- private class GroupCache {
- List<org.apache.sentry.policy.common.Privilege> privileges;
- public GroupCache(String group) {
- ImmutableSet<String> pSet =
- policy_.getAllPrivileges(Sets.newHashSet(group), ActiveRoleSet.ALL);
- privileges = new ArrayList<>(pSet.size());
- for (String p: pSet) {
- privileges.add(privilegeFactory_.createPrivilege(p));
- }
- }
- }
- HashMap<String, GroupCache> groupCacheMap = new HashMap<>();
- private boolean hasCachedAccessInternal(Subject user, List<? extends Authorizable> authorizables, Set<? extends Action> actions) {
- Set<String> groups = provider_.getGroupMapping().getGroups(user.getName());
- List<String> hierarchy = new ArrayList<>();
- for (Authorizable authorizable : authorizables) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
- }
- List<String> requestPrivileges = new ArrayList<String>();
- for (Action action : actions) {
- String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
- requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
- KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
- requestPrivileges.add(requestPermission);
- }
- for (String g: groups) {
- GroupCache gc = groupCacheMap.get(g);
- if ( gc == null ) {
- gc = this.new GroupCache(g);
- groupCacheMap.put(g, gc);
- }
- for (String requestPrivilege : requestPrivileges) {
- org.apache.sentry.policy.common.Privilege reqPriv =
- privilegeFactory_.createPrivilege(requestPrivilege);
- for (org.apache.sentry.policy.common.Privilege permission : gc.privileges) {
- /*
- * Does the permission granted in the policy file imply the requested action?
- */
- boolean result = permission.implies(reqPriv);
- if(LOG.isDebugEnabled()) {
- LOG.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
- permission, requestPrivilege, ActiveRoleSet.ALL, result);
- }
- if (result) {
- return true;
- }
- }
- }
- }
- return false;
- }
- /*
- * Returns true if the given user has permission to execute the given
- * request, false otherwise. Always returns true if authorization is disabled.
- */
- public boolean hasCachedAccess(String user, PrivilegeRequest request) {
- Preconditions.checkNotNull(user);
- Preconditions.checkNotNull(request);
- // If authorization is not enabled the user will always have access. If this is
- // an internal request, the user will always have permission.
- if (!config_.isEnabled()) {
- return true;
- }
- EnumSet<DBModelAction> actions = request.getPrivilege().getHiveActions();
- List<DBModelAuthorizable> authorizeables = Lists.newArrayList(
- server_.getHiveAuthorizeableHierarchy());
- // If request.getAuthorizeable() is null, the request is for server-level permission.
- if (request.getAuthorizeable() != null) {
- authorizeables.addAll(request.getAuthorizeable().getHiveAuthorizeableHierarchy());
- }
- // The Hive Access API does not currently provide a way to check if the user
- // has any privileges on a given resource.
- if (request.getPrivilege().getAnyOf()) {
- for (DBModelAction action: anyActions) {
- if (hasCachedAccessInternal(new Subject(user), authorizeables,
- EnumSet.of(action))) {
- return true;
- }
- }
- return false;
- } else if (request.getPrivilege() == Privilege.CREATE && authorizeables.size() > 1) {
- // CREATE on an object requires CREATE on the parent,
- // so don't check access on the object we're creating.
- authorizeables.remove(authorizeables.size() - 1);
- }
- return hasCachedAccessInternal(new Subject(user), authorizeables, actions);
- }