java.lang.Object
org.apache.drill.exec.resourcemgr.config.selectors.AbstractResourcePoolSelector
org.apache.drill.exec.resourcemgr.config.selectors.AclSelector
All Implemented Interfaces:
ResourcePoolSelector

public class AclSelector extends AbstractResourcePoolSelector
Evaluates if a query can be admitted to a ResourcePool or not by comparing query user/groups with the configured users/groups policies for this selector. AclSelector can be configured using both long-form syntax or short-form syntax as defined below:
  • Long-Form Syntax: Allows to use identifiers to specify allowed and disallowed users/groups. For example: users: [alice:+, bob:-] means alice is allowed whereas bob is denied access to the pool
  • Short-Form Syntax: Allows to specify lists of allowed users/groups only. For example: users: [alice, bob] means only alice and bob are allowed access to this pool
The selector also supports * as a wildcard for both long and short form syntax to allow/deny all users/groups. Example configuration is of form:
 selector: {
   acl: {
     users: [alice:+, bob:-],
     groups: [sales, marketing]
   }
 }
 
  • Method Details

    • isQuerySelected

      public boolean isQuerySelected(QueryContext queryContext)
      Determines if a given query is selected by this ACL selector of a Resource Pool or not. Following rules are followed to evaluate the selection. Assumption: There is an assumption made that if a user or group is configured in both +ve/-ve respective lists then it will be treated to be present in -ve list. Rules: 1) Check if query user is present in -ve users list, If yes then query is not selected else go to 2 2) Check if query user is present in +ve users list, If yes then query is selected else go to 3 3) Check if * is present in -ve users list, if yes then query is not selected else go to 4 4) Check if * is present in +ve users list, if yes then query is selected else go to 5 5) If here that means query user or * is absent in both +ve and -ve users list so check for groups of query user in step 6 6) Check if any of groups of query user is present in -ve groups list, If yes then query is not selected else go to 7 7) Check if any of groups of query user is present in +ve groups list, If yes then query selected else go to 8 8) Check if * is present in -ve groups list, If yes then query is not selected else go to 9 9) Check if * is present in +ve groups list, If yes then query is selected else go to 10 10) Query user and groups of it is neither present is +ve/-ve users list not +ve/-ve groups list hence the query is not selected
      Specified by:
      isQuerySelected in interface ResourcePoolSelector
      Specified by:
      isQuerySelected in class AbstractResourcePoolSelector
      Parameters:
      queryContext - QueryContext to get information about query user
      Returns:
      true if a query is selected by this selector, false otherwise
    • checkQueryUserGroups

      public boolean checkQueryUserGroups(String queryUser, Set<String> queryGroups)
    • getAllowedUsers

      public Set<String> getAllowedUsers()
    • getAllowedGroups

      public Set<String> getAllowedGroups()
    • getDeniedUsers

      public Set<String> getDeniedUsers()
    • getDeniedGroups

      public Set<String> getDeniedGroups()
    • toString

      public String toString()
      Overrides:
      toString in class AbstractResourcePoolSelector