Add JMX stats to AccessControlManager
dain committed Oct 22, 2015
1 parent bb25b6c commit 9b7f08a
Showing 2 changed files with 82 additions and 16 deletions.
Expand Up @@ -22,6 +22,11 @@
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import io.airlift.log.Logger;
import io.airlift.stats.CounterStat;
import org.weakref.jmx.Managed;
import org.weakref.jmx.Nested;

import javax.inject.Inject;

import java.io.File;
import java.io.FileInputStream;
Expand Down Expand Up @@ -56,6 +61,12 @@ public class AccessControlManager
private final AtomicReference<SystemAccessControl> systemAccessControl = new AtomicReference<>(new InitializingSystemAccessControl());
private final AtomicBoolean systemAccessControlLoading = new AtomicBoolean();

private final CounterStat authenticationSuccess = new CounterStat();
private final CounterStat authenticationFail = new CounterStat();
private final CounterStat authorizationSuccess = new CounterStat();
private final CounterStat authorizationFail = new CounterStat();

@Inject
public AccessControlManager()
{
systemAccessControlFactories.put(ALLOW_ALL_ACCESS_CONTROL, new SystemAccessControlFactory()
Expand Down Expand Up @@ -136,7 +147,7 @@ public void checkCanSetUser(Principal principal, String userName)
{
requireNonNull(userName, "userName is null");

systemAccessControl.get().checkCanSetUser(principal, userName);
authenticationCheck(() -> systemAccessControl.get().checkCanSetUser(principal, userName));
}

@Override
Expand All @@ -147,7 +158,7 @@ public void checkCanCreateTable(Identity identity, QualifiedTableName tableName)

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanCreateTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanCreateTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -159,7 +170,7 @@ public void checkCanDropTable(Identity identity, QualifiedTableName tableName)

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanDropTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanDropTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -172,7 +183,7 @@ public void checkCanRenameTable(Identity identity, QualifiedTableName tableName,

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanRenameTable(identity, tableName.asSchemaTableName(), newTableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanRenameTable(identity, tableName.asSchemaTableName(), newTableName.asSchemaTableName()));
}
}

Expand All @@ -184,7 +195,7 @@ public void checkCanAddColumns(Identity identity, QualifiedTableName tableName)

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanAddColumn(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanAddColumn(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -196,7 +207,7 @@ public void checkCanRenameColumn(Identity identity, QualifiedTableName tableName

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanRenameColumn(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanRenameColumn(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -208,7 +219,7 @@ public void checkCanSelectFromTable(Identity identity, QualifiedTableName tableN

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanSelectFromTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanSelectFromTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -220,7 +231,7 @@ public void checkCanInsertIntoTable(Identity identity, QualifiedTableName tableN

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanInsertIntoTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanInsertIntoTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -232,7 +243,7 @@ public void checkCanDeleteFromTable(Identity identity, QualifiedTableName tableN

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanDeleteFromTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanDeleteFromTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -244,7 +255,7 @@ public void checkCanCreateView(Identity identity, QualifiedTableName viewName)

ConnectorAccessControl accessControl = catalogAccessControl.get(viewName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanCreateView(identity, viewName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanCreateView(identity, viewName.asSchemaTableName()));
}
}

Expand All @@ -256,7 +267,7 @@ public void checkCanDropView(Identity identity, QualifiedTableName viewName)

ConnectorAccessControl accessControl = catalogAccessControl.get(viewName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanDropView(identity, viewName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanDropView(identity, viewName.asSchemaTableName()));
}
}

Expand All @@ -268,7 +279,7 @@ public void checkCanSelectFromView(Identity identity, QualifiedTableName viewNam

ConnectorAccessControl accessControl = catalogAccessControl.get(viewName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanSelectFromView(identity, viewName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanSelectFromView(identity, viewName.asSchemaTableName()));
}
}

Expand All @@ -280,7 +291,7 @@ public void checkCanCreateViewWithSelectFromTable(Identity identity, QualifiedTa

ConnectorAccessControl accessControl = catalogAccessControl.get(tableName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanCreateViewWithSelectFromTable(identity, tableName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanCreateViewWithSelectFromTable(identity, tableName.asSchemaTableName()));
}
}

Expand All @@ -292,7 +303,7 @@ public void checkCanCreateViewWithSelectFromView(Identity identity, QualifiedTab

ConnectorAccessControl accessControl = catalogAccessControl.get(viewName.getCatalogName());
if (accessControl != null) {
accessControl.checkCanCreateViewWithSelectFromView(identity, viewName.asSchemaTableName());
authorizationCheck(() -> accessControl.checkCanCreateViewWithSelectFromView(identity, viewName.asSchemaTableName()));
}
}

Expand All @@ -302,7 +313,7 @@ public void checkCanSetSystemSessionProperty(Identity identity, String propertyN
requireNonNull(identity, "identity is null");
requireNonNull(propertyName, "propertyName is null");

systemAccessControl.get().checkCanSetSystemSessionProperty(identity, propertyName);
authorizationCheck(() -> systemAccessControl.get().checkCanSetSystemSessionProperty(identity, propertyName));
}

@Override
Expand All @@ -314,7 +325,59 @@ public void checkCanSetCatalogSessionProperty(Identity identity, String catalogN

ConnectorAccessControl accessControl = catalogAccessControl.get(catalogName);
if (accessControl != null) {
accessControl.checkCanSetCatalogSessionProperty(identity, propertyName);
authorizationCheck(() -> accessControl.checkCanSetCatalogSessionProperty(identity, propertyName));
}
}

@Managed
@Nested
public CounterStat getAuthenticationSuccess()
{
return authenticationSuccess;
}

@Managed
@Nested
public CounterStat getAuthenticationFail()
{
return authenticationFail;
}

@Managed
@Nested
public CounterStat getAuthorizationSuccess()
{
return authorizationSuccess;
}

@Managed
@Nested
public CounterStat getAuthorizationFail()
{
return authorizationFail;
}

private void authenticationCheck(Runnable runnable)
{
try {
runnable.run();
authenticationSuccess.update(1);
}
catch (PrestoException e) {
authenticationFail.update(1);
throw e;
}
}

private void authorizationCheck(Runnable runnable)
{
try {
runnable.run();
authorizationSuccess.update(1);
}
catch (PrestoException e) {
authorizationFail.update(1);
throw e;
}
}
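Review bot: The `catch (PrestoException e)` in `authenticationCheck` and `authorizationCheck` counts every PrestoException as a failure, so a delegate error that is not a denial looks the same as a rejected request, and any other RuntimeException from `runnable.run()` updates neither counter. If these counters are meant to feed alerting on denied access, the catch should be narrowed to the denial case (by exception subtype or error code, whichever the SPI provides). Failing that, document the behaviour with a comment such as `// any PrestoException counts as a failure, not only denials; other exceptions are not counted`. Separately, the catalog-level checks call `authorizationCheck` only inside `if (accessControl != null)`, so a request against a catalog with no connector access control passes without touching `authorizationSuccess`; that implicit allow is worth stating next to the counters.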

Expand Up @@ -17,6 +17,8 @@
import com.google.inject.Module;
import com.google.inject.Scopes;

import static org.weakref.jmx.guice.ExportBinder.newExporter;

public class AccessControlModule
implements Module
{
Expand All @@ -25,5 +27,6 @@ public void configure(Binder binder)
{
binder.bind(AccessControlManager.class).in(Scopes.SINGLETON);
binder.bind(AccessControl.class).to(AccessControlManager.class).in(Scopes.SINGLETON);
newExporter(binder).export(AccessControlManager.class).withGeneratedName();
}
}
