| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.sentry.provider.file; |
| |
| import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES; |
| import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS; |
| import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES; |
| import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER; |
| import static org.apache.sentry.provider.file.PolicyFileConstants.USERS; |
| |
| import java.io.FileNotFoundException; |
| import java.io.IOException; |
| import java.net.URI; |
| import java.util.ArrayList; |
| import java.util.Collection; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Set; |
| |
| import javax.annotation.Nullable; |
| |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.fs.FileSystem; |
| import org.apache.hadoop.fs.Path; |
| import org.apache.sentry.core.common.Authorizable; |
| import org.apache.sentry.core.common.SentryConfigurationException; |
| import org.apache.sentry.policy.common.RoleValidator; |
| import org.apache.sentry.provider.common.ProviderBackend; |
| import org.apache.sentry.provider.common.Roles; |
| import org.apache.shiro.config.ConfigurationException; |
| import org.apache.shiro.config.Ini; |
| import org.apache.shiro.util.PermissionUtils; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import com.google.common.annotations.VisibleForTesting; |
| import com.google.common.base.Splitter; |
| import com.google.common.base.Strings; |
| import com.google.common.collect.HashMultimap; |
| import com.google.common.collect.ImmutableMap; |
| import com.google.common.collect.ImmutableSet; |
| import com.google.common.collect.ImmutableSetMultimap; |
| import com.google.common.collect.Lists; |
| import com.google.common.collect.Maps; |
| import com.google.common.collect.Multimap; |
| import com.google.common.collect.Sets; |
| |
| public class SimpleFileProviderBackend implements ProviderBackend { |
| |
| private static final Logger LOGGER = LoggerFactory |
| .getLogger(SimpleFileProviderBackend.class); |
| |
| |
| |
| private final FileSystem fileSystem; |
| private final Path resourcePath; |
| private final List<Path> perDbResources = Lists.newArrayList(); |
| private Roles rolesStorage; |
| private final Configuration conf; |
| private boolean processed; |
| private final List<String> configErrors = new ArrayList<String>(); |
| private final List<String> configWarnings = new ArrayList<String>(); |
| |
| public SimpleFileProviderBackend(String resourcePath) throws IOException { |
| this(new Configuration(), resourcePath); |
| } |
| |
| public SimpleFileProviderBackend(Configuration conf, String resourcePath) throws IOException { |
| this(conf, new Path(resourcePath)); |
| } |
| |
| @VisibleForTesting |
| public SimpleFileProviderBackend(Configuration conf, Path resourcePath) throws IOException { |
| this.resourcePath = resourcePath; |
| this.fileSystem = resourcePath.getFileSystem(conf); |
| this.rolesStorage = new Roles(); |
| this.conf = conf; |
| this.processed = false; |
| } |
| |
| /** |
| * {@inheritDoc} |
| */ |
| public void process(List<? extends RoleValidator> validators) { |
| configErrors.clear(); |
| perDbResources.clear(); |
| Ini ini; |
| |
| LOGGER.info("Parsing " + resourcePath); |
| Roles roles = new Roles(); |
| try { |
| perDbResources.clear(); |
| try { |
| ini = PolicyFiles.loadFromPath(fileSystem, resourcePath); |
| } catch (IOException e) { |
| configErrors.add("Failed to read policy file " + resourcePath + |
| " Error: " + e.getMessage()); |
| throw new SentryConfigurationException("Error loading policy file " + resourcePath, e); |
| } catch (IllegalArgumentException e) { |
| configErrors.add("Failed to read policy file " + resourcePath + |
| " Error: " + e.getMessage()); |
| throw new SentryConfigurationException("Error loading policy file " + resourcePath, e); |
| } |
| |
| if(LOGGER.isDebugEnabled()) { |
| for(String sectionName : ini.getSectionNames()) { |
| LOGGER.debug("Section: " + sectionName); |
| Ini.Section section = ini.get(sectionName); |
| for(String key : section.keySet()) { |
| String value = section.get(key); |
| LOGGER.debug(key + " = " + value); |
| } |
| } |
| } |
| ImmutableSetMultimap<String, String> globalRoles; |
| Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap(); |
| globalRoles = parseIni(null, ini, validators, resourcePath); |
| Ini.Section filesSection = ini.getSection(DATABASES); |
| if(filesSection == null) { |
| LOGGER.info("Section " + DATABASES + " needs no further processing"); |
| } else { |
| for(Map.Entry<String, String> entry : filesSection.entrySet()) { |
| String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase(); |
| Path perDbPolicy = new Path(Strings.nullToEmpty(entry.getValue()).trim()); |
| if(isRelative(perDbPolicy)) { |
| perDbPolicy = new Path(resourcePath.getParent(), perDbPolicy); |
| } |
| try { |
| LOGGER.info("Parsing " + perDbPolicy); |
| Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy); |
| if(perDbIni.containsKey(USERS)) { |
| configErrors.add("Per-db policy file cannot contain " + USERS + " section in " + perDbPolicy); |
| throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section"); |
| } |
| if(perDbIni.containsKey(DATABASES)) { |
| configErrors.add("Per-db policy files cannot contain " + DATABASES |
| + " section in " + perDbPolicy); |
| throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section"); |
| } |
| ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators, perDbPolicy); |
| perDatabaseRoles.put(database, currentDbRoles); |
| perDbResources.add(perDbPolicy); |
| } catch (Exception e) { |
| configErrors.add("Failed to read per-DB policy file " + perDbPolicy + |
| " Error: " + e.getMessage()); |
| LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e); |
| } |
| } |
| } |
| roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles)); |
| } catch (Exception e) { |
| configErrors.add("Error processing file " + resourcePath + e.getMessage()); |
| LOGGER.error("Error processing file, ignoring " + resourcePath, e); |
| } |
| rolesStorage = roles; |
| this.processed = true; |
| } |
| /** |
| * Relative for our purposes is no scheme, no authority |
| * and a non-absolute path portion. |
| */ |
| private boolean isRelative(Path path) { |
| URI uri = path.toUri(); |
| return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute(); |
| } |
| |
| protected long getModificationTime() throws IOException { |
| // if resource path has been deleted, throw all exceptions |
| long result = fileSystem.getFileStatus(resourcePath).getModificationTime(); |
| for(Path perDbPolicy : perDbResources) { |
| try { |
| result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime()); |
| } catch (FileNotFoundException e) { |
| // if a per-db file has been deleted, wait until the main |
| // policy file has been updated before refreshing |
| } |
| } |
| return result; |
| } |
| |
| private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators, |
| Path policyPath) { |
| Ini.Section privilegesSection = ini.getSection(ROLES); |
| boolean invalidConfiguration = false; |
| if (privilegesSection == null) { |
| String errMsg = String.format("Section %s empty for %s", ROLES, policyPath); |
| LOGGER.warn(errMsg); |
| configErrors.add(errMsg); |
| invalidConfiguration = true; |
| } |
| Ini.Section groupsSection = ini.getSection(GROUPS); |
| if (groupsSection == null) { |
| String warnMsg = String.format("Section %s empty for %s", GROUPS, policyPath); |
| LOGGER.warn(warnMsg); |
| configErrors.add(warnMsg); |
| invalidConfiguration = true; |
| } |
| if (!invalidConfiguration) { |
| return parsePermissions(database, privilegesSection, groupsSection, validators, policyPath); |
| } |
| return ImmutableSetMultimap.of(); |
| } |
| |
| private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database, |
| Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators, |
| Path policyPath) { |
| ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder(); |
| Multimap<String, String> roleNameToPrivilegeMap = HashMultimap |
| .create(); |
| for (Map.Entry<String, String> entry : rolesSection.entrySet()) { |
| String roleName = Strings.nullToEmpty(entry.getKey()).trim(); |
| String roleValue = Strings.nullToEmpty(entry.getValue()).trim(); |
| boolean invalidConfiguration = false; |
| if (roleName.isEmpty()) { |
| String errMsg = String.format("Empty role name encountered in %s", policyPath); |
| LOGGER.warn(errMsg); |
| configErrors.add(errMsg); |
| invalidConfiguration = true; |
| } |
| if (roleValue.isEmpty()) { |
| String errMsg = String.format("Empty role value encountered in %s", policyPath); |
| LOGGER.warn(errMsg); |
| configErrors.add(errMsg); |
| invalidConfiguration = true; |
| } |
| if (roleNameToPrivilegeMap.containsKey(roleName)) { |
| String warnMsg = String.format("Role %s defined twice in %s", roleName, policyPath); |
| LOGGER.warn(warnMsg); |
| configWarnings.add(warnMsg); |
| } |
| Set<String> roles = PermissionUtils |
| .toPermissionStrings(roleValue); |
| if (!invalidConfiguration && roles != null) { |
| for(String role : roles) { |
| for(RoleValidator validator : validators) { |
| validator.validate(database, role.trim()); |
| } |
| } |
| roleNameToPrivilegeMap.putAll(roleName, roles); |
| } |
| } |
| Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults(); |
| for (Map.Entry<String, String> entry : groupsSection.entrySet()) { |
| String groupName = Strings.nullToEmpty(entry.getKey()).trim(); |
| String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim(); |
| Collection<String> resolvedGroupPrivileges = Sets.newHashSet(); |
| for (String roleName : roleSplitter.split(groupPrivileges)) { |
| if (roleNameToPrivilegeMap.containsKey(roleName)) { |
| resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap |
| .get(roleName)); |
| } else { |
| String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s", |
| roleName, groupName, policyPath); |
| LOGGER.warn(warnMsg); |
| configWarnings.add(warnMsg); |
| } |
| } |
| resultBuilder.putAll(groupName, resolvedGroupPrivileges); |
| } |
| return resultBuilder.build(); |
| } |
| |
| /* |
| * {@inheritDoc} |
| */ |
| public Roles getRoles() { |
| if (!processed) throw new UnsupportedOperationException("Process has not been called"); |
| |
| return rolesStorage; |
| } |
| |
| @Override |
| public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation) |
| throws SentryConfigurationException { |
| if ((strictValidation && !configWarnings.isEmpty()) || !configErrors.isEmpty()) { |
| configErrors.add("Failed to process global policy file " + resourcePath); |
| SentryConfigurationException e = new SentryConfigurationException(""); |
| e.setConfigErrors(configErrors); |
| e.setConfigWarnings(configWarnings); |
| throw e; |
| } |
| } |
| |
| } |