sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java - incubator-sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.provider.file;

 import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
 import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
 import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
 import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER;
 import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;

 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;

 import javax.annotation.Nullable;

 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.policy.common.RoleValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.Roles;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.config.Ini;
 import org.apache.shiro.util.PermissionUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Sets;

 public class SimpleFileProviderBackend implements ProviderBackend {

   private static final Logger LOGGER = LoggerFactory
       .getLogger(SimpleFileProviderBackend.class);


   private final FileSystem fileSystem;
   private final Path resourcePath;
   private final List<Path> perDbResources = Lists.newArrayList();
   private Roles rolesStorage;
   private final Configuration conf;
   private boolean processed;
   private final List<String> configErrors = new ArrayList<String>();
   private final List<String> configWarnings = new ArrayList<String>();

   public SimpleFileProviderBackend(String resourcePath) throws IOException {
     this(new Configuration(), resourcePath);
   }

   public SimpleFileProviderBackend(Configuration conf, String resourcePath) throws IOException {
     this(conf, new Path(resourcePath));
   }

   @VisibleForTesting
   public SimpleFileProviderBackend(Configuration conf, Path resourcePath) throws IOException {
     this.resourcePath = resourcePath;
     this.fileSystem = resourcePath.getFileSystem(conf);
     this.rolesStorage = new Roles();
     this.conf = conf;
     this.processed = false;
   }

   /**
    * {@inheritDoc}
    */
   public void process(List<? extends RoleValidator> validators) {
     configErrors.clear();
     perDbResources.clear();
     Ini ini;

     LOGGER.info("Parsing " + resourcePath);
     Roles roles = new Roles();
     try {
       perDbResources.clear();
       try {
         ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
       } catch (IOException e) {
         configErrors.add("Failed to read policy file " + resourcePath +
           " Error: " + e.getMessage());
         throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
       } catch (IllegalArgumentException e) {
         configErrors.add("Failed to read policy file " + resourcePath +
           " Error: " + e.getMessage());
         throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
       }

       if(LOGGER.isDebugEnabled()) {
         for(String sectionName : ini.getSectionNames()) {
           LOGGER.debug("Section: " + sectionName);
           Ini.Section section = ini.get(sectionName);
           for(String key : section.keySet()) {
             String value = section.get(key);
             LOGGER.debug(key + " = " + value);
           }
         }
       }
       ImmutableSetMultimap<String, String> globalRoles;
       Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
       globalRoles = parseIni(null, ini, validators, resourcePath);
       Ini.Section filesSection = ini.getSection(DATABASES);
       if(filesSection == null) {
         LOGGER.info("Section " + DATABASES + " needs no further processing");
       } else {
         for(Map.Entry<String, String> entry : filesSection.entrySet()) {
           String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase();
           Path perDbPolicy = new Path(Strings.nullToEmpty(entry.getValue()).trim());
           if(isRelative(perDbPolicy)) {
             perDbPolicy = new Path(resourcePath.getParent(), perDbPolicy);
           }
           try {
             LOGGER.info("Parsing " + perDbPolicy);
             Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
             if(perDbIni.containsKey(USERS)) {
               configErrors.add("Per-db policy file cannot contain " + USERS + " section in " +  perDbPolicy);
               throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
             }
             if(perDbIni.containsKey(DATABASES)) {
               configErrors.add("Per-db policy files cannot contain " + DATABASES
                   + " section in " + perDbPolicy);
               throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
             }
             ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators, perDbPolicy);
             perDatabaseRoles.put(database, currentDbRoles);
             perDbResources.add(perDbPolicy);
           } catch (Exception e) {
             configErrors.add("Failed to read per-DB policy file " + perDbPolicy +
                " Error: " + e.getMessage());
             LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e);
           }
         }
       }
       roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
     } catch (Exception e) {
       configErrors.add("Error processing file " + resourcePath + e.getMessage());
       LOGGER.error("Error processing file, ignoring " + resourcePath, e);
     }
     rolesStorage = roles;
     this.processed = true;
   }
   /**
    * Relative for our purposes is no scheme, no authority
    * and a non-absolute path portion.
    */
   private boolean isRelative(Path path) {
     URI uri = path.toUri();
     return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
   }

   protected long getModificationTime() throws IOException {
     // if resource path has been deleted, throw all exceptions
     long result = fileSystem.getFileStatus(resourcePath).getModificationTime();
     for(Path perDbPolicy : perDbResources) {
       try {
         result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime());
       } catch (FileNotFoundException e) {
         // if a per-db file has been deleted, wait until the main
         // policy file has been updated before refreshing
       }
     }
     return result;
   }

   private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators,
       Path policyPath) {
     Ini.Section privilegesSection = ini.getSection(ROLES);
     boolean invalidConfiguration = false;
     if (privilegesSection == null) {
       String errMsg = String.format("Section %s empty for %s", ROLES, policyPath);
       LOGGER.warn(errMsg);
       configErrors.add(errMsg);
       invalidConfiguration = true;
     }
     Ini.Section groupsSection = ini.getSection(GROUPS);
     if (groupsSection == null) {
       String warnMsg = String.format("Section %s empty for %s", GROUPS, policyPath);
       LOGGER.warn(warnMsg);
       configErrors.add(warnMsg);
       invalidConfiguration = true;
     }
     if (!invalidConfiguration) {
       return parsePermissions(database, privilegesSection, groupsSection, validators, policyPath);
     }
     return ImmutableSetMultimap.of();
   }

   private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
       Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators,
       Path policyPath) {
     ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
     Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
         .create();
     for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
       String roleName = Strings.nullToEmpty(entry.getKey()).trim();
       String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
       boolean invalidConfiguration = false;
       if (roleName.isEmpty()) {
         String errMsg = String.format("Empty role name encountered in %s", policyPath);
         LOGGER.warn(errMsg);
         configErrors.add(errMsg);
         invalidConfiguration = true;
       }
       if (roleValue.isEmpty()) {
         String errMsg = String.format("Empty role value encountered in %s", policyPath);
         LOGGER.warn(errMsg);
         configErrors.add(errMsg);
         invalidConfiguration = true;
       }
       if (roleNameToPrivilegeMap.containsKey(roleName)) {
         String warnMsg = String.format("Role %s defined twice in %s", roleName, policyPath);
         LOGGER.warn(warnMsg);
         configWarnings.add(warnMsg);
       }
       Set<String> roles = PermissionUtils
           .toPermissionStrings(roleValue);
       if (!invalidConfiguration && roles != null) {
         for(String role : roles) {
           for(RoleValidator validator : validators) {
             validator.validate(database, role.trim());
           }
         }
         roleNameToPrivilegeMap.putAll(roleName, roles);
       }
     }
     Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
     for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
       String groupName = Strings.nullToEmpty(entry.getKey()).trim();
       String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
       Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
       for (String roleName : roleSplitter.split(groupPrivileges)) {
         if (roleNameToPrivilegeMap.containsKey(roleName)) {
           resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
               .get(roleName));
         } else {
           String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s",
                   roleName, groupName, policyPath);
           LOGGER.warn(warnMsg);
           configWarnings.add(warnMsg);
         }
       }
       resultBuilder.putAll(groupName, resolvedGroupPrivileges);
     }
     return resultBuilder.build();
   }

   /*
    * {@inheritDoc}
    */
   public Roles getRoles() {
     if (!processed) throw new UnsupportedOperationException("Process has not been called");

     return rolesStorage;
   }

   @Override
   public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
       throws SentryConfigurationException {
     if ((strictValidation && !configWarnings.isEmpty()) || !configErrors.isEmpty()) {
       configErrors.add("Failed to process global policy file " + resourcePath);
       SentryConfigurationException e = new SentryConfigurationException("");
       e.setConfigErrors(configErrors);
       e.setConfigWarnings(configWarnings);
       throw e;
     }
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.provider.file;

	import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
	import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
	import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
	import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER;
	import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;

	import java.io.FileNotFoundException;
	import java.io.IOException;
	import java.net.URI;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.List;
	import java.util.Map;
	import java.util.Set;

	import javax.annotation.Nullable;

	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.fs.FileSystem;
	import org.apache.hadoop.fs.Path;
	import org.apache.sentry.core.common.Authorizable;
	import org.apache.sentry.core.common.SentryConfigurationException;
	import org.apache.sentry.policy.common.RoleValidator;
	import org.apache.sentry.provider.common.ProviderBackend;
	import org.apache.sentry.provider.common.Roles;
	import org.apache.shiro.config.ConfigurationException;
	import org.apache.shiro.config.Ini;
	import org.apache.shiro.util.PermissionUtils;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import com.google.common.annotations.VisibleForTesting;
	import com.google.common.base.Splitter;
	import com.google.common.base.Strings;
	import com.google.common.collect.HashMultimap;
	import com.google.common.collect.ImmutableMap;
	import com.google.common.collect.ImmutableSet;
	import com.google.common.collect.ImmutableSetMultimap;
	import com.google.common.collect.Lists;
	import com.google.common.collect.Maps;
	import com.google.common.collect.Multimap;
	import com.google.common.collect.Sets;

	public class SimpleFileProviderBackend implements ProviderBackend {

	private static final Logger LOGGER = LoggerFactory
	.getLogger(SimpleFileProviderBackend.class);



	private final FileSystem fileSystem;
	private final Path resourcePath;
	private final List<Path> perDbResources = Lists.newArrayList();
	private Roles rolesStorage;
	private final Configuration conf;
	private boolean processed;
	private final List<String> configErrors = new ArrayList<String>();
	private final List<String> configWarnings = new ArrayList<String>();

	public SimpleFileProviderBackend(String resourcePath) throws IOException {
	this(new Configuration(), resourcePath);
	}

	public SimpleFileProviderBackend(Configuration conf, String resourcePath) throws IOException {
	this(conf, new Path(resourcePath));
	}

	@VisibleForTesting
	public SimpleFileProviderBackend(Configuration conf, Path resourcePath) throws IOException {
	this.resourcePath = resourcePath;
	this.fileSystem = resourcePath.getFileSystem(conf);
	this.rolesStorage = new Roles();
	this.conf = conf;
	this.processed = false;
	}

	/**
	* {@inheritDoc}
	*/
	public void process(List<? extends RoleValidator> validators) {
	configErrors.clear();
	perDbResources.clear();
	Ini ini;

	LOGGER.info("Parsing " + resourcePath);
	Roles roles = new Roles();
	try {
	perDbResources.clear();
	try {
	ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
	} catch (IOException e) {
	configErrors.add("Failed to read policy file " + resourcePath +
	" Error: " + e.getMessage());
	throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
	} catch (IllegalArgumentException e) {
	configErrors.add("Failed to read policy file " + resourcePath +
	" Error: " + e.getMessage());
	throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
	}

	if(LOGGER.isDebugEnabled()) {
	for(String sectionName : ini.getSectionNames()) {
	LOGGER.debug("Section: " + sectionName);
	Ini.Section section = ini.get(sectionName);
	for(String key : section.keySet()) {
	String value = section.get(key);
	LOGGER.debug(key + " = " + value);
	}
	}
	}
	ImmutableSetMultimap<String, String> globalRoles;
	Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
	globalRoles = parseIni(null, ini, validators, resourcePath);
	Ini.Section filesSection = ini.getSection(DATABASES);
	if(filesSection == null) {
	LOGGER.info("Section " + DATABASES + " needs no further processing");
	} else {
	for(Map.Entry<String, String> entry : filesSection.entrySet()) {
	String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase();
	Path perDbPolicy = new Path(Strings.nullToEmpty(entry.getValue()).trim());
	if(isRelative(perDbPolicy)) {
	perDbPolicy = new Path(resourcePath.getParent(), perDbPolicy);
	}
	try {
	LOGGER.info("Parsing " + perDbPolicy);
	Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
	if(perDbIni.containsKey(USERS)) {
	configErrors.add("Per-db policy file cannot contain " + USERS + " section in " + perDbPolicy);
	throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
	}
	if(perDbIni.containsKey(DATABASES)) {
	configErrors.add("Per-db policy files cannot contain " + DATABASES
	+ " section in " + perDbPolicy);
	throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
	}
	ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators, perDbPolicy);
	perDatabaseRoles.put(database, currentDbRoles);
	perDbResources.add(perDbPolicy);
	} catch (Exception e) {
	configErrors.add("Failed to read per-DB policy file " + perDbPolicy +
	" Error: " + e.getMessage());
	LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e);
	}
	}
	}
	roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
	} catch (Exception e) {
	configErrors.add("Error processing file " + resourcePath + e.getMessage());
	LOGGER.error("Error processing file, ignoring " + resourcePath, e);
	}
	rolesStorage = roles;
	this.processed = true;
	}
	/**
	* Relative for our purposes is no scheme, no authority
	* and a non-absolute path portion.
	*/
	private boolean isRelative(Path path) {
	URI uri = path.toUri();
	return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
	}

	protected long getModificationTime() throws IOException {
	// if resource path has been deleted, throw all exceptions
	long result = fileSystem.getFileStatus(resourcePath).getModificationTime();
	for(Path perDbPolicy : perDbResources) {
	try {
	result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime());
	} catch (FileNotFoundException e) {
	// if a per-db file has been deleted, wait until the main
	// policy file has been updated before refreshing
	}
	}
	return result;
	}

	private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators,
	Path policyPath) {
	Ini.Section privilegesSection = ini.getSection(ROLES);
	boolean invalidConfiguration = false;
	if (privilegesSection == null) {
	String errMsg = String.format("Section %s empty for %s", ROLES, policyPath);
	LOGGER.warn(errMsg);
	configErrors.add(errMsg);
	invalidConfiguration = true;
	}
	Ini.Section groupsSection = ini.getSection(GROUPS);
	if (groupsSection == null) {
	String warnMsg = String.format("Section %s empty for %s", GROUPS, policyPath);
	LOGGER.warn(warnMsg);
	configErrors.add(warnMsg);
	invalidConfiguration = true;
	}
	if (!invalidConfiguration) {
	return parsePermissions(database, privilegesSection, groupsSection, validators, policyPath);
	}
	return ImmutableSetMultimap.of();
	}

	private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
	Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators,
	Path policyPath) {
	ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
	Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
	.create();
	for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
	String roleName = Strings.nullToEmpty(entry.getKey()).trim();
	String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
	boolean invalidConfiguration = false;
	if (roleName.isEmpty()) {
	String errMsg = String.format("Empty role name encountered in %s", policyPath);
	LOGGER.warn(errMsg);
	configErrors.add(errMsg);
	invalidConfiguration = true;
	}
	if (roleValue.isEmpty()) {
	String errMsg = String.format("Empty role value encountered in %s", policyPath);
	LOGGER.warn(errMsg);
	configErrors.add(errMsg);
	invalidConfiguration = true;
	}
	if (roleNameToPrivilegeMap.containsKey(roleName)) {
	String warnMsg = String.format("Role %s defined twice in %s", roleName, policyPath);
	LOGGER.warn(warnMsg);
	configWarnings.add(warnMsg);
	}
	Set<String> roles = PermissionUtils
	.toPermissionStrings(roleValue);
	if (!invalidConfiguration && roles != null) {
	for(String role : roles) {
	for(RoleValidator validator : validators) {
	validator.validate(database, role.trim());
	}
	}
	roleNameToPrivilegeMap.putAll(roleName, roles);
	}
	}
	Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
	for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
	String groupName = Strings.nullToEmpty(entry.getKey()).trim();
	String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
	Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
	for (String roleName : roleSplitter.split(groupPrivileges)) {
	if (roleNameToPrivilegeMap.containsKey(roleName)) {
	resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
	.get(roleName));
	} else {
	String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s",
	roleName, groupName, policyPath);
	LOGGER.warn(warnMsg);
	configWarnings.add(warnMsg);
	}
	}
	resultBuilder.putAll(groupName, resolvedGroupPrivileges);
	}
	return resultBuilder.build();
	}

	/*
	* {@inheritDoc}
	*/
	public Roles getRoles() {
	if (!processed) throw new UnsupportedOperationException("Process has not been called");

	return rolesStorage;
	}

	@Override
	public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
	throws SentryConfigurationException {
	if ((strictValidation && !configWarnings.isEmpty()) \|\| !configErrors.isEmpty()) {
	configErrors.add("Failed to process global policy file " + resourcePath);
	SentryConfigurationException e = new SentryConfigurationException("");
	e.setConfigErrors(configErrors);
	e.setConfigWarnings(configWarnings);
	throw e;
	}
	}

	}