Impala
Impala is the open source, native analytic database for Apache Hadoop.
Public Member Functions | |
synchronized void | addRole (Role role) |
synchronized void | addPrivilege (RolePrivilege privilege) throws CatalogException |
synchronized RolePrivilege | removePrivilege (RolePrivilege privilege) throws CatalogException |
synchronized List< Role > | getAllRoles () |
synchronized Set< String > | getAllRoleNames () |
synchronized Role | getRole (String roleName) |
synchronized Role | getRole (int roleId) |
synchronized RolePrivilege | getPrivilege (int roleId, String privilegeName) |
synchronized List< Role > | getGrantedRoles (String groupName) |
synchronized Role | removeRole (String roleName) |
synchronized Role | addGrantGroup (String roleName, String groupName) throws CatalogException |
synchronized Role | removeGrantGroup (String roleName, String groupName) throws CatalogException |
synchronized Set< String > | listPrivileges (Set< String > groups, ActiveRoleSet roleSet) |
void | close () |
synchronized TResultSet | getRolePrivileges (String roleName, TPrivilege filter) |
Package Attributes | |
Map< Integer, String > | roleIds_ = Maps.newHashMap() |
Map< String, Set< String > > | groupsToRoles_ = Maps.newHashMap() |
Private Attributes | |
final CatalogObjectCache< Role > | roleCache_ = new CatalogObjectCache<Role>() |
Static Private Attributes | |
static final Logger | LOG = Logger.getLogger(AuthorizationPolicy.class) |
A thread safe authorization policy cache, consisting of roles, the groups that are members of each role, and the privileges associated with each role. The source data this cache is backing is read from the Sentry Policy Service. Writing to the cache will replace any matching items, but will not write back to the Sentry Policy Service.

A role can have 0 or more privileges, and roles are stored in a map of role name to role object. For example: RoleName -> Role -> [RolePriv1, ..., RolePrivN]

To ensure we can efficiently retrieve the roles that a user is a member of, a map of user group name to role name is tracked as grantGroups_. To reduce duplication of metadata, privileges are linked to roles using a "role ID" rather than embedding the role name. When a privilege is added to a role, the owning role is looked up by that ID using the roleIds_ map.

Acts as the backing cache for the Sentry cache-based provider (which is why PrivilegeCache is implemented).

TODO: Instead of calling into Sentry to perform final authorization checks, we should parse/validate the privileges in Impala.
Definition at line 55 of file AuthorizationPolicy.java.
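To make the structure described above concrete, here is an added, self-contained Java illustration of the same design: roles keyed by name, a role ID to role name map so privileges need only carry an ID, and a group to role-name map so a caller's privileges can be resolved from its group memberships. This is example code written for this page, not Impala's AuthorizationPolicy; the class names (RolePolicyCacheExample, PolicyException), the simplified Role type and the privilege strings in main are constructed for the illustration.

```java
import java.util.*;

// Added illustration (not Impala's own code): a minimal thread-safe
// role/group/privilege cache mirroring the layout described above.
public final class RolePolicyCacheExample {

    /** A role with a numeric ID, its privileges and the groups granted the role. */
    static final class Role {
        final int id;
        final String name;
        final Map<String, String> privileges = new HashMap<>(); // privilege name -> privilege string
        final Set<String> grantGroups = new HashSet<>();
        Role(int id, String name) { this.id = id; this.name = name; }
    }

    /** Stand-in for CatalogException (assumed name). */
    static final class PolicyException extends Exception {
        PolicyException(String msg) { super(msg); }
    }

    // role name -> Role (plays the part of roleCache_)
    private final Map<String, Role> roles = new HashMap<>();
    // role ID -> role name (plays the part of roleIds_)
    private final Map<Integer, String> roleIds = new HashMap<>();
    // group name -> names of roles granted to that group (plays the part of groupsToRoles_)
    private final Map<String, Set<String>> groupsToRoles = new HashMap<>();

    /** Same-name role with the same ID keeps its privileges; a different ID replaces it outright. */
    public synchronized void addRole(Role role) {
        Role existing = roles.get(role.name);
        if (existing != null) {
            if (existing.id == role.id) role.privileges.putAll(existing.privileges);
            removeRole(existing.name);
        }
        roles.put(role.name, role);
        roleIds.put(role.id, role.name);
        for (String g : role.grantGroups) {
            groupsToRoles.computeIfAbsent(g, k -> new HashSet<>()).add(role.name);
        }
    }

    /** Removes the role and every index entry that pointed at it; null if absent. */
    public synchronized Role removeRole(String roleName) {
        Role removed = roles.remove(roleName);
        if (removed == null) return null;
        roleIds.remove(removed.id);
        for (String g : removed.grantGroups) {
            Set<String> names = groupsToRoles.get(g);
            if (names != null) {
                names.remove(roleName);
                if (names.isEmpty()) groupsToRoles.remove(g);
            }
        }
        return removed;
    }

    public synchronized Role getRole(int roleId) {
        String name = roleIds.get(roleId);
        return name == null ? null : roles.get(name);
    }

    /** Links a privilege to the role identified by roleId; unknown IDs are rejected. */
    public synchronized void addPrivilege(int roleId, String privName, String privString)
            throws PolicyException {
        Role role = getRole(roleId);
        if (role == null) throw new PolicyException("No role with ID " + roleId);
        role.privileges.put(privName, privString);
    }

    public synchronized Role addGrantGroup(String roleName, String groupName) throws PolicyException {
        Role role = roles.get(roleName);
        if (role == null) throw new PolicyException("No role named " + roleName);
        role.grantGroups.add(groupName);
        groupsToRoles.computeIfAbsent(groupName, k -> new HashSet<>()).add(roleName);
        return role;
    }

    public synchronized List<Role> getGrantedRoles(String groupName) {
        List<Role> result = new ArrayList<>();
        for (String name : groupsToRoles.getOrDefault(groupName, Collections.emptySet())) {
            Role r = roles.get(name);
            if (r != null) result.add(r);
        }
        return result;
    }

    /** Union of privilege strings over every role granted to any of the caller's groups. */
    public synchronized Set<String> listPrivileges(Set<String> groups) {
        Set<String> privs = new HashSet<>();
        for (String g : groups) {
            for (Role r : getGrantedRoles(g)) privs.addAll(r.privileges.values());
        }
        return privs;
    }

    public static void main(String[] args) throws PolicyException {
        RolePolicyCacheExample policy = new RolePolicyCacheExample();
        policy.addRole(new Role(1, "analyst"));
        policy.addRole(new Role(2, "admin"));
        policy.addGrantGroup("analyst", "data_team");
        policy.addGrantGroup("admin", "ops_team");
        // Constructed privilege strings in a Sentry-like shape (illustrative only).
        policy.addPrivilege(1, "orders_select", "server=server1->db=sales->table=orders->action=select");
        policy.addPrivilege(2, "all", "server=server1->action=all");
        System.out.println(policy.listPrivileges(new HashSet<>(Arrays.asList("data_team"))));
        try {
            policy.addPrivilege(99, "dangling", "server=server1->action=select");
        } catch (PolicyException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the two index maps is visible in removeRole: because roleIds and groupsToRoles are derived views of the role map, every mutation has to keep them in step, which is why each public method is synchronized and why a role replaced under the same name with a different ID is removed first rather than overwritten in place.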
Member Function Documentation | |
synchronized Role com.cloudera.impala.catalog.AuthorizationPolicy.addGrantGroup (String roleName, String groupName) throws CatalogException [inline]
Adds a new grant group to the specified role. Returns the updated Role, if a matching role was found. If the role does not exist a CatalogException is thrown.
Definition at line 226 of file AuthorizationPolicy.java.
synchronized void com.cloudera.impala.catalog.AuthorizationPolicy.addPrivilege (RolePrivilege privilege) throws CatalogException [inline]
Adds a new privilege to the policy, mapping it to the role specified by the role ID in the privilege. Throws a CatalogException if no role with a corresponding ID exists in the catalog.
Definition at line 114 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.AuthorizationPolicy.getRole().
synchronized void com.cloudera.impala.catalog.AuthorizationPolicy.addRole (Role role) [inline]
Adds a new role to the policy. If a role with the same name already exists and the role IDs are different, it will be overwritten by the new role. If a role exists and the role IDs are the same, the privileges from the old role will be copied to the new role.
Definition at line 75 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.Role.getCatalogVersion(), com.cloudera.impala.catalog.Role.getGrantGroups(), com.cloudera.impala.catalog.Role.getId(), com.cloudera.impala.catalog.Role.getName(), com.cloudera.impala.catalog.Role.getPrivileges(), and com.cloudera.impala.catalog.AuthorizationPolicy.removeRole().
void com.cloudera.impala.catalog.AuthorizationPolicy.close () [inline]
Definition at line 286 of file AuthorizationPolicy.java.
synchronized Set< String > com.cloudera.impala.catalog.AuthorizationPolicy.getAllRoleNames () [inline]
Returns all role names in the policy. Returns an empty set if no roles exist.
Definition at line 156 of file AuthorizationPolicy.java.
synchronized List< Role > com.cloudera.impala.catalog.AuthorizationPolicy.getAllRoles () [inline]
Returns all roles in the policy. Returns an empty list if no roles exist.
Definition at line 149 of file AuthorizationPolicy.java.
Referenced by com.cloudera.impala.catalog.CatalogServiceCatalog.getCatalogObjects().
synchronized List< Role > com.cloudera.impala.catalog.AuthorizationPolicy.getGrantedRoles (String groupName) [inline]
Gets all roles granted to the specified group.
Definition at line 190 of file AuthorizationPolicy.java.
Referenced by com.cloudera.impala.catalog.AuthorizationPolicy.listPrivileges().
synchronized RolePrivilege com.cloudera.impala.catalog.AuthorizationPolicy.getPrivilege (int roleId, String privilegeName) [inline]
Gets a privilege from the given role ID. Returns null if there are no roles with a matching ID or if no privilege with this name exists for the role.
Definition at line 180 of file AuthorizationPolicy.java.
synchronized Role com.cloudera.impala.catalog.AuthorizationPolicy.getRole (String roleName) [inline]
Gets a role given a role name. Returns null if no roles exist with this name.
Definition at line 163 of file AuthorizationPolicy.java.
Referenced by com.cloudera.impala.catalog.AuthorizationPolicy.addPrivilege(), com.cloudera.impala.catalog.AuthorizationPolicy.getRolePrivileges(), and com.cloudera.impala.catalog.AuthorizationPolicy.removePrivilege().
synchronized Role com.cloudera.impala.catalog.AuthorizationPolicy.getRole (int roleId) [inline]
Gets a role given a role ID. Returns null if no roles exist with this ID.
Definition at line 170 of file AuthorizationPolicy.java.
synchronized TResultSet com.cloudera.impala.catalog.AuthorizationPolicy.getRolePrivileges (String roleName, TPrivilege filter) [inline]
Returns the privileges that have been granted to a role as a tabular result set. Allows for filtering based on a specific privilege spec or showing all privileges granted to the role. Used by the SHOW GRANT ROLE statement.
Definition at line 295 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.Type.BOOLEAN, com.cloudera.impala.catalog.AuthorizationPolicy.getRole(), com.cloudera.impala.catalog.Type.STRING, and com.cloudera.impala.catalog.ScalarType.toThrift().
synchronized Set< String > com.cloudera.impala.catalog.AuthorizationPolicy.listPrivileges (Set< String > groups, ActiveRoleSet roleSet) [inline]
Returns a set of privilege strings in Sentry format.
Definition at line 262 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.AuthorizationPolicy.getGrantedRoles().
synchronized Role com.cloudera.impala.catalog.AuthorizationPolicy.removeGrantGroup (String roleName, String groupName) throws CatalogException [inline]
Removes a grant group from the specified role. Returns the updated Role, if a matching role was found. If the role does not exist a CatalogException is thrown.
Definition at line 245 of file AuthorizationPolicy.java.
synchronized RolePrivilege com.cloudera.impala.catalog.AuthorizationPolicy.removePrivilege (RolePrivilege privilege) throws CatalogException [inline]
Removes a privilege from the policy, matching it to the role specified by the role ID in the privilege. Throws a CatalogException if no role with a corresponding ID exists in the catalog. Returns null if no matching privilege is found in this role.
Definition at line 134 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.AuthorizationPolicy.getRole().
synchronized Role com.cloudera.impala.catalog.AuthorizationPolicy.removeRole (String roleName) [inline]
Removes a role. Returns the removed role or null if no role with this name existed.
Definition at line 207 of file AuthorizationPolicy.java.
References com.cloudera.impala.catalog.Role.getGrantGroups().
Referenced by com.cloudera.impala.catalog.AuthorizationPolicy.addRole().
Member Data Documentation | |
Map< String, Set< String > > com.cloudera.impala.catalog.AuthorizationPolicy.groupsToRoles_ = Maps.newHashMap() [package]
Definition at line 67 of file AuthorizationPolicy.java.
static final Logger com.cloudera.impala.catalog.AuthorizationPolicy.LOG = Logger.getLogger(AuthorizationPolicy.class) [static private]
Definition at line 56 of file AuthorizationPolicy.java.
final CatalogObjectCache< Role > com.cloudera.impala.catalog.AuthorizationPolicy.roleCache_ = new CatalogObjectCache<Role>() [private]
Definition at line 59 of file AuthorizationPolicy.java.
Map< Integer, String > com.cloudera.impala.catalog.AuthorizationPolicy.roleIds_ = Maps.newHashMap() [package]
Definition at line 62 of file AuthorizationPolicy.java.