sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From br...@apache.org
Subject git commit: SENTRY-115: Give bindings the ability to access the group mappings (Gregory Chanan via Brock)
Date Thu, 13 Feb 2014 16:21:38 GMT
Updated Branches:
  refs/heads/master 7e1ce212f -> 796b4cb56


SENTRY-115: Give bindings the ability to access the group mappings (Gregory Chanan via Brock)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/796b4cb5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/796b4cb5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/796b4cb5

Branch: refs/heads/master
Commit: 796b4cb567e9c9d8616d94a284ef2bae69e0a668
Parents: 7e1ce21
Author: Brock Noland <brock@apache.org>
Authored: Thu Feb 13 08:21:25 2014 -0800
Committer: Brock Noland <brock@apache.org>
Committed: Thu Feb 13 08:21:25 2014 -0800

----------------------------------------------------------------------
 .../binding/solr/authz/SolrAuthzBinding.java    | 13 +++++
 .../binding/solr/TestSolrAuthzBinding.java      | 28 ++++++++++
 .../src/test/resources/test-authz-provider.ini  |  2 +-
 sentry-provider/sentry-provider-common/pom.xml  |  5 ++
 .../provider/common/AuthorizationProvider.java  |  6 +++
 .../common/NoAuthorizationProvider.java         |  5 ++
 .../provider/common/NoGroupMappingService.java  | 33 ++++++++++++
 .../common/TestNoAuthorizationProvider.java     | 39 ++++++++++++++
 .../file/ResourceAuthorizationProvider.java     |  5 ++
 .../provider/file/TestGetGroupMapping.java      | 54 ++++++++++++++++++++
 10 files changed, 189 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 995f376..c6ce53e 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
@@ -32,6 +33,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.common.GroupMappingService;
 import org.apache.sentry.provider.common.ProviderBackend;
 
 import org.slf4j.Logger;
@@ -54,10 +56,12 @@ public class SolrAuthzBinding {
 
   private final SolrAuthzConf authzConf;
   private final AuthorizationProvider authProvider;
+  private final GroupMappingService groupMapping;
 
   public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
     this.authzConf = authzConf;
     this.authProvider = getAuthProvider();
+    this.groupMapping = authProvider.getGroupMapping();
   }
 
   // Instantiate the configured authz provider
@@ -122,6 +126,15 @@ public class SolrAuthzBinding {
     }
   }
 
+  /**
+   * Get the list of groups the user belongs to
+   * @param user
+   * @return list of groups the user belongs to
+   */
+  public List<String> getGroups(String user) {
+    return groupMapping.getGroups(user);
+  }
+
   private Configuration getConf() throws IOException {
     Configuration conf = new Configuration();
     String confDir = System.getProperty("solr.hdfs.confdir");

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 494a430..b061eec 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -25,6 +25,7 @@ import java.util.List;
 import java.lang.reflect.InvocationTargetException;
 
 import junit.framework.Assert;
+import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertTrue;
 
 import org.apache.commons.io.FileUtils;
@@ -161,6 +162,33 @@ public class TestSolrAuthzBinding {
   }
 
   /**
+   * Test for group mapping
+   */
+  @Test
+  public void testGroupMapping() throws Exception {
+    SolrAuthzConf solrAuthzConf =
+      new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+    setUsableAuthzConf(solrAuthzConf);
+    SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+    List<String> emptyList = Arrays.asList();
+
+    // check non-existant users
+    assertEquals(binding.getGroups(null), emptyList);
+    assertEquals(binding.getGroups("nonExistantUser"), emptyList);
+
+    // check group names don't map to user names
+    assertEquals(binding.getGroups("corporal"), emptyList);
+    assertEquals(binding.getGroups("sergeant"), emptyList);
+    assertEquals(binding.getGroups("general"), emptyList);
+    assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
+
+    // check valid group names
+    assertEquals(binding.getGroups("corporal1"), Arrays.asList("corporal"));
+    assertEquals(binding.getGroups("sergeant1"), Arrays.asList("sergeant"));
+    assertEquals(binding.getGroups("general1"), Arrays.asList("general", "othergeneralgroup"));
+  }
+
+  /**
    * Test that a full sentry-site definition works.
    */
   @Test

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index db9af6e..f8100e0 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -30,4 +30,4 @@ general_role = collection=*->action=*
 [users]
 corporal1=corporal
 sergeant1=sergeant
-general1=general
\ No newline at end of file
+general1=general, othergeneralgroup
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml
index 321f7c6..1e9dc1b 100644
--- a/sentry-provider/sentry-provider-common/pom.xml
+++ b/sentry-provider/sentry-provider-common/pom.xml
@@ -29,6 +29,11 @@ limitations under the License.
 
   <dependencies>
     <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
       <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-core-common</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 4351c3f..1244755 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -38,4 +38,10 @@ public interface AuthorizationProvider {
    */
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
Set<? extends Action> actions);
 
+  /***
+   * Get the GroupMappingService used by the AuthorizationProvider
+   *
+   * @return GroupMappingService used by the AuthorizationProvider
+   */
+  public GroupMappingService getGroupMapping();
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index 9cdda97..f48eafe 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -24,6 +24,7 @@ import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 
 public class NoAuthorizationProvider implements AuthorizationProvider {
+  private GroupMappingService noGroupMappingService = new NoGroupMappingService();
 
   @Override
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
@@ -31,4 +32,8 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
     return false;
   }
 
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return noGroupMappingService;
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
new file mode 100644
index 0000000..e1bc6d2
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * GroupMappingService that always returns an empty list of groups
+ */
+public class NoGroupMappingService implements GroupMappingService {
+
+  /**
+   * @return empty list of groups for every user
+   */
+  public List<String> getGroups(String user) {
+    return new LinkedList<String>();
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
new file mode 100644
index 0000000..3f48f49
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Tests around the NoAuthorizationProvider
+ */
+public class TestNoAuthorizationProvider {
+
+  @Test
+  public void testNoAuthorizationProvider() {
+    NoAuthorizationProvider nap = new NoAuthorizationProvider();
+    assertFalse(nap.hasAccess(null, null, null));
+
+    GroupMappingService gms = nap.getGroupMapping();
+    assertEquals(gms.getGroups(null).size(), 0);
+    assertEquals(gms.getGroups("").size(), 0);
+    assertEquals(gms.getGroups("a").size(), 0);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index c7d983d..205d012 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -116,4 +116,9 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
       }
     });
   }
+
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return groupService;
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
new file mode 100644
index 0000000..a4d4bb3
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import java.util.Arrays;
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.GroupMappingService;
+import com.google.common.collect.ImmutableSetMultimap;
+import org.junit.Test;
+import static org.junit.Assert.assertSame;
+
+public class TestGetGroupMapping {
+
+  private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider
{
+    public TestResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService) {
+      super(policy, groupService);
+    }
+  };
+
+  @Test
+  public void testResourceAuthorizationProvider() {
+    final List<String> list = Arrays.asList("a", "b", "c");
+    GroupMappingService mappingService = new GroupMappingService() {
+      public List<String> getGroups(String user) { return list; }
+    };
+    PolicyEngine policyEngine = new PolicyEngine() {
+      public PermissionFactory getPermissionFactory() { return null; }
+
+      public ImmutableSetMultimap<String, String> getPermissions(List<? extends
Authorizable> authorizables, List<String> groups) { return null; }
+    };
+
+    TestResourceAuthorizationProvider authProvider =
+      new TestResourceAuthorizationProvider(policyEngine, mappingService);
+    assertSame(authProvider.getGroupMapping(), mappingService);
+  }
+}


Mime
View raw message