/**
 * Converts a Scala map of {@link Resource} to Scala ACL set into an unmodifiable Java map whose
 * values are the Java-set conversions of the original ACL sets.
 *
 * @param aclMap the Scala map to convert
 * @return an unmodifiable Java map keyed by {@link Resource}; each value is the converted Java set
 */
private static Map<Resource, Set<Acl>> convertKafkaAclMap(
    scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> aclMap) {
  final Map<Resource, Set<Acl>> converted = convertToJavaMap(aclMap.iterator())
      .entrySet()
      .stream()
      .collect(Collectors.toMap(
          Map.Entry::getKey,
          entry -> convertToJavaSet(entry.getValue().iterator())));
  return Collections.unmodifiableMap(converted);
}
/**
 * Copies the ACLs already recorded for {@code resource} in {@code resourceAclsMap} into
 * {@code newAclsJava}. Does nothing when the map holds no entry for the resource.
 *
 * @param resourceAclsMap resource to ACLs collected so far
 * @param resource the resource whose previously collected ACLs should be merged
 * @param newAclsJava mutable Java set that receives the existing ACLs (mutated in place)
 */
private void addExistingAclsForResource(
    java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap,
    Resource resource, java.util.Set<Acl> newAclsJava) {
  final scala.collection.immutable.Set<Acl> alreadyKnown = resourceAclsMap.get(resource);
  if (alreadyKnown == null) {
    return;
  }
  for (Iterator<Acl> it = alreadyKnown.iterator(); it.hasNext(); ) {
    newAclsJava.add(it.next());
  }
}
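/**
 * Maps a {@link Member} to a {@link MemberName} using the member's first role.
 * <p>
 * Previously a member without roles failed with a bare {@code NoSuchElementException} from the
 * iterator, which carried no hint of which member was at fault; the empty case is now rejected
 * explicitly with the member in the message.
 *
 * @param member the member whose first role names it
 * @return the {@link MemberName} for the member's first role
 * @throws IllegalArgumentException if the member has no roles
 */
@VisibleForTesting
static MemberName memberToName(final Member member) {
  if (!member.roles().iterator().hasNext()) {
    throw new IllegalArgumentException("member has no roles: " + member);
  }
  return MemberName.forName(member.roles().iterator().next());
}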
/**
 * Returns all {@link Acl}s associated to the given {@link Resource}.
 *
 * @param resource
 *          the {@link Resource} to look up {@link Acl}s for
 * @return unmodifiable set of all {@link Acl}s associated to the given {@link Resource}
 * @throws IllegalArgumentException
 *           if resource is {@code null}
 * @throws AdminOperationException
 *           if the authorizer fails to read the {@link Acl}s (wraps the underlying
 *           {@link ZkException})
 */
public Set<Acl> getAcls(Resource resource) {
  if (resource == null) {
    throw new IllegalArgumentException("resource cannot be null");
  }
  LOG.debug("Fetching all ACLs for resource [{}]", resource);
  try {
    final Set<Acl> acls = convertToJavaSet(getAuthorizer().getAcls(resource).iterator());
    return Collections.unmodifiableSet(acls);
  } catch (ZkException e) {
    throw new AdminOperationException("Unable to retrieve ACLs for resource: " + resource, e);
  }
}
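/**
 * Validates that every ACL can be represented in Sentry: the principal type must be
 * {@code role} and the permission must be {@code Allow}.
 * <p>
 * The original implementation expressed these checks as Java {@code assert} statements, which
 * are disabled unless the JVM runs with {@code -ea}; in a normal broker the validation was a
 * no-op and unsupported ACLs (non-role principals, Deny permissions) reached
 * {@link #addAcls} / {@link #removeAcls} unchecked. The checks now always run and reject the
 * offending ACL with a message naming it.
 *
 * @param acls the ACLs to validate
 * @throws IllegalArgumentException if an ACL uses a non-role principal or a non-Allow permission
 */
private void verifyAcls(scala.collection.immutable.Set<Acl> acls) {
  final Iterator<Acl> iterator = acls.iterator();
  while (iterator.hasNext()) {
    final Acl acl = iterator.next();
    // equalsIgnoreCase replaces the locale-sensitive toLowerCase() of the original check.
    if (!"role".equalsIgnoreCase(acl.principal().getPrincipalType())) {
      throw new IllegalArgumentException(
          "Only Acls with KafkaPrincipal of type \"role\" are supported, got: " + acl);
    }
    if (!Allow.name().equals(acl.permissionType().name())) {
      throw new IllegalArgumentException(
          "Only Acls with Permission of type \"Allow\" are supported, got: " + acl);
    }
  }
}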
/**
 * Revokes, role by role, the Sentry privilege backing each ACL on {@code resource}.
 * <p>
 * Removal stops at the first failure: ACLs visited earlier in iteration order stay removed
 * while the remaining ones are left untouched, so a {@code false} result does not mean the
 * resource's ACLs are unchanged.
 *
 * @param acls the ACLs to remove; must satisfy {@link #verifyAcls}
 * @param resource the Kafka resource the ACLs apply to
 * @return {@code true} when every ACL was removed, {@code false} as soon as one removal fails
 */
public boolean removeAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
  verifyAcls(acls);
  LOG.info("Removing Acl: acl->" + acls + " resource->" + resource);
  for (Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
    if (!dropPrivilegeFor(it.next(), resource)) {
      return false;
    }
  }
  return true;
}

/**
 * Drops, from the ACL's role, the Sentry privilege equivalent to {@code acl} on {@code resource}.
 *
 * @param acl the ACL whose privilege is revoked
 * @param resource the Kafka resource the ACL applies to
 * @return {@code true} on success, {@code false} if the Sentry call raised a
 *     {@link KafkaException} (which is logged here)
 */
private boolean dropPrivilegeFor(final Acl acl, final Resource resource) {
  final String role = getRole(acl);
  try {
    execute(new Command<Void>() {
      @Override
      public Void run(SentryGenericServiceClient client) throws Exception {
        client.dropPrivilege(requestorName, role, toTSentryPrivilege(acl, resource));
        return null;
      }
    });
    return true;
  } catch (KafkaException kex) {
    LOG.error("Failed to remove acls.", kex);
    return false;
  }
}
scala.collection.immutable.Set<Acl> acls = iter.next()._2(); Iterator<Acl> iter2 = acls.iterator(); while (iter2.hasNext()) { KafkaPrincipal principal = iter2.next().principal();
/**
 * Returns the set of ACL rules applying to a single user.
 *
 * @param username name of the user; looked up as a {@code User} principal
 * @return mutable set of rules converted from the authorizer's ACLs for that user,
 *     empty when the authorizer has none
 */
public Set<SimpleAclRule> getAcls(String username) {
  log.debug("Searching for ACL rules of user {}", username);
  final KafkaPrincipal principal = new KafkaPrincipal("User", username);
  final scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> rules;
  try {
    rules = authorizer.getAcls(principal);
  } catch (Exception e) {
    log.error("Failed to get existing Acls rules for user {}", username, e);
    throw e;
  }
  final Set<SimpleAclRule> result = new HashSet<>();
  for (Iterator<Tuple2<Resource, scala.collection.immutable.Set<Acl>>> byResource = rules.iterator();
      byResource.hasNext(); ) {
    final Tuple2<Resource, scala.collection.immutable.Set<Acl>> entry = byResource.next();
    final SimpleAclRuleResource resource = SimpleAclRuleResource.fromKafkaResource(entry._1());
    for (Iterator<Acl> byAcl = entry._2().iterator(); byAcl.hasNext(); ) {
      result.add(SimpleAclRule.fromKafkaAcl(resource, byAcl.next()));
    }
  }
  return result;
}
/**
 * Grants, role by role, a Sentry privilege equivalent to each ACL on {@code resource}.
 * <p>
 * ACLs are granted one at a time; if a later ACL fails (unknown role or a failing Sentry call),
 * the privileges already granted for earlier ACLs are not rolled back.
 *
 * @param acls the ACLs to add; must satisfy {@link #verifyAcls}
 * @param resource the Kafka resource the ACLs apply to
 * @throws KafkaException if an ACL names a role that does not exist in Sentry
 */
public void addAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
  verifyAcls(acls);
  LOG.info("Adding Acl: acl->" + acls + " resource->" + resource);
  for (Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
    grantPrivilegeFor(it.next(), resource);
  }
}

/**
 * Grants to the ACL's role the Sentry privilege equivalent to {@code acl} on {@code resource}.
 *
 * @param acl the ACL to translate into a privilege
 * @param resource the Kafka resource the ACL applies to
 * @throws KafkaException if the ACL's role does not exist in Sentry
 */
private void grantPrivilegeFor(final Acl acl, final Resource resource) {
  final String role = getRole(acl);
  if (!roleExists(role)) {
    throw new KafkaException("Can not add Acl for non-existent Role: " + role);
  }
  execute(new Command<Void>() {
    @Override
    public Void run(SentryGenericServiceClient client) throws Exception {
      client.grantPrivilege(requestorName, role, COMPONENT_NAME, toTSentryPrivilege(acl, resource));
      return null;
    }
  });
}
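/**
 * Converts Sentry role privileges into a Kafka resource to ACL-set map.
 * <p>
 * Each {@link TSentryPrivilege} carries a list of authorizables: a HOST entry naming the host the
 * privilege applies to, plus resource entries whose type/name is handed to Kafka's
 * {@code ResourceType}. One {@link Acl} is produced per resource entry, granting {@code Allow}
 * for the privilege's action to principal {@code role:<role>} from that host; ACLs reached for
 * the same resource via several roles or privileges are merged.
 * <p>
 * The host is resolved from the whole authorizable list before the resource entries are visited,
 * so the ACL host no longer depends on the HOST entry preceding the resource entries (the
 * previous implementation produced a {@code null} host when it came later).
 *
 * @param rolePrivilegesMap role name to the privileges granted to that role
 * @return mutable map of resource to immutable Scala set of ACLs; empty when no privileges are given
 */
private java.util.Map<Resource, scala.collection.immutable.Set<Acl>> rolePrivilegesToResourceAcls(
    java.util.Map<String, scala.collection.immutable.Set<TSentryPrivilege>> rolePrivilegesMap) {
  final java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap = new HashMap<>();
  for (java.util.Map.Entry<String, scala.collection.immutable.Set<TSentryPrivilege>> roleEntry
      : rolePrivilegesMap.entrySet()) {
    final String role = roleEntry.getKey();
    final Iterator<TSentryPrivilege> privileges = roleEntry.getValue().iterator();
    while (privileges.hasNext()) {
      final TSentryPrivilege privilege = privileges.next();
      final List<TAuthorizable> authorizables = privilege.getAuthorizables();
      final String host = findHost(authorizables);
      // Sentry stores "all actions" as "*"; Kafka's Operation spells it "All".
      final String operation = "*".equals(privilege.getAction()) ? "All" : privilege.getAction();
      for (TAuthorizable authorizable : authorizables) {
        if (KafkaAuthorizable.AuthorizableType.HOST.name().equals(authorizable.getType())) {
          continue;
        }
        final Resource resource = new Resource(
            ResourceType$.MODULE$.fromString(authorizable.getType()), authorizable.getName());
        final Acl acl = new Acl(new KafkaPrincipal("role", role), Allow$.MODULE$, host,
            Operation$.MODULE$.fromString(operation));
        // Merge with ACLs already collected for this resource from other roles/privileges.
        final Set<Acl> merged = new HashSet<Acl>();
        merged.add(acl);
        addExistingAclsForResource(resourceAclsMap, resource, merged);
        resourceAclsMap.put(resource, JavaConversions.asScalaSet(merged).<Acl>toSet());
      }
    }
  }
  return resourceAclsMap;
}

/**
 * Returns the name of the HOST authorizable in {@code authorizables}, or {@code null} if there is
 * none. When several HOST entries are present the last one wins, matching the
 * previous "most recently seen" behaviour.
 *
 * @param authorizables the privilege's authorizable list
 * @return the host name, or {@code null}
 */
private static String findHost(List<TAuthorizable> authorizables) {
  String host = null;
  for (TAuthorizable authorizable : authorizables) {
    if (KafkaAuthorizable.AuthorizableType.HOST.name().equals(authorizable.getType())) {
      host = authorizable.getName();
    }
  }
  return host;
}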