/**
 * Builds the Sentry {@link Subject} for the user recorded in the Hive hook context.
 *
 * @param context semantic-analyzer hook context that supplies the user name
 * @return a new subject wrapping {@code context.getUserName()}
 */
private Subject getCurrentSubject(HiveSemanticAnalyzerHookContext context) {
  // Every later authorization decision is keyed on this name, so it is only as
  // trustworthy as the hook context.
  // NOTE(review): presumably Hive fills it from the authenticated session user - confirm.
  final String hookUserName = context.getUserName();
  return new Subject(hookUserName);
}
/** Callback body: asks the Sentry generic service to drop {@code role} for this component. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the call.
  // NOTE(review): presumably the Sentry service authorizes the drop against this name;
  // confirm `subject` is built from the authenticated principal at the call site.
  final String requestorName = subject.getName();
  client.dropRole(requestorName, role, COMPONENT_TYPE);
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
throws SolrException { Subject superUser = new Subject(System.getProperty("solr.authorization.superuser", "solr")); Subject userName = new Subject(getUserName(req)); long eventTime = req.getStartTime(); String paramString = req.getParamString(); + "no SolrCore attached to request"; if (errorIfNoCollection) { auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.UNAUTHORIZED, ""); throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, msg); } else { // just warn log.warn(msg); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.ALLOWED, ""); return; if (!superUser.getName().equals(userName.getName())) { binding.authorizeCollection(userName, collection, actions); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.UNAUTHORIZED, collectionName); throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, ex); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.ALLOWED, collectionName);
/** Callback body: asks the Sentry generic service to grant {@code privilege} to {@code role}. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the grant.
  // NOTE(review): presumably the service checks that this requestor may administer
  // privileges; confirm `subject` is the authenticated caller, not request-supplied data.
  final String requestorName = subject.getName();
  client.grantPrivilege(requestorName, role, COMPONENT_TYPE, toTSentryPrivilege(privilege));
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
/**
 * Creates the Sqoop authorization binding for the named server.
 *
 * <p>The supplied configuration is kept by reference and the server name is written into
 * it, so the caller's {@code Configuration} object is modified.
 *
 * @param authConf authorization configuration; updated in place with the server name
 * @param serverName name of the Sqoop server this binding authorizes for
 * @throws Exception propagated from {@code createAuthProvider()} or from resolving the
 *     current user
 */
public SqoopAuthBinding(Configuration authConf, String serverName) throws Exception {
  this.authConf = authConf;
  authConf.set(AuthzConfVars.AUTHZ_SERVER_NAME.getVar(), serverName);
  this.sqoopServer = new Server(serverName);
  this.authProvider = createAuthProvider();

  // The binding acts as the Sqoop server principal, i.e. the user this process runs as,
  // not an end user.
  // NOTE(review): only the short user name is kept; confirm that distinct principals
  // cannot map to the same short name in this deployment.
  final String serverPrincipalShortName = UserGroupInformation.getCurrentUser().getShortUserName();
  this.bindingSubject = new Subject(serverPrincipalShortName);
}
/** Callback body: lists every role the Sentry generic service holds for this component. */
@Override
public Set<TSentryRole> run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the query.
  // NOTE(review): role listings reveal the authorization model; presumably the service
  // restricts this call by requestor - confirm.
  final String requestorName = subject.getName();
  return client.listAllRoles(requestorName, COMPONENT_TYPE);
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
/**
 * Creates the Solr authorization binding from the given configuration.
 *
 * @param authzConf Solr authorization configuration; passed through
 *     {@code addHdfsPropsToConf} before it is stored
 * @throws Exception propagated from provider creation or from resolving the current user
 */
public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
  this.authzConf = addHdfsPropsToConf(authzConf);
  this.authProvider = getAuthProvider();
  // Group lookups go through the mapping owned by the provider that was just created.
  this.groupMapping = this.authProvider.getGroupMapping();

  // The binding acts as the Solr server principal, i.e. the user this process runs as,
  // not an end user.
  // NOTE(review): only the short user name is kept; confirm that distinct principals
  // cannot map to the same short name in this deployment.
  final String serverPrincipalShortName = UserGroupInformation.getCurrentUser().getShortUserName();
  this.bindingSubject = new Subject(serverPrincipalShortName);
}
/** Callback body: asks the Sentry generic service to create {@code role} for this component. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the call.
  // NOTE(review): presumably the Sentry service authorizes role creation against this
  // name; confirm `subject` is built from the authenticated principal at the call site.
  final String requestorName = subject.getName();
  client.createRole(requestorName, role, COMPONENT_TYPE);
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
/**
 * Returns the Sentry {@link Subject} for the user reported by the authenticator that
 * {@code SentryAuthorizationHander} holds.
 *
 * @return a new subject wrapping the authenticator's user name
 */
private Subject getSubject() {
  // NOTE(review): the authenticator is reached through a static accessor; confirm it is
  // initialized before this is called and that it reflects the current request's user.
  final String authenticatedUser = SentryAuthorizationHander.getAuthenticator().getUserName();
  return new Subject(authenticatedUser);
}
/** Callback body: asks the Sentry generic service to revoke {@code privilege} from {@code role}. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the revoke.
  // NOTE(review): presumably the service checks that this requestor may administer
  // privileges; confirm `subject` is the authenticated caller, not request-supplied data.
  final String requestorName = subject.getName();
  client.revokePrivilege(requestorName, role, COMPONENT_TYPE, toTSentryPrivilege(privilege));
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
/**
 * Prints to standard output the privileges the Sentry provider reports for the user
 * returned by {@code getUser()}.
 *
 * @throws Exception propagated from resource validation or from the privilege lookup
 */
public void listPrivs() throws Exception {
  // Validate the policy resource first so the listing is not produced from a bad policy.
  getSentryProvider().validateResource(true);

  System.out.println("Available privileges for user " + getUser() + ":");
  final Set<String> privileges =
      getSentryProvider().listPrivilegesForSubject(new Subject(getUser()));

  if (privileges.isEmpty()) {
    System.out.println("\t*** No permissions available ***");
  } else {
    for (String privilege : privileges) {
      System.out.println("\t" + privilege);
    }
  }
}
/** Callback body: lists the roles the Sentry generic service holds for {@code groupName}. */
@Override
public Set<TSentryRole> run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the query.
  // NOTE(review): presumably the service decides whether this requestor may see another
  // group's roles - confirm.
  final String requestorName = subject.getName();
  return client.listRolesByGroupName(requestorName, groupName, COMPONENT_TYPE);
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
/**
 * Decides whether the session's user may perform an operation on a Kafka resource.
 *
 * @param session request session; supplies the client address and the user name
 * @param operation Kafka operation being attempted
 * @param resource Kafka resource the operation targets
 * @return the result of the provider's {@code hasAccess} check
 */
public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
  // The client host address is fed into the authorizable hierarchy, so it takes part in
  // the decision.
  // NOTE(review): this is the peer address seen by the broker; behind a proxy or NAT it is
  // the intermediary's address - confirm policies account for that.
  final String clientHost = session.clientAddress().getHostAddress();
  final List<Authorizable> authorizables =
      ConvertUtil.convertResourceToAuthorizable(clientHost, resource);

  // NOTE(review): confirm getActionByName cannot return null for an operation name it does
  // not know, and that the provider denies access if it does.
  final Set<KafkaAction> actions =
      Sets.newHashSet(actionFactory.getActionByName(operation.name()));

  // ActiveRoleSet.ALL: presumably every role granted to the user is considered - confirm.
  final Subject requestor = new Subject(getName(session));
  return authProvider.hasAccess(requestor, authorizables, actions, ActiveRoleSet.ALL);
}
/**
 * Looks up the groups of a subject through the group service.
 *
 * @param subject subject whose name is used for the lookup
 * @return the groups the group service returns for {@code subject.getName()}
 */
private Set<String> getGroups(Subject subject) {
  // Group membership is resolved by name only, so the result is only as trustworthy as
  // the name the subject was built from.
  final String subjectName = subject.getName();
  return groupService.getGroups(subjectName);
}
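/**
 * Derives the Sentry {@link Subject} from the authenticated principal of a request.
 *
 * @param securityContext security context of the incoming request
 * @return a subject named by the Kerberos short name of the request's principal
 * @throws SentryUserException if the request carries no principal name, or if the short
 *     name cannot be derived from it
 */
private Subject getSubject(SecurityContext securityContext) throws SentryUserException {
  final String princ = securityContext.getUserPrincipal() != null
      ? securityContext.getUserPrincipal().getName() : null;
  if (princ == null) {
    // Fail closed with the declared exception for an unauthenticated request. Passing a
    // null name on to KerberosName would presumably end in a NullPointerException, which
    // callers that handle SentryUserException would not catch.
    throw new SentryUserException("Unable to get subject: request has no authenticated principal");
  }
  final KerberosName kerbName = new KerberosName(princ);
  try {
    // Only the short name is kept; realm and host parts do not reach the Subject.
    return new Subject(kerbName.getShortName());
  } catch (IOException e) {
    throw new SentryUserException("Unable to get subject", e);
  }
}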
/** Callback body: asks the Sentry generic service to remove {@code role} from {@code group}. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the call.
  // NOTE(review): presumably the service authorizes the membership change against this
  // name; confirm `subject` is built from the authenticated principal at the call site.
  final String requestorName = subject.getName();
  final String roleName = role.getName();
  client.deleteRoleToGroups(requestorName, roleName, COMPONENT_TYPE, Sets.newHashSet(group));
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
throws SemanticException { List<FieldSchema> filteredResult = new ArrayList<FieldSchema>(); Subject subject = new Subject(userName); HiveAuthzPrivileges columnMetaDataPrivilege = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(HiveOperation.SHOWCOLUMNS);
/** Callback body: asks the Sentry generic service to add {@code role} to {@code group}. */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the call. Adding a role to a group widens what the
  // group's members may do.
  // NOTE(review): presumably the service authorizes this against the requestor name;
  // confirm `subject` is built from the authenticated principal at the call site.
  final String requestorName = subject.getName();
  final String roleName = role.getName();
  client.addRoleToGroups(requestorName, roleName, COMPONENT_TYPE, Sets.newHashSet(group));
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt
throws SemanticException { List<String> filteredResult = new ArrayList<String>(); Subject subject = new Subject(userName); HiveAuthzPrivileges tableMetaDataPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)).
/**
 * Callback body: asks the Sentry generic service to move privileges from the source
 * resource to the destination resource on this Sqoop server.
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The requestor's name is sent with the rename.
  // NOTE(review): presumably the service authorizes the rename against this name; confirm
  // `subject` is built from the authenticated principal at the call site.
  final String requestorName = subject.getName();
  client.renamePrivilege(
      requestorName,
      COMPONENT_TYPE,
      sqoopServer.getName(),
      toAuthorizable(srcResource),
      toAuthorizable(dstResource));
  return null; // Void callback: nothing to hand back
}
}); // closes the callback object and the enclosing call, both opened outside this excerpt