private List<? extends Authorizable> toAuthorizables(String privilegeStr) { List<Authorizable> authorizables = Lists.newArrayList(); if (privilegeStr == null) { return authorizables; } for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { KeyValue tempKV = new KeyValue(authorizable); final String key = tempKV.getKey(); final String value = tempKV.getValue(); authorizables.add(new Authorizable() { @Override public String getTypeName() { return key; } @Override public String getName() { return value; } }); } return authorizables; }
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), "Please report, this method should not be called with two different keys"); if(policyPart.getValue().equals(IndexerConstants.ALL) || policyPart.equals(requestPart)) { return true; } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) && IndexerConstants.ALL.equalsIgnoreCase(requestPart.getValue())) { /* privilege request is to match with any object of given type */ return true; } return false; }
/** * Gets a {@link Authorizable} from the given key and value * * @param key the {@link AuthorizableType type} of the authorizable * @param value the {@link Authorizable name} of the authorizable * @return the created {@link Authorizable} with the given name if {@link AuthorizableType} given was valid * @throws NoSuchElementException if the given {@link AuthorizableType} was not valid */ public static Authorizable from(String key, String value) { return from(new KeyValue(key, value)); }
/** * Gets a {@link Authorizable} from the given {@link KeyValue} * * @param keyValue {@link KeyValue} containing the {@link AuthorizableType} and name of the {@link Authorizable} * to be crearted * @return the created {@link Authorizable} with the given name if {@link AuthorizableType} given was valid * @throws NoSuchElementException if the given {@link AuthorizableType} was not valid */ static Authorizable from(String keyValue) { return from(new KeyValue(keyValue)); }
private static Authorizable from(KeyValue keyValue) { String prefix = keyValue.getKey().toLowerCase(); String name = keyValue.getValue(); for (Authorizable.AuthorizableType type : AuthorizableType.values()) { if (prefix.equalsIgnoreCase(type.name())) { return from(type, name); } } throw new NoSuchElementException(String.format("Given AuthorizableType %s does not exists.", prefix)); }
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), "Please report, this method should not be called with two different keys"); if(policyPart.getValue().equals(SearchConstants.ALL) || policyPart.equals(requestPart)) { return true; } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey()) && SearchConstants.ALL.equalsIgnoreCase(requestPart.getValue())) { /* privilege request is to match with any object of given type */ return true; } return false; }
public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) { TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { KeyValue tempKV = new KeyValue(authorizable); String key = tempKV.getKey(); String value = tempKV.getValue(); if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setServerName(value); } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setDbName(value); } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setTableName(value); } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setColumnName(value); } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setURI(value); } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setAction(value); } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE; tSentryPrivilege.setGrantOption(grantOption); } } tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege)); return tSentryPrivilege; }
public WildcardPrivilege(String permission) { if (Strings.isNullOrEmpty(permission)) { throw new IllegalArgumentException("Permission string cannot be null or empty."); } List<KeyValue> parts = new ArrayList<>(); for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.trimResults().split(permission)) { if (authorizable.isEmpty()) { throw new IllegalArgumentException("Privilege '" + permission + "' has an empty section"); } parts.add(new KeyValue(authorizable)); } Preconditions.checkState(!parts.isEmpty(), "Failed to split the permission string %s into a list of Authorizables" + " separated by %s", permission, PolicyConstants.AUTHORIZABLE_SPLITTER); this.privilegeParts = Collections.unmodifiableList(parts); }
public static SearchModelAuthorizable from(KeyValue keyValue) { String prefix = keyValue.getKey().toLowerCase(); String name = keyValue.getValue().toLowerCase(); for(AuthorizableType type : AuthorizableType.values()) { if(prefix.equalsIgnoreCase(type.name())) { return from(type, name); } } return null; } public static SearchModelAuthorizable from(String s) {
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), "Please report, this method should not be called with two different keys"); if(policyPart.getValue().equalsIgnoreCase(SqoopActionConstant.ALL) || policyPart.getValue().equalsIgnoreCase(SqoopActionConstant.ALL_NAME) || policyPart.equals(requestPart)) { return true; } else if (!SqoopActionConstant.NAME.equalsIgnoreCase(policyPart.getKey()) && SqoopActionConstant.ALL.equalsIgnoreCase(requestPart.getValue())) { /* privilege request is to match with any object of given type */ return true; } return false; } }
public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception { TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { KeyValue tempKV = new KeyValue(authorizable); String key = tempKV.getKey(); String value = tempKV.getValue(); if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setServerName(value); } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setDbName(value); } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setTableName(value); } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setColumnName(value); } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setURI(value); } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setAction(value); } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE; tSentryPrivilege.setGrantOption(grantOption); } } tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege)); validatePrivilegeHierarchy(tSentryPrivilege); return tSentryPrivilege; }
public static SqoopAuthorizable from(String keyValue) { return from(new KeyValue(keyValue)); }
public static SqoopAuthorizable from(KeyValue keyValue) { String prefix = keyValue.getKey().toLowerCase(); String name = keyValue.getValue().toLowerCase(); for (AuthorizableType type : AuthorizableType.values()) { if(prefix.equalsIgnoreCase(type.name())) { return from(type, name); } } return null; }
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), "Please report, this method should not be called with two different keys"); // Host is a special resource, not declared as resource in Kafka. Each Kafka resource can be // authorized based on the host request originated from and to handle this, Sentry uses host as // a resource. Kafka allows using '*' as wildcard for all hosts. '*' however is not a valid // Kafka action. if (hasHostWidCard(policyPart)) { return true; } if (KafkaActionConstant.actionName.equalsIgnoreCase(policyPart.getKey())) { // is action return policyPart.getValue().equalsIgnoreCase(KafkaActionConstant.ALL) || policyPart.equals(requestPart); } else { return policyPart.getValue().equals(requestPart.getValue()); } }
public static KafkaAuthorizable from(String keyValue) throws ConfigurationException { return from(new KeyValue(keyValue)); }
public static KafkaAuthorizable from(KeyValue keyValue) throws ConfigurationException { String prefix = keyValue.getKey().toLowerCase(); String name = keyValue.getValue(); for (AuthorizableType type : AuthorizableType.values()) { if (prefix.equalsIgnoreCase(type.name())) { return from(type, name); } } return null; }
/** * For policy and request parts with the same key, ensure that the policy implies the request. In this method, the * keys for both #policyPart and #requestPart are expected to be the same. * * @param policyPart the policy part * @param requestPart the request part * @return true if either * - policy part is {@link Action#ALL}; or * - policy part equals request part; * false otherwise. */ private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()), String.format("Privilege Key Mismatch: Key %s and %s does not match.", policyPart.getKey (), requestPart.getKey())); // if it is an action, then either the policy part must include ALL, or be the same as the request part. if (ActionConstant.ACTION_NAME.equalsIgnoreCase(policyPart.getKey()) && policyPart.getValue().equalsIgnoreCase(ActionConstant.ALL)) { return true; } // if policy part is not Action#ALL, make sure that the policy and request parts match. return policyPart.equals(requestPart); } }