LENS-1534 : Authorizer Instance to be made singleton for resource optimization
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
index 5ae2cfd..40ca198 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
@@ -60,7 +60,7 @@
sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS);
}
LensPrivilegeObject lp = new LensPrivilegeObject(privilegeObjectType, tableName, colName);
- if (!authorizer.authorize(lp, actionType, user, userGroups)) {
+ if ((authorizer != null) && !authorizer.authorize(lp, actionType, user, userGroups)) {
throw new PrivilegeException(privilegeObjectType.toString(), tableName, actionType.toString());
}
return true;
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
index b1c1ae4..c611963 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
@@ -39,7 +39,7 @@
import org.apache.lens.server.api.LensConfConstants;
import org.apache.lens.server.api.authorization.ActionType;
-import org.apache.lens.server.api.authorization.Authorizer;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.authorization.LensPrivilegeObject;
import org.apache.lens.server.api.error.LensException;
@@ -119,8 +119,6 @@
private Boolean isAuthorizationCheckEnabled;
- private Authorizer authorizer;
-
public DataCompletenessChecker getCompletenessChecker() {
if (completenessChecker == null) {
completenessChecker = ReflectionUtils.newInstance(config.getClass(LensConfConstants.COMPLETENESS_CHECKER_CLASS,
@@ -129,14 +127,6 @@
return completenessChecker;
}
- private Authorizer getAuthorizer() {
- if (authorizer == null) {
- authorizer = ReflectionUtils.newInstance(config.getClass(MetastoreConstants.AUTHORIZER_CLASS,
- LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), this.config);
- }
- return authorizer;
- }
-
public boolean isDataCompletenessCheckEnabled() {
if (isDataCompletenessCheckEnabled == null) {
isDataCompletenessCheckEnabled = config.getBoolean(LensConfConstants.ENABLE_DATACOMPLETENESS_CHECK,
@@ -156,7 +146,7 @@
private void checkIfAuthorized() throws LensException {
if (isAuthorizationEnabled()) {
String currentdb = SessionState.get().getCurrentDatabase();
- AuthorizationUtil.isAuthorized(getAuthorizer(), currentdb,
+ AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), currentdb,
LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf(),
SessionState.getSessionConf());
}
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java b/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java
index 5bdfea4..88097aa 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java
@@ -26,7 +26,6 @@
public static final String TABLE_TYPE_KEY = "cube.table.type";
public static final String CUBE_TABLE_PFX = "cube.table.";
public static final String WEIGHT_KEY_SFX = ".weight";
- public static final String AUTHORIZER_CLASS = "authorizer.class";
public static final String BASE_KEY_PFX = "base.";
public static final String EXPRESSIONS_LIST_SFX = ".expressions.list";
diff --git a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
index f1376ca..a6a908f 100644
--- a/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
+++ b/lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
@@ -24,31 +24,24 @@
import org.apache.lens.cube.metadata.*;
import org.apache.lens.server.api.LensConfConstants;
import org.apache.lens.server.api.authorization.ActionType;
-import org.apache.lens.server.api.authorization.Authorizer;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.authorization.LensPrivilegeObject;
import org.apache.lens.server.api.error.LensException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.hadoop.util.ReflectionUtils;
import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public class QueryAuthorizationResolver implements ContextRewriter {
-
- @Getter
- private Authorizer authorizer;
@Getter
private Boolean isAuthorizationCheckEnabled;
QueryAuthorizationResolver(Configuration conf) {
isAuthorizationCheckEnabled = conf.getBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK,
LensConfConstants.DEFAULT_ENABLE_QUERY_AUTHORIZATION_CHECK);
- authorizer = ReflectionUtils.newInstance(
- conf.getClass(MetastoreConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class),
- conf);
}
@Override
public void rewriteContext(CubeQueryContext cubeql) throws LensException {
@@ -69,7 +62,7 @@
log.info("Restricted queriedColumns queried : "+ restrictedFieldsQueried);
if (restrictedFieldsQueried != null && !restrictedFieldsQueried.isEmpty()) {
for (String col : restrictedFieldsQueried) {
- AuthorizationUtil.isAuthorized(getAuthorizer(), tbl.getName(), col,
+ AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), tbl.getName(), col,
LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf(),
SessionState.getSessionConf());
}
diff --git a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
index 9499f0c..9b8a55a 100644
--- a/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
+++ b/lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
@@ -39,6 +39,7 @@
import org.apache.lens.cube.metadata.timeline.StoreAllPartitionTimeline;
import org.apache.lens.cube.metadata.timeline.TestPartitionTimelines;
import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.error.LensException;
import org.apache.lens.server.api.query.save.exception.PrivilegeException;
import org.apache.lens.server.api.util.LensUtil;
@@ -141,6 +142,9 @@
public static void setup() throws HiveException, AlreadyExistsException, LensException {
SessionState.start(conf);
+ conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+ LensAuthorizer.get().init(conf);
+
Database database = new Database();
database.setName(TestCubeMetastoreClient.class.getSimpleName());
Hive.get(conf).createDatabase(database);
@@ -148,7 +152,6 @@
client = CubeMetastoreClient.getInstance(conf);
client.getConf().setBoolean(LensConfConstants.ENABLE_METASTORE_SCHEMA_AUTHORIZATION_CHECK, true);
client.getConf().setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
- client.getConf().set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1");
defineCube(CUBE_NAME, CUBE_NAME_WITH_PROPS, DERIVED_CUBE_NAME, DERIVED_CUBE_NAME_WITH_PROPS);
defineUberDims();
diff --git a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java
index 13b345f..356df97 100644
--- a/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java
+++ b/lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java
@@ -23,8 +23,8 @@
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.fail;
-import org.apache.lens.cube.metadata.MetastoreConstants;
import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.error.LensException;
import org.apache.lens.server.api.query.save.exception.PrivilegeException;
@@ -39,9 +39,10 @@
@BeforeClass
public void beforeClassTestQueryAuthorizationResolver() {
+ conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+ LensAuthorizer.get().init(conf);
conf.setBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, true);
conf.setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
- conf.set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
}
@Test
diff --git a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
index efaf5d2..cb82f06 100644
--- a/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
+++ b/lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
@@ -1337,10 +1337,6 @@
public static final Class<? extends DataCompletenessChecker> DEFAULT_COMPLETENESS_CHECKER =
DefaultChecker.class.asSubclass(DataCompletenessChecker.class);
-
- public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER =
- DefaultAuthorizer.class.asSubclass(Authorizer.class);
-
/**
* This property is to enable Data Completeness Checks while resolving partitions.
*/
@@ -1435,4 +1431,11 @@
*/
public static final String RETRY_MESSAGE_MAP = "retry.messages.contains.map";
+ public static final String AUTHORIZER_CLASS = SERVER_PFX + "authorizer.class";
+
+ public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER =
+ DefaultAuthorizer.class.asSubclass(Authorizer.class);
+
+
+
}
diff --git a/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java b/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java
new file mode 100644
index 0000000..f8c6b9c
--- /dev/null
+++ b/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.lens.server.api.authorization;
+
+import org.apache.lens.server.api.LensConfConstants;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+
+//Singleton instance of Authorizer class
+public final class LensAuthorizer {
+
+ private static final LensAuthorizer INSTANCE = new LensAuthorizer();
+
+ private Authorizer authorizer;
+
+ // private constructor to ensure single instance.
+ private LensAuthorizer() {
+ }
+
+ public void init(Configuration hiveConf){
+ this.authorizer = ReflectionUtils.newInstance(
+ hiveConf.getClass(LensConfConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class),
+ hiveConf);
+ }
+
+ /**
+ *
+ * @return the singleton instance of the authorizer.
+ */
+ public static LensAuthorizer get(){
+ return INSTANCE;
+ }
+
+ public Authorizer getAuthorizer() {
+ return this.authorizer;
+ }
+
+
+}
diff --git a/lens-server/src/main/java/org/apache/lens/server/LensServer.java b/lens-server/src/main/java/org/apache/lens/server/LensServer.java
index 701ebbe..9a913cb 100644
--- a/lens-server/src/main/java/org/apache/lens/server/LensServer.java
+++ b/lens-server/src/main/java/org/apache/lens/server/LensServer.java
@@ -27,6 +27,7 @@
import org.apache.lens.api.jaxb.LensJAXBContextResolver;
import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.metrics.MetricsService;
import org.apache.lens.server.error.GenericExceptionMapper;
import org.apache.lens.server.error.LensJAXBValidationExceptionMapper;
@@ -135,6 +136,7 @@
* @param conf the conf
*/
public void startServices(HiveConf conf) {
+ LensAuthorizer.get().init(conf);
LensServices.get().init(conf);
LensServices.get().start();
}
diff --git a/lens-server/src/main/resources/lensserver-default.xml b/lens-server/src/main/resources/lensserver-default.xml
index 2ea73a3..e5d94e7 100644
--- a/lens-server/src/main/resources/lensserver-default.xml
+++ b/lens-server/src/main/resources/lensserver-default.xml
@@ -1012,4 +1012,11 @@
<description>password for cert file</description>
</property>
+ <property>
+ <name>lens.server.authorizer.class</name>
+ <value>org.apache.lens.server.api.authorization.DefaultAuthorizer</value>
+ <description>The class that implements the Authorizer Interface. It will be used wherever authorization check
+ is enabled</description>
+ </property>
+
</configuration>
diff --git a/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java b/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java
index 7cccf30..33b4232 100644
--- a/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java
+++ b/lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java
@@ -39,6 +39,7 @@
import org.apache.lens.api.util.MoxyJsonConfigurationContextResolver;
import org.apache.lens.driver.hive.TestRemoteHiveDriver;
import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
import org.apache.lens.server.api.metrics.LensMetricsUtil;
import org.apache.lens.server.api.metrics.MetricsService;
import org.apache.lens.server.api.query.QueryExecutionService;
@@ -168,6 +169,7 @@
createTestDatabaseResources(new String[]{DB_WITH_JARS, DB_WITH_JARS_2},
hiveConf);
+ LensAuthorizer.get().init(LensServerConf.getHiveConf());
LensServices.get().init(LensServerConf.getHiveConf());
LensServices.get().start();
diff --git a/src/site/apt/admin/config.apt b/src/site/apt/admin/config.apt
index e900f98..4cee5ae 100644
--- a/src/site/apt/admin/config.apt
+++ b/src/site/apt/admin/config.apt
@@ -307,4 +307,6 @@
*--+--+---+--+
|139|lens.server.ws.resourcenames|session,metastore,query,savedquery,quota,scheduler,index,log|These JAX-RS resources would be started in the specified order when lens-server starts up|
*--+--+---+--+
+|140|lens.server.authorizer.class|org.apache.lens.server.api.authorization.DefaultAuthorizer|The class that implements the Authorizer Interface. It will be used wherever authorization check is enabled|
+*--+--+---+--+
The configuration parameters and their default values
