...
Integration with Apache Sentry involves the development of three main modules:
CDAP Sentry Binding
...
Here we will bind CDAP to SentryGenericServiceClient and to the operations on the client.
Code Block
import java.util.Set;

import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
// EntityId, Principal, Action, Authorizer and AuthorizationException are the CDAP security SPI types.

public class SentryAuthorizer implements Authorizer {
  private final Configuration conf;

  public SentryAuthorizer(Configuration conf) {
    this.conf = conf; // carries the Sentry service address and client credentials
  }

  @Override
  public void grant(EntityId entity, Principal principal, Set<Action> actions) {
    // do grant operation on sentry client with needed mapping/conversion
  }

  @Override
  public void revoke(EntityId entity, Principal principal, Set<Action> actions) {
    // do revoke operation on sentry client with needed mapping/conversion
  }

  @Override
  public void revoke(EntityId entity, Principal principal) {
    // revoke every action the principal holds on the entity
  }

  @Override
  public void revoke(EntityId entity) {
    // revoke all privileges on the entity (e.g. when it is deleted) so no stale ACL outlives it
  }

  @Override
  public void checkAuthorized(Principal principal, EntityId entity, Action action) throws AuthorizationException {
    // do authorization check operation on sentry client with needed mapping/conversion
  }

  private SentryGenericServiceClient getClient() throws Exception {
    return SentryGenericServiceClientFactory.create(conf); // create sentry client from Configuration
  }
}
CDAP Sentry Model
The CDAP Sentry Model defines the CDAP entities for which access needs to be authorized via Apache Sentry. It is based on the Sentry Generic Authorization Model. The CDAP Sentry Model will have the following components:
CDAPAuthorizable
This interface defines the CDAP entities that need to be authorized. It extends Sentry's Authorizable interface, so every implementation also provides Sentry's getTypeName() and getName(), which become the type and name of the resource in the Sentry policy store.
Code Block
import org.apache.sentry.core.common.Authorizable;

/**
 * This interface represents an authorizable resource in the CDAP component.
 */
public interface CDAPAuthorizable extends Authorizable {
  /** The kinds of CDAP entities on which privileges can be granted. */
  enum AuthorizableType {
    Instance,
    Namespace,
    Artifact,
    Application,
    Program,
    Dataset,
    Stream,
    Stream_View
  }

  /** The kind of CDAP entity this authorizable represents. */
  AuthorizableType getAuthzType();
}
The CDAPAuthorizable interface will have to be implemented for each authorizable entity defined by the AuthorizableType enum above.
CDAPAction and CDAPActionFactory
These classes will extend Sentry's BitFieldAction and BitFieldActionFactory to define the types of actions on CDAP entities. Because each action is a bit in a field, a composite action implies every action whose bits it contains; this is how the implies relationships between actions (ALL over read, write and execute; ADMIN_ALL over all four) are expressed.
TODO: Think about ALL, ADMIN_ALL
Code Block
/** String names of the CDAP actions as they are stored in Sentry privileges. */
public final class CDAPActionConstants {
  public static final String READ = "read";
  public static final String EXECUTE = "execute";
  public static final String WRITE = "write";
  public static final String ADMIN = "admin";
  public static final String ALL = "all"; // this is read + write + execute
  public static final String ADMIN_ALL = "admin_all"; // this is read + write + execute + admin

  private CDAPActionConstants() {
    // constants only
  }
}
Sentry Policy Engine
Resource URIs
Using the above authorizable model, resource URIs for CDAP entities in the Sentry Policy Engine will be as follows:
Entity | Sentry Resource URI |
---|---|
Instance | TBD |
Namespace | cdap:///namespace=ns1 |
Artifact | cdap:///namespace=ns1/artifact=art1 |
Application | cdap:///namespace=ns1/application=app1 |
Program | cdap:///namespace=ns1/application=app1/programType=pt1/programName=prg1 |
Dataset | cdap:///namespace=ns1/dataset=ds1 |
Stream | cdap:///namespace=ns1/stream=s1 |
View | cdap:///namespace=ns1/stream=s1/view=v1 |
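To make the model, action and resource-URI sections concrete, the following stand-alone sketch (added here; it is not CDAP or Sentry code) builds the authorizable paths from the table above, renders them as cdap:/// URIs, expresses the read/write/execute/admin bit-field implication from CDAPActionConstants, and evaluates the hierarchical check a binding's checkAuthorized() would make once it holds the principal's privileges. It assumes the Sentry generic-model semantics that a privilege on a parent resource covers every resource beneath it and that a "*" name acts as a wildcard; the Authorizable and Privilege classes are local stand-ins for Sentry's types, and the grants in main() are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration (not CDAP or Sentry code) of how the authorizable model, the bit-field
 * actions and the resource URIs fit together in a policy check. Sentry's Authorizable and
 * BitFieldAction are replaced by local stand-ins so this compiles against the JDK alone.
 */
public final class CdapSentryPolicyDemo {

  /** Local stand-in for org.apache.sentry.core.common.Authorizable: one (type, name) path element. */
  static final class Authorizable {
    final String typeName;
    final String name;
    Authorizable(String typeName, String name) { this.typeName = typeName; this.name = name; }
  }

  /** Bit-field actions after CDAPActionConstants: ALL = read|write|execute, ADMIN_ALL adds admin. */
  enum CdapAction {
    READ(1), WRITE(2), EXECUTE(4), ADMIN(8), ALL(1 | 2 | 4), ADMIN_ALL(1 | 2 | 4 | 8);
    final int code;
    CdapAction(int code) { this.code = code; }
    /** A granted action implies a requested one when every bit of the request is set in the grant. */
    boolean implies(CdapAction requested) { return (code & requested.code) == requested.code; }
    /** Parses the design's string constants ("read", "admin_all", ...). */
    static CdapAction fromName(String name) { return valueOf(name.toUpperCase()); }
  }

  // Path builders following the Resource URI table: each entity is its parent's path plus its own element.
  static List<Authorizable> child(List<Authorizable> parent, String type, String name) {
    List<Authorizable> path = new ArrayList<>(parent);
    path.add(new Authorizable(type, name));
    return path;
  }
  static List<Authorizable> namespace(String ns) { return child(new ArrayList<Authorizable>(), "namespace", ns); }
  static List<Authorizable> artifact(String ns, String art) { return child(namespace(ns), "artifact", art); }
  static List<Authorizable> application(String ns, String app) { return child(namespace(ns), "application", app); }
  static List<Authorizable> program(String ns, String app, String type, String prog) {
    return child(child(application(ns, app), "programType", type), "programName", prog);
  }
  static List<Authorizable> dataset(String ns, String ds) { return child(namespace(ns), "dataset", ds); }
  static List<Authorizable> stream(String ns, String s) { return child(namespace(ns), "stream", s); }
  static List<Authorizable> view(String ns, String s, String v) { return child(stream(ns, s), "view", v); }

  /** Renders the resource URI form used in the table, e.g. cdap:///namespace=ns1/dataset=ds1. */
  static String toUri(List<Authorizable> path) {
    StringBuilder sb = new StringBuilder("cdap://");
    for (Authorizable a : path) sb.append('/').append(a.typeName).append('=').append(a.name);
    return sb.toString();
  }

  /** A Sentry-style privilege: an authorizable path plus an action, as granted to a role. */
  static final class Privilege {
    final List<Authorizable> path;
    final CdapAction action;
    Privilege(List<Authorizable> path, CdapAction action) { this.path = path; this.action = action; }

    /**
     * Assumed generic-model implication: the granted path must be a prefix of the requested path
     * (so a namespace grant covers everything beneath it), each element matching by type and by
     * name or the "*" wildcard, and the granted action must imply the requested one.
     */
    boolean implies(List<Authorizable> requested, CdapAction requestedAction) {
      if (path.size() > requested.size() || !action.implies(requestedAction)) return false;
      for (int i = 0; i < path.size(); i++) {
        Authorizable g = path.get(i);
        Authorizable r = requested.get(i);
        if (!g.typeName.equals(r.typeName)) return false;
        if (!g.name.equals("*") && !g.name.equals(r.name)) return false;
      }
      return true;
    }
  }

  /** The decision a binding's checkAuthorized() makes after fetching the principal's privileges. */
  static boolean isAuthorized(List<Privilege> granted, List<Authorizable> resource, CdapAction action) {
    for (Privilege p : granted) if (p.implies(resource, action)) return true;
    return false;
  }

  public static void main(String[] args) {
    // Constructed sample grants, as a Sentry role might hold them (not taken from any real deployment).
    List<Privilege> analyst = Arrays.asList(
        new Privilege(namespace("ns1"), CdapAction.READ),                        // read anything under ns1
        new Privilege(dataset("ns1", "ds1"), CdapAction.WRITE),                 // write only ds1
        new Privilege(application("ns2", "*"), CdapAction.fromName("execute")));  // run programs of any ns2 app

    System.out.println(toUri(program("ns1", "app1", "pt1", "prg1")));
    // The checks exercise, in order: inheritance from the namespace grant, a write outside the
    // granted dataset, the application wildcard, and an action (ADMIN) whose bit READ does not carry.
    System.out.println("read view   : " + isAuthorized(analyst, view("ns1", "s1", "v1"), CdapAction.READ));
    System.out.println("write ds2   : " + isAuthorized(analyst, dataset("ns1", "ds2"), CdapAction.WRITE));
    System.out.println("run ns2 prog: " + isAuthorized(analyst, program("ns2", "app9", "flow", "f1"), CdapAction.EXECUTE));
    System.out.println("admin ns1   : " + isAuthorized(analyst, namespace("ns1"), CdapAction.ADMIN));
  }
}
```

Compile with javac and run the class; the Instance entity is left out because its URI is still TBD above. The prefix rule in Privilege.implies() is the part a reviewer should scrutinise, since it decides how far a grant on a namespace or application silently reaches into the entities created under it later.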
ACL management (either using the CDAP CLI or via external systems such as the Sentry CLI or Hue)
Design Scribble:
Main modules:
Binding: Authorization checks happen here
Model: Define which objects in the system you want to control access to, and at what granularity
Policy engine: Define how policies are evaluated. For example: are wildcards supported?
Model:
Binding:
Policy:
//TODO
...