AuthorizationPolicy.java

Go to the documentation of this file.

// Copyright 2014 Cloudera Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package com.cloudera.impala.catalog;

import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.net.ntp.TimeStamp;
import org.apache.log4j.Logger;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.provider.cache.PrivilegeCache;

import com.cloudera.impala.thrift.TColumn;
import com.cloudera.impala.thrift.TPrivilege;
import com.cloudera.impala.thrift.TResultRow;
import com.cloudera.impala.thrift.TResultSet;
import com.cloudera.impala.thrift.TResultSetMetadata;
import com.cloudera.impala.util.TResultRowBuilder;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;

public class AuthorizationPolicy implements PrivilegeCache {
  private static final Logger LOG = Logger.getLogger(AuthorizationPolicy.class);

  // Cache of role names (case-insensitive) to role objects.
  private final CatalogObjectCache<Role> roleCache_ = new CatalogObjectCache<Role>();

  // Map of role ID -> role name. Used to match privileges to roles.
  Map<Integer, String> roleIds_ = Maps.newHashMap();

  // Map of group name (case sensitive) to set of role names (case insensitive) that
  // have been granted to this group. Kept in sync with roleCache_. Provides efficient
  // lookups of Role by group name.
  Map<String, Set<String>> groupsToRoles_ = Maps.newHashMap();

  public synchronized void addRole(Role role) {
    Role existingRole = roleCache_.get(role.getName());
    // There is already a newer version of this role in the catalog, ignore
    // just return.
    if (existingRole != null &&
        existingRole.getCatalogVersion() >= role.getCatalogVersion()) return;

    // If there was an existing role that was replaced we first need to remove it.
    if (existingRole != null) {
      // Remove the role. This will also clean up the grantGroup mappings.
      removeRole(existingRole.getName());
      if (existingRole.getId() == role.getId()) {
        // Copy the privileges from the existing role.
        for (RolePrivilege p: existingRole.getPrivileges()) {
          role.addPrivilege(p);
        }
      }
    }
    roleCache_.add(role);

    // Add new grants
    for (String groupName: role.getGrantGroups()) {
      Set<String> grantedRoles = groupsToRoles_.get(groupName);
      if (grantedRoles == null) {
        grantedRoles = Sets.newHashSet();
        groupsToRoles_.put(groupName, grantedRoles);
      }
      grantedRoles.add(role.getName().toLowerCase());
    }

    // Add this role to the role ID mapping
    roleIds_.put(role.getId(), role.getName());
  }

  public synchronized void addPrivilege(RolePrivilege privilege)
      throws CatalogException {
    LOG.trace("Adding privilege: " + privilege.getName() +
        " role ID: " + privilege.getRoleId());
    Role role = getRole(privilege.getRoleId());
    if (role == null) {
      throw new CatalogException(String.format("Error adding privilege: %s. Role ID " +
          "'%d' does not exist.", privilege.getName(), privilege.getRoleId()));
    }
    LOG.trace("Adding privilege: " + privilege.getName() + " to role: " +
        role.getName() + "ID: " + role.getId());
    role.addPrivilege(privilege);
  }

  public synchronized RolePrivilege removePrivilege(RolePrivilege privilege)
      throws CatalogException {
    Role role = getRole(privilege.getRoleId());
    if (role == null) {
      throw new CatalogException(String.format("Error removing privilege: %s. Role ID " +
          "'%d' does not exist.", privilege.getName(), privilege.getRoleId()));
    }
    LOG.trace("Removing privilege: '" + privilege.getName() + "' from Role ID: " +
        privilege.getRoleId() + " Role Name: " + role.getName());
    return role.removePrivilege(privilege.getName());
  }

  public synchronized List<Role> getAllRoles() {
    return roleCache_.getValues();
  }

  public synchronized Set<String> getAllRoleNames() {
    return Sets.newHashSet(roleCache_.keySet());
  }

  public synchronized Role getRole(String roleName) {
    return roleCache_.get(roleName);
  }

  public synchronized Role getRole(int roleId) {
    String roleName = roleIds_.get(roleId);
    if (roleName == null) return null;
    return roleCache_.get(roleName);
  }

  public synchronized RolePrivilege getPrivilege(int roleId, String privilegeName) {
    String roleName = roleIds_.get(roleId);
    if (roleName == null) return null;
    Role role = roleCache_.get(roleName);
    return role.getPrivilege(privilegeName);
  }

  public synchronized List<Role> getGrantedRoles(String groupName) {
    List<Role> grantedRoles = Lists.newArrayList();
    Set<String> roleNames = groupsToRoles_.get(groupName);
    if (roleNames != null) {
      for (String roleName: roleNames) {
        // TODO: verify they actually exist.
        Role role = roleCache_.get(roleName);
        if (role != null) grantedRoles.add(roleCache_.get(roleName));
      }
    }
    return grantedRoles;
  }

  public synchronized Role removeRole(String roleName) {
    Role removedRole = roleCache_.remove(roleName);
    if (removedRole == null) return null;
    // Cleanup grant groups
    for (String grantGroup: removedRole.getGrantGroups()) {
      // Remove this role from all of its grant groups.
      Set<String> roles = groupsToRoles_.get(grantGroup);
      if (roles != null) roles.remove(roleName.toLowerCase());
    }
    // Cleanup role id.
    roleIds_.remove(removedRole.getId());
    return removedRole;
  }

  public synchronized Role addGrantGroup(String roleName, String groupName)
      throws CatalogException {
    Role role = roleCache_.get(roleName);
    if (role == null) throw new CatalogException("Role does not exist: " + roleName);
    role.addGrantGroup(groupName);
    Set<String> grantedRoles = groupsToRoles_.get(groupName);
    if (grantedRoles == null) {
      grantedRoles = Sets.newHashSet();
      groupsToRoles_.put(groupName, grantedRoles);
    }
    grantedRoles.add(roleName.toLowerCase());
    return role;
  }

  public synchronized Role removeGrantGroup(String roleName, String groupName)
      throws CatalogException {
    Role role = roleCache_.get(roleName);
    if (role == null) throw new CatalogException("Role does not exist: " + roleName);
    role.removeGrantGroup(groupName);
    Set<String> grantedRoles = groupsToRoles_.get(groupName);
    if (grantedRoles != null) {
      grantedRoles.remove(roleName.toLowerCase());
    }
    return role;
  }

  @Override
  public synchronized Set<String>
      listPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
    Set<String> privileges = Sets.newHashSet();
    if (roleSet != ActiveRoleSet.ALL) {
      throw new UnsupportedOperationException("Impala does not support role subsets.");
    }

    // Collect all privileges granted to all roles.
    for (String groupName: groups) {
      List<Role> grantedRoles = getGrantedRoles(groupName);
      for (Role role: grantedRoles) {
        for (RolePrivilege privilege: role.getPrivileges()) {
          String authorizeable = privilege.getName();
          if (authorizeable == null) {
            LOG.trace("Ignoring invalid privilege: " + privilege.getName());
            continue;
          }
          privileges.add(authorizeable);
        }
      }
    }
    return privileges;
  }

  @Override
  public void close() {
    // Nothing to do, but required by PrivilegeCache.
  }

  public synchronized TResultSet getRolePrivileges(String roleName, TPrivilege filter) {
    TResultSet result = new TResultSet();
    result.setSchema(new TResultSetMetadata());
    result.getSchema().addToColumns(new TColumn("scope", Type.STRING.toThrift()));
    result.getSchema().addToColumns(new TColumn("database", Type.STRING.toThrift()));
    result.getSchema().addToColumns(new TColumn("table", Type.STRING.toThrift()));
    result.getSchema().addToColumns(new TColumn("uri", Type.STRING.toThrift()));
    result.getSchema().addToColumns(new TColumn("privilege", Type.STRING.toThrift()));
    result.getSchema().addToColumns(
        new TColumn("grant_option", Type.BOOLEAN.toThrift()));
    result.getSchema().addToColumns(new TColumn("create_time", Type.STRING.toThrift()));
    result.setRows(Lists.<TResultRow>newArrayList());

    Role role = getRole(roleName);
    if (role == null) return result;
    for (RolePrivilege p: role.getPrivileges()) {
      TPrivilege privilege = p.toThrift();
      if (filter != null) {
        // Check if the privileges are targeting the same object.
        filter.setPrivilege_level(privilege.getPrivilege_level());
        String privName = RolePrivilege.buildRolePrivilegeName(filter);
        if (!privName.equalsIgnoreCase(privilege.getPrivilege_name())) continue;
      }
      TResultRowBuilder rowBuilder = new TResultRowBuilder();
      rowBuilder.add(privilege.getScope().toString());
      rowBuilder.add(Strings.nullToEmpty(privilege.getDb_name()));
      rowBuilder.add(Strings.nullToEmpty(privilege.getTable_name()));
      rowBuilder.add(Strings.nullToEmpty(privilege.getUri()));
      rowBuilder.add(privilege.getPrivilege_level().toString());
      rowBuilder.add(Boolean.toString(privilege.isHas_grant_opt()));
      if (privilege.getCreate_time_ms() == -1) {
        rowBuilder.add(null);
      } else {
        rowBuilder.add(
            TimeStamp.getNtpTime(privilege.getCreate_time_ms()).toDateString());
      }
      result.addToRows(rowBuilder.get());
    }
    return result;
  }
}