fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationConfig.java - impala - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.

 package org.apache.impala.authorization.sentry;

 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
 import org.apache.impala.authorization.AuthorizationConfig;
 import org.apache.impala.authorization.AuthorizationProvider;
 import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
 import org.apache.sentry.provider.common.ResourceAuthorizationProvider;

 /**
  * Impala authorization configuration with Sentry.
  */
 public class SentryAuthorizationConfig implements AuthorizationConfig {
   private final String serverName_;
   private final SentryConfig sentryConfig_;
   private final String policyProviderClassName_;

   /**
    * Creates a new authorization configuration object.
    * @param serverName - The name of this Impala server.
    * @param sentryConfigFile - Absolute path and file name of the sentry service.
    * @param policyProviderClassName - Class name of the policy provider to use.
    */
   public SentryAuthorizationConfig(String serverName, String sentryConfigFile,
       String policyProviderClassName) {
     serverName_ = serverName;
     sentryConfig_ = new SentryConfig(sentryConfigFile);
     if (!Strings.isNullOrEmpty(policyProviderClassName)) {
       policyProviderClassName = policyProviderClassName.trim();
     }
     policyProviderClassName_ = policyProviderClassName;
     validateConfig();
   }

   public SentryAuthorizationConfig(SentryConfig config) {
     sentryConfig_ = config;
     serverName_ = null;
     policyProviderClassName_ = null;
   }

   /**
    * Returns an AuthorizationConfig object that has authorization disabled.
    */
   public static SentryAuthorizationConfig createAuthDisabledConfig() {
     return new SentryAuthorizationConfig(null, null, null);
   }

   /**
    * Returns an AuthorizationConfig object configured to use Hadoop user->group mappings
    * for the authorization provider.
    */
   public static SentryAuthorizationConfig createHadoopGroupAuthConfig(String serverName,
       String sentryConfigFile) {
     return new SentryAuthorizationConfig(serverName, sentryConfigFile,
         HadoopGroupResourceAuthorizationProvider.class.getName());
   }

   /*
    * Validates the authorization configuration and throws an AuthorizationException
    * if any problems are found. If authorization is disabled, config checks are skipped.
    */
   private void validateConfig() throws IllegalArgumentException {
     // If authorization is not enabled, config checks are skipped.
     if (!isEnabled()) return;

     // Only load the sentry configuration if a sentry-site.xml configuration file was
     // specified. It is optional for impalad.
     if (!Strings.isNullOrEmpty(sentryConfig_.getConfigFile())) {
       sentryConfig_.loadConfig();
     }

     if (Strings.isNullOrEmpty(serverName_)) {
       throw new IllegalArgumentException(
           "Authorization is enabled but the server name is null or empty. Set the " +
               "server name using the impalad --server_name flag.");
     }
     if (Strings.isNullOrEmpty(policyProviderClassName_)) {
       throw new IllegalArgumentException("Authorization is enabled but the " +
           "authorization policy provider class name is null or empty. Set the class " +
           "name using the --authorization_policy_provider_class impalad flag.");
     }

     Class<?> providerClass = null;
     try {
       // Get the Class object without performing any initialization.
       providerClass = Class.forName(policyProviderClassName_, false,
           this.getClass().getClassLoader());
     } catch (ClassNotFoundException e) {
       throw new IllegalArgumentException(String.format("The authorization policy " +
           "provider class '%s' was not found.", policyProviderClassName_), e);
     }
     Preconditions.checkNotNull(providerClass);
     if (!ResourceAuthorizationProvider.class.isAssignableFrom(providerClass)) {
       throw new IllegalArgumentException(String.format("The authorization policy " +
               "provider class '%s' must be a subclass of '%s'.",
           policyProviderClassName_,
           ResourceAuthorizationProvider.class.getName()));
     }
   }

   /**
    * Returns true if authorization is enabled.
    * If either serverName_, policyFile_, or sentryConfig_ file is set (not null
    * or empty), authorization is considered enabled.
    */
   @Override
   public boolean isEnabled() {
     return !Strings.isNullOrEmpty(serverName_) ||
         !Strings.isNullOrEmpty(sentryConfig_.getConfigFile());
   }

   @Override
   public String getProviderName() { return "sentry"; }

   /**
    * The server name to secure.
    */
   @Override
   public String getServerName() { return serverName_; }

   /**
    * The Sentry configuration.
    */
   public SentryConfig getSentryConfig() { return sentryConfig_; }

   /**
    * Returns Sentry policy provider class name.
    */
   public String getPolicyProviderClassName() { return policyProviderClassName_; }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.

	package org.apache.impala.authorization.sentry;

	import com.google.common.base.Preconditions;
	import com.google.common.base.Strings;
	import org.apache.impala.authorization.AuthorizationConfig;
	import org.apache.impala.authorization.AuthorizationProvider;
	import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
	import org.apache.sentry.provider.common.ResourceAuthorizationProvider;

	/**
	* Impala authorization configuration with Sentry.
	*/
	public class SentryAuthorizationConfig implements AuthorizationConfig {
	private final String serverName_;
	private final SentryConfig sentryConfig_;
	private final String policyProviderClassName_;

	/**
	* Creates a new authorization configuration object.
	* @param serverName - The name of this Impala server.
	* @param sentryConfigFile - Absolute path and file name of the sentry service.
	* @param policyProviderClassName - Class name of the policy provider to use.
	*/
	public SentryAuthorizationConfig(String serverName, String sentryConfigFile,
	String policyProviderClassName) {
	serverName_ = serverName;
	sentryConfig_ = new SentryConfig(sentryConfigFile);
	if (!Strings.isNullOrEmpty(policyProviderClassName)) {
	policyProviderClassName = policyProviderClassName.trim();
	}
	policyProviderClassName_ = policyProviderClassName;
	validateConfig();
	}

	public SentryAuthorizationConfig(SentryConfig config) {
	sentryConfig_ = config;
	serverName_ = null;
	policyProviderClassName_ = null;
	}

	/**
	* Returns an AuthorizationConfig object that has authorization disabled.
	*/
	public static SentryAuthorizationConfig createAuthDisabledConfig() {
	return new SentryAuthorizationConfig(null, null, null);
	}

	/**
	* Returns an AuthorizationConfig object configured to use Hadoop user->group mappings
	* for the authorization provider.
	*/
	public static SentryAuthorizationConfig createHadoopGroupAuthConfig(String serverName,
	String sentryConfigFile) {
	return new SentryAuthorizationConfig(serverName, sentryConfigFile,
	HadoopGroupResourceAuthorizationProvider.class.getName());
	}

	/*
	* Validates the authorization configuration and throws an AuthorizationException
	* if any problems are found. If authorization is disabled, config checks are skipped.
	*/
	private void validateConfig() throws IllegalArgumentException {
	// If authorization is not enabled, config checks are skipped.
	if (!isEnabled()) return;

	// Only load the sentry configuration if a sentry-site.xml configuration file was
	// specified. It is optional for impalad.
	if (!Strings.isNullOrEmpty(sentryConfig_.getConfigFile())) {
	sentryConfig_.loadConfig();
	}

	if (Strings.isNullOrEmpty(serverName_)) {
	throw new IllegalArgumentException(
	"Authorization is enabled but the server name is null or empty. Set the " +
	"server name using the impalad --server_name flag.");
	}
	if (Strings.isNullOrEmpty(policyProviderClassName_)) {
	throw new IllegalArgumentException("Authorization is enabled but the " +
	"authorization policy provider class name is null or empty. Set the class " +
	"name using the --authorization_policy_provider_class impalad flag.");
	}

	Class<?> providerClass = null;
	try {
	// Get the Class object without performing any initialization.
	providerClass = Class.forName(policyProviderClassName_, false,
	this.getClass().getClassLoader());
	} catch (ClassNotFoundException e) {
	throw new IllegalArgumentException(String.format("The authorization policy " +
	"provider class '%s' was not found.", policyProviderClassName_), e);
	}
	Preconditions.checkNotNull(providerClass);
	if (!ResourceAuthorizationProvider.class.isAssignableFrom(providerClass)) {
	throw new IllegalArgumentException(String.format("The authorization policy " +
	"provider class '%s' must be a subclass of '%s'.",
	policyProviderClassName_,
	ResourceAuthorizationProvider.class.getName()));
	}
	}

	/**
	* Returns true if authorization is enabled.
	* If either serverName_, policyFile_, or sentryConfig_ file is set (not null
	* or empty), authorization is considered enabled.
	*/
	@Override
	public boolean isEnabled() {
	return !Strings.isNullOrEmpty(serverName_) \|\|
	!Strings.isNullOrEmpty(sentryConfig_.getConfigFile());
	}

	@Override
	public String getProviderName() { return "sentry"; }

	/**
	* The server name to secure.
	*/
	@Override
	public String getServerName() { return serverName_; }

	/**
	* The Sentry configuration.
	*/
	public SentryConfig getSentryConfig() { return sentryConfig_; }

	/**
	* Returns Sentry policy provider class name.
	*/
	public String getPolicyProviderClassName() { return policyProviderClassName_; }
	}