From mad...@apache.org
Subject [1/3] git commit: - added configuration 'xasecure.hive.authorizer.update.xapolicies.on.grant.revoke' to enable/disable updating XAPolicies for GRANT/REVOKE. Enabled by default. - updated to have access-check for GRANT/REVOKE done at security admin (inste
Date Fri, 22 Aug 2014 07:20:04 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master 952518938 -> e36722006


- added configuration
'xasecure.hive.authorizer.update.xapolicies.on.grant.revoke' to
enable/disable updating XAPolicies for GRANT/REVOKE. Enabled by default.
- updated to have access-check for GRANT/REVOKE done at security admin
(instead of at the agent), as the logic to determine the access could be
involved and can change (for example to restrict permissions that can be
granted by the user)
- updates for change in REST interface (a single list permMapList,
instead of two lists - userPermMap, groupPermMap)
- authz APIs that are not implemented in XAHiveAuthorizer will now raise
an exception with a message containing the string "not implemented in Argus
HiveAuthorizer"


Project: http://git-wip-us.apache.org/repos/asf/incubator-argus/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-argus/commit/2c56c560
Tree: http://git-wip-us.apache.org/repos/asf/incubator-argus/tree/2c56c560
Diff: http://git-wip-us.apache.org/repos/asf/incubator-argus/diff/2c56c560

Branch: refs/heads/master
Commit: 2c56c5604e5bc1d4082acb19bb2ebfaf0de92102
Parents: 704f626
Author: mneethiraj <mneethiraj@hortonworks.com>
Authored: Thu Aug 21 16:36:29 2014 -0700
Committer: mneethiraj <mneethiraj@hortonworks.com>
Committed: Thu Aug 21 16:36:29 2014 -0700

----------------------------------------------------------------------
 .../admin/client/XaAdminRESTClient.java         |   6 +-
 .../admin/client/datatype/GrantRevokeData.java  | 177 +++++++------------
 .../constants/XaSecureHadoopConstants.java      |   3 +
 .../authorization/utils/StringUtil.java         |  20 +++
 hive-agent/conf/xasecure-hive-security.xml      |  17 +-
 .../hive/authorizer/XaSecureHiveAuthorizer.java |  87 +++++----
 .../authorizer/XaSecureHiveAuthorizerBase.java  | 158 +++++++----------
 .../META-INF/security-applicationContext.xml    |   2 +
 8 files changed, 224 insertions(+), 246 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/agents-common/src/main/java/com/xasecure/admin/client/XaAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/com/xasecure/admin/client/XaAdminRESTClient.java
b/agents-common/src/main/java/com/xasecure/admin/client/XaAdminRESTClient.java
index 32fcd63..69f754c 100644
--- a/agents-common/src/main/java/com/xasecure/admin/client/XaAdminRESTClient.java
+++ b/agents-common/src/main/java/com/xasecure/admin/client/XaAdminRESTClient.java
@@ -134,7 +134,7 @@ public class XaAdminRESTClient implements XaAdminClient {
 
 			WebResource webResource = client.resource(mUrl + REST_URL_PATH_GRANT);
 
-			ClientResponse response = webResource.accept(REST_EXPECTED_MIME_TYPE).post(ClientResponse.class,
grData.toString());
+			ClientResponse response = webResource.accept(REST_EXPECTED_MIME_TYPE).type(REST_EXPECTED_MIME_TYPE).post(ClientResponse.class,
grData.toString());
 
 			if(response == null) {
 				throw new Exception("grantPrivilege(): unknown failure");
@@ -157,7 +157,7 @@ public class XaAdminRESTClient implements XaAdminClient {
 
 			WebResource webResource = client.resource(mUrl + REST_URL_PATH_REVOKE);
 
-			ClientResponse response = webResource.accept(REST_EXPECTED_MIME_TYPE).post(ClientResponse.class,
grData.toString());
+			ClientResponse response = webResource.accept(REST_EXPECTED_MIME_TYPE).type(REST_EXPECTED_MIME_TYPE).post(ClientResponse.class,
grData.toString());
 
 			if(response == null) {
 				throw new Exception("revokePrivilege(): unknown failure");
@@ -172,7 +172,7 @@ public class XaAdminRESTClient implements XaAdminClient {
 	}
 
 	private void init() {
-		mIsSSL = mUrl.toLowerCase().contains("https");
+		mIsSSL = StringUtil.containsIgnoreCase(mUrl, "https");
 
 		InputStream in =  null ;
 
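Review bot: The SSL decision in `init()` is a substring match, so `mIsSSL` becomes true for any URL that merely contains "https" (a host called `httpshost`, a path segment), and the scheme itself is never examined. Test the scheme prefix instead, e.g. `mIsSSL = mUrl != null && mUrl.regionMatches(true, 0, "https://", 0, 8);`, which is also null-safe and independent of the JVM locale. How `mIsSSL` is used afterwards is not visible, because `init()` continues past the end of this hunk. Since GRANT/REVOKE requests travel over this client, it is worth confirming that a URL without an `https://` scheme is at least logged at startup.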

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/agents-common/src/main/java/com/xasecure/admin/client/datatype/GrantRevokeData.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/com/xasecure/admin/client/datatype/GrantRevokeData.java
b/agents-common/src/main/java/com/xasecure/admin/client/datatype/GrantRevokeData.java
index 45cfd35..a3d9112 100644
--- a/agents-common/src/main/java/com/xasecure/admin/client/datatype/GrantRevokeData.java
+++ b/agents-common/src/main/java/com/xasecure/admin/client/datatype/GrantRevokeData.java
@@ -13,6 +13,8 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
 import org.codehaus.jackson.map.JsonMappingException;
 import org.codehaus.jackson.map.ObjectMapper;
 
+import com.xasecure.authorization.utils.StringUtil;
+
 
 @JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE, fieldVisibility
= Visibility.ANY)
 @JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
@@ -20,20 +22,18 @@ import org.codehaus.jackson.map.ObjectMapper;
 public class GrantRevokeData implements java.io.Serializable {
 	private static final long serialVersionUID = 1L;
 
-	private String              grantor;
-	private String              repositoryName;
-	private String              repositoryType;
-	private String              databases;
-	private String              tables;
-	private String              columns;
-	private String              columnFamilies;
-	private List<UserPermList>  userPermList  = new ArrayList<UserPermList>();
-	private List<GroupPermList> groupPermList = new ArrayList<GroupPermList>();
+	private String        grantor;
+	private String        repositoryName;
+	private String        repositoryType;
+	private String        databases;
+	private String        tables;
+	private String        columns;
+	private String        columnFamilies;
+	private List<PermMap> permMapList = new ArrayList<PermMap>();
 
 
 	public GrantRevokeData() {
 	}
-	
 
 	public String getGrantor() {
 		return grantor;
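Review bot: `serialVersionUID` stays `1L` although the serialized fields change here (`userPermList`/`groupPermList` replaced by `permMapList`), and the JSON shape posted to the admin REST endpoint changes with them. If the receiving side ignores unknown properties, as the `@JsonIgnoreProperties(ignoreUnknown = true)` on the nested class in this file suggests it may, an agent and a server on different versions would exchange requests whose permission lists silently deserialize as empty instead of failing. Bump `serialVersionUID`, and add a class comment stating that the agent and the security admin must be upgraded together. The class body continues outside this hunk.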
@@ -91,30 +91,21 @@ public class GrantRevokeData implements java.io.Serializable {
 		this.columnFamilies = columnFamilies;
 	}
 
-	public List<UserPermList> getUserPermList() {
-		return userPermList;
+	public List<PermMap> getPermMapList() {
+		return permMapList;
 	}
 
-	public void setUserPermList(List<UserPermList> userPermList) {
-		this.userPermList = userPermList;
+	public void setPermMapList(List<PermMap> permMapList) {
+		this.permMapList = permMapList;
 	}
 
-	public List<GroupPermList> getGroupPermList() {
-		return groupPermList;
-	}
-
-	public void setGroupPermList(List<GroupPermList> groupPermList) {
-		this.groupPermList = groupPermList;
-	}
 
-
-	public void setHiveData(String              grantor,
-							String              repositoryName,
-							String              databases,
-							String              tables,
-							String              columns,
-							List<UserPermList>  userPermList,
-							List<GroupPermList> groupPermList) {
+	public void setHiveData(String        grantor,
+							String        repositoryName,
+							String        databases,
+							String        tables,
+							String        columns,
+							List<PermMap> permMapList) {
 		this.grantor         = grantor;
 		this.repositoryName = repositoryName;
 		this.repositoryType = "hive";
@@ -122,22 +113,17 @@ public class GrantRevokeData implements java.io.Serializable {
 		this.tables         = tables;
 		this.columns        = columns;
 
-		for(UserPermList userPerm : userPermList) {
-			this.userPermList.add(userPerm);
-		}
-
-		for(GroupPermList groupPerm : groupPermList) {
-			this.groupPermList.add(groupPerm);
+		for(PermMap permMap : permMapList) {
+			this.permMapList.add(permMap);
 		}
 	}
 
-	public void setHBaseData(String              grantor,
-							 String              repositoryName,
-							 String              tables,
-							 String              columns,
-							 String              columnFamilies,
-							 List<UserPermList>  userPermList,
-							 List<GroupPermList> groupPermList) {
+	public void setHBaseData(String        grantor,
+							 String        repositoryName,
+							 String        tables,
+							 String        columns,
+							 String        columnFamilies,
+							 List<PermMap> permMapList) {
 		this.grantor         = grantor;
 		this.repositoryName = repositoryName;
 		this.repositoryType = "hbase";
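Review bot: The copy loop at the end of `setHiveData` (`for(PermMap permMap : permMapList)`) dereferences the argument without a null check and appends to the existing `this.permMapList`. A null list therefore throws a NullPointerException, and a second call on the same object carries over the permission entries from the first. `PermMap.copyList`, added in this same commit, is null-safe, so the two should agree: `this.permMapList.clear(); if(permMapList != null) { this.permMapList.addAll(permMapList); }`. The same loop is repeated in `setHBaseData` in the next hunk. Both method bodies start or end outside the hunks that show them.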
@@ -145,12 +131,8 @@ public class GrantRevokeData implements java.io.Serializable {
 		this.columns        = columns;
 		this.columnFamilies = columnFamilies;
 
-		for(UserPermList userPerm : userPermList) {
-			this.userPermList.add(userPerm);
-		}
-
-		for(GroupPermList groupPerm : groupPermList) {
-			this.groupPermList.add(groupPerm);
+		for(PermMap permMap : permMapList) {
+			this.permMapList.add(permMap);
 		}
 	}
 	
@@ -179,99 +161,62 @@ public class GrantRevokeData implements java.io.Serializable {
 	@JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE,
fieldVisibility = Visibility.ANY)
 	@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
 	@JsonIgnoreProperties(ignoreUnknown = true)
-	public static class UserPermList {
-		private List<String> userList = new ArrayList<String>();
-		private List<String> permList = new ArrayList<String>();
+	public static class PermMap {
+		private List<String> userList  = new ArrayList<String>();
+		private List<String> groupList = new ArrayList<String>();
+		private List<String> permList  = new ArrayList<String>();
+
+		public PermMap() {
+		}
 
-		public UserPermList(String user, String perm) {
+		public PermMap(String user, String group, String perm) {
 			addUser(user);
+			addGroup(group);
 			addPerm(perm);
 		}
 
-		public UserPermList(List<String> userList, List<String> permList) {
-			for(String user : userList) {
-				addUser(user);
-			}
-
-			for(String perm : permList) {
-				addPerm(perm);
-			}
+		public PermMap(List<String> userList, List<String> groupList, List<String>
permList) {
+			copyList(userList, this.userList);
+			copyList(groupList, this.groupList);
+			copyList(permList, this.permList);
 		}
 
 		public List<String> getUserList() {
 			return userList;
 		}
 
+		public List<String> getGroupList() {
+			return groupList;
+		}
+
 		public List<String> getPermList() {
 			return permList;
 		}
 
 		public void addUser(String user) {
-			userList.add(user);
-		}
-
-		public void addPerm(String perm) {
-			permList.add(perm);
-		}
-
-		public String toJson() {
-			try {
-				ObjectMapper om = new ObjectMapper();
-
-				return om.writeValueAsString(this);
-			} catch (JsonGenerationException e) {
-				e.printStackTrace();
-			} catch (JsonMappingException e) {
-				e.printStackTrace();
-			} catch (IOException e) {
-				e.printStackTrace();
-			}
-			
-			return "";
+			addToList(user, userList);
 		}
 
-		@Override
-		public String toString() {
-			return toJson();
+		public void addGroup(String group) {
+			addToList(group, groupList);
 		}
-	}
-	
-	@JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE,
fieldVisibility = Visibility.ANY)
-	@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
-	@JsonIgnoreProperties(ignoreUnknown = true)
-	public static class GroupPermList {
-		List<String> groupList = new ArrayList<String>();
-		List<String> permList  = new ArrayList<String>();
 
-		public GroupPermList(String group, String perm) {
-			addGroup(group);
-			addPerm(perm);
+		public void addPerm(String perm) {
+			addToList(perm, permList);
 		}
 
-		public GroupPermList(List<String> groupList, List<String> permList) {
-			for(String group : groupList) {
-				addGroup(group);
-			}
-
-			for(String perm : permList) {
-				addPerm(perm);
+		private void addToList(String str, List<String> list) {
+			if(list != null && !StringUtil.isEmpty(str)) {
+				list.add(str);
 			}
 		}
 
-		public List<String> getGroupList() {
-			return groupList;
-		}
-
-		public List<String> getPermList() {
-			return permList;
-		}
-
-		public void addGroup(String group) {
-			groupList.add(group);
-		}
-
-		public void addPerm(String perm) {
-			permList.add(perm);
+		private void copyList(List<String> fromList, List<String> toList) {
+			if(fromList != null && toList != null) {
+				for(String str : fromList) {
+					addToList(str, toList);
+				}
+			}
 		}
 
 		public String toJson() {

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
b/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
index 7788ce2..fd265b4 100644
--- a/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
+++ b/agents-common/src/main/java/com/xasecure/authorization/hadoop/constants/XaSecureHadoopConstants.java
@@ -42,6 +42,9 @@ public class XaSecureHadoopConstants {
 
 	public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP 	= "hive.authorization.verifier.classname"
;
 	public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "com.xasecure.pdp.hive.XASecureAuthorizer"
;
+
+	public static final String  HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP 	     = "xasecure.hive.authorizer.update.xapolicies.on.grant.revoke"
;
+	public static final boolean HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
 	
 	public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_PROP 	= "knox.authorization.verifier.classname"
;
 	public static final String KNOX_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "com.xasecure.pdp.knox.XASecureAuthorizer"
;

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/agents-common/src/main/java/com/xasecure/authorization/utils/StringUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/com/xasecure/authorization/utils/StringUtil.java
b/agents-common/src/main/java/com/xasecure/authorization/utils/StringUtil.java
index d13193b..9d663bf 100644
--- a/agents-common/src/main/java/com/xasecure/authorization/utils/StringUtil.java
+++ b/agents-common/src/main/java/com/xasecure/authorization/utils/StringUtil.java
@@ -130,6 +130,26 @@ public class StringUtil {
 	}
 	*/
 
+	public static boolean contains(String str, String strToFind) {
+		boolean ret = false;
+
+		if(str != null && strToFind != null) {
+			ret = str.contains(strToFind);
+		}
+
+		return ret;
+	}
+
+	public static boolean containsIgnoreCase(String str, String strToFind) {
+		boolean ret = false;
+
+		if(str != null && strToFind != null) {
+			ret = str.toLowerCase().contains(strToFind.toLowerCase());
+		}
+
+		return ret;
+	}
+
 	public static boolean contains(String[] strArr, String str) {
 		boolean ret = false;
 
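Review bot: `containsIgnoreCase` lower-cases both strings with the JVM default locale (`str.toLowerCase()`), so its result depends on where the process runs. Under a Turkish locale "I" lower-cases to a dotless "ı", so an input such as "INSERT" no longer matches "insert". Use `ret = str.toLowerCase(Locale.ROOT).contains(strToFind.toLowerCase(Locale.ROOT));`, which needs `java.util.Locale`; the import block is outside this hunk. Both new methods would also benefit from a one-line Javadoc stating that a null argument yields `false`.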

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/hive-agent/conf/xasecure-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml
index 714589c..b1ed747 100644
--- a/hive-agent/conf/xasecure-hive-security.xml
+++ b/hive-agent/conf/xasecure-hive-security.xml
@@ -49,5 +49,20 @@
 			changes)
 		</description>
 	</property>
+	<property>
+		<name>xasecure.policymgr.url</name>
+		<value>http://policymanagerhost:port</value>
+		<description>Base URL for XASecure PolicyManager</description>
+	</property>
+	<property>
+		<name>xasecure.policymgr.sslconfig.filename</name>
+		<value>/etc/hive/conf/xasecure-policymgr-ssl.xml</value>
+		<description>Path to the file containing SSL details to contact XASecure PolicyManager</description>
+	</property>
+	<property>
+		<name>xasecure.hive.authorizer.update.xapolicies.on.grant.revoke</name>
+		<value>true</value>
+		<description>Should Hive agent update XASecure policies for updates to permissions
done using GRANT/REVOKE?</description>
+	</property>
 
-</configuration>
\ No newline at end of file
+</configuration>
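Review bot: The sample value for `xasecure.policymgr.url` is a plain `http://` URL, although this endpoint receives the GRANT/REVOKE policy updates and an SSL configuration file is declared in the very next property. Ship the template as `<value>https://policymanagerhost:port</value>` so that a copied configuration defaults to TLS. The `<description>` of `xasecure.policymgr.sslconfig.filename` could also state when that file is consulted; the client code that reads it is not part of this hunk, so that wording needs checking against the implementation.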

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
index 410b0b9..cbdccb2 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizer.java
@@ -45,6 +45,7 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase {
 
 	private static final String XaSecureModuleName =  XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_XASECURE_MODULE_ACL_NAME_PROP
, XaSecureHadoopConstants.DEFAULT_XASECURE_MODULE_ACL_NAME) ;
 	private static final String repositoryName     = XaSecureConfiguration.getInstance().get(XaSecureHadoopConstants.AUDITLOG_REPOSITORY_NAME_PROP);
+	private static final boolean UpdateXaPoliciesOnGrantRevoke = XaSecureConfiguration.getInstance().getBoolean(XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_PROP,
XaSecureHadoopConstants.HIVE_UPDATE_XAPOLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
 
 	private XaHiveAccessVerifier mHiveAccessVerifier = null ;
 
@@ -78,6 +79,11 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 								HivePrincipal grantorPrincipal,
 								boolean       grantOption)
 										throws HiveAuthzPluginException, HiveAccessControlException {
+		if(! UpdateXaPoliciesOnGrantRevoke) {
+			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer.
Please use Argus Security Admin to setup access control.");
+		}
+
+		boolean                isSuccess     = false;
 		XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.GRANT_PRIVILEGE,
hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
 
 		try {
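Review bot: The early `throw new HiveAuthzPluginException(...)` taken when `UpdateXaPoliciesOnGrantRevoke` is false sits before `objAccessInfo` is built and outside the `try`/`finally` that writes the audit event, so a rejected GRANT leaves no audit record in this method. `getObjectAccessInfo(...)` is likewise called outside the `try`, so a failure there is unaudited too. Build `objAccessInfo` first and record the attempt with `isSuccess == false` before throwing, taking care that the `HiveAuthzPluginException` is not re-wrapped by the `catch(Exception excp)` below. `revokePrivileges` uses the same ordering (hunk at -110,6 +124,11). The method starts before and ends after this hunk.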
@@ -88,8 +94,16 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 			XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
 
 		    xaAdmin.grantPrivilege(grData);
+
+		    isSuccess = true;
 		} catch(Exception excp) {
 			throw new HiveAccessControlException(excp);
+		} finally {
+			if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
+				UserGroupInformation ugi = this.getCurrentUserGroupInfo();
+	
+				logAuditEvent(ugi, objAccessInfo, isSuccess);
+			}
 		}
 	}
 
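Review bot: The new `finally` block calls `mHiveAccessVerifier.isAudited(...)`, `getCurrentUserGroupInfo()` and `logAuditEvent(...)` unguarded, so an exception from any of them replaces the `HiveAccessControlException` raised in the `catch`. It can also turn a GRANT that already succeeded at the policy server into a reported failure. Wrap the audit calls in their own `try`/`catch` that logs and does not rethrow, as sketched below. Separately, `throw new HiveAccessControlException(excp)` hands the REST client's exception to the Hive session; check that its message does not expose the policy-manager URL or response body to the end user. The same `finally` is added to `revokePrivileges` (hunk at -120,8 +139,17).

```java
		} finally {
			try {
				if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
					UserGroupInformation ugi = this.getCurrentUserGroupInfo();

					logAuditEvent(ugi, objAccessInfo, isSuccess);
				}
			} catch(Exception auditExcp) {
				// report auditExcp through this class's logger; do not rethrow,
				// so the outcome of the GRANT itself is what the caller sees
			}
		}
```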
@@ -110,6 +124,11 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 								 HivePrincipal grantorPrincipal,
 								 boolean       grantOption)
 										 throws HiveAuthzPluginException, HiveAccessControlException {
+		if(! UpdateXaPoliciesOnGrantRevoke) {
+			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Argus HiveAuthorizer.
Please use Argus Security Admin to setup access control.");
+		}
+
+		boolean                isSuccess     = false;
 		XaHiveObjectAccessInfo objAccessInfo = getObjectAccessInfo(HiveOperationType.REVOKE_PRIVILEGE,
hivePrivObject, new XaHiveAccessContext(null, getHiveAuthzSessionContext()), true);
 
 		try {
@@ -120,8 +139,17 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 			XaAdminRESTClient xaAdmin = new XaAdminRESTClient();
 
 		    xaAdmin.revokePrivilege(grData);
+
+		    isSuccess = true;
 		} catch(Exception excp) {
 			throw new HiveAccessControlException(excp);
+		} finally {
+			if(mHiveAccessVerifier.isAudited(objAccessInfo)) {
+				UserGroupInformation ugi = this.getCurrentUserGroupInfo();
+	
+				// failed return from REST calls will be logged as 'DENIED'
+				logAuditEvent(ugi, objAccessInfo, isSuccess);
+			}
 		}
 	}
 
@@ -161,7 +189,7 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 
             if(objAccessInfo.getObjectType() == HiveObjectType.URI) {
                 ret = isURIAccessAllowed(ugi, objAccessInfo.getAccessType(), objAccessInfo.getUri(),
getHiveConf());
-            } else {
+            } else if(objAccessInfo.getAccessType() != HiveAccessType.ADMIN) {
                 ret = mHiveAccessVerifier.isAccessAllowed(ugi, objAccessInfo);
             }
 
@@ -200,6 +228,7 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 				XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context,
true);
 				
 				if(   hiveAccessObj != null
+				   && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is
performed at the Argus policy server, as a part of updating the permissions
 				   && !ret.contains(hiveAccessObj)) {
 					ret.add(hiveAccessObj);
 				}
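Review bot: The added `getAccessType() != HiveAccessType.ADMIN` condition drops every ADMIN-typed object from the list that is checked locally, whatever `hiveOpType` is, while the inline comment justifies the skip only for permission updates. If `getObjectAccessInfo` (not visible here) maps any operation other than GRANT/REVOKE to `ADMIN`, that operation would get neither the agent check nor the policy-server check. Tie the skip to the operation, e.g. `&& !(hiveAccessObj.getAccessType() == HiveAccessType.ADMIN && (hiveOpType == HiveOperationType.GRANT_PRIVILEGE || hiveOpType == HiveOperationType.REVOKE_PRIVILEGE))`. The same condition is added for the second object list in the next hunk. It also appears as `else if(objAccessInfo.getAccessType() != HiveAccessType.ADMIN)` in the hunk at -161,7 +189,7, where the outcome for ADMIN depends on the initial value of `ret`, declared outside that hunk.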
@@ -211,6 +240,7 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 				XaHiveObjectAccessInfo hiveAccessObj = getObjectAccessInfo(hiveOpType, hiveObj, context,
false);
 				
 				if(   hiveAccessObj != null
+				   && hiveAccessObj.getAccessType() != HiveAccessType.ADMIN // access check is
performed at the Argus policy server, as a part of updating the permissions
 				   && !ret.contains(hiveAccessObj)) {
 					ret.add(hiveAccessObj);
 				}
@@ -487,6 +517,7 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
             case INSERT:
             case LOCK:
             case ADMIN:
+    		case ALL:
                 action = FsAction.WRITE;
             break;
 
@@ -566,54 +597,50 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 		  ) {
 			throw new HiveAccessControlException("grantPrivileges(): unexpected object type '" + objAccessInfo.getObjectType().name());
 		}
-		
+
 		String database = objAccessInfo.getDatabase();
 		String table    = objAccessInfo.getObjectType() == HiveObjectType.VIEW ? objAccessInfo.getView()
: objAccessInfo.getTable();
 		String columns  = StringUtil.toString(objAccessInfo.getColumns());
-		
-		GrantRevokeData grData = new GrantRevokeData();
-		
-		List<String> permList  = new ArrayList<String>();
-		List<String> userList  = new ArrayList<String>();
-		List<String> groupList = new ArrayList<String>();
-		
+
+		GrantRevokeData.PermMap permMap = new GrantRevokeData.PermMap ();
+
 		for(HivePrivilege privilege : hivePrivileges) {
 			String privName = privilege.getName();
-			
+
 			if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALL.name())) {
-				permList.add(HiveAccessType.ALL.name());
+				permMap.addPerm(HiveAccessType.ALL.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.ALTER.name())) {
-				permList.add(HiveAccessType.ALTER.name());
+				permMap.addPerm(HiveAccessType.ALTER.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.CREATE.name())) {
-				permList.add(HiveAccessType.CREATE.name());
+				permMap.addPerm(HiveAccessType.CREATE.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.DROP.name())) {
-				permList.add(HiveAccessType.DROP.name());
+				permMap.addPerm(HiveAccessType.DROP.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.INDEX.name())) {
-				permList.add(HiveAccessType.INDEX.name());
+				permMap.addPerm(HiveAccessType.INDEX.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.INSERT.name())) {
-				permList.add(HiveAccessType.INSERT.name());
+				permMap.addPerm(HiveAccessType.INSERT.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.LOCK.name())) {
-				permList.add(HiveAccessType.LOCK.name());
+				permMap.addPerm(HiveAccessType.LOCK.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.SELECT.name())) {
-				permList.add(HiveAccessType.SELECT.name());
+				permMap.addPerm(HiveAccessType.SELECT.name());
 			} else if(StringUtil.equalsIgnoreCase(privName, HiveAccessType.UPDATE.name())) {
-				permList.add(HiveAccessType.UPDATE.name());
+				permMap.addPerm(HiveAccessType.UPDATE.name());
 			}
 		}
 		
 		if(grantOption) {
-			permList.add(HiveAccessType.ADMIN.name());
+			permMap.addPerm(HiveAccessType.ADMIN.name());
 		}
 		
 		for(HivePrincipal principal : hivePrincipals) {
 			switch(principal.getType()) {
 				case USER:
-					userList.add(principal.getName());
+					permMap.addUser(principal.getName());
 				break;
 
 				case GROUP:
 				case ROLE:
-					groupList.add(principal.getName());
+					permMap.addGroup(principal.getName());
 				break;
 
 				default:
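Review bot: The `if`/`else if` chain over `privName` has no final `else`, so a privilege name that matches none of the listed `HiveAccessType` values is dropped silently. The request is then sent with fewer permissions than the statement named, possibly none. If this builder is also used for REVOKE, a statement could report success while the access it meant to remove stays in place. Add a terminal branch such as `else { throw new HiveAccessControlException("unsupported privilege '" + privName + "'"); }`. The method starts before and ends after this hunk, and how the server treats an empty `permList` is not visible here.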
@@ -621,18 +648,12 @@ public class XaSecureHiveAuthorizer extends XaSecureHiveAuthorizerBase
{
 			}
 		}
 
-		List<GrantRevokeData.UserPermList>  userPermList = new ArrayList<GrantRevokeData.UserPermList>();
-		List<GrantRevokeData.GroupPermList> groupPermList = new ArrayList<GrantRevokeData.GroupPermList>();
-		
-		if(! userList.isEmpty()) {
-			userPermList.add(new GrantRevokeData.UserPermList(userList, permList));
-		}
+		GrantRevokeData grData = new GrantRevokeData();
 
-		if(! groupPermList.isEmpty()) {
-			groupPermList.add(new GrantRevokeData.GroupPermList(groupList, permList));
-		}
-		
-		grData.setHiveData(grantorPrincipal.getName(), repositoryName, database, table, columns,
userPermList, groupPermList);
+		List<GrantRevokeData.PermMap> permMapList = new ArrayList<GrantRevokeData.PermMap>();
+		permMapList.add(permMap);
+
+		grData.setHiveData(grantorPrincipal.getName(), repositoryName, database, table, columns,
permMapList);
 		
 		return grData;
 	}

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
index 4f2c61d..0de4141 100644
--- a/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
+++ b/hive-agent/src/main/java/com/xasecure/authorization/hive/authorizer/XaSecureHiveAuthorizerBase.java
@@ -2,6 +2,8 @@ package com.xasecure.authorization.hive.authorizer;
 
 import java.util.List;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
@@ -20,7 +22,9 @@ import org.apache.hadoop.security.UserGroupInformation;
 
 import com.xasecure.authorization.hive.XaHiveAccessContext;
 
-public class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
+public abstract class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
+
+	private static final Log LOG = LogFactory.getLog(XaSecureHiveAuthorizerBase.class);
 
 	private HiveMetastoreClientFactory mMetastoreClientFactory;
 	private HiveConf                   mHiveConf;
@@ -67,48 +71,10 @@ public class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
 	}
 
 	@Override
-	public void applyAuthorizationConfigPolicy(HiveConf arg0) {
-		// TODO Auto-generated method stub
-	}
+	public void applyAuthorizationConfigPolicy(HiveConf conf) {
+		LOG.debug("XaSecureHiveAuthorizerBase.applyAuthorizationConfigPolicy()");
 
-	/**
-	 * Grant privileges for principals on the object
-	 * @param hivePrincipals
-	 * @param hivePrivileges
-	 * @param hivePrivObject
-	 * @param grantorPrincipal
-	 * @param grantOption
-	 * @throws HiveAuthzPluginException
-	 * @throws HiveAccessControlException
-	 */
-	@Override
-	public void grantPrivileges(List<HivePrincipal> hivePrincipals,
-								List<HivePrivilege> hivePrivileges,
-								HivePrivilegeObject hivePrivObject,
-								HivePrincipal grantorPrincipal,
-								boolean       grantOption)
-	    throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
-	}
-
-	/**
-	 * Revoke privileges for principals on the object
-	 * @param hivePrincipals
-	 * @param hivePrivileges
-	 * @param hivePrivObject
-	 * @param grantorPrincipal
-	 * @param grantOption
-	 * @throws HiveAuthzPluginException
-	 * @throws HiveAccessControlException
-	 */
-	@Override
-	public void revokePrivileges(List<HivePrincipal> hivePrincipals,
-								 List<HivePrivilege> hivePrivileges,
-								 HivePrivilegeObject hivePrivObject,
-								 HivePrincipal grantorPrincipal,
-								 boolean       grantOption)
-	    throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
+		// Nothing to do here for Argus Hive authorizer
 	}
 
 	/**
@@ -120,97 +86,103 @@ public class XaSecureHiveAuthorizerBase implements HiveAuthorizer {
 	 * @throws HiveAccessControlException
 	 */
 	@Override
-	public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject
privObj)
-	    throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
+	public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject
privObj) 
+			throws HiveAuthzPluginException, HiveAccessControlException {
+		LOG.debug("XaSecureHiveAuthorizerBase.showPrivileges()");
+
+		throwNotImplementedException("showPrivileges");
+
 		return null;
 	}
 
-	/**
-	 * Check if user has privileges to do this action on these objects
-	 * @param hiveOpType
-	 * @param inputsHObjs
-	 * @param outputHObjs
-	 * @param context
-	 * @throws HiveAuthzPluginException
-	 * @throws HiveAccessControlException
-	 */
 	@Override
-	public void checkPrivileges(HiveOperationType         hiveOpType,
-								List<HivePrivilegeObject> inputsHObjs,
-								List<HivePrivilegeObject> outputHObjs,
-								HiveAuthzContext          context)
-										throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
+	public void createRole(String roleName, HivePrincipal adminGrantor)
+			throws HiveAuthzPluginException, HiveAccessControlException {
+		LOG.debug("XaSecureHiveAuthorizerBase.createRole()");
+
+		throwNotImplementedException("createRole");
 	}
 
 	@Override
-	public void createRole(String arg0, HivePrincipal arg1)
+	public void dropRole(String roleName)
 			throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
-		
-	}
+		LOG.debug("XaSecureHiveAuthorizerBase.dropRole()");
 
-	@Override
-	public void dropRole(String arg0) throws HiveAuthzPluginException,
-			HiveAccessControlException {
-		// TODO Auto-generated method stub
-		
+		throwNotImplementedException("dropRole");
 	}
 
 	@Override
-	public List<String> getAllRoles() throws HiveAuthzPluginException,
-			HiveAccessControlException {
-		// TODO Auto-generated method stub
+	public List<String> getAllRoles()
+			throws HiveAuthzPluginException, HiveAccessControlException {
+		LOG.debug("XaSecureHiveAuthorizerBase.getAllRoles()");
+
+		throwNotImplementedException("getAllRoles");
+
 		return null;
 	}
 
 	@Override
 	public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
-		// TODO Auto-generated method stub
+		LOG.debug("XaSecureHiveAuthorizerBase.getCurrentRoleNames()");
+
+		throwNotImplementedException("getCurrentRoleNames");
+
 		return null;
 	}
 
 	@Override
-	public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String arg0)
+	public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
 			throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
+		LOG.debug("XaSecureHiveAuthorizerBase.getPrincipalGrantInfoForRole()");
+
+		throwNotImplementedException("getPrincipalGrantInfoForRole");
+
 		return null;
 	}
 
 	@Override
-	public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal arg0)
+	public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
 			throws HiveAuthzPluginException, HiveAccessControlException {
-		// TODO Auto-generated method stub
+		LOG.debug("XaSecureHiveAuthorizerBase.getRoleGrantInfoForPrincipal()");
+
+		throwNotImplementedException("getRoleGrantInfoForPrincipal");
+
 		return null;
 	}
 
 	@Override
 	public VERSION getVersion() {
-		// TODO Auto-generated method stub
-		return null;
+		return VERSION.V1;
 	}
 
 	@Override
-	public void grantRole(List<HivePrincipal> arg0, List<String> arg1,
-			boolean arg2, HivePrincipal arg3) throws HiveAuthzPluginException,
-			HiveAccessControlException {
-		// TODO Auto-generated method stub
-		
+	public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+			boolean grantOption, HivePrincipal grantorPrinc)
+					throws HiveAuthzPluginException, HiveAccessControlException {
+		LOG.debug("XaSecureHiveAuthorizerBase.grantRole()");
+
+		throwNotImplementedException("grantRole");
 	}
 
 	@Override
-	public void revokeRole(List<HivePrincipal> arg0, List<String> arg1,
-			boolean arg2, HivePrincipal arg3) throws HiveAuthzPluginException,
-			HiveAccessControlException {
-		// TODO Auto-generated method stub
-		
+	public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+			boolean grantOption, HivePrincipal grantorPrinc)
+					throws HiveAuthzPluginException, HiveAccessControlException {
+		LOG.debug("XaSecureHiveAuthorizerBase.revokeRole()");
+
+		throwNotImplementedException("revokeRole");
 	}
 
 	@Override
-	public void setCurrentRole(String arg0) throws HiveAccessControlException,
-			HiveAuthzPluginException {
-		// TODO Auto-generated method stub
-		
+	public void setCurrentRole(String roleName)
+			throws HiveAccessControlException, HiveAuthzPluginException {
+		LOG.debug("XaSecureHiveAuthorizerBase.setCurrentRole()");
+
+		throwNotImplementedException("setCurrentRole");
 	}
+
+	private void throwNotImplementedException(String method) throws HiveAuthzPluginException
{
+		throw new HiveAuthzPluginException(method + "() not implemented in Argus HiveAuthorizer");
+	}
+
 }
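Review bot: Each non-void stub, starting with `showPrivileges`, calls `throwNotImplementedException(...)` and then carries a dead `return null;` only to satisfy the compiler, so the code does not show that these methods can never return. If the helper returned the exception instead, `private HiveAuthzPluginException notImplemented(String method) { return new HiveAuthzPluginException(method + "() not implemented in Argus HiveAuthorizer"); }`, each call site could read `throw notImplemented("showPrivileges");` and the unreachable returns could go. That also keeps these authorization stubs failing closed if the helper is edited later, because a stub can then no longer fall through to a null result. The same applies to `getAllRoles`, `getCurrentRoleNames`, `getPrincipalGrantInfoForRole` and `getRoleGrantInfoForPrincipal`; the class body starts outside this hunk.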

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/2c56c560/security-admin/src/main/webapp/META-INF/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/META-INF/security-applicationContext.xml b/security-admin/src/main/webapp/META-INF/security-applicationContext.xml
index 1ba1f23..4eb470f 100644
--- a/security-admin/src/main/webapp/META-INF/security-applicationContext.xml
+++ b/security-admin/src/main/webapp/META-INF/security-applicationContext.xml
@@ -40,6 +40,8 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 	<security:http pattern="/loadInit.html" security="none" />
 	<security:http pattern="/service/documents/result/**" security="none" />	
 	<security:http pattern="/service/assets/policyList/*" security="none"/>
+	<security:http pattern="/service/assets/resources/grant" security="none"/>
+	<security:http pattern="/service/assets/resources/revoke" security="none"/>
 	<security:http pattern="/service/users/default" security="none"/>
 	<security:http pattern="/service/xusers/groups/**" security="none"/>
 	<security:http pattern="/service/xusers/users/*" security="none"/>
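Review bot: The two added patterns, `/service/assets/resources/grant` and `/service/assets/resources/revoke`, are declared with `security="none"`, which removes them from the Spring Security filter chain, yet these are the endpoints that change policy. The commit message moves the GRANT/REVOKE access check into security admin, so that check presumably relies on a grantor identity carried in the request, sent by a caller the filter chain has not authenticated. The REST handler is not visible in this hunk, so confirm that it authenticates the calling agent itself before trusting that identity. If it does not, these two paths should sit behind an authenticated `<security:http>` block instead of `security="none"`. Either way I would record the decision next to the entries, e.g. `<!-- grant/revoke: caller is authenticated in the REST handler, not by the filter chain -->`.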

