コード例 #1
0
ファイル: SimplePolicyEngine.java プロジェクト: RingsC/Impala
 private ImmutableSetMultimap<String, String> parsePermissions(
     @Nullable String database, Ini.Section rolesSection, Ini.Section groupsSection) {
   ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
   Multimap<String, String> roleNameToPrivilegeMap = HashMultimap.create();
   List<? extends RoleValidator> validators =
       Lists.newArrayList(
           new ServersAllIsInvalid(),
           new DatabaseMustMatch(),
           new DatabaseRequiredInRole(),
           new ServerNameMustMatch(serverName));
   for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
     String roleName = Strings.nullToEmpty(entry.getKey()).trim();
     String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
     boolean invalidConfiguration = false;
     if (roleName.isEmpty()) {
       LOGGER.warn("Empty role name encountered in {}", resourcePath);
       invalidConfiguration = true;
     }
     if (roleValue.isEmpty()) {
       LOGGER.warn("Empty role value encountered in {}", resourcePath);
       invalidConfiguration = true;
     }
     if (roleNameToPrivilegeMap.containsKey(roleName)) {
       LOGGER.warn("Role {} defined twice in {}", roleName, resourcePath);
     }
     Set<String> roles = PermissionUtils.toPermissionStrings(roleValue);
     if (!invalidConfiguration && roles != null) {
       for (String role : roles) {
         for (RoleValidator validator : validators) {
           validator.validate(database, role.trim());
         }
       }
       roleNameToPrivilegeMap.putAll(roleName, roles);
     }
   }
   Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
   for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
     String groupName = Strings.nullToEmpty(entry.getKey()).trim();
     String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
     Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
     for (String roleName : roleSplitter.split(groupPrivileges)) {
       if (roleNameToPrivilegeMap.containsKey(roleName)) {
         resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap.get(roleName));
       } else {
         LOGGER.warn(
             "Role {} for group {} does not exist in privileges section in {}",
             new Object[] {roleName, groupName, resourcePath});
       }
     }
     resultBuilder.putAll(groupName, resolvedGroupPrivileges);
   }
   return resultBuilder.build();
 }
  private static void addPrivilege(String roleName, String privileges, Statement statement)
      throws IOException, SQLException {
    String serverName = null, dbName = null, tableName = null, uriPath = null, columnName = null;
    String action = "ALL"; // AccessConstants.ALL;
    for (String privilege : ROLE_SPLITTER.split(privileges)) {
      for (String section : AUTHORIZABLE_SPLITTER.split(privilege)) {
        // action is not an authorizeable
        if (!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
          DBModelAuthorizable dbAuthorizable = DBModelAuthorizables.from(section);
          if (dbAuthorizable == null) {
            throw new IOException("Unknown Auth type " + section);
          }

          if (DBModelAuthorizable.AuthorizableType.Server.equals(dbAuthorizable.getAuthzType())) {
            serverName = dbAuthorizable.getName();
          } else if (DBModelAuthorizable.AuthorizableType.Db.equals(
              dbAuthorizable.getAuthzType())) {
            dbName = dbAuthorizable.getName();
          } else if (DBModelAuthorizable.AuthorizableType.Table.equals(
              dbAuthorizable.getAuthzType())) {
            tableName = dbAuthorizable.getName();
          } else if (DBModelAuthorizable.AuthorizableType.Column.equals(
              dbAuthorizable.getAuthzType())) {
            columnName = dbAuthorizable.getName();
          } else if (DBModelAuthorizable.AuthorizableType.URI.equals(
              dbAuthorizable.getAuthzType())) {
            uriPath = dbAuthorizable.getName();
          } else {
            throw new IOException(
                "Unsupported auth type "
                    + dbAuthorizable.getName()
                    + " : "
                    + dbAuthorizable.getTypeName());
          }
        } else {
          action =
              DBModelAction.valueOf(
                      StringUtils.removePrefix(section, PRIVILEGE_PREFIX).toUpperCase())
                  .toString();
        }
      }

      LOGGER.info("addPrivilege");
      if (columnName != null) {
        statement.execute("CREATE DATABASE IF NOT EXISTS " + dbName);
        statement.execute("USE " + dbName);
        String sql =
            "GRANT "
                + action
                + " ( "
                + columnName
                + " ) ON TABLE "
                + tableName
                + " TO ROLE "
                + roleName;
        LOGGER.info("Granting column level privilege: database = " + dbName + ", sql = " + sql);
        statement.execute(sql);
      } else if (tableName != null) {
        statement.execute("CREATE DATABASE IF NOT EXISTS " + dbName);
        statement.execute("USE " + dbName);
        String sql = "GRANT " + action + " ON TABLE " + tableName + " TO ROLE " + roleName;
        LOGGER.info("Granting table level privilege:  database = " + dbName + ", sql = " + sql);
        statement.execute(sql);
      } else if (dbName != null) {
        String sql = "GRANT " + action + " ON DATABASE " + dbName + " TO ROLE " + roleName;
        LOGGER.info("Granting db level privilege: " + sql);
        statement.execute(sql);
      } else if (uriPath != null) {
        String sql = "GRANT " + action + " ON URI '" + uriPath + "' TO ROLE " + roleName;
        LOGGER.info("Granting uri level privilege: " + sql);
        statement.execute(sql); // ALL?
      } else if (serverName != null) {
        String sql = "GRANT ALL ON SERVER " + serverName + " TO ROLE " + roleName;
        LOGGER.info("Granting server level privilege: " + sql);
        statement.execute(sql);
      }
    }
  }