List of usage examples for org.apache.hadoop.security UserGroupInformation getCurrentUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getCurrentUser() throws IOException
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListener.java
License:Apache License
/**
 * Drops every Sentry privilege held on the given authorizable chain
 * (server / database / table), issuing the request as the current UGI short user name.
 *
 * @param authorizableTable the authorizable chain whose privileges are removed
 * @throws SentryUserException if the Sentry service rejects the drop request
 * @throws IOException if the current user cannot be resolved via UserGroupInformation
 * @throws MetaException declared by the original signature; presumably raised while
 *     obtaining the service client — the throwing call is not visible here
 */
private void dropSentryPrivileges(List<? extends Authorizable> authorizableTable)
    throws SentryUserException, IOException, MetaException {
  // NOTE(review): the requestor is whatever identity UGI reports for this thread
  // (process or doAs identity); confirm this is the principal Sentry should see
  // for a policy change triggered by a metastore event.
  final String requestor = UserGroupInformation.getCurrentUser().getShortUserName();
  final SentryPolicyServiceClient client = getSentryServiceClient();
  client.dropPrivileges(requestor, authorizableTable);
  // NOTE(review): the client obtained here is never closed; confirm whether this
  // client type holds a connection that should be released after use.
}
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListener.java
License:Apache License
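/**
 * Mirrors a table rename into the Sentry policy store (when configured to sync alter
 * events and the table name actually changed) and then notifies every registered
 * metastore listener plugin so HDFS-side state can follow the rename.
 *
 * @param oldDbName database the table belonged to before the rename
 * @param oldTabName previous table name
 * @param oldPath previous storage location, passed through to the plugins
 * @param newDbName database the table belongs to after the rename
 * @param newTabName new table name
 * @param newPath new storage location, passed through to the plugins
 * @throws MetaException if the Sentry rename fails or the local user cannot be resolved
 */
private void renameSentryTablePrivilege(String oldDbName, String oldTabName, String oldPath,
    String newDbName, String newTabName, String newPath) throws MetaException {
  List<Authorizable> oldAuthorizableTable = buildTableAuthorizables(oldDbName, oldTabName);
  List<Authorizable> newAuthorizableTable = buildTableAuthorizables(newDbName, newTabName);

  // NOTE(review): only the table name is compared here. A rename that moves the table
  // to a different database while keeping its name would skip the Sentry update —
  // confirm whether that case can reach this listener.
  if (!oldTabName.equalsIgnoreCase(newTabName)
      && syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE)) {
    try {
      String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
      SentryPolicyServiceClient sentryClient = getSentryServiceClient();
      // NOTE(review): the client is not closed on this code path; confirm whether this
      // client type needs releasing.
      sentryClient.renamePrivileges(requestorUserName, oldAuthorizableTable, newAuthorizableTable);
    } catch (SentryUserException e) {
      // The original message ran "<old>to <new>" together; a separating space is added.
      throw new MetaException("Failed to remove Sentry policies for rename table " + oldDbName + "."
          + oldTabName + " to " + newDbName + "." + newTabName + " Error: " + e.getMessage());
    } catch (IOException e) {
      throw new MetaException("Failed to find local user " + e.getMessage());
    }
  }

  // The HDFS plugin needs to know about the rename regardless, since it may be a
  // path change (set location) rather than a name change.
  for (SentryMetastoreListenerPlugin plugin : sentryPlugins) {
    plugin.renameAuthzObject(oldDbName + "." + oldTabName, oldPath,
        newDbName + "." + newTabName, newPath);
  }
}

/** Builds the server / database / table authorizable chain Sentry expects for one table. */
private List<Authorizable> buildTableAuthorizables(String dbName, String tabName) {
  List<Authorizable> chain = new ArrayList<Authorizable>();
  chain.add(server);
  chain.add(new Database(dbName));
  chain.add(new Table(tabName));
  return chain;
}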
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListenerBase.java
License:Apache License
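/**
 * Drops every Sentry privilege held on the given authorizable chain
 * (server / database / table), issuing the request as the current UGI short user name.
 * The service client is released in all cases, not only on success.
 *
 * @param authorizableTable the authorizable chain whose privileges are removed
 * @throws SentryUserException if the Sentry service rejects the drop request
 * @throws IOException if the current user cannot be resolved via UserGroupInformation
 * @throws MetaException declared by the original signature; presumably raised while
 *     obtaining the service client — the throwing call is not visible here
 */
private void dropSentryPrivileges(List<? extends Authorizable> authorizableTable)
    throws SentryUserException, IOException, MetaException {
  String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  SentryPolicyServiceClient sentryClient = getSentryServiceClient();
  try {
    sentryClient.dropPrivileges(requestorUserName, authorizableTable);
  } finally {
    // Close the connection whether or not dropPrivileges threw; previously the client
    // was only closed on the success path and leaked on failure.
    sentryClient.close();
  }
}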
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListenerBase.java
License:Apache License
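/**
 * Mirrors a table rename into the Sentry policy store (when configured to sync alter
 * events and the table name actually changed) and then notifies every registered
 * metastore listener plugin so HDFS-side state can follow the rename.
 *
 * @param oldDbName database the table belonged to before the rename
 * @param oldTabName previous table name
 * @param oldPath previous storage location, passed through to the plugins
 * @param newDbName database the table belongs to after the rename
 * @param newTabName new table name
 * @param newPath new storage location, passed through to the plugins
 * @throws MetaException if the Sentry rename fails or the local user cannot be resolved
 */
private void renameSentryTablePrivilege(String oldDbName, String oldTabName, String oldPath,
    String newDbName, String newTabName, String newPath) throws MetaException {
  List<Authorizable> oldAuthorizableTable = buildTableAuthorizables(oldDbName, oldTabName);
  List<Authorizable> newAuthorizableTable = buildTableAuthorizables(newDbName, newTabName);

  // NOTE(review): only the table name is compared here. A rename that moves the table
  // to a different database while keeping its name would skip the Sentry update —
  // confirm whether that case can reach this listener.
  if (!oldTabName.equalsIgnoreCase(newTabName)
      && syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE)) {
    SentryPolicyServiceClient sentryClient = getSentryServiceClient();
    try {
      String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
      sentryClient.renamePrivileges(requestorUserName, oldAuthorizableTable, newAuthorizableTable);
    } catch (SentryUserException e) {
      // The original message ran "<old>to <new>" together; a separating space is added.
      throw new MetaException("Failed to remove Sentry policies for rename table " + oldDbName + "."
          + oldTabName + " to " + newDbName + "." + newTabName + " Error: " + e.getMessage());
    } catch (IOException e) {
      throw new MetaException("Failed to find local user " + e.getMessage());
    } finally {
      // Release the connection whether or not the rename succeeded.
      sentryClient.close();
    }
  }

  // The HDFS plugin needs to know about the rename regardless, since it may be a
  // path change (set location) rather than a name change.
  for (SentryMetastoreListenerPlugin plugin : sentryPlugins) {
    plugin.renameAuthzObject(oldDbName + "." + oldTabName, oldPath,
        newDbName + "." + newTabName, newPath);
  }
}

/** Builds the server / database / table authorizable chain Sentry expects for one table. */
private List<Authorizable> buildTableAuthorizables(String dbName, String tabName) {
  List<Authorizable> chain = new ArrayList<Authorizable>();
  chain.add(server);
  chain.add(new Database(dbName));
  chain.add(new Table(tabName));
  return chain;
}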
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListenerBaseV2.java
License:Apache License
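/**
 * Drops every Sentry privilege held on the given authorizable chain
 * (server / database / table), issuing the request as the current UGI short user name.
 * The client is a try-with-resources resource and is always closed.
 *
 * <p>Failures are surfaced to the caller. The previous version caught {@code Exception}
 * and only printed the stack trace, which silently discarded a rejected drop request
 * even though this method declares {@code SentryUserException}.
 *
 * @param authorizableTable the authorizable chain whose privileges are removed
 * @throws SentryUserException if the Sentry service rejects the drop request
 * @throws IOException if the current user cannot be resolved via UserGroupInformation
 * @throws MetaException if obtaining or closing the client, or any other unchecked
 *     failure during the drop, prevents the request from completing
 */
private void dropSentryPrivileges(List<? extends Authorizable> authorizableTable)
    throws SentryUserException, IOException, MetaException {
  String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  try (SentryPolicyServiceClient sentryClient = getSentryServiceClient()) {
    sentryClient.dropPrivileges(requestorUserName, authorizableTable);
  } catch (SentryUserException e) {
    // Part of this method's contract; let the caller decide how to fail the event.
    throw e;
  } catch (Exception e) {
    // Covers close() failures and unchecked errors from the client call. Raising here
    // lets the caller fail the metastore event instead of continuing as if the
    // privileges had been dropped.
    throw new MetaException("Failed to drop Sentry privileges Error: " + e.getMessage());
  }
}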
From source file:org.apache.sentry.binding.metastore.SentryMetastorePostEventListenerBaseV2.java
License:Apache License
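/**
 * Mirrors a table rename into the Sentry policy store (when configured to sync alter
 * events and the table name actually changed) and then notifies every registered
 * metastore listener plugin so HDFS-side state can follow the rename.
 *
 * <p>Every failure of the Sentry call is converted to a {@link MetaException}. The
 * previous version caught {@code Exception} and only printed the stack trace, so an
 * unchecked client error (or a failed {@code close()}) let the rename proceed without
 * the policy store having been updated.
 *
 * @param oldDbName database the table belonged to before the rename
 * @param oldTabName previous table name
 * @param oldPath previous storage location, passed through to the plugins
 * @param newDbName database the table belongs to after the rename
 * @param newTabName new table name
 * @param newPath new storage location, passed through to the plugins
 * @throws MetaException if the Sentry rename fails, the local user cannot be resolved,
 *     or the client cannot be obtained or closed
 */
private void renameSentryTablePrivilege(String oldDbName, String oldTabName, String oldPath,
    String newDbName, String newTabName, String newPath) throws MetaException {
  List<Authorizable> oldAuthorizableTable = buildTableAuthorizables(oldDbName, oldTabName);
  List<Authorizable> newAuthorizableTable = buildTableAuthorizables(newDbName, newTabName);

  // NOTE(review): only the table name is compared here. A rename that moves the table
  // to a different database while keeping its name would skip the Sentry update —
  // confirm whether that case can reach this listener.
  if (!oldTabName.equalsIgnoreCase(newTabName)
      && syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE)) {
    try (SentryPolicyServiceClient sentryClient = getSentryServiceClient()) {
      String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
      sentryClient.renamePrivileges(requestorUserName, oldAuthorizableTable, newAuthorizableTable);
    } catch (SentryUserException e) {
      // The original message ran "<old>to <new>" together; a separating space is added.
      throw new MetaException("Failed to remove Sentry policies for rename table " + oldDbName + "."
          + oldTabName + " to " + newDbName + "." + newTabName + " Error: " + e.getMessage());
    } catch (IOException e) {
      throw new MetaException("Failed to find local user " + e.getMessage());
    } catch (Exception e) {
      // Previously swallowed with printStackTrace(); surface it so the event fails loudly.
      throw new MetaException("Failed to rename Sentry policies for table " + oldDbName + "."
          + oldTabName + " to " + newDbName + "." + newTabName + " Error: " + e.getMessage());
    }
  }

  // The HDFS plugin needs to know about the rename regardless, since it may be a
  // path change (set location) rather than a name change.
  for (SentryMetastoreListenerPlugin plugin : sentryPlugins) {
    plugin.renameAuthzObject(oldDbName + "." + oldTabName, oldPath,
        newDbName + "." + newTabName, newPath);
  }
}

/** Builds the server / database / table authorizable chain Sentry expects for one table. */
private List<Authorizable> buildTableAuthorizables(String dbName, String tabName) {
  List<Authorizable> chain = new ArrayList<Authorizable>();
  chain.add(server);
  chain.add(new Database(dbName));
  chain.add(new Table(tabName));
  return chain;
}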
From source file:org.apache.sentry.hdfs.TestSentryAuthorizationProvider.java
License:Apache License
/**
 * End-to-end check of the authorization provider on the mini DFS cluster: directories
 * outside the managed prefix, and non-object directories inside it, keep their plain
 * HDFS owner/group/permission and have no ACL entries, while the directory registered
 * as a Sentry object (and its children) is reported as hive:hive with mode 0770 and a
 * synthesized ACL.
 */
@Test
public void testProvider() throws Exception {
  admin.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      String sysUser = UserGroupInformation.getCurrentUser().getShortUserName();
      FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0));

      // Base ACL: one ACCESS entry each for user, group and other, with no explicit
      // permission set. The same builder instance is reused, as in the original fixture.
      List<AclEntry> baseAclList = new ArrayList<AclEntry>();
      AclEntry.Builder builder = new AclEntry.Builder();
      for (AclEntryType type : new AclEntryType[] {
          AclEntryType.USER, AclEntryType.GROUP, AclEntryType.OTHER}) {
        baseAclList.add(builder.setType(type).setScope(AclEntryScope.ACCESS).build());
      }

      Path objChild = new Path("/user/authz/obj/xxx");
      fs.mkdirs(objChild);
      fs.setAcl(objChild, baseAclList);
      fs.mkdirs(new Path("/user/authz/xxx"));
      fs.mkdirs(new Path("/user/xxx"));

      // Root, the directory above the prefix, the prefix itself and a non-object
      // directory inside the prefix all keep their native HDFS attributes.
      for (String plain : new String[] {"/", "/user", "/user/authz", "/user/authz/xxx"}) {
        Path path = new Path(plain);
        assertDirStatus(fs, path, sysUser, "supergroup", 0755);
        assertAclEntries(fs, path, true);
      }

      // The Sentry object inside the prefix is presented as hive:hive 0770 with an ACL.
      Path obj = new Path("/user/authz/obj");
      assertDirStatus(fs, obj, "hive", "hive", 0770);
      assertAclEntries(fs, obj, false);
      List<AclEntry> expectedAcls = new ArrayList<AclEntry>();
      expectedAcls.add(accessEntry(sysUser, AclEntryType.USER, FsAction.ALL));
      expectedAcls.add(accessEntry("supergroup", AclEntryType.GROUP, FsAction.READ_EXECUTE));
      expectedAcls.add(accessEntry("user-authz", AclEntryType.USER, FsAction.ALL));
      Assert.assertEquals(new LinkedHashSet<AclEntry>(expectedAcls),
          new LinkedHashSet<AclEntry>(fs.getAclStatus(obj).getEntries()));

      // A directory under the object is expected to be presented the same way.
      assertDirStatus(fs, objChild, "hive", "hive", 0770);
      assertAclEntries(fs, objChild, false);

      Path path2 = new Path("/user/authz/obj/path2");
      fs.mkdirs(path2);
      fs.setAcl(path2, baseAclList);

      // Outside the prefix nothing is rewritten.
      Path outside = new Path("/user/xxx");
      assertDirStatus(fs, outside, sysUser, "supergroup", 0755);
      assertAclEntries(fs, outside, true);
      return null;
    }
  });
}

/** Asserts the owner, group and permission bits that {@code fs} reports for {@code path}. */
private static void assertDirStatus(FileSystem fs, Path path, String owner, String group,
    int perm) throws Exception {
  FileStatus status = fs.getFileStatus(path);
  Assert.assertEquals(owner, status.getOwner());
  Assert.assertEquals(group, status.getGroup());
  Assert.assertEquals(new FsPermission((short) perm), status.getPermission());
}

/** Asserts whether {@code path} has no ACL entries ({@code expectEmpty}) or at least one. */
private static void assertAclEntries(FileSystem fs, Path path, boolean expectEmpty)
    throws Exception {
  boolean empty = fs.getAclStatus(path).getEntries().isEmpty();
  if (expectEmpty) {
    Assert.assertTrue(empty);
  } else {
    Assert.assertFalse(empty);
  }
}

/** Builds a named ACCESS-scope ACL entry with the given permission. */
private static AclEntry accessEntry(String name, AclEntryType type, FsAction action) {
  return new AclEntry.Builder()
      .setName(name)
      .setType(type)
      .setScope(AclEntryScope.ACCESS)
      .setPermission(action)
      .build();
}
From source file:org.apache.sentry.hdfs.TestSentryINodeAttributesProvider.java
License:Apache License
/**
 * End-to-end check of the INode attributes provider on the mini DFS cluster. Directories
 * outside the managed prefix, and non-object directories inside it, keep their plain
 * HDFS attributes and accept setPermission/setOwner; the directory registered as a
 * Sentry object is reported as hive:hive 0771 with a synthesized ACL and ignores
 * setPermission/setOwner. The second half flips the {@code test.stale} property and
 * re-checks a non-object directory inside the prefix.
 */
@Test
public void testProvider() throws Exception {
  admin.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      String sysUser = UserGroupInformation.getCurrentUser().getShortUserName();
      FileSystem fs = FileSystem.get(miniDFS.getConfiguration(0));

      // Base ACL: one ACCESS entry each for user, group and other, with no explicit
      // permission set. The same builder instance is reused, as in the original fixture.
      List<AclEntry> baseAclList = new ArrayList<AclEntry>();
      AclEntry.Builder builder = new AclEntry.Builder();
      for (AclEntryType type : new AclEntryType[] {
          AclEntryType.USER, AclEntryType.GROUP, AclEntryType.OTHER}) {
        baseAclList.add(builder.setType(type).setScope(AclEntryScope.ACCESS).build());
      }

      Path objChild = new Path("/user/authz/obj/xxx");
      fs.mkdirs(objChild);
      fs.setAcl(objChild, baseAclList);
      fs.mkdirs(new Path("/user/authz/xxx"));
      fs.mkdirs(new Path("/user/xxx"));

      // Root, the directory above the prefix, the prefix itself and a non-object
      // directory inside the prefix all keep their native HDFS attributes.
      for (String plain : new String[] {"/", "/user", "/user/authz", "/user/authz/xxx"}) {
        Path path = new Path(plain);
        assertDirStatus(fs, path, sysUser, "supergroup", 0755);
        assertAclEntries(fs, path, true);
      }

      // The Sentry object inside the prefix is presented as hive:hive 0771 with an ACL.
      Path obj = new Path("/user/authz/obj");
      assertDirStatus(fs, obj, "hive", "hive", 0771);
      assertAclEntries(fs, obj, false);
      List<AclEntry> expectedAcls = new ArrayList<AclEntry>();
      expectedAcls.add(accessEntry(sysUser, AclEntryType.USER, FsAction.ALL));
      expectedAcls.add(accessEntry("supergroup", AclEntryType.GROUP, FsAction.READ_EXECUTE));
      expectedAcls.add(accessEntry("user-authz", AclEntryType.USER, FsAction.ALL));
      Assert.assertEquals(new LinkedHashSet<AclEntry>(expectedAcls),
          new LinkedHashSet<AclEntry>(fs.getAclStatus(obj).getEntries()));

      // A directory under the object is expected to be presented the same way.
      assertDirStatus(fs, objChild, "hive", "hive", 0771);
      assertAclEntries(fs, objChild, false);

      Path path2 = new Path("/user/authz/obj/path2");
      fs.mkdirs(path2);
      fs.setAcl(path2, baseAclList);

      // Outside the prefix nothing is rewritten.
      Path outside = new Path("/user/xxx");
      assertDirStatus(fs, outside, sysUser, "supergroup", 0755);
      assertAclEntries(fs, outside, true);

      // Stale mode: a non-object directory inside the prefix still reports native
      // attributes. (What "stale" means for the provider is not visible in this test.)
      System.setProperty("test.stale", "true");
      Path insideNoObj = new Path("/user/authz/xxx");
      assertDirStatus(fs, insideNoObj, sysUser, "supergroup", 0755);
      assertAclEntries(fs, insideNoObj, true);

      // Outside the prefix, setPermission and setOwner take effect.
      Path pathOutside = new Path("/user/xxx");
      fs.setPermission(pathOutside, new FsPermission((short) 0000));
      Assert.assertEquals(new FsPermission((short) 0000),
          fs.getFileStatus(pathOutside).getPermission());
      fs.setOwner(pathOutside, sysUser, "supergroup");
      Assert.assertEquals(sysUser, fs.getFileStatus(pathOutside).getOwner());
      Assert.assertEquals("supergroup", fs.getFileStatus(pathOutside).getGroup());

      // Outside the prefix, removeAclEntries really removes the entries.
      List<AclEntry> acl = new ArrayList<AclEntry>();
      acl.add(accessEntry("supergroup", AclEntryType.GROUP, FsAction.READ_EXECUTE));
      List<AclEntry> aclsOutside = new ArrayList<AclEntry>(baseAclList);
      aclsOutside.addAll(acl);
      fs.setAcl(pathOutside, aclsOutside);
      fs.removeAclEntries(pathOutside, acl);
      Assert.assertFalse(fs.getAclStatus(pathOutside).getEntries().containsAll(acl));

      // Inside the prefix but not a hive object: setPermission and setOwner take effect,
      // and removeAclEntries is a no-op on an already empty ACL.
      Path pathInside = new Path("/user/authz/xxx");
      fs.setPermission(pathInside, new FsPermission((short) 0000));
      Assert.assertEquals(new FsPermission((short) 0000),
          fs.getFileStatus(pathInside).getPermission());
      fs.setOwner(pathInside, sysUser, "supergroup");
      Assert.assertEquals(sysUser, fs.getFileStatus(pathInside).getOwner());
      Assert.assertEquals("supergroup", fs.getFileStatus(pathInside).getGroup());
      assertAclEntries(fs, pathInside, true);
      fs.removeAclEntries(pathInside, acl);
      assertAclEntries(fs, pathInside, true);

      // Inside the prefix and a hive object: setPermission and setOwner are ignored.
      Path pathInsideAndHive = new Path("/user/authz/obj");
      fs.setPermission(pathInsideAndHive, new FsPermission((short) 0000));
      Assert.assertEquals(new FsPermission((short) 0771),
          fs.getFileStatus(pathInsideAndHive).getPermission());
      fs.setOwner(pathInsideAndHive, sysUser, "supergroup");
      Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getOwner());
      Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getGroup());
      return null;
    }
  });
}

/** Asserts the owner, group and permission bits that {@code fs} reports for {@code path}. */
private static void assertDirStatus(FileSystem fs, Path path, String owner, String group,
    int perm) throws Exception {
  FileStatus status = fs.getFileStatus(path);
  Assert.assertEquals(owner, status.getOwner());
  Assert.assertEquals(group, status.getGroup());
  Assert.assertEquals(new FsPermission((short) perm), status.getPermission());
}

/** Asserts whether {@code path} has no ACL entries ({@code expectEmpty}) or at least one. */
private static void assertAclEntries(FileSystem fs, Path path, boolean expectEmpty)
    throws Exception {
  boolean empty = fs.getAclStatus(path).getEntries().isEmpty();
  if (expectEmpty) {
    Assert.assertTrue(empty);
  } else {
    Assert.assertFalse(empty);
  }
}

/** Builds a named ACCESS-scope ACL entry with the given permission. */
private static AclEntry accessEntry(String name, AclEntryType type, FsAction action) {
  return new AclEntry.Builder()
      .setName(name)
      .setType(type)
      .setScope(AclEntryScope.ACCESS)
      .setPermission(action)
      .build();
}
From source file:org.apache.sentry.provider.db.generic.SentryGenericProviderBackend.java
License:Apache License
/**
 * Resolves the Sentry roles granted to any of the given groups for this component.
 *
 * <p>With caching enabled the lookup is delegated to the superclass; otherwise each
 * group is queried on the Sentry generic service as the current UGI short user name.
 * The result is restricted to {@code roleSet} unless it selects all roles. Any failure
 * is logged and yields an empty set, so callers see no roles rather than an exception —
 * for an authorization lookup this errs toward denial.
 *
 * @param groups group names to look up
 * @param roleSet active role filter; {@code isAll()} disables filtering
 * @return the matching role names, or an empty set on any error
 * @throws IllegalStateException if the backend was never initialized
 */
@Override
public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) {
  if (!initialized) {
    throw new IllegalStateException("SentryGenericProviderBackend has not been properly initialized");
  }
  if (enableCaching) {
    return super.getRoles(groups, roleSet);
  }

  try (SentryGenericServiceClient client = getClient()) {
    String requestor = UserGroupInformation.getCurrentUser().getShortUserName();
    // Union of the roles of every requested group.
    Set<TSentryRole> fetched = Sets.newHashSet();
    for (String group : groups) {
      fetched.addAll(client.listRolesByGroupName(requestor, group, getComponentType()));
    }
    Set<String> names = Sets.newHashSet();
    for (TSentryRole role : fetched) {
      names.add(role.getRoleName());
    }
    if (roleSet.isAll()) {
      return ImmutableSet.copyOf(names);
    }
    return ImmutableSet.copyOf(Sets.intersection(names, roleSet.getRoles()));
  } catch (SentryUserException e) {
    LOGGER.error("Unable to obtain roles from server: " + e.getMessage(), e);
  } catch (Exception e) {
    // Also reached for IOException from getCurrentUser() and for close() failures.
    LOGGER.error("Unable to obtain client:" + e.getMessage(), e);
  }
  return ImmutableSet.of();
}
From source file:org.apache.sentry.provider.db.generic.service.thrift.SearchProviderBackend.java
License:Apache License
/**
 * Creates a backend bound to {@code conf}. The subject used as the requester when
 * talking to the Sentry service is the current UGI short user name, i.e. the identity
 * under which this backend is constructed.
 *
 * @param conf Hadoop configuration retained for later use
 * @param resourcePath accepted for interface compatibility; not used by this constructor
 * @throws Exception declared by the original; in this body only UserGroupInformation
 *     can throw (an IOException if the current user cannot be determined)
 */
public SearchProviderBackend(Configuration conf, String resourcePath) throws Exception {
  this.conf = conf;
  String requester = UserGroupInformation.getCurrentUser().getShortUserName();
  subject = new Subject(requester);
}