SENTRY-711: Implement grant user to role (Colin Ma, reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/68949951 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/68949951 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/68949951 Branch: refs/heads/master Commit: 68949951e97b206766bf3e07d24399d80799e7af Parents: 04881fa Author: Colin Ma <[email protected]> Authored: Wed Apr 13 15:03:56 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Thu Apr 14 09:21:55 2016 +0800 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHookBase.java | 8 +- .../hive/ql/exec/SentryGrantRevokeTask.java | 29 +- .../SentryHiveAuthorizationTaskFactoryImpl.java | 4 +- .../TestSentryHiveAuthorizationTaskFactory.java | 50 +- .../sentry/policy/common/PolicyEngine.java | 29 + .../sentry/policy/db/SimpleDBPolicyEngine.java | 21 + .../indexer/SimpleIndexerPolicyEngine.java | 21 +- .../policy/kafka/SimpleKafkaPolicyEngine.java | 20 + .../policy/search/SimpleSearchPolicyEngine.java | 21 +- .../policy/sqoop/SimpleSqoopPolicyEngine.java | 19 + .../sentry/provider/cache/PrivilegeCache.java | 7 + .../cache/SimpleCacheProviderBackend.java | 11 + .../provider/cache/SimplePrivilegeCache.java | 8 + .../provider/cache/PrivilegeCacheTestImpl.java | 5 + .../sentry/provider/common/ProviderBackend.java | 8 +- .../common/ResourceAuthorizationProvider.java | 13 +- .../provider/common/TestGetGroupMapping.java | 19 +- .../db/service/thrift/SentryPolicyService.java | 2564 +++++++++++++++++- .../thrift/TAlterSentryRoleAddUsersRequest.java | 740 +++++ .../TAlterSentryRoleAddUsersResponse.java | 390 +++ .../TAlterSentryRoleDeleteGroupsRequest.java | 36 +- .../TAlterSentryRoleDeleteUsersRequest.java | 740 +++++ .../TAlterSentryRoleDeleteUsersResponse.java | 390 +++ .../TAlterSentryRoleGrantPrivilegeRequest.java | 36 +- .../TAlterSentryRoleGrantPrivilegeResponse.java | 36 +- .../TAlterSentryRoleRevokePrivilegeRequest.java | 36 +- .../TListSentryPrivilegesByAuthRequest.java | 68 +- .../TListSentryPrivilegesByAuthResponse.java | 52 +- ...TListSentryPrivilegesForProviderRequest.java | 198 +- ...ListSentryPrivilegesForProviderResponse.java | 32 +- .../thrift/TListSentryPrivilegesResponse.java | 36 +- .../thrift/TListSentryRolesForUserRequest.java | 587 ++++ .../thrift/TListSentryRolesResponse.java | 36 +- .../db/service/thrift/TSentryActiveRoleSet.java | 32 +- .../db/service/thrift/TSentryMappingData.java | 148 +- .../db/service/thrift/TSentryPrivilegeMap.java | 76 +- .../provider/db/service/thrift/TSentryRole.java | 36 +- .../provider/db/SimpleDBProviderBackend.java | 15 +- .../generic/SentryGenericProviderBackend.java | 7 + .../db/log/entity/JsonLogEntityFactory.java | 40 + .../provider/db/log/util/CommandUtil.java | 28 +- .../sentry/provider/db/log/util/Constants.java | 22 +- .../provider/db/service/model/MSentryRole.java | 29 +- .../provider/db/service/model/MSentryUser.java | 116 + .../provider/db/service/model/package.jdo | 78 +- .../db/service/persistent/SentryStore.java | 254 +- .../db/service/thrift/NotificationHandler.java | 8 + .../thrift/NotificationHandlerInvoker.java | 30 + .../thrift/SentryPolicyServiceClient.java | 19 +- .../SentryPolicyServiceClientDefaultImpl.java | 79 +- .../thrift/SentryPolicyStoreProcessor.java | 155 +- .../main/resources/sentry_policy_service.thrift | 37 +- .../provider/db/log/util/TestCommandUtil.java | 42 +- .../db/service/persistent/TestSentryStore.java | 461 +++- .../TestSentryServerForHaWithoutKerberos.java | 60 +- .../thrift/TestSentryServerWithoutKerberos.java | 59 +- .../thrift/TestSentryServiceIntegration.java | 226 ++ .../file/SimpleFileProviderBackend.java | 7 + .../tests/e2e/dbprovider/TestDbDDLAuditLog.java | 18 + .../e2e/dbprovider/TestGrantUserToRole.java | 237 ++ 60 files changed, 7938 insertions(+), 651 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java index 6df939f..a00f2d5 100644 --- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java +++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java @@ -75,6 +75,7 @@ import org.slf4j.LoggerFactory; import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Splitter; import com.google.common.collect.ImmutableList; +import com.google.common.collect.Sets; public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerHook { private static final Logger LOG = LoggerFactory @@ -747,9 +748,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH String userName) throws SemanticException { // get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider(); - Set<String> userPrivileges = authProvider.getPolicyEngine().getPrivileges( - authProvider.getGroupMapping().getGroups(userName), hiveAuthzBinding.getActiveRoleSet(), - hiveAuthzBinding.getAuthServer()); + Set<String> userPrivileges = + authProvider.getPolicyEngine().getPrivileges( + authProvider.getGroupMapping().getGroups(userName), Sets.newHashSet(userName), + hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer()); // create PrivilegeCache using user's privileges PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges); http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java index cd8352a..217b7b3 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java @@ -237,11 +237,14 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { Set<TSentryRole> roles; PrincipalType principalType = desc.getPrincipalType(); - if (principalType != PrincipalType.GROUP) { + if (principalType == PrincipalType.GROUP) { + roles = sentryClient.listRolesByGroupName(subject, name); + } else if (principalType == PrincipalType.USER) { + roles = sentryClient.listRolesByUserName(subject, name); + } else { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType; throw new HiveException(msg); } - roles = sentryClient.listRolesByGroupName(subject, desc.getName() ); writeToFile(writeRoleGrantsInfo(roles), desc.getResFile()); return RETURN_CODE_SUCCESS; } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { @@ -407,21 +410,35 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable List<String> roles = desc.getRoles(); // get principals Set<String> groups = Sets.newHashSet(); + Set<String> users = Sets.newHashSet(); for (PrincipalDesc principal : principals) { - if (principal.getType() != PrincipalType.GROUP) { + if (principal.getType() == PrincipalType.GROUP) { + groups.add(principal.getName()); + } else if (principal.getType() == PrincipalType.USER) { + users.add(principal.getName()); + } else { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); throw new HiveException(msg); } - groups.add(principal.getName()); } // grant/revoke role to/from principals for (String roleName : roles) { if (grantRole) { - sentryClient.grantRoleToGroups(subject, roleName, groups); + if (groups.size() > 0) { + sentryClient.grantRoleToGroups(subject, roleName, groups); + } + if (users.size() > 0) { + sentryClient.grantRoleToUsers(subject, roleName, users); + } } else { - sentryClient.revokeRoleFromGroups(subject, roleName, groups); + if (groups.size() > 0) { + sentryClient.revokeRoleFromGroups(subject, roleName, groups); + } + if (users.size() > 0) { + sentryClient.revokeRoleFromUsers(subject, roleName, users); + } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index caf32cf..0d1db89 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -102,7 +102,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization principalType = PrincipalType.ROLE; break; } - if (principalType != PrincipalType.GROUP) { + if (principalType != PrincipalType.GROUP && principalType != PrincipalType.USER) { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType; throw new SemanticException(msg); } @@ -241,7 +241,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization roleOwnerName = SessionState.get().getAuthenticator().getUserName(); } for (PrincipalDesc princ : principalDesc) { - if (princ.getType() != PrincipalType.GROUP) { + if (princ.getType() != PrincipalType.GROUP && princ.getType() != PrincipalType.USER) { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + princ.getType(); throw new SemanticException(msg); } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java index dfe93a5..4fcb71c 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java @@ -17,6 +17,11 @@ */ package org.apache.sentry.binding.hive; +import java.io.File; +import java.io.Serializable; +import java.util.HashMap; +import java.util.List; + import org.junit.Assert; import org.apache.commons.io.FileUtils; @@ -54,11 +59,6 @@ import org.mockito.Mockito; import com.google.common.io.Files; -import java.io.File; -import java.io.Serializable; -import java.util.HashMap; -import java.util.List; - public class TestSentryHiveAuthorizationTaskFactory { private static final String ALL = "ALL"; @@ -237,8 +237,20 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testGrantRoleUser() throws Exception { - expectSemanticException("GRANT ROLE " + ROLE + " TO USER " + USER, - SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + "USER"); + DDLWork work = analyze(parse("GRANT ROLE " + ROLE + " TO USER " + USER)); + GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); + Assert.assertNotNull("Grant should not be null", grantDesc); + Assert.assertTrue("Expected grant ", grantDesc.getGrant()); + Assert.assertFalse("Grant option should be false", grantDesc.isGrantOption()); + Assert.assertEquals(currentUser, grantDesc.getGrantor()); + Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); + for (String role : assertSize(1, grantDesc.getRoles())) { + Assert.assertEquals(ROLE, role); + } + for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) { + Assert.assertEquals(PrincipalType.USER, principal.getType()); + Assert.assertEquals(USER, principal.getName()); + } } /** @@ -277,8 +289,20 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testRevokeRoleUser() throws Exception { - expectSemanticException("REVOKE ROLE " + ROLE + " FROM USER " + USER, - SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + "USER"); + DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM USER " + USER)); + GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); + Assert.assertNotNull("Grant should not be null", grantDesc); + Assert.assertFalse("Did not expect grant ", grantDesc.getGrant()); + Assert.assertFalse("Grant option is always true ", grantDesc.isGrantOption()); + Assert.assertEquals(currentUser, grantDesc.getGrantor()); + Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); + for (String role : assertSize(1, grantDesc.getRoles())) { + Assert.assertEquals(ROLE, role); + } + for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) { + Assert.assertEquals(PrincipalType.USER, principal.getType()); + Assert.assertEquals(USER, principal.getName()); + } } /** @@ -316,8 +340,12 @@ public class TestSentryHiveAuthorizationTaskFactory { */ @Test public void testShowRoleGrantUser() throws Exception { - expectSemanticException("SHOW ROLE GRANT USER " + USER, - SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "USER"); + DDLWork work = analyze(parse("SHOW ROLE GRANT USER " + USER)); + RoleDDLDesc roleDesc = work.getRoleDDLDesc(); + Assert.assertNotNull("Role should not be null", roleDesc); + Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation()); + Assert.assertEquals(PrincipalType.USER, roleDesc.getPrincipalType()); + Assert.assertEquals(USER, roleDesc.getName()); } /** http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java index bbb009c..b7d8c32 100644 --- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java +++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java @@ -53,6 +53,20 @@ public interface PolicyEngine { throws SentryConfigurationException; /** + * Get privileges associated with groups and users. Returns Strings which can be resolved by the + * caller. Strings are returned to separate the PolicyFile class from the type of privileges used + * in a policy file. Additionally it is possible further processing of the privileges is needed + * before resolving to a privilege object. + * + * @param group name + * @param user name + * @param active role-set + * @return non-null immutable set of privileges + */ + ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, ActiveRoleSet roleSet) + throws SentryConfigurationException; + + /** * Get privileges associated with a group. Returns Strings which can be resolved * by the caller. Strings are returned to separate the PolicyFile class from the * type of privileges used in a policy file. Additionally it is possible further @@ -65,6 +79,21 @@ public interface PolicyEngine { ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) throws SentryConfigurationException; + /** + * Get privileges associated with groups and users. Returns Strings which can be resolved by the + * caller. Strings are returned to separate the PolicyFile class from the type of privileges used + * in a policy file. Additionally it is possible further processing of the privileges is needed + * before resolving to a privilege object. + * + * @param group name + * @param user name + * @param active role-set + * @param authorizable Hierarchy (Can be null) + * @return non-null immutable set of privileges + */ + ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, ActiveRoleSet roleSet, + Authorizable... authorizableHierarchy) throws SentryConfigurationException; + void close(); void validatePolicy(boolean strictValidation) throws SentryConfigurationException; http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java index b5b584f..9d25592 100644 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java +++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java @@ -65,6 +65,12 @@ public class SimpleDBPolicyEngine implements PolicyEngine { return getPrivileges(groups, roleSet); } + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + /** * {@inheritDoc} */ @@ -82,6 +88,21 @@ public class SimpleDBPolicyEngine implements PolicyEngine { } @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) + throws SentryConfigurationException { + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet, + authorizableHierarchy); + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override public void validatePolicy(boolean strictValidation) throws SentryConfigurationException { this.providerBackend.validatePolicy(strictValidation); } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java index 2f4bc1d..8914319 100644 --- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java +++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java @@ -21,8 +21,8 @@ import java.util.Set; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.policy.common.PrivilegeFactory; import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.common.PrivilegeFactory; import org.apache.sentry.policy.common.PrivilegeValidator; import org.apache.sentry.provider.common.ProviderBackend; import org.apache.sentry.provider.common.ProviderBackendContext; @@ -67,6 +67,12 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine { return getPrivileges(groups, roleSet); } + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + /** * {@inheritDoc} */ @@ -83,6 +89,19 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine { } @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) { + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet); + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override public void validatePolicy(boolean strictValidation) throws SentryConfigurationException { throw new SentryConfigurationException("Not implemented yet"); http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java index 7e043e1..4d90544 100644 --- a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java +++ b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java @@ -84,4 +84,24 @@ public class SimpleKafkaPolicyEngine implements PolicyEngine { } } + @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) + throws SentryConfigurationException { + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet); + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java index bc518fb..c71036e 100644 --- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java +++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java @@ -21,8 +21,8 @@ import java.util.Set; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.policy.common.PrivilegeFactory; import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.common.PrivilegeFactory; import org.apache.sentry.policy.common.PrivilegeValidator; import org.apache.sentry.provider.common.ProviderBackend; import org.apache.sentry.provider.common.ProviderBackendContext; @@ -83,6 +83,25 @@ public class SimpleSearchPolicyEngine implements PolicyEngine { } @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) { + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet); + if (LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override public void validatePolicy(boolean strictValidation) throws SentryConfigurationException { providerBackend.validatePolicy(strictValidation); http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java index e8615a0..13f78c6 100644 --- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java +++ b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java @@ -69,6 +69,25 @@ public class SimpleSqoopPolicyEngine implements PolicyEngine { } @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) { + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users); + } + ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet); + if(LOGGER.isDebugEnabled()) { + LOGGER.debug("result = " + result); + } + return result; + } + + @Override public void close() { if (providerBackend != null) { providerBackend.close(); http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java index 811b931..28c5b76 100644 --- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java +++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java @@ -29,5 +29,12 @@ public interface PrivilegeCache { Set<String> listPrivileges(Set<String> groups, ActiveRoleSet roleSet); + /** + * Get the privileges for the give set of groups and users with the give active + * roles from the cache. + */ + Set<String> listPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet); + void close(); } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java index 73ed6c2..d8b9063 100644 --- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java +++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java @@ -66,6 +66,17 @@ public class SimpleCacheProviderBackend implements ProviderBackend { } @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) { + if (!initialized()) { + throw new IllegalStateException( + "Backend has not been properly initialized"); + } + return ImmutableSet.copyOf(cacheHandle.listPrivileges(groups, users, + roleSet)); + } + + @Override public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) { if (!initialized()) { throw new IllegalStateException( http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java index 2643a32..dd0c39a 100644 --- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java +++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java @@ -48,4 +48,12 @@ public class SimplePrivilegeCache implements PrivilegeCache { cachedPrivileges.clear(); } } + + @Override + public Set<String> listPrivileges(Set<String> groups, Set<String> users, ActiveRoleSet roleSet) { + if (cachedPrivileges == null) { + cachedPrivileges = new HashSet<String>(); + } + return cachedPrivileges; + } } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java index a7566e7..79e047e 100644 --- a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java +++ b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java @@ -60,4 +60,9 @@ public class PrivilegeCacheTestImpl implements PrivilegeCache { FileUtils.deleteQuietly(baseDir); } } + + @Override + public Set<String> listPrivileges(Set<String> groups, Set<String> users, ActiveRoleSet roleSet) { + return backend.getPrivileges(groups, users, roleSet); + } } http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java index b19a170..ffd3af4 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java @@ -45,11 +45,17 @@ public interface ProviderBackend { void initialize(ProviderBackendContext context); /** - * Get the privileges from the backend. + * Get the privileges from the backend for groups. */ ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy); /** + * Get the privileges from the backend for users and groups. + */ + ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy); + + /** * Get the roles associated with the groups from the backend. */ ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet); http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java index 0cf0b5d..b023c9a 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java @@ -95,12 +95,14 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv List<? extends Authorizable> authorizables, Set<? extends Action> actions, ActiveRoleSet roleSet) { Set<String> groups = getGroups(subject); + Set<String> users = Sets.newHashSet(subject.getName()); Set<String> hierarchy = new HashSet<String>(); for (Authorizable authorizable : authorizables) { hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName())); } List<String> requestPrivileges = buildPermissions(authorizables, actions); - Iterable<Privilege> privileges = getPrivileges(groups, roleSet, authorizables.toArray(new Authorizable[0])); + Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet, + authorizables.toArray(new Authorizable[0])); lastFailedPrivileges.get().clear(); for (String requestPrivilege : requestPrivileges) { @@ -123,8 +125,10 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv return false; } - private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable[] authorizables) { - return Iterables.transform(appendDefaultDBPriv(policy.getPrivileges(groups, roleSet, authorizables), authorizables), + private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable[] authorizables) { + ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet, authorizables); + return Iterables.transform(appendDefaultDBPriv(privileges, authorizables), new Function<String, Privilege>() { @Override public Privilege apply(String privilege) { @@ -172,7 +176,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv @Override public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException { - return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL); + return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()), + ActiveRoleSet.ALL, (Authorizable[]) null); } @Override http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java index 14af2d4..402574e 100644 --- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java +++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java @@ -20,11 +20,11 @@ import static org.junit.Assert.assertSame; import java.util.Set; +import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.SentryConfigurationException; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.policy.common.PrivilegeFactory; import org.apache.sentry.policy.common.PolicyEngine; +import org.apache.sentry.policy.common.PrivilegeFactory; import org.junit.Test; import com.google.common.collect.ImmutableSet; @@ -53,7 +53,7 @@ public class TestGetGroupMapping { @Override public ImmutableSet<String> getAllPrivileges(Set<String> groups, ActiveRoleSet roleSet) throws SentryConfigurationException { - return getPrivileges(groups, roleSet, null); + return getPrivileges(groups, roleSet); } @Override @@ -67,6 +67,19 @@ public class TestGetGroupMapping { } @Override + public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet) throws SentryConfigurationException { + return getPrivileges(groups, users, roleSet); + } + + @Override + public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users, + ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) + throws SentryConfigurationException { + return ImmutableSet.of(); + } + + @Override public void close() {} };
