions) {
+    // Action ALL implies all other actions.
+    ASSERT_TRUE(all.Imply(action));
+
+    // Action OWNER equals to ALL, which implies all other actions.
+    ASSERT_TRUE(owner.Imply(action));
+
+    // Any action implies itself.
+    ASSERT_TRUE(action.Imply(action));
+  }
+}
+
+TEST(SentryActionTest, TestFromString) {
+  // Action '*' equals to ALL.
+  SentryAction wildcard_action;
+  ASSERT_OK(wildcard_action.FromString(SentryAction::kWildCard));
+  SentryAction wildcard(wildcard_action);
+  SentryAction all(SentryAction::Action::ALL);
+  ASSERT_TRUE(all.Imply(wildcard));
+  ASSERT_TRUE(wildcard.Imply(all));
+
+  // Unsupported action, such as '+', throws invalid argument error.
+  SentryAction invalid_action;
+  Status s = invalid_action.FromString("+");
+  ASSERT_TRUE(s.IsInvalidArgument()) << s.ToString();
+}
+
+} // namespace sentry
+} // namespace kudu
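Review bot: TestFromString covers only the wildcard and one rejected string, so the case-insensitive matching that sentry_action.cc relies on (`boost::iequals`) has no test, and the rejected parse is checked only through the returned Status, never through the object's state. Suggest adding `ASSERT_OK(select_lc.FromString("select"));` followed by `ASSERT_EQ(SentryAction::Action::SELECT, select_lc.action());` next to the wildcard case, and `ASSERT_EQ(SentryAction::Action::UNINITIALIZED, invalid_action.action());` after the InvalidArgument assertion so a regression that leaves or sets a value on the error path is caught. The copy `SentryAction wildcard(wildcard_action);` adds nothing over using `wildcard_action` directly in the two Imply() assertions that follow.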

http://git-wip-us.apache.org/repos/asf/kudu/blob/3570c638/src/kudu/sentry/sentry_action.cc
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_action.cc b/src/kudu/sentry/sentry_action.cc
new file mode 100644
index 0000000..2fe0a2a
--- /dev/null
+++ b/src/kudu/sentry/sentry_action.cc
@@ -0,0 +1,96 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/sentry/sentry_action.h"
+
+#include <string>
+
+#include <boost/algorithm/string/predicate.hpp>
+#include <glog/logging.h>
+
+#include "kudu/gutil/strings/substitute.h"
+
+using std::string;
+using strings::Substitute;
+
+namespace kudu {
+namespace sentry {
+
+const char* const SentryAction::kWildCard = "*";
+
+SentryAction::SentryAction()
+  : action_(Action::UNINITIALIZED) {
+}
+
+SentryAction::SentryAction(Action action)
+  : action_(action) {
+}
+
+Status SentryAction::FromString(const string& action) {
+  // Consider action '*' equals to ALL to be compatible with the existing
+  // Java Sentry client.
+  //
+  // See org.apache.sentry.api.service.thrift.SentryPolicyServiceClientDefaultImpl.
+  if (boost::iequals(action, "ALL") || action == kWildCard) {
+    action_ = Action::ALL;
+  } else if (boost::iequals(action, "METADATA")) {
+    action_ = Action::METADATA;
+  } else if (boost::iequals(action, "SELECT")) {
+    action_ = Action::SELECT;
+  } else if (boost::iequals(action, "INSERT")) {
+    action_ = Action::INSERT;
+  } else if (boost::iequals(action, "UPDATE")) {
+    action_ = Action::UPDATE;
+  } else if (boost::iequals(action, "DELETE")) {
+    action_ = Action::DELETE;
+  } else if (boost::iequals(action, "ALTER")) {
+    action_ = Action::ALTER;
+  } else if (boost::iequals(action, "CREATE")) {
+    action_ = Action::CREATE;
+  } else if (boost::iequals(action, "DROP")) {
+    action_ = Action::DROP;
+  } else if (boost::iequals(action, "OWNER")) {
+    action_ = Action::OWNER;
+  } else {
+    return Status::InvalidArgument(Substitute("unknown SentryAction: $0",
+                                              action));
+  }
+
+  return Status::OK();
+}
+
+bool SentryAction::Imply(const SentryAction& other) const {
+  // Any action must be initialized.
+  CHECK(action() != Action::UNINITIALIZED);
+  CHECK(other.action() != Action::UNINITIALIZED);
+
+  // Action ALL and OWNER subsume every other action.
+  if (action() == Action::ALL ||
+      action() == Action::OWNER) {
+    return true;
+  }
+
+  // Any action subsumes Action METADATA
+  if (other.action() == Action::METADATA) {
+    return true;
+  }
+
+  return action() == other.action();
+}
+
+} // namespace sentry
+} // namespace kudu
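Review bot: In FromString the unknown-action branch returns InvalidArgument without touching `action_`, so an object that already held a valid action keeps it after a failed re-parse, and a caller that checks the Status late or not at all would continue authorizing with the stale value. Resetting the field on that path makes the failure mode explicit, e.g. `action_ = Action::UNINITIALIZED;` immediately before the `return Status::InvalidArgument(...)`; if leaving the previous value is intended, the header comment should say so. Separately, Imply() terminates the process via CHECK when either side is UNINITIALIZED, which is fail-closed but turns an unchecked parse failure into a crash of the hosting process; whether that is acceptable depends on how the authorization provider that calls this is expected to handle the Status, which is not visible here.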

http://git-wip-us.apache.org/repos/asf/kudu/blob/3570c638/src/kudu/sentry/sentry_action.h
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_action.h b/src/kudu/sentry/sentry_action.h
new file mode 100644
index 0000000..957ac56
--- /dev/null
+++ b/src/kudu/sentry/sentry_action.h
@@ -0,0 +1,83 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include <string>
+
+#include "kudu/util/status.h"
+
+namespace kudu {
+namespace sentry {
+
+// A replication of Sentry Action, which is the operation taken
+// on an authorizable/object. In this case, HiveSQL model is chosen
+// to define the actions. One action can imply another following rules
+// defined in Imply().
+//
+// This class is not thread-safe.
+class SentryAction {
+ public:
+  static const char* const kWildCard;
+
+  // Actions that are supported. All actions are independent,
+  // except that ALL subsumes every other action, and every
+  // action subsumes METADATA. OWNER is a special action that
+  // behaves like the ALL.
+  // Note that 'UNINITIALIZED' is not an actual operation but
+  // only to represent an action in uninitialized state.
+  //
+  // See org.apache.sentry.core.model.db.HiveActionFactory.
+  enum class Action {
+    UNINITIALIZED,
+    ALL,
+    METADATA,
+    SELECT,
+    INSERT,
+    UPDATE,
+    DELETE,
+    ALTER,
+    CREATE,
+    DROP,
+    OWNER,
+  };
+
+  SentryAction();
+
+  explicit SentryAction(Action action);
+
+  Action action() const {
+    return action_;
+  }
+
+  // Create an Action from string.
+  Status FromString(const std::string& action);
+
+  // Check if an action implies the other. In general,
+  //   1. an action only implies itself.
+  //   2. with the exceptions that ALL, OWNER imply all other actions,
+  //      and any action implies METADATA.
+  //
+  // See org.apache.sentry.policy.common.CommonPrivilege.impliesAction.
+  bool Imply(const SentryAction& other) const;
+
+ private:
+  Action action_;
+};
+
+} // namespace sentry
+} // namespace kudu
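Review bot: The comment `// Create an Action from string.` above FromString understates the contract: the implementation matches action names case-insensitively and accepts `*` as a synonym for ALL, and neither is documented at the declaration, nor is what the object holds when InvalidArgument is returned. Suggest `// Parse 'action' (case-insensitive) into this object; '*' is accepted as an alias for ALL. Returns InvalidArgument for any other string.` plus one sentence stating the object's state on failure. As a point of style, `Action action_;` could carry an in-class initializer `Action action_ = Action::UNINITIALIZED;` with the default constructor `= default`, and `kWildCard` could be a `static constexpr const char*` defined in the header, removing the out-of-line definition in sentry_action.cc.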

