/**
 * Requires the privilege string to name the expected Sqoop server.
 *
 * <p>The privilege is parsed into authorizables and accepted as soon as one of
 * them is a {@code Server} whose name equals {@code sqoopServerName}, compared
 * case-insensitively. {@code getName()} is dereferenced before the comparison,
 * so a {@code Server} authorizable with a null name would surface as a
 * {@code NullPointerException} rather than a {@code ConfigurationException}.
 *
 * @param context supplies the privilege string under validation
 * @throws ConfigurationException if no authorizable is a {@code Server} matching
 *     {@code sqoopServerName}
 */
@Override
public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
  for (SqoopAuthorizable part : parsePrivilege(context.getPrivilege())) {
    if (!(part instanceof Server)) {
      continue;
    }
    if (part.getName().equalsIgnoreCase(sqoopServerName)) {
      return; // the required server is referenced; rule satisfied
    }
  }
  throw new ConfigurationException("server=[name] in " + context.getPrivilege()
      + " is required. The name is expected " + sqoopServerName);
}
/**
 * Rejects a Search privilege that references no collection.
 *
 * <p>The privilege is parsed into authorizables and accepted as soon as one of
 * them is a {@code Collection}; {@code Collection} here is presumably the
 * search-model authorizable type rather than {@code java.util.Collection} —
 * confirm against the file's imports.
 *
 * @param context supplies the privilege string under validation
 * @throws SentryConfigurationException if no {@code Collection} authorizable is
 *     present in the privilege
 */
@Override
public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
  String privilege = context.getPrivilege();
  for (SearchModelAuthorizable part : parsePrivilege(privilege)) {
    if (part instanceof Collection) {
      return; // a collection object is present; rule satisfied
    }
  }
  throw new SentryConfigurationException("Missing collection object in " + privilege);
}
} // closes the enclosing class (brace carried over from the original line)
/**
 * Rejects an Indexer privilege that references no indexer.
 *
 * <p>The privilege is parsed into authorizables and accepted as soon as one of
 * them is an {@code Indexer}.
 *
 * @param context supplies the privilege string under validation
 * @throws SentryConfigurationException if no {@code Indexer} authorizable is
 *     present in the privilege
 */
@Override
public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
  String privilege = context.getPrivilege();
  for (IndexerModelAuthorizable part : parsePrivilege(privilege)) {
    if (part instanceof Indexer) {
      return; // an indexer object is present; rule satisfied
    }
  }
  throw new SentryConfigurationException("Missing indexer object in " + privilege);
}
} // closes the enclosing class (brace carried over from the original line)
/**
 * Requires every {@code Server} authorizable in the privilege to match
 * {@code serverName} (compared case-insensitively).
 *
 * <p>Unlike a presence check, this rule walks all authorizables and fails on the
 * first {@code Server} whose name differs; a privilege with no {@code Server}
 * authorizable at all passes unchanged.
 *
 * @param context supplies the privilege string under validation
 * @throws ConfigurationException if a {@code Server} authorizable names a
 *     server other than {@code serverName}
 */
@Override
public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
  String privilege = context.getPrivilege();
  for (DBModelAuthorizable part : parsePrivilege(privilege)) {
    if (!(part instanceof Server)) {
      continue;
    }
    String found = part.getName();
    // serverName is the receiver, so a null authorizable name compares unequal instead of throwing
    if (!serverName.equalsIgnoreCase(found)) {
      throw new ConfigurationException("Server name " + found + " in " + privilege
          + " is invalid. Expected " + serverName);
    }
  }
}
/**
 * Validates the structure of a CDAP privilege string at policy-load time.
 *
 * <p>The string is split with {@code PolicyConstants.AUTHORIZABLE_SPLITTER} and
 * checked in three steps: it must have at least two parts (the smallest form is
 * {@code instance=instance1->action=read}), the last part must satisfy
 * {@code isAction}, and the remaining parts are consumed front to back, each one
 * converted with {@code ModelAuthorizables.from} and checked by
 * {@code validatePrivilege} against the set of authorizable types allowed at
 * that position. The allowed set starts as {@code INSTANCE} only and is replaced
 * by whatever {@code validatePrivilege} returns; an empty set means the string
 * should have ended, so any further part is rejected.
 *
 * @param context supplies the privilege string under validation
 * @throws ConfigurationException if the string is too short, does not end with
 *     a valid action, or contains an authorizable where none is expected
 */
@Override
public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
  Deque<String> parts = Lists.newLinkedList(
      PolicyConstants.AUTHORIZABLE_SPLITTER.split(context.getPrivilege()));

  // Smallest acceptable privilege is "instance=instance1->action=read": two parts.
  if (parts.size() < 2) {
    throw new ConfigurationException("Invalid Privilege Exception: Privilege can be given to an "
        + "instance or "
        + "instance -> namespace or "
        + "instance -> namespace -> (artifact|applications|stream|dataset) or "
        + "instance -> namespace -> application -> program");
  }

  // The trailing part carries the action and is not an authorizable.
  String action = parts.removeLast();
  if (!isAction(action)) {
    throw new ConfigurationException("CDAP privilege must end with a valid action.\n");
  }

  // Every privilege string must begin with an instance authorizable.
  Set<Authorizable.AuthorizableType> allowedHere = EnumSet.of(Authorizable.AuthorizableType.INSTANCE);
  while (!parts.isEmpty()) {
    Authorizable current = ModelAuthorizables.from(parts.removeFirst());
    // An empty allowed set means the previous authorizable was terminal; anything
    // after it is an unexpected extra authorizable.
    if (allowedHere.isEmpty()) {
      throw new ConfigurationException(String.format(
          "Was expecting end of Authorizables. Found unexpected " + "authorizable %s of type %s",
          current, current.getAuthzType()));
    }
    allowedHere = validatePrivilege(current.getAuthzType(), allowedHere);
  }
}
/**
 * Rejects a privilege whose {@code Server} authorizable carries the
 * {@code Server.ALL} name.
 *
 * <p>Every authorizable is examined; the first {@code Server} whose name equals
 * {@code Server.ALL.getName()} fails the rule. {@code getName()} is dereferenced
 * on the authorizable before the comparison, so a {@code Server} with a null
 * name would surface as a {@code NullPointerException} rather than a
 * {@code ConfigurationException}.
 *
 * @param context supplies the privilege string under validation
 * @throws ConfigurationException if a {@code Server} authorizable uses the
 *     {@code Server.ALL} name
 */
@Override
public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
  String privilege = context.getPrivilege();
  for (DBModelAuthorizable part : parsePrivilege(privilege)) {
    if (!(part instanceof Server)) {
      continue;
    }
    if (part.getName().equals(Server.ALL.getName())) {
      throw new ConfigurationException(
          "Invalid value for " + part.getAuthzType() + " in " + privilege);
    }
  }
}
@Override public void validate(PrivilegeValidatorContext context) throws ConfigurationException { String database = context.getDatabase(); String privilege = context.getPrivilege();
@Override public void validate(PrivilegeValidatorContext context) throws ConfigurationException { List<String> splits = Lists.newArrayList(); for (String section : AUTHORIZABLE_SPLITTER.split(context.getPrivilege())) { splits.add(section);
/**
 * Keeps a per-database policy file from referencing any database other than
 * its own.
 *
 * <p>When the context carries a database, every {@code Database} authorizable in
 * the privilege must match it (compared case-insensitively, with the context's
 * database as the receiver so a null authorizable name compares unequal rather
 * than throwing). When the context has no database the rule does not apply and
 * the privilege is accepted as-is.
 *
 * @param context supplies the database scope (may be null) and the privilege
 *     string under validation
 * @throws ConfigurationException if a {@code Database} authorizable names a
 *     database other than the context's
 */
@Override
public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
  String database = context.getDatabase();
  String privilege = context.getPrivilege();
  // The rule only applies to rules in a per-database policy file.
  if (database == null) {
    return;
  }
  for (DBModelAuthorizable part : parsePrivilege(privilege)) {
    if (part instanceof Database && !database.equalsIgnoreCase(part.getName())) {
      throw new ConfigurationException("Privilege " + privilege + " references db " + part.getName()
          + ", but is only allowed to reference " + database);
    }
  }
}
} // closes the enclosing class (brace carried over from the original line)