LENS-1534 : Authorizer Instance to be made singleton for resource optimization
authorRajitha R <rajithar@apache.org>
Mon, 10 Sep 2018 10:34:26 +0000 (16:04 +0530)
committerRajitha.R <rajithar@IM0318-L0.corp.inmobi.com>
Mon, 10 Sep 2018 10:34:26 +0000 (16:04 +0530)
12 files changed:
lens-cube/src/main/java/org/apache/lens/cube/authorization/AuthorizationUtil.java
lens-cube/src/main/java/org/apache/lens/cube/metadata/CubeMetastoreClient.java
lens-cube/src/main/java/org/apache/lens/cube/metadata/MetastoreConstants.java
lens-cube/src/main/java/org/apache/lens/cube/parse/QueryAuthorizationResolver.java
lens-cube/src/test/java/org/apache/lens/cube/metadata/TestCubeMetastoreClient.java
lens-cube/src/test/java/org/apache/lens/cube/parse/TestQueryAuthorizationResolver.java
lens-server-api/src/main/java/org/apache/lens/server/api/LensConfConstants.java
lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java [new file with mode: 0644]
lens-server/src/main/java/org/apache/lens/server/LensServer.java
lens-server/src/main/resources/lensserver-default.xml
lens-server/src/test/java/org/apache/lens/server/LensJerseyTest.java
src/site/apt/admin/config.apt

index 5ae2cfd..40ca198 100644 (file)
@@ -60,7 +60,7 @@ public class AuthorizationUtil {
         sessionConf.getTrimmedStringCollection(LensConfConstants.SESSION_USER_GROUPS);
     }
     LensPrivilegeObject lp = new LensPrivilegeObject(privilegeObjectType, tableName, colName);
-    if (!authorizer.authorize(lp, actionType, user, userGroups)) {
+    if ((authorizer != null) && !authorizer.authorize(lp, actionType, user, userGroups)) {
       throw new PrivilegeException(privilegeObjectType.toString(), tableName, actionType.toString());
     }
     return true;
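Review bot: The added `authorizer != null` guard makes this check fail open: when the authorizer passed in is null, the `PrivilegeException` is skipped and the method falls through to `return true`, so the caller treats the action as authorized. After this commit both visible callers (`CubeMetastoreClient.checkIfAuthorized` and `QueryAuthorizationResolver.rewriteContext`) pass `LensAuthorizer.get().getAuthorizer()`, which is null until `init(conf)` has run, so any path that reaches here without initialisation silently loses enforcement. Denying is the safer default: `if (authorizer == null || !authorizer.authorize(lp, actionType, user, userGroups)) {`, ideally with a distinct error for the uninitialised case so it shows up in logs. The method's signature and opening lines are outside this hunk.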
index b1c1ae4..c611963 100644 (file)
@@ -39,7 +39,7 @@ import org.apache.lens.cube.metadata.timeline.PartitionTimelineFactory;
 
 import org.apache.lens.server.api.LensConfConstants;
 import org.apache.lens.server.api.authorization.ActionType;
-import org.apache.lens.server.api.authorization.Authorizer;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.authorization.LensPrivilegeObject;
 
 import org.apache.lens.server.api.error.LensException;
@@ -119,8 +119,6 @@ public class CubeMetastoreClient {
 
   private Boolean isAuthorizationCheckEnabled;
 
-  private Authorizer authorizer;
-
   public DataCompletenessChecker getCompletenessChecker() {
     if (completenessChecker == null) {
       completenessChecker = ReflectionUtils.newInstance(config.getClass(LensConfConstants.COMPLETENESS_CHECKER_CLASS,
@@ -129,14 +127,6 @@ public class CubeMetastoreClient {
     return completenessChecker;
   }
 
-  private Authorizer getAuthorizer() {
-    if (authorizer == null) {
-      authorizer = ReflectionUtils.newInstance(config.getClass(MetastoreConstants.AUTHORIZER_CLASS,
-        LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class), this.config);
-    }
-    return authorizer;
-  }
-
   public boolean isDataCompletenessCheckEnabled() {
     if (isDataCompletenessCheckEnabled == null) {
       isDataCompletenessCheckEnabled = config.getBoolean(LensConfConstants.ENABLE_DATACOMPLETENESS_CHECK,
@@ -156,7 +146,7 @@ public class CubeMetastoreClient {
   private void checkIfAuthorized() throws LensException {
     if (isAuthorizationEnabled()) {
       String currentdb = SessionState.get().getCurrentDatabase();
-      AuthorizationUtil.isAuthorized(getAuthorizer(), currentdb,
+      AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), currentdb,
         LensPrivilegeObject.LensPrivilegeObjectType.DATABASE, ActionType.UPDATE, getConf(),
         SessionState.getSessionConf());
     }
index 5bdfea4..88097aa 100644 (file)
@@ -26,7 +26,6 @@ public final class MetastoreConstants {
   public static final String TABLE_TYPE_KEY = "cube.table.type";
   public static final String CUBE_TABLE_PFX = "cube.table.";
   public static final String WEIGHT_KEY_SFX = ".weight";
-  public static final String AUTHORIZER_CLASS = "authorizer.class";
 
   public static final String BASE_KEY_PFX = "base.";
   public static final String EXPRESSIONS_LIST_SFX = ".expressions.list";
index f1376ca..a6a908f 100644 (file)
@@ -24,31 +24,24 @@ import org.apache.lens.cube.authorization.AuthorizationUtil;
 import org.apache.lens.cube.metadata.*;
 import org.apache.lens.server.api.LensConfConstants;
 import org.apache.lens.server.api.authorization.ActionType;
-import org.apache.lens.server.api.authorization.Authorizer;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.authorization.LensPrivilegeObject;
 import org.apache.lens.server.api.error.LensException;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.hadoop.util.ReflectionUtils;
 
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
 public class QueryAuthorizationResolver implements ContextRewriter {
-
-  @Getter
-  private Authorizer authorizer;
   @Getter
   private Boolean isAuthorizationCheckEnabled;
 
   QueryAuthorizationResolver(Configuration conf) {
     isAuthorizationCheckEnabled = conf.getBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK,
       LensConfConstants.DEFAULT_ENABLE_QUERY_AUTHORIZATION_CHECK);
-    authorizer = ReflectionUtils.newInstance(
-      conf.getClass(MetastoreConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class),
-      conf);
   }
   @Override
   public void rewriteContext(CubeQueryContext cubeql) throws LensException {
@@ -69,7 +62,7 @@ public class QueryAuthorizationResolver implements ContextRewriter {
         log.info("Restricted queriedColumns queried : "+ restrictedFieldsQueried);
         if (restrictedFieldsQueried != null && !restrictedFieldsQueried.isEmpty()) {
           for (String col : restrictedFieldsQueried) {
-            AuthorizationUtil.isAuthorized(getAuthorizer(), tbl.getName(), col,
+            AuthorizationUtil.isAuthorized(LensAuthorizer.get().getAuthorizer(), tbl.getName(), col,
               LensPrivilegeObject.LensPrivilegeObjectType.COLUMN, ActionType.SELECT, cubeql.getConf(),
               SessionState.getSessionConf());
           }
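Review bot: `LensAuthorizer.get().getAuthorizer()` is re-read for every restricted column inside the `for` loop, so if `init` is called again while a query is being rewritten, columns of the same query could be checked against different authorizer instances. Reading it once before the loop, `Authorizer authorizer = LensAuthorizer.get().getAuthorizer();`, avoids that and is easier to follow; it would need the `Authorizer` import that this commit removes from the file. The loop sits inside `rewriteContext`, whose remaining body is outside the hunk.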
index 9499f0c..9b8a55a 100644 (file)
@@ -39,6 +39,7 @@ import org.apache.lens.cube.metadata.timeline.PartitionTimeline;
 import org.apache.lens.cube.metadata.timeline.StoreAllPartitionTimeline;
 import org.apache.lens.cube.metadata.timeline.TestPartitionTimelines;
 import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.error.LensException;
 import org.apache.lens.server.api.query.save.exception.PrivilegeException;
 import org.apache.lens.server.api.util.LensUtil;
@@ -141,6 +142,9 @@ public class TestCubeMetastoreClient {
   public static void setup() throws HiveException, AlreadyExistsException, LensException {
     SessionState.start(conf);
 
+    conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+    LensAuthorizer.get().init(conf);
+
     Database database = new Database();
     database.setName(TestCubeMetastoreClient.class.getSimpleName());
     Hive.get(conf).createDatabase(database);
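Review bot: This setup replaces the process-wide authorizer with `MockAuthorizer` and nothing visible restores it, so any test class that runs later in the same JVM inherits whichever authorizer was installed last; the same pattern is added in `beforeClassTestQueryAuthorizationResolver`. Before this commit the mock was scoped to the client's own conf. A matching teardown that calls `LensAuthorizer.get().init(...)` again with a conf that does not name the mock would keep the tests independent of execution order. The rest of `setup()` continues outside this hunk.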
@@ -148,7 +152,6 @@ public class TestCubeMetastoreClient {
     client = CubeMetastoreClient.getInstance(conf);
     client.getConf().setBoolean(LensConfConstants.ENABLE_METASTORE_SCHEMA_AUTHORIZATION_CHECK, true);
     client.getConf().setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
-    client.getConf().set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
     SessionState.getSessionConf().set(LensConfConstants.SESSION_USER_GROUPS, "lens-auth-test1");
     defineCube(CUBE_NAME, CUBE_NAME_WITH_PROPS, DERIVED_CUBE_NAME, DERIVED_CUBE_NAME_WITH_PROPS);
     defineUberDims();
index 13b345f..356df97 100644 (file)
@@ -23,8 +23,8 @@ import static org.apache.lens.cube.metadata.DateFactory.TWO_DAYS_RANGE;
 import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.fail;
 
-import org.apache.lens.cube.metadata.MetastoreConstants;
 import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.error.LensException;
 import org.apache.lens.server.api.query.save.exception.PrivilegeException;
 
@@ -39,9 +39,10 @@ public class TestQueryAuthorizationResolver extends TestQueryRewrite {
 
   @BeforeClass
   public void beforeClassTestQueryAuthorizationResolver() {
+    conf.set(LensConfConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
+    LensAuthorizer.get().init(conf);
     conf.setBoolean(LensConfConstants.ENABLE_QUERY_AUTHORIZATION_CHECK, true);
     conf.setBoolean(LensConfConstants.USER_GROUPS_BASED_AUTHORIZATION, true);
-    conf.set(MetastoreConstants.AUTHORIZER_CLASS, "org.apache.lens.cube.parse.MockAuthorizer");
   }
 
   @Test
index efaf5d2..cb82f06 100644 (file)
@@ -1337,10 +1337,6 @@ public final class LensConfConstants {
   public static final Class<? extends DataCompletenessChecker> DEFAULT_COMPLETENESS_CHECKER =
           DefaultChecker.class.asSubclass(DataCompletenessChecker.class);
 
-
-  public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER =
-    DefaultAuthorizer.class.asSubclass(Authorizer.class);
-
   /**
    * This property is to enable Data Completeness Checks while resolving partitions.
    */
@@ -1435,4 +1431,11 @@ public final class LensConfConstants {
    */
   public static final String RETRY_MESSAGE_MAP = "retry.messages.contains.map";
 
+  public static final String AUTHORIZER_CLASS = SERVER_PFX + "authorizer.class";
+
+  public static final Class<? extends Authorizer> DEFAULT_AUTHORIZER =
+    DefaultAuthorizer.class.asSubclass(Authorizer.class);
+
+
+
 }
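Review bot: `AUTHORIZER_CLASS` now resolves to `SERVER_PFX + "authorizer.class"` while the old `authorizer.class` key is removed from `MetastoreConstants`, so a deployment that still sets the old key would have it ignored and get `DEFAULT_AUTHORIZER` with no warning. If upgrades matter, registering the old name through Hadoop's `Configuration.addDeprecation("authorizer.class", LensConfConstants.AUTHORIZER_CLASS)`, or logging when the old key is present, would make the switch visible. The constant also lacks the Javadoc that the neighbouring properties carry; `/** Fully qualified class name of the Authorizer implementation used wherever an authorization check is enabled. */` would match them.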
diff --git a/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java b/lens-server-api/src/main/java/org/apache/lens/server/api/authorization/LensAuthorizer.java
new file mode 100644 (file)
index 0000000..f8c6b9c
--- /dev/null
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.lens.server.api.authorization;
+
+import org.apache.lens.server.api.LensConfConstants;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.util.ReflectionUtils;
+
+//Singleton instance of Authorizer class
+public final class LensAuthorizer {
+
+  private static final LensAuthorizer INSTANCE = new LensAuthorizer();
+
+  private Authorizer authorizer;
+
+  // private constructor to ensure single instance.
+  private LensAuthorizer() {
+  }
+
+  public void init(Configuration hiveConf){
+    this.authorizer =  ReflectionUtils.newInstance(
+    hiveConf.getClass(LensConfConstants.AUTHORIZER_CLASS, LensConfConstants.DEFAULT_AUTHORIZER, Authorizer.class),
+    hiveConf);
+  }
+
+  /**
+   *
+   * @return the singleton instance of the authorizer.
+   */
+  public static LensAuthorizer get(){
+    return INSTANCE;
+  }
+
+  public Authorizer getAuthorizer() {
+    return this.authorizer;
+  }
+
+
+}
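Review bot: `authorizer` is a plain mutable field that stays null until `init` runs, and `getAuthorizer()` hands that null to callers; together with the null guard added in `AuthorizationUtil` this turns a missed or late `init` into a skipped authorization check. The field is presumably written by the startup thread and read by request threads, yet it has no `volatile` or lock, so visibility of the assignment is not guaranteed. Making the field `volatile` and having `getAuthorizer()` throw when it is unset fails closed instead. Separately, the Javadoc on `get()` says it returns the authorizer while it returns the `LensAuthorizer` holder, and the public `init` has no Javadoc stating that it replaces the authorizer for the whole process.

```java
  // volatile: assigned in init(), read by whichever thread performs the authorization check
  private volatile Authorizer authorizer;

  // … unchanged: private constructor, init(), get() …

  /**
   * @return the authorizer created by {@link #init(Configuration)}
   * @throws IllegalStateException if init has not been called, so a check is never skipped silently
   */
  public Authorizer getAuthorizer() {
    Authorizer current = this.authorizer;
    if (current == null) {
      throw new IllegalStateException("LensAuthorizer.init(conf) must be called before authorization checks");
    }
    return current;
  }
```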
index 701ebbe..9a913cb 100644 (file)
@@ -27,6 +27,7 @@ import javax.ws.rs.core.UriBuilder;
 
 import org.apache.lens.api.jaxb.LensJAXBContextResolver;
 import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.metrics.MetricsService;
 import org.apache.lens.server.error.GenericExceptionMapper;
 import org.apache.lens.server.error.LensJAXBValidationExceptionMapper;
@@ -135,6 +136,7 @@ public class LensServer {
    * @param conf the conf
    */
   public void startServices(HiveConf conf) {
+    LensAuthorizer.get().init(conf);
     LensServices.get().init(conf);
     LensServices.get().start();
   }
index 2ea73a3..e5d94e7 100644 (file)
     <description>password for cert file</description>
   </property>
 
+  <property>
+    <name>lens.server.authorizer.class</name>
+    <value>org.apache.lens.server.api.authorization.DefaultAuthorizer</value>
+    <description>The class that implements the Authorizer Interface. It will be used wherever authorization check
+    is enabled</description>
+  </property>
+
 </configuration>
index 7cccf30..33b4232 100644 (file)
@@ -39,6 +39,7 @@ import org.apache.lens.api.jaxb.LensJAXBContextResolver;
 import org.apache.lens.api.util.MoxyJsonConfigurationContextResolver;
 import org.apache.lens.driver.hive.TestRemoteHiveDriver;
 import org.apache.lens.server.api.LensConfConstants;
+import org.apache.lens.server.api.authorization.LensAuthorizer;
 import org.apache.lens.server.api.metrics.LensMetricsUtil;
 import org.apache.lens.server.api.metrics.MetricsService;
 import org.apache.lens.server.api.query.QueryExecutionService;
@@ -168,6 +169,7 @@ public abstract class LensJerseyTest extends JerseyTest {
     createTestDatabaseResources(new String[]{DB_WITH_JARS, DB_WITH_JARS_2},
       hiveConf);
 
+    LensAuthorizer.get().init(LensServerConf.getHiveConf());
     LensServices.get().init(LensServerConf.getHiveConf());
     LensServices.get().start();
 
index e900f98..4cee5ae 100644 (file)
@@ -307,4 +307,6 @@ Lens server configuration
 *--+--+---+--+
 |139|lens.server.ws.resourcenames|session,metastore,query,savedquery,quota,scheduler,index,log|These JAX-RS resources would be started in the specified order when lens-server starts up|
 *--+--+---+--+
+|140|lens.server.authorizer.class|org.apache.lens.server.api.authorization.DefaultAuthorizer|The class that implements the Authorizer Interface. It will be used wherever authorization check is enabled|
+*--+--+---+--+
 The configuration parameters and their default values