SENTRY-1287: Create sentry-service-server module(Colin Ma, reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e72e6eac Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e72e6eac Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e72e6eac Branch: refs/heads/SENTRY-1205 Commit: e72e6eacfb0a4375f35c91ed1d1fcf6c7c914aa8 Parents: 4767ec3 Author: Colin Ma <[email protected]> Authored: Fri Jun 24 14:45:02 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Fri Jun 24 14:45:02 2016 +0800 ---------------------------------------------------------------------- pom.xml | 13 +- sentry-binding/sentry-binding-hive/pom.xml | 4 - .../policy/hive/TestPolicyParsingNegative.java | 2 +- ...sourceAuthorizationProviderSpecialCases.java | 2 +- .../hive/TestSimpleDBPolicyEngineDFS.java | 2 +- ...tKafkaAuthorizationProviderSpecialCases.java | 2 +- ...SearchAuthorizationProviderSpecialCases.java | 2 +- ...tSqoopAuthorizationProviderSpecialCases.java | 2 +- .../sentry/core/common/utils/PolicyFile.java | 202 ++ sentry-dist/pom.xml | 4 + sentry-dist/src/main/assembly/src.xml | 1 + sentry-hdfs/sentry-hdfs-common/pom.xml | 19 +- ...ndexerAuthorizationProviderSpecialCases.java | 2 +- sentry-provider/sentry-provider-db/pom.xml | 177 +- .../provider/db/SentryPolicyStorePlugin.java | 60 - .../service/persistent/DelegateSentryStore.java | 542 ---- .../service/persistent/PrivilegeObject.java | 231 -- .../persistent/PrivilegeOperatePersistence.java | 485 ---- .../service/persistent/SentryStoreLayer.java | 198 -- .../service/thrift/NotificationHandler.java | 47 - .../thrift/NotificationHandlerInvoker.java | 164 -- .../thrift/SentryGenericPolicyProcessor.java | 836 ------ .../SentryGenericPolicyProcessorFactory.java | 40 - .../SentryGenericPolicyProcessorWrapper.java | 39 - .../SentryGenericServiceClientDefaultImpl.java | 2 +- .../log/appender/AuditLoggerTestAppender.java | 52 - .../RollingFileWithoutDeleteAppender.java | 175 -- 
.../db/log/entity/AuditMetadataLogEntity.java | 155 - .../db/log/entity/DBAuditMetadataLogEntity.java | 124 - .../db/log/entity/GMAuditMetadataLogEntity.java | 97 - .../provider/db/log/entity/JsonLogEntity.java | 25 - .../db/log/entity/JsonLogEntityFactory.java | 351 --- .../provider/db/log/util/CommandUtil.java | 233 -- .../sentry/provider/db/log/util/Constants.java | 162 -- .../db/service/model/MSentryGMPrivilege.java | 497 ---- .../provider/db/service/model/MSentryGroup.java | 116 - .../db/service/model/MSentryPrivilege.java | 332 --- .../provider/db/service/model/MSentryRole.java | 216 -- .../provider/db/service/model/MSentryUser.java | 116 - .../db/service/model/MSentryVersion.java | 66 - .../provider/db/service/model/package.jdo | 242 -- .../db/service/persistent/CommitContext.java | 42 - .../db/service/persistent/SentryStore.java | 2672 ------------------ .../persistent/SentryStoreSchemaInfo.java | 143 - .../db/service/persistent/ServiceRegister.java | 52 - .../provider/db/service/thrift/ConfServlet.java | 69 - .../db/service/thrift/NotificationHandler.java | 79 - .../thrift/NotificationHandlerInvoker.java | 176 -- .../db/service/thrift/PolicyStoreConstants.java | 32 - .../db/service/thrift/SentryAuthFilter.java | 92 - ...SentryHealthCheckServletContextListener.java | 35 - .../db/service/thrift/SentryMetrics.java | 162 -- .../SentryMetricsServletContextListener.java | 32 - .../SentryPolicyServiceClientDefaultImpl.java | 2 +- .../thrift/SentryPolicyStoreProcessor.java | 1113 -------- .../SentryPolicyStoreProcessorFactory.java | 39 - .../service/thrift/SentryProcessorWrapper.java | 37 - .../db/service/thrift/SentryWebServer.java | 184 -- .../provider/db/service/thrift/ThriftUtil.java | 112 - .../provider/db/tools/SentrySchemaHelper.java | 315 --- .../provider/db/tools/SentrySchemaTool.java | 595 ---- .../sentry/service/thrift/GSSCallback.java | 110 - .../service/thrift/KerberosConfiguration.java | 107 - .../sentry/service/thrift/ProcessorFactory.java | 31 - 
.../service/thrift/SentryKerberosContext.java | 157 - .../sentry/service/thrift/SentryService.java | 426 --- .../service/thrift/SentryServiceFactory.java | 28 - .../service/thrift/SentryServiceUtil.java | 158 -- .../src/main/resources/001-SENTRY-327.derby.sql | 2 - .../src/main/resources/001-SENTRY-327.mysql.sql | 2 - .../main/resources/001-SENTRY-327.oracle.sql | 2 - .../main/resources/001-SENTRY-327.postgres.sql | 2 - .../src/main/resources/002-SENTRY-339.derby.sql | 13 - .../src/main/resources/002-SENTRY-339.mysql.sql | 13 - .../main/resources/002-SENTRY-339.oracle.sql | 13 - .../main/resources/002-SENTRY-339.postgres.sql | 13 - .../src/main/resources/003-SENTRY-380.derby.sql | 7 - .../src/main/resources/003-SENTRY-380.mysql.sql | 7 - .../main/resources/003-SENTRY-380.oracle.sql | 7 - .../main/resources/003-SENTRY-380.postgres.sql | 7 - .../src/main/resources/004-SENTRY-74.derby.sql | 4 - .../src/main/resources/004-SENTRY-74.mysql.sql | 4 - .../src/main/resources/004-SENTRY-74.oracle.sql | 4 - .../main/resources/004-SENTRY-74.postgres.sql | 4 - .../src/main/resources/005-SENTRY-398.derby.sql | 43 - .../src/main/resources/005-SENTRY-398.mysql.sql | 62 - .../main/resources/005-SENTRY-398.oracle.sql | 55 - .../main/resources/005-SENTRY-398.postgres.sql | 54 - .../src/main/resources/006-SENTRY-711.derby.sql | 27 - .../src/main/resources/006-SENTRY-711.mysql.sql | 28 - .../main/resources/006-SENTRY-711.oracle.sql | 28 - .../main/resources/006-SENTRY-711.postgres.sql | 28 - .../src/main/resources/sentry-db2-1.4.0.sql | 112 - .../src/main/resources/sentry-db2-1.5.0.sql | 155 - .../src/main/resources/sentry-db2-1.6.0.sql | 155 - .../src/main/resources/sentry-db2-1.7.0.sql | 155 - .../src/main/resources/sentry-db2-1.8.0.sql | 183 -- .../src/main/resources/sentry-derby-1.4.0.sql | 112 - .../src/main/resources/sentry-derby-1.5.0.sql | 155 - .../src/main/resources/sentry-derby-1.6.0.sql | 155 - .../src/main/resources/sentry-derby-1.7.0.sql | 155 - 
.../src/main/resources/sentry-derby-1.8.0.sql | 184 -- .../src/main/resources/sentry-mysql-1.4.0.sql | 126 - .../src/main/resources/sentry-mysql-1.5.0.sql | 192 -- .../src/main/resources/sentry-mysql-1.6.0.sql | 193 -- .../src/main/resources/sentry-mysql-1.7.0.sql | 193 -- .../src/main/resources/sentry-mysql-1.8.0.sql | 223 -- .../src/main/resources/sentry-oracle-1.4.0.sql | 110 - .../src/main/resources/sentry-oracle-1.5.0.sql | 168 -- .../src/main/resources/sentry-oracle-1.6.0.sql | 168 -- .../src/main/resources/sentry-oracle-1.7.0.sql | 168 -- .../src/main/resources/sentry-oracle-1.8.0.sql | 197 -- .../main/resources/sentry-postgres-1.4.0.sql | 124 - .../main/resources/sentry-postgres-1.5.0.sql | 182 -- .../main/resources/sentry-postgres-1.6.0.sql | 182 -- .../main/resources/sentry-postgres-1.7.0.sql | 182 -- .../main/resources/sentry-postgres-1.8.0.sql | 211 -- .../sentry-upgrade-db2-1.4.0-to-1.5.0.sql | 61 - .../sentry-upgrade-db2-1.5.0-to-1.6.0.sql | 2 - .../sentry-upgrade-db2-1.6.0-to-1.7.0.sql | 2 - .../sentry-upgrade-db2-1.7.0-to-1.8.0.sql | 31 - .../sentry-upgrade-derby-1.4.0-to-1.5.0.sql | 8 - .../sentry-upgrade-derby-1.5.0-to-1.6.0.sql | 2 - .../sentry-upgrade-derby-1.6.0-to-1.7.0.sql | 2 - .../sentry-upgrade-derby-1.7.0-to-1.8.0.sql | 4 - .../sentry-upgrade-mysql-1.4.0-to-1.5.0.sql | 10 - .../sentry-upgrade-mysql-1.5.0-to-1.6.0.sql | 5 - .../sentry-upgrade-mysql-1.6.0-to-1.7.0.sql | 5 - .../sentry-upgrade-mysql-1.7.0-to-1.8.0.sql | 6 - .../sentry-upgrade-oracle-1.4.0-to-1.5.0.sql | 9 - .../sentry-upgrade-oracle-1.5.0-to-1.6.0.sql | 5 - .../sentry-upgrade-oracle-1.6.0-to-1.7.0.sql | 5 - .../sentry-upgrade-oracle-1.7.0-to-1.8.0.sql | 6 - .../sentry-upgrade-postgres-1.4.0-to-1.5.0.sql | 9 - .../sentry-upgrade-postgres-1.5.0-to-1.6.0.sql | 5 - .../sentry-upgrade-postgres-1.6.0-to-1.7.0.sql | 5 - .../sentry-upgrade-postgres-1.7.0-to-1.8.0.sql | 6 - .../src/main/resources/upgrade.order.db2 | 4 - .../src/main/resources/upgrade.order.derby | 4 - 
.../src/main/resources/upgrade.order.mysql | 4 - .../src/main/resources/upgrade.order.oracle | 4 - .../src/main/resources/upgrade.order.postgres | 4 - .../src/main/webapp/SentryService.html | 61 - .../src/main/webapp/css/bootstrap-theme.min.css | 10 - .../src/main/webapp/css/bootstrap.min.css | 9 - .../src/main/webapp/css/sentry.css | 52 - .../src/main/webapp/sentry.png | Bin 3223 -> 0 bytes .../persistent/SentryStoreIntegrationBase.java | 91 - .../persistent/TestDelegateSentryStore.java | 182 -- .../TestPrivilegeOperatePersistence.java | 1139 -------- .../persistent/TestSentryGMPrivilege.java | 207 -- .../service/persistent/TestSentryRole.java | 372 --- .../SentryGenericServiceIntegrationBase.java | 73 - .../TestAuditLogForSentryGenericService.java | 296 -- .../TestSentryGenericPolicyProcessor.java | 353 --- .../TestSentryGenericServiceIntegration.java | 503 ---- .../generic/tools/TestSentryConfigToolSolr.java | 261 -- .../db/generic/tools/TestSentryShellKafka.java | 542 ---- .../db/generic/tools/TestSentryShellSolr.java | 525 ---- .../TestRollingFileWithoutDeleteAppender.java | 106 - .../entity/TestDbAuditMetadataLogEntity.java | 69 - .../entity/TestGMAuditMetadataLogEntity.java | 74 - .../db/log/entity/TestJsonLogEntityFactory.java | 272 -- .../log/entity/TestJsonLogEntityFactoryGM.java | 259 -- .../provider/db/log/util/TestCommandUtil.java | 416 --- .../service/persistent/TestSentryPrivilege.java | 245 -- .../persistent/TestSentryServiceDiscovery.java | 123 - .../db/service/persistent/TestSentryStore.java | 2090 -------------- .../persistent/TestSentryStoreImportExport.java | 1164 -------- .../TestSentryStoreToAuthorizable.java | 86 - .../service/persistent/TestSentryVersion.java | 85 - .../service/thrift/SentryMiniKdcTestcase.java | 68 - .../TestAuthorizingDDLAuditLogWithKerberos.java | 295 -- .../thrift/TestConnectionWithTicketTimeout.java | 57 - .../thrift/TestNotificationHandlerInvoker.java | 112 - .../thrift/TestSentryPolicyStoreProcessor.java | 81 - 
.../TestSentryServerForHaWithoutKerberos.java | 219 -- ...estSentryServerForPoolHAWithoutKerberos.java | 36 - .../TestSentryServerForPoolWithoutKerberos.java | 36 - .../thrift/TestSentryServerWithoutKerberos.java | 214 -- .../thrift/TestSentryServiceClientPool.java | 111 - .../thrift/TestSentryServiceFailureCase.java | 74 - .../TestSentryServiceForHAWithKerberos.java | 75 - .../TestSentryServiceForPoolHAWithKerberos.java | 36 - .../TestSentryServiceForPoolWithKerberos.java | 36 - .../thrift/TestSentryServiceImportExport.java | 751 ----- .../thrift/TestSentryServiceIntegration.java | 1102 -------- .../TestSentryServiceWithInvalidMsgSize.java | 119 - .../thrift/TestSentryServiceWithKerberos.java | 58 - .../thrift/TestSentryWebServerWithKerberos.java | 136 - .../thrift/TestSentryWebServerWithSSL.java | 52 - .../TestSentryWebServerWithoutSecurity.java | 87 - .../provider/db/tools/TestSentrySchemaTool.java | 94 - .../provider/db/tools/TestSentryShellHive.java | 608 ---- .../thrift/SentryServiceIntegrationBase.java | 355 --- .../src/test/resources/cacerts.jks | Bin 954 -> 0 bytes .../src/test/resources/keystore.jks | Bin 2245 -> 0 bytes .../src/test/resources/log4j.properties | 34 - .../src/test/resources/solr_case.ini | 26 - .../test/resources/solr_config_import_tool.ini | 29 - .../src/test/resources/solr_invalid.ini | 21 - .../apache/sentry/provider/file/PolicyFile.java | 202 -- sentry-service/pom.xml | 1 + .../service/thrift/SentryServiceUtil.java | 158 ++ .../sentry/service/thrift/ServiceConstants.java | 2 + sentry-service/sentry-service-server/pom.xml | 283 ++ .../provider/db/SentryPolicyStorePlugin.java | 60 + .../service/persistent/DelegateSentryStore.java | 542 ++++ .../service/persistent/PrivilegeObject.java | 231 ++ .../persistent/PrivilegeOperatePersistence.java | 485 ++++ .../service/persistent/SentryStoreLayer.java | 198 ++ .../service/thrift/NotificationHandler.java | 47 + .../thrift/NotificationHandlerInvoker.java | 164 ++ 
.../thrift/SentryGenericPolicyProcessor.java | 835 ++++++ .../SentryGenericPolicyProcessorFactory.java | 41 + .../SentryGenericPolicyProcessorWrapper.java | 39 + .../log/appender/AuditLoggerTestAppender.java | 52 + .../RollingFileWithoutDeleteAppender.java | 175 ++ .../db/log/entity/AuditMetadataLogEntity.java | 155 + .../db/log/entity/DBAuditMetadataLogEntity.java | 124 + .../db/log/entity/GMAuditMetadataLogEntity.java | 97 + .../provider/db/log/entity/JsonLogEntity.java | 25 + .../db/log/entity/JsonLogEntityFactory.java | 351 +++ .../provider/db/log/util/CommandUtil.java | 233 ++ .../sentry/provider/db/log/util/Constants.java | 162 ++ .../db/service/model/MSentryGMPrivilege.java | 497 ++++ .../provider/db/service/model/MSentryGroup.java | 116 + .../db/service/model/MSentryPrivilege.java | 332 +++ .../provider/db/service/model/MSentryRole.java | 216 ++ .../provider/db/service/model/MSentryUser.java | 116 + .../db/service/model/MSentryVersion.java | 66 + .../provider/db/service/model/package.jdo | 242 ++ .../db/service/persistent/CommitContext.java | 42 + .../db/service/persistent/SentryStore.java | 2672 ++++++++++++++++++ .../persistent/SentryStoreSchemaInfo.java | 143 + .../db/service/persistent/ServiceRegister.java | 52 + .../provider/db/service/thrift/ConfServlet.java | 69 + .../db/service/thrift/NotificationHandler.java | 79 + .../thrift/NotificationHandlerInvoker.java | 176 ++ .../db/service/thrift/PolicyStoreConstants.java | 32 + .../db/service/thrift/SentryAuthFilter.java | 92 + ...SentryHealthCheckServletContextListener.java | 35 + .../db/service/thrift/SentryMetrics.java | 162 ++ .../SentryMetricsServletContextListener.java | 32 + .../thrift/SentryPolicyStoreProcessor.java | 1111 ++++++++ .../SentryPolicyStoreProcessorFactory.java | 40 + .../service/thrift/SentryProcessorWrapper.java | 37 + .../db/service/thrift/SentryWebServer.java | 184 ++ .../provider/db/service/thrift/ThriftUtil.java | 112 + .../provider/db/tools/SentrySchemaHelper.java | 315 +++ 
.../provider/db/tools/SentrySchemaTool.java | 595 ++++ .../sentry/service/thrift/GSSCallback.java | 110 + .../service/thrift/KerberosConfiguration.java | 107 + .../sentry/service/thrift/ProcessorFactory.java | 31 + .../service/thrift/SentryKerberosContext.java | 157 + .../sentry/service/thrift/SentryService.java | 426 +++ .../service/thrift/SentryServiceFactory.java | 28 + .../src/main/resources/001-SENTRY-327.derby.sql | 2 + .../src/main/resources/001-SENTRY-327.mysql.sql | 2 + .../main/resources/001-SENTRY-327.oracle.sql | 2 + .../main/resources/001-SENTRY-327.postgres.sql | 2 + .../src/main/resources/002-SENTRY-339.derby.sql | 13 + .../src/main/resources/002-SENTRY-339.mysql.sql | 13 + .../main/resources/002-SENTRY-339.oracle.sql | 13 + .../main/resources/002-SENTRY-339.postgres.sql | 13 + .../src/main/resources/003-SENTRY-380.derby.sql | 7 + .../src/main/resources/003-SENTRY-380.mysql.sql | 7 + .../main/resources/003-SENTRY-380.oracle.sql | 7 + .../main/resources/003-SENTRY-380.postgres.sql | 7 + .../src/main/resources/004-SENTRY-74.derby.sql | 4 + .../src/main/resources/004-SENTRY-74.mysql.sql | 4 + .../src/main/resources/004-SENTRY-74.oracle.sql | 4 + .../main/resources/004-SENTRY-74.postgres.sql | 4 + .../src/main/resources/005-SENTRY-398.derby.sql | 43 + .../src/main/resources/005-SENTRY-398.mysql.sql | 62 + .../main/resources/005-SENTRY-398.oracle.sql | 55 + .../main/resources/005-SENTRY-398.postgres.sql | 54 + .../src/main/resources/006-SENTRY-711.derby.sql | 27 + .../src/main/resources/006-SENTRY-711.mysql.sql | 28 + .../main/resources/006-SENTRY-711.oracle.sql | 28 + .../main/resources/006-SENTRY-711.postgres.sql | 28 + .../src/main/resources/sentry-db2-1.4.0.sql | 112 + .../src/main/resources/sentry-db2-1.5.0.sql | 155 + .../src/main/resources/sentry-db2-1.6.0.sql | 155 + .../src/main/resources/sentry-db2-1.7.0.sql | 155 + .../src/main/resources/sentry-db2-1.8.0.sql | 183 ++ .../src/main/resources/sentry-derby-1.4.0.sql | 112 + 
.../src/main/resources/sentry-derby-1.5.0.sql | 155 + .../src/main/resources/sentry-derby-1.6.0.sql | 155 + .../src/main/resources/sentry-derby-1.7.0.sql | 155 + .../src/main/resources/sentry-derby-1.8.0.sql | 184 ++ .../src/main/resources/sentry-mysql-1.4.0.sql | 126 + .../src/main/resources/sentry-mysql-1.5.0.sql | 192 ++ .../src/main/resources/sentry-mysql-1.6.0.sql | 193 ++ .../src/main/resources/sentry-mysql-1.7.0.sql | 193 ++ .../src/main/resources/sentry-mysql-1.8.0.sql | 223 ++ .../src/main/resources/sentry-oracle-1.4.0.sql | 110 + .../src/main/resources/sentry-oracle-1.5.0.sql | 168 ++ .../src/main/resources/sentry-oracle-1.6.0.sql | 168 ++ .../src/main/resources/sentry-oracle-1.7.0.sql | 168 ++ .../src/main/resources/sentry-oracle-1.8.0.sql | 197 ++ .../main/resources/sentry-postgres-1.4.0.sql | 124 + .../main/resources/sentry-postgres-1.5.0.sql | 182 ++ .../main/resources/sentry-postgres-1.6.0.sql | 182 ++ .../main/resources/sentry-postgres-1.7.0.sql | 182 ++ .../main/resources/sentry-postgres-1.8.0.sql | 211 ++ .../sentry-upgrade-db2-1.4.0-to-1.5.0.sql | 61 + .../sentry-upgrade-db2-1.5.0-to-1.6.0.sql | 2 + .../sentry-upgrade-db2-1.6.0-to-1.7.0.sql | 2 + .../sentry-upgrade-db2-1.7.0-to-1.8.0.sql | 31 + .../sentry-upgrade-derby-1.4.0-to-1.5.0.sql | 8 + .../sentry-upgrade-derby-1.5.0-to-1.6.0.sql | 2 + .../sentry-upgrade-derby-1.6.0-to-1.7.0.sql | 2 + .../sentry-upgrade-derby-1.7.0-to-1.8.0.sql | 4 + .../sentry-upgrade-mysql-1.4.0-to-1.5.0.sql | 10 + .../sentry-upgrade-mysql-1.5.0-to-1.6.0.sql | 5 + .../sentry-upgrade-mysql-1.6.0-to-1.7.0.sql | 5 + .../sentry-upgrade-mysql-1.7.0-to-1.8.0.sql | 6 + .../sentry-upgrade-oracle-1.4.0-to-1.5.0.sql | 9 + .../sentry-upgrade-oracle-1.5.0-to-1.6.0.sql | 5 + .../sentry-upgrade-oracle-1.6.0-to-1.7.0.sql | 5 + .../sentry-upgrade-oracle-1.7.0-to-1.8.0.sql | 6 + .../sentry-upgrade-postgres-1.4.0-to-1.5.0.sql | 9 + .../sentry-upgrade-postgres-1.5.0-to-1.6.0.sql | 5 + .../sentry-upgrade-postgres-1.6.0-to-1.7.0.sql | 5 + 
.../sentry-upgrade-postgres-1.7.0-to-1.8.0.sql | 6 + .../src/main/resources/upgrade.order.db2 | 4 + .../src/main/resources/upgrade.order.derby | 4 + .../src/main/resources/upgrade.order.mysql | 4 + .../src/main/resources/upgrade.order.oracle | 4 + .../src/main/resources/upgrade.order.postgres | 4 + .../src/main/webapp/SentryService.html | 61 + .../src/main/webapp/css/bootstrap-theme.min.css | 10 + .../src/main/webapp/css/bootstrap.min.css | 9 + .../src/main/webapp/css/sentry.css | 52 + .../src/main/webapp/sentry.png | Bin 0 -> 3223 bytes .../persistent/SentryStoreIntegrationBase.java | 91 + .../persistent/TestDelegateSentryStore.java | 182 ++ .../TestPrivilegeOperatePersistence.java | 1139 ++++++++ .../persistent/TestSentryGMPrivilege.java | 207 ++ .../service/persistent/TestSentryRole.java | 372 +++ .../SentryGenericServiceIntegrationBase.java | 73 + .../TestAuditLogForSentryGenericService.java | 296 ++ .../TestSentryGenericPolicyProcessor.java | 349 +++ .../TestSentryGenericServiceIntegration.java | 503 ++++ .../generic/tools/TestSentryConfigToolSolr.java | 261 ++ .../db/generic/tools/TestSentryShellKafka.java | 542 ++++ .../db/generic/tools/TestSentryShellSolr.java | 525 ++++ .../TestRollingFileWithoutDeleteAppender.java | 103 + .../entity/TestDbAuditMetadataLogEntity.java | 67 + .../entity/TestGMAuditMetadataLogEntity.java | 72 + .../db/log/entity/TestJsonLogEntityFactory.java | 272 ++ .../log/entity/TestJsonLogEntityFactoryGM.java | 259 ++ .../provider/db/log/util/TestCommandUtil.java | 416 +++ .../service/persistent/TestSentryPrivilege.java | 245 ++ .../persistent/TestSentryServiceDiscovery.java | 123 + .../db/service/persistent/TestSentryStore.java | 2090 ++++++++++++++ .../persistent/TestSentryStoreImportExport.java | 1164 ++++++++ .../TestSentryStoreToAuthorizable.java | 86 + .../service/persistent/TestSentryVersion.java | 84 + .../service/thrift/SentryMiniKdcTestcase.java | 68 + .../TestAuthorizingDDLAuditLogWithKerberos.java | 295 ++ 
.../thrift/TestConnectionWithTicketTimeout.java | 57 + .../thrift/TestNotificationHandlerInvoker.java | 112 + .../thrift/TestSentryPolicyStoreProcessor.java | 81 + .../TestSentryServerForHaWithoutKerberos.java | 219 ++ ...estSentryServerForPoolHAWithoutKerberos.java | 36 + .../TestSentryServerForPoolWithoutKerberos.java | 37 + .../thrift/TestSentryServerWithoutKerberos.java | 214 ++ .../thrift/TestSentryServiceClientPool.java | 111 + .../thrift/TestSentryServiceFailureCase.java | 74 + .../TestSentryServiceForHAWithKerberos.java | 75 + .../TestSentryServiceForPoolHAWithKerberos.java | 39 + .../TestSentryServiceForPoolWithKerberos.java | 37 + .../thrift/TestSentryServiceImportExport.java | 751 +++++ .../thrift/TestSentryServiceIntegration.java | 1102 ++++++++ .../TestSentryServiceWithInvalidMsgSize.java | 119 + .../thrift/TestSentryServiceWithKerberos.java | 58 + .../thrift/TestSentryWebServerWithKerberos.java | 136 + .../thrift/TestSentryWebServerWithSSL.java | 52 + .../TestSentryWebServerWithoutSecurity.java | 87 + .../provider/db/tools/TestSentrySchemaTool.java | 94 + .../provider/db/tools/TestSentryShellHive.java | 608 ++++ .../thrift/SentryServiceIntegrationBase.java | 355 +++ .../src/test/resources/cacerts.jks | Bin 0 -> 954 bytes .../src/test/resources/keystore.jks | Bin 0 -> 2245 bytes .../src/test/resources/log4j.properties | 34 + .../src/test/resources/solr_case.ini | 26 + .../test/resources/solr_config_import_tool.ini | 29 + .../src/test/resources/solr_invalid.ini | 21 + sentry-tests/sentry-tests-hive/pom.xml | 2 +- .../dbprovider/AbstractTestWithDbProvider.java | 2 +- .../e2e/dbprovider/TestConcurrentClients.java | 2 +- .../tests/e2e/dbprovider/TestDbComplexView.java | 2 +- .../tests/e2e/dbprovider/TestDbConnections.java | 2 +- .../tests/e2e/dbprovider/TestDbEndToEnd.java | 2 +- .../sentry/tests/e2e/ha/TestHaEnd2End.java | 2 +- .../tests/e2e/hdfs/TestHDFSIntegration.java | 2 +- .../AbstractTestWithStaticConfiguration.java | 2 +- 
.../sentry/tests/e2e/hive/TestConfigTool.java | 2 +- .../sentry/tests/e2e/hive/TestCrossDbOps.java | 2 +- .../e2e/hive/TestCustomSerdePrivileges.java | 2 +- .../sentry/tests/e2e/hive/TestEndToEnd.java | 2 +- .../e2e/hive/TestExportImportPrivileges.java | 2 +- .../tests/e2e/hive/TestJDBCInterface.java | 2 +- .../tests/e2e/hive/TestLockPrivileges.java | 2 +- .../e2e/hive/TestMetadataObjectRetrieval.java | 2 +- .../tests/e2e/hive/TestMetadataPermissions.java | 2 +- .../tests/e2e/hive/TestMovingToProduction.java | 2 +- .../tests/e2e/hive/TestOperationsPart1.java | 2 +- .../tests/e2e/hive/TestOperationsPart2.java | 2 +- .../tests/e2e/hive/TestPerDBConfiguration.java | 2 +- .../e2e/hive/TestPerDatabasePolicyFile.java | 2 +- .../e2e/hive/TestPrivilegeAtTransform.java | 2 +- .../e2e/hive/TestPrivilegesAtColumnScope.java | 2 +- .../e2e/hive/TestPrivilegesAtDatabaseScope.java | 2 +- .../e2e/hive/TestPrivilegesAtFunctionScope.java | 2 +- .../hive/TestPrivilegesAtTableScopePart1.java | 2 +- .../hive/TestPrivilegesAtTableScopePart2.java | 2 +- .../tests/e2e/hive/TestReloadPrivileges.java | 2 +- .../e2e/hive/TestRuntimeMetadataRetrieval.java | 2 +- .../sentry/tests/e2e/hive/TestSandboxOps.java | 2 +- .../hive/TestSentryOnFailureHookLoading.java | 2 +- .../tests/e2e/hive/TestServerConfiguration.java | 2 +- .../tests/e2e/hive/TestUriPermissions.java | 2 +- .../tests/e2e/hive/TestUserManagement.java | 2 +- .../tests/e2e/hive/TestViewPrivileges.java | 2 +- ...actMetastoreTestWithStaticConfiguration.java | 2 +- .../metastore/SentryPolicyProviderForDb.java | 2 +- .../metastore/TestAuthorizingObjectStore.java | 2 +- .../e2e/metastore/TestMetaStoreWithPigHCat.java | 2 +- .../e2e/metastore/TestMetastoreEndToEnd.java | 2 +- sentry-tests/sentry-tests-kafka/pom.xml | 3 +- .../e2e/kafka/AbstractKafkaSentryTestBase.java | 2 +- sentry-tests/sentry-tests-solr/pom.xml | 2 +- .../AbstractSolrSentryTestWithDbProvider.java | 2 +- sentry-tests/sentry-tests-sqoop/pom.xml | 2 +- 
.../e2e/sqoop/AbstractSqoopSentryTestBase.java | 2 +- 438 files changed, 32545 insertions(+), 32396 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index ce48f68..a434fdb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -75,6 +75,7 @@ limitations under the License.
 <jackson.version>1.8.8</jackson.version>
 <jdo-api.version>3.0.1</jdo-api.version>
 <jettyVersion>8.1.19.v20160209</jettyVersion>
+ <jetty.aggregate>7.6.0.v20120127</jetty.aggregate>
 <joda-time.version>2.5</joda-time.version>
 <junit.version>4.10</junit.version>
 <libfb303.version>0.9.3</libfb303.version>
@@ -430,6 +431,11 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-server</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
 <artifactId>sentry-provider-common</artifactId>
 <version>${project.version}</version>
 </dependency>
@@ -470,7 +476,7 @@ limitations under the License.
 </dependency>
 <dependency>
 <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
 <version>${project.version}</version>
 <type>test-jar</type>
 </dependency>
@@ -620,6 +626,11 @@ limitations under the License.
 <artifactId>jetty-servlet</artifactId>
 <version>${jettyVersion}</version>
 </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty.aggregate</groupId>
+ <artifactId>jetty-all</artifactId>
+ <version>${jetty.aggregate}</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
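Review bot: The added `jetty.aggregate` property (first pom.xml hunk) and the `jetty-all` entry in `dependencyManagement` (last pom.xml hunk) pin a second Jetty line, 7.6.0.v20120127, next to the `${jettyVersion}` 8.1.19.v20160209 already managed for `jetty-servlet`. `jetty-all` bundles the same `org.eclipse.jetty` packages as the individual artifacts, so a module that resolves both gets duplicate classes from two major versions and the copy that loads depends on classpath order; for the web-facing classes this commit moves (SentryWebServer, SentryAuthFilter) that could mean running on the older build, which, going by the version stamps, is about four years behind on upstream fixes. If the aggregate is only needed by a test or transitive dependency, I would state that in a comment above the property and restrict it where it is consumed with `<scope>test</scope>`; otherwise prefer managing the specific 8.1.x artifacts with `<version>${jettyVersion}</version>`. The consuming module pom (sentry-service-server/pom.xml) is not visible in this excerpt, so how the aggregate is actually used should be checked there.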
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index 07aaae3..a46f7d8 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -112,10 +112,6 @@ limitations under the License.
 </dependency>
 <!-- required for SentryGrantRevokeTask -->
 <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
- </dependency>
- <dependency>
 <groupId>org.apache.hadoop</groupId>
 <artifactId>hadoop-minicluster</artifactId>
 <scope>test</scope>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
index 4dc8812..0a53088 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
@@ -24,7 +24,7 @@ import org.junit.Assert;
 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
index 6fe9e6b..040f467 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
@@ -36,7 +36,7 @@ import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
index 97cf615..f86516f 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
@@ -28,7 +28,7 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
index 63d2f30..6109059 100644
--- a/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
@@ -38,7 +38,7 @@ import org.apache.sentry.core.model.kafka.Topic;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
index 371f361..80e3f4a 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
@@ -35,7 +35,7 @@ import org.apache.sentry.core.model.search.SearchPrivilegeModel;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
index 8d69402..4bcf3b1 100644
--- a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
@@ -38,7 +38,7 @@ import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
new file mode 100644
index 0000000..a6ef0b3
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
@@ -0,0 +1,202 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.core.common.utils; + +import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES; +import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS; +import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES; +import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS; + +import java.io.File; +import java.util.Collection; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Charsets; +import com.google.common.base.Joiner; +import com.google.common.collect.ArrayListMultimap; +import com.google.common.collect.Lists; +import com.google.common.collect.Maps; +import com.google.common.collect.Multimap; +import com.google.common.io.Files; + +/** + * PolicyFile creator. Written specifically to be used with tests. Specifically + * due to the fact that methods that would typically return true or false to + * indicate success or failure these methods throw an unchecked exception. 
+ * This is because in a test if you mean to remove a user from the policy file, + * the user should absolutely be there. If not, the test is mis-behaving. + */ +@VisibleForTesting +public class PolicyFile { + + private static final Logger LOGGER = LoggerFactory + .getLogger(PolicyFile.class); + + private static final String NL = System.getProperty("line.separator", "\n"); + + private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap(); + private final Multimap<String, String> usersToGroups = ArrayListMultimap.create(); + private final Multimap<String, String> groupsToRoles = ArrayListMultimap + .create(); + private final Multimap<String, String> rolesToPermissions = ArrayListMultimap + .create(); + + public Multimap<String, String> getGroupsToRoles() { + return groupsToRoles; + } + public Multimap<String, String> getRolesToPermissions() { + return rolesToPermissions; + } + public PolicyFile addRolesToGroup(String groupName, String... roleNames) + throws Exception { + return addRolesToGroup(groupName, false, roleNames); + } + public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) { + return add(groupsToRoles.get(groupName), allowDuplicates, roleNames); + } + public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) { + return addPermissionsToRole(roleName, false, permissionNames); + } + public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) { + return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames); + } + public PolicyFile addGroupsToUser(String userName, String... groupNames) { + LOGGER.warn("Static user:group mapping is not being used"); + return addGroupsToUser(userName, false, groupNames); + } + public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... 
groupNames) { + LOGGER.warn("Static user:group mapping is not being used"); + return add(usersToGroups.get(userName), allowDuplicates, groupNames); + } + public PolicyFile setUserGroupMapping(Map<String, String> mapping) { + for (Entry<String, String> entry : mapping.entrySet()) { + usersToGroups.put(entry.getKey(), entry.getValue()); + } + return this; + } + public PolicyFile addDatabase(String databaseName, String path) { + String oldPath = databasesToPolicyFiles.put(databaseName, path); + if (oldPath != null) { + throw new IllegalStateException("Database " + databaseName + " already existed in " + + databasesToPolicyFiles + " with value of " + oldPath); + } + databasesToPolicyFiles.put(databaseName, path); + return this; + } + public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) { + return remove(groupsToRoles.get(groupName), roleNames); + } + public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) { + return remove(rolesToPermissions.get(roleName), permissionNames); + } + public PolicyFile removeGroupsFromUser(String userName, String... 
groupNames) { + LOGGER.warn("Static user:group mapping is not being used"); + return remove(usersToGroups.get(userName), groupNames); + } + public PolicyFile removeDatabase(String databaseName) { + if(databasesToPolicyFiles.remove(databaseName) == null) { + throw new IllegalStateException("Database " + databaseName + " did not exist in " + + databasesToPolicyFiles); + } + return this; + } + public PolicyFile copy() { + PolicyFile other = new PolicyFile(); + other.databasesToPolicyFiles.putAll(databasesToPolicyFiles); + other.usersToGroups.putAll(usersToGroups); + other.groupsToRoles.putAll(groupsToRoles); + other.rolesToPermissions.putAll(rolesToPermissions); + return other; + } + + public void write(File clientFile, File serverFile) throws Exception { + write(clientFile); + write(serverFile); + } + + public void write(File file) throws Exception { + if(file.exists() && !file.delete()) { + throw new IllegalStateException("Unable to delete " + file); + } + String contents = Joiner.on(NL) + .join(getSection(DATABASES, databasesToPolicyFiles), + getSection(USERS, usersToGroups), + getSection(GROUPS, groupsToRoles), + getSection(ROLES, rolesToPermissions), + ""); + LOGGER.info("Writing policy file to " + file + ":\n" + contents); + Files.write(contents, file, Charsets.UTF_8); + } + + private String getSection(String name, Map<String, String> mapping) { + if(mapping.isEmpty()) { + return ""; + } + Joiner kvJoiner = Joiner.on(" = "); + List<String> lines = Lists.newArrayList(); + lines.add("[" + name + "]"); + for (Entry<String, String> entry : mapping.entrySet()) { + lines.add(kvJoiner.join(entry.getKey(), entry.getValue())); + } + return Joiner.on(NL).join(lines); + } + private String getSection(String name, Multimap<String, String> mapping) { + if(mapping.isEmpty()) { + return ""; + } + Joiner kvJoiner = Joiner.on(" = "); + Joiner itemJoiner = Joiner.on(" , "); + List<String> lines = Lists.newArrayList(); + lines.add("[" + name + "]"); + for(String key : 
mapping.keySet()) { + lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key)))); + } + return Joiner.on(NL).join(lines); + } + + private PolicyFile remove(Collection<String> exitingItems, String[] newItems) { + for(String newItem : newItems) { + if(!exitingItems.remove(newItem)) { + throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems); + } + } + return this; + } + private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) { + for(String newItem : newItems) { + if(exitingItems.contains(newItem) && !allowDuplicates) { + throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems); + } + exitingItems.add(newItem); + } + return this; + } + + //User:Group mapping for the admin user needs to be set separately + public static PolicyFile setAdminOnServer1(String admin) throws Exception { + return new PolicyFile() + .addRolesToGroup(admin, "admin_role") + .addPermissionsToRole("admin_role", "server=server1"); + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-dist/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index 0403770..8b3022f 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -76,6 +76,10 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-service-server</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-common</artifactId> </dependency> <dependency> http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-dist/src/main/assembly/src.xml ---------------------------------------------------------------------- diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml index c730c58..6801b85 100644 --- a/sentry-dist/src/main/assembly/src.xml 
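Review bot: In `addDatabase` the duplicate check runs only after `databasesToPolicyFiles.put(databaseName, path)` has already replaced the existing entry, so the mapping is overwritten even though an `IllegalStateException` is thrown, and the second `put` after the check is redundant. Test before mutating, e.g. `if (databasesToPolicyFiles.containsKey(databaseName)) { throw new IllegalStateException(...); }` followed by a single `put`. Separately, `getSection` joins keys and values into the policy file verbatim, and this class, which its Javadoc describes as written for tests, now lives under `src/main/java` of sentry-core-common. If non-test code ever feeds it externally supplied names, a group, role or privilege string containing a line separator, `=` or `,` would change the structure of the generated authorization policy, so `add(...)` and `addDatabase` should reject such characters. The `throws Exception` on `addRolesToGroup(String, String...)` and `setAdminOnServer1` is not needed by anything in their bodies and could be dropped.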
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -55,6 +55,7 @@
 <include>dev-support/**</include>
 <include>sentry-binding/**</include>
 <include>sentry-core/**</include>
+ <include>sentry-service/**</include>
 <include>sentry-dist/**</include>
 <include>sentry-provider/**</include>
 <include>sentry-policy/**</include>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-hdfs/sentry-hdfs-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml
index d244edc..281196b 100644
--- a/sentry-hdfs/sentry-hdfs-common/pom.xml
@@ -60,26 +60,29 @@ limitations under the License. <version>${curator.version}</version> </dependency> <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-minikdc</artifactId> - <scope>test</scope> - </dependency> - <dependency> <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-db</artifactId> - <scope>provided</scope> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-file</artifactId> + <artifactId>sentry-service-server</artifactId> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-minikdc</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-db</artifactId> + <artifactId>sentry-service-server</artifactId> <type>test-jar</type> <scope>test</scope> </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-file</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> <sourceDirectory>${basedir}/src/main/java</sourceDirectory> http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java index 1717c42..020b758 100644 --- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java +++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java 
@@ -35,7 +35,7 @@ import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 3d76198..8061433 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -75,40 +75,40 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-model-db</artifactId> + <artifactId>sentry-provider-common</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-model-search</artifactId> + <artifactId>sentry-service-common</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-model-sqoop</artifactId> + <artifactId>sentry-provider-file</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-core-model-kafka</artifactId> + <artifactId>sentry-policy-engine</artifactId> </dependency> <dependency> - <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-common</artifactId> + <groupId>org.apache.hive</groupId> + <artifactId>hive-shims</artifactId> + <scope>provided</scope> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-provider-file</artifactId> + <artifactId>sentry-core-model-db</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-policy-engine</artifactId> + <artifactId>sentry-core-model-kafka</artifactId> </dependency> <dependency> <groupId>org.apache.sentry</groupId> - <artifactId>sentry-service-common</artifactId> + <artifactId>sentry-core-model-search</artifactId> </dependency> <dependency> - <groupId>org.apache.hive</groupId> - <artifactId>hive-shims</artifactId> - <scope>provided</scope> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-sqoop</artifactId> </dependency> <dependency> <groupId>org.apache.hive</groupId> 
@@ -127,11 +127,6 @@ limitations under the License. <artifactId>ant-contrib</artifactId> </dependency> <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-minikdc</artifactId> - <scope>test</scope> - </dependency> - <dependency> <groupId>javax.jdo</groupId> <artifactId>jdo-api</artifactId> </dependency> @@ -156,6 +151,10 @@ limitations under the License. <artifactId>jetty-servlet</artifactId> </dependency> <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + </dependency> + <dependency> <groupId>org.mockito</groupId> <artifactId>mockito-all</artifactId> <scope>test</scope> 
@@ -165,148 +164,4 @@ limitations under the License. <artifactId>commons-pool2</artifactId> </dependency> </dependencies> - - <build> - <sourceDirectory>${basedir}/src/main/java</sourceDirectory> - <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory> - <resources> - <resource> - <directory>${basedir}/src/main/java/org/apache/sentry/provider/db/service/model</directory> - <includes> - <include>package.jdo</include> - </includes> - </resource> - <resource> - <directory>${basedir}/src/main</directory> - <includes> - <include>webapp/*</include> - <include>webapp/css/*</include> - </includes> - </resource> - </resources> - <plugins> - <plugin> - <groupId>com.google.code.maven-replacer-plugin</groupId> - <artifactId>replacer</artifactId> - <version>1.5.2</version> - <executions> - <execution> - <id>replaceTokens</id> - <phase>clean</phase> - <goals> - <goal>replace</goal> - </goals> - </execution> - </executions> - <configuration> - <file>${basedir}/src/main/webapp/SentryService.html</file> - <replacements> - <replacement> - <token>%PROJECT_VERSION%</token> - <value>${version}</value> - </replacement> - </replacements> - </configuration> - </plugin> - <plugin> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-maven-plugin</artifactId> - <configuration> - <api>JDO</api> - <metadataIncludes>**/*.jdo</metadataIncludes> - <verbose>true</verbose> - </configuration> - <executions> - <execution> - <phase>process-classes</phase> - <goals> - <goal>enhance</goal> - </goals> - </execution> - </executions> - </plugin> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-jar-plugin</artifactId> - <executions> - <execution> - <goals> - <goal>test-jar</goal> - </goals> - </execution> - </executions> - </plugin> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-surefire-plugin</artifactId> - <configuration> - <reuseForks>false</reuseForks> - </configuration> - </plugin> - </plugins> - </build> - <profiles> - 
<profile> - <id>datanucleus3</id> - <activation> - <activeByDefault>true</activeByDefault> - </activation> - <properties> - <datanucleus-api-jdo.version>3.2.6</datanucleus-api-jdo.version> - <datanucleus-core.version>3.2.12</datanucleus-core.version> - <datanucleus-rdbms.version>3.2.12</datanucleus-rdbms.version> - </properties> - <dependencies> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-core</artifactId> - <version>${datanucleus-core.version}</version> - </dependency> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-api-jdo</artifactId> - <version>${datanucleus-api-jdo.version}</version> - </dependency> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-rdbms</artifactId> - <version>${datanucleus-rdbms.version}</version> - </dependency> - </dependencies> - </profile> - <profile> - <id>datanucleus4</id> - <activation> - <activeByDefault>false</activeByDefault> - </activation> - <properties> - <datanucleus-api-jdo.version>4.2.1</datanucleus-api-jdo.version> - <datanucleus-core.version>4.1.6</datanucleus-core.version> - <datanucleus-rdbms.version>4.1.7</datanucleus-rdbms.version> - <datanucleus-jdo.version>3.2.0-m3</datanucleus-jdo.version> - </properties> - <dependencies> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-core</artifactId> - <version>${datanucleus-core.version}</version> - </dependency> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-api-jdo</artifactId> - <version>${datanucleus-api-jdo.version}</version> - </dependency> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>datanucleus-rdbms</artifactId> - <version>${datanucleus-rdbms.version}</version> - </dependency> - <dependency> - <groupId>org.datanucleus</groupId> - <artifactId>javax.jdo</artifactId> - <version>${datanucleus-jdo.version}</version> - </dependency> - </dependencies> - </profile> - </profiles> </project> 
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java deleted file mode 100644 index 2ff715f..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; -import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest; -import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest; -import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest; - -public interface SentryPolicyStorePlugin { - - @SuppressWarnings("serial") - class SentryPluginException extends SentryUserException { - public SentryPluginException(String msg) { - super(msg); - } - public SentryPluginException(String msg, Throwable t) { - super(msg, t); - } - } - - void initialize(Configuration conf, SentryStore 
sentryStore) throws SentryPluginException; - - void onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tRequest) throws SentryPluginException; - - void onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tRequest) throws SentryPluginException; - - void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tRequest) throws SentryPluginException; - - void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest) throws SentryPluginException; - - void onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException; - - void onRenameSentryPrivilege(TRenamePrivilegesRequest request) throws SentryPluginException; - - void onDropSentryPrivilege(TDropPrivilegesRequest request) throws SentryPluginException; - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java deleted file mode 100644 index e960dcd..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java +++ /dev/null 
@@ -1,542 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.persistent; - -import java.io.IOException; -import java.util.Arrays; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Set; - -import javax.jdo.PersistenceManager; -import javax.jdo.Query; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.exception.SentryAccessDeniedException; -import org.apache.sentry.core.common.exception.SentryAlreadyExistsException; -import org.apache.sentry.core.common.exception.SentryGrantDeniedException; -import org.apache.sentry.core.common.exception.SentryInvalidInputException; -import org.apache.sentry.core.common.exception.SentryNoSuchObjectException; -import org.apache.sentry.core.common.exception.SentrySiteConfigurationException; -import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; -import org.apache.sentry.provider.db.service.model.MSentryGroup; -import org.apache.sentry.provider.db.service.model.MSentryRole; -import 
org.apache.sentry.provider.db.service.persistent.CommitContext; -import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor; -import org.apache.sentry.provider.db.service.thrift.TSentryGroup; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Joiner; -import com.google.common.base.Preconditions; -import com.google.common.base.Strings; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Sets; - -/** - * The DelegateSentryStore will supports the generic authorizable model. It stores the authorizables - * into separated column. Take the authorizables:[DATABASE=db1,TABLE=tb1,COLUMN=cl1] for example, - * The DATABASE,db1,TABLE,tb1,COLUMN and cl1 will be stored into the six columns(resourceName0=db1,resourceType0=DATABASE, - * resourceName1=tb1,resourceType1=TABLE, - * resourceName2=cl1,resourceType2=COLUMN ) of generic privilege table - */ -public class DelegateSentryStore implements SentryStoreLayer { - private SentryStore delegate; - private Configuration conf; - private Set<String> adminGroups; - private PrivilegeOperatePersistence privilegeOperator; - - public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException, - SentryAccessDeniedException, SentrySiteConfigurationException, IOException { - this.privilegeOperator = new PrivilegeOperatePersistence(conf); - // The generic model doesn't turn on the thread that cleans hive privileges - conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,"false"); - this.conf = conf; - //delegated old sentryStore - this.delegate = new SentryStore(conf); - adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings( - ServerConfig.ADMIN_GROUPS, new String[]{})))); - } - - private PersistenceManager 
openTransaction() { - return delegate.openTransaction(); - } - - private CommitContext commitUpdateTransaction(PersistenceManager pm) { - return delegate.commitUpdateTransaction(pm); - } - - private void rollbackTransaction(PersistenceManager pm) { - delegate.rollbackTransaction(pm); - } - - private void commitTransaction(PersistenceManager pm) { - delegate.commitTransaction(pm); - } - - private MSentryRole getRole(String roleName, PersistenceManager pm) { - return delegate.getMSentryRole(pm, roleName); - } - - @Override - public CommitContext createRole(String component, String role, - String requestor) throws SentryAlreadyExistsException { - return delegate.createSentryRole(role); - } - - /** - * The role is global in the generic model, such as the role may be has more than one component - * privileges, so delete role will remove all privileges related to it. - */ - @Override - public CommitContext dropRole(String component, String role, String requestor) - throws SentryNoSuchObjectException { - boolean rollbackTransaction = true; - PersistenceManager pm = null; - String trimmedRole = toTrimmedLower(role); - try { - pm = openTransaction(); - Query query = pm.newQuery(MSentryRole.class); - query.setFilter("this.roleName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRole); - if (sentryRole == null) { - throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist"); - } else { - pm.retrieve(sentryRole); - sentryRole.removeGMPrivileges(); - sentryRole.removePrivileges(); - pm.deletePersistent(sentryRole); - } - CommitContext commit = commitUpdateTransaction(pm); - rollbackTransaction = false; - return commit; - } finally { - if (rollbackTransaction) { - rollbackTransaction(pm); - } - } - } - - @Override - public Set<String> getAllRoleNames() { - return delegate.getAllRoleNames(); - } - - @Override - public CommitContext alterRoleAddGroups(String 
component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException {
- return delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups));
- }
-
- @Override
- public CommitContext alterRoleDeleteGroups(String component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException {
- //called to old sentryStore
- return delegate.alterSentryRoleDeleteGroups(role, toTSentryGroups(groups));
- }
-
- @Override
- public CommitContext alterRoleGrantPrivilege(String component, String role,
- PrivilegeObject privilege, String grantorPrincipal)
- throws SentryUserException {
- String trimmedRole = toTrimmedLower(role);
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try{
- pm = openTransaction();
- MSentryRole mRole = getRole(trimmedRole, pm);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
- }
- /**
- * check with grant option
- */
- grantOptionCheck(privilege, grantorPrincipal, pm);
-
- privilegeOperator.grantPrivilege(privilege, mRole, pm);
-
- CommitContext commitContext = delegate.commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
-
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext alterRoleRevokePrivilege(String component,
- String role, PrivilegeObject privilege, String grantorPrincipal)
- throws SentryUserException {
- String trimmedRole = toTrimmedLower(role);
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try{
- pm = openTransaction();
- MSentryRole mRole = getRole(trimmedRole, pm);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
- }
- /**
- * check with grant option
- */
- grantOptionCheck(privilege, grantorPrincipal, pm);
-
- privilegeOperator.revokePrivilege(privilege, mRole, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
-
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext renamePrivilege(String component, String service,
- List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables, String requestor)
- throws SentryUserException {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
- Preconditions.checkNotNull(oldAuthorizables);
- Preconditions.checkNotNull(newAuthorizables);
-
- if (oldAuthorizables.size() != newAuthorizables.size()) {
- throw new SentryAccessDeniedException(
- "rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables "
- + "oldAuthorizables:" + Arrays.toString(oldAuthorizables.toArray()) + " "
- + "newAuthorizables:" + Arrays.toString(newAuthorizables.toArray()));
- }
-
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try {
- pm = openTransaction();
-
- privilegeOperator.renamePrivilege(toTrimmedLower(component), toTrimmedLower(service),
- oldAuthorizables, newAuthorizables, requestor, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext dropPrivilege(String component,
- PrivilegeObject privilege, String requestor) throws SentryUserException {
- Preconditions.checkNotNull(requestor);
-
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try {
- pm = openTransaction();
-
- privilegeOperator.dropPrivilege(privilege, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * Grant option check
- * @param component
- * @param pm
- * @param privilegeReader
- * @throws SentryUserException
- */
- private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,PersistenceManager pm)
- throws SentryUserException {
-
- if (Strings.isNullOrEmpty(grantorPrincipal)) {
- throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
- }
-
- Set<String> groups = getRequestorGroups(grantorPrincipal);
- if (groups == null || groups.isEmpty()) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- //admin group check
- if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) {
- return;
- }
- //privilege grant option check
- Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
- if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- }
-
- @Override
- public Set<String> getRolesByGroups(String component, Set<String> groups)
- throws SentryUserException {
- Set<String> roles = Sets.newHashSet();
- if (groups == null) {
- return roles;
- }
- for (TSentryRole tSentryRole : delegate.getTSentryRolesByGroupName(groups, true)) {
- roles.add(tSentryRole.getRoleName());
- }
- return roles;
- }
-
- @Override
- public Set<String> getGroupsByRoles(String component, Set<String> roles)
- throws SentryUserException {
- Set<String> trimmedRoles = toTrimmedLower(roles);
- Set<String> groupNames = Sets.newHashSet();
- if (trimmedRoles.size() == 0) {
- return groupNames;
- }
-
- PersistenceManager pm = null;
- try{
- pm = openTransaction();
- //get groups by roles
- Query query = pm.newQuery(MSentryGroup.class);
- StringBuilder filters = new StringBuilder();
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String role : trimmedRoles) {
- rolesFiler.add("role.roleName == \"" + role + "\" ");
- }
- filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
- query.setFilter(filters.toString());
-
- List<MSentryGroup> groups = (List<MSentryGroup>)query.execute();
- if (groups == null) {
- return groupNames;
- }
- for (MSentryGroup group : groups) {
- groupNames.add(group.getGroupName());
- }
- return groupNames;
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- }
-
- @Override
- public Set<PrivilegeObject> getPrivilegesByRole(String component,
- Set<String> roles) throws SentryUserException {
- Preconditions.checkNotNull(roles);
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- if (roles.isEmpty()) {
- return privileges;
- }
-
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : roles) {
- MSentryRole mRole = getRole(toTrimmedLower(role), pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
- privileges.addAll(privilegeOperator.getPrivilegesByRole(mRoles, pm));
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- return privileges;
- }
-
- @Override
- public Set<PrivilegeObject> getPrivilegesByProvider(String component,
- String service, Set<String> roles, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
-
- String trimmedComponent = toTrimmedLower(component);
- String trimmedService = toTrimmedLower(service);
-
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- //CaseInsensitive roleNames
- Set<String> trimmedRoles = toTrimmedLower(roles);
-
- if (groups != null) {
- trimmedRoles.addAll(delegate.getRoleNamesForGroups(groups));
- }
-
- if (trimmedRoles.size() == 0) {
- return privileges;
- }
-
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : trimmedRoles) {
- MSentryRole mRole = getRole(role, pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
- //get the privileges
- privileges.addAll(privilegeOperator.getPrivilegesByProvider(trimmedComponent, trimmedService, mRoles, authorizables, pm));
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- return privileges;
- }
-
- @Override
- public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
- Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
- throws SentryUserException {
-
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
-
- component = toTrimmedLower(component);
- service = toTrimmedLower(service);
-
- Set<MSentryGMPrivilege> privileges = Sets.newHashSet();
-
- if (validActiveRoles == null || validActiveRoles.isEmpty()) {
- return privileges;
- }
-
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
-
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : validActiveRoles) {
- MSentryRole mRole = getRole(role, pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
-
- //get the privileges
- Set<MSentryGMPrivilege> mSentryGMPrivileges = privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm);
-
- for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) {
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading
- */
- pm.retrieve(mSentryGMPrivilege);
- privileges.add(mSentryGMPrivilege);
- }
-
- } finally {
- commitTransaction(pm);
- }
- return privileges;
- }
-
- @Override
- public void close() {
- delegate.stop();
- }
-
- private Set<TSentryGroup> toTSentryGroups(Set<String> groups) {
- Set<TSentryGroup> tSentryGroups = Sets.newHashSet();
- for (String group : groups) {
- tSentryGroups.add(new TSentryGroup(group));
- }
- return tSentryGroups;
- }
-
- private Set<String> toTrimmedLower(Set<String> s) {
- if (s == null) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim().toLowerCase());
- }
- return result;
- }
-
- private Set<String> toTrimmed(Set<String> s) {
- if (s == null) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim());
- }
- return result;
- }
-
- private String toTrimmedLower(String s) {
- if (s == null) {
- return "";
- }
- return s.trim().toLowerCase();
- }
-
- private Set<String> getRequestorGroups(String userName)
- throws SentryUserException {
- return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName);
- }
-
- @VisibleForTesting
- void clearAllTables() {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- pm.newQuery(MSentryRole.class).deletePersistentAll();
- pm.newQuery(MSentryGroup.class).deletePersistentAll();
- pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
- commitUpdateTransaction(pm);
- rollbackTransaction = false;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
deleted file mode 100644
index feab1e9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-
-import java.util.List;
-import org.apache.sentry.core.common.Authorizable;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-
-public final class PrivilegeObject {
- private final String component;
- private final String service;
- private final String action;
- private final Boolean grantOption;
- private List<? extends Authorizable> authorizables;
-
- private PrivilegeObject(String component, String service, String action,
- Boolean grantOption,
- List<? extends Authorizable> authorizables) {
- this.component = component;
- this.service = service;
- this.action = action;
- this.grantOption = grantOption;
- this.authorizables = authorizables;
- }
-
- public List<? extends Authorizable> getAuthorizables() {
- return authorizables;
- }
-
- public String getAction() {
- return action;
- }
-
- public String getComponent() {
- return component;
- }
-
- public String getService() {
- return service;
- }
-
- public Boolean getGrantOption() {
- return grantOption;
- }
-
- @Override
- public String toString() {
- List<String> authorizable = Lists.newArrayList();
- for (Authorizable az : authorizables) {
- authorizable.add(KV_JOINER.join(az.getTypeName(),az.getName()));
- }
- return "PrivilegeObject [" + ", service=" + service + ", component="
- + component + ", authorizables=" + AUTHORIZABLE_JOINER.join(authorizable)
- + ", action=" + action + ", grantOption=" + grantOption + "]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((component == null) ? 0 : component.hashCode());
- result = prime * result + ((service == null) ? 0 : service.hashCode());
- result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
- for (Authorizable authorizable : authorizables) {
- result = prime * result + authorizable.getTypeName().hashCode();
- result = prime * result + authorizable.getName().hashCode();
- }
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- PrivilegeObject other = (PrivilegeObject) obj;
- if (action == null) {
- if (other.action != null) {
- return false;
- }
- } else if (!action.equals(other.action)) {
- return false;
- }
- if (service == null) {
- if (other.service != null) {
- return false;
- }
- } else if (!service.equals(other.service)) {
- return false;
- }
- if (component == null) {
- if (other.component != null) {
- return false;
- }
- } else if (!component.equals(other.component)) {
- return false;
- }
- if (grantOption == null) {
- if (other.grantOption != null) {
- return false;
- }
- } else if (!grantOption.equals(other.grantOption)) {
- return false;
- }
-
- if (authorizables.size() != other.authorizables.size()) {
- return false;
- }
- for (int i = 0; i < authorizables.size(); i++) {
- String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
- authorizables.get(i).getName());
- String o2 = KV_JOINER.join(other.authorizables.get(i).getTypeName(),
- other.authorizables.get(i).getName());
- if (!o1.equalsIgnoreCase(o2)) {
- return false;
- }
- }
- return true;
- }
-
- public static class Builder {
- private String component;
- private String service;
- private String action;
- private Boolean grantOption;
- private List<? extends Authorizable> authorizables;
-
- public Builder() {
-
- }
-
- public Builder(PrivilegeObject privilege) {
- this.component = privilege.component;
- this.service = privilege.service;
- this.action = privilege.action;
- this.grantOption = privilege.grantOption;
- this.authorizables = privilege.authorizables;
- }
-
- public Builder setComponent(String component) {
- this.component = component;
- return this;
- }
-
- public Builder setService(String service) {
- this.service = service;
- return this;
- }
-
- public Builder setAction(String action) {
- this.action = action;
- return this;
- }
-
- public Builder withGrantOption(Boolean grantOption) {
- this.grantOption = grantOption;
- return this;
- }
-
- public Builder setAuthorizables(List<? extends Authorizable> authorizables) {
- this.authorizables = authorizables;
- return this;
- }
-
- /**
- * TolowerCase the authorizable name, the authorizable type is define when it was created.
- * Take the Solr for example, it has two Authorizable objects. They have the type Collection
- * and Field, they are can't be changed. So we should unified the authorizable name tolowercase.
- * @return new authorizable lists
- */
- private List<? extends Authorizable> toLowerAuthorizableName(List<? extends Authorizable> authorizables) {
- List<Authorizable> newAuthorizable = Lists.newArrayList();
- if (authorizables == null || authorizables.size() == 0) {
- return newAuthorizable;
- }
- for (final Authorizable authorizable : authorizables) {
- newAuthorizable.add(new Authorizable() {
- @Override
- public String getTypeName() {
- return authorizable.getTypeName();
- }
- @Override
- public String getName() {
- return authorizable.getName();
- }
- });
- }
- return newAuthorizable;
- }
-
- public PrivilegeObject build() {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
- Preconditions.checkNotNull(action);
- //CaseInsensitive authorizable name
- List<? extends Authorizable> newAuthorizable = toLowerAuthorizableName(authorizables);
-
- return new PrivilegeObject(component.toLowerCase(),
- service.toLowerCase(),
- action.toLowerCase(),
- grantOption,
- newAuthorizable);
- }
- }
-}
