http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java deleted file mode 100644 index 6ddc1de..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java +++ /dev/null @@ -1,247 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.tools; - -import com.google.common.annotations.VisibleForTesting; - -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.GnuParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Option; -import org.apache.commons.cli.OptionGroup; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; -import org.apache.commons.cli.Parser; -import org.apache.commons.lang.StringUtils; - -/** - * SentryShellCommon provides the function for parsing the argument. - * For hive model and generic model, child class should be implemented as a sentry admin tool. - */ -abstract public class SentryShellCommon { - - protected String roleName; - protected String groupName; - protected String privilegeStr; - protected String confPath; - // flag for the command - protected boolean isCreateRole = false; - protected boolean isDropRole = false; - protected boolean isAddRoleGroup = false; - protected boolean isDeleteRoleGroup = false; - protected boolean isGrantPrivilegeRole = false; - protected boolean isRevokePrivilegeRole = false; - protected boolean isListRole = false; - protected boolean isListPrivilege = false; - protected boolean isPrintHelp = false; - // flag for the parameter check - protected boolean roleNameRequired = false; - protected boolean groupNameRequired = false; - protected boolean privilegeStrRequired = false; - - public final static String OPTION_DESC_HELP = "Shell usage"; - public final static String OPTION_DESC_CONF = "sentry-site file path"; - public final static String OPTION_DESC_ROLE_NAME = "Role name"; - public final static String OPTION_DESC_GROUP_NAME = "Group name"; - public final static String OPTION_DESC_PRIVILEGE = "Privilege string"; - public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: "; - - public final static String GROUP_SPLIT_CHAR = ","; - - /** - * parse arguments - * - * <pre> - * -conf,--sentry_conf <filepath> sentry config file path - * -cr,--create_role -r <rolename> create role - * -dr,--drop_role -r <rolename> drop role - * -arg,--add_role_group -r <rolename> -g <groupname> add role to group - * -drg,--delete_role_group -r <rolename> -g <groupname> delete role from group - * -gpr,--grant_privilege_role -r <rolename> -p <privilege> grant privilege to role - * -rpr,--revoke_privilege_role -r <rolename> -p <privilege> revoke privilege from role - * -lr,--list_role -g <groupname> list roles for group - * -lp,--list_privilege -r <rolename> list privilege for role - * -t,--type <typeame> the shell for hive model or generic model - * </pre> - * - * @param args - */ - protected boolean parseArgs(String[] args) { - Options simpleShellOptions = new Options(); - - Option crOpt = new Option("cr", "create_role", false, "Create role"); - crOpt.setRequired(false); - - Option drOpt = new Option("dr", "drop_role", false, "Drop role"); - drOpt.setRequired(false); - - Option argOpt = new Option("arg", "add_role_group", false, "Add role to group"); - argOpt.setRequired(false); - - Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group"); - drgOpt.setRequired(false); - - Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role"); - gprOpt.setRequired(false); - - Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role"); - rprOpt.setRequired(false); - - Option lrOpt = new Option("lr", "list_role", false, "List role"); - lrOpt.setRequired(false); - - Option lpOpt = new Option("lp", "list_privilege", false, "List privilege"); - lpOpt.setRequired(false); - - // required args group - OptionGroup simpleShellOptGroup = new OptionGroup(); - simpleShellOptGroup.addOption(crOpt); - simpleShellOptGroup.addOption(drOpt); - simpleShellOptGroup.addOption(argOpt); - simpleShellOptGroup.addOption(drgOpt); - simpleShellOptGroup.addOption(gprOpt); - simpleShellOptGroup.addOption(rprOpt); - simpleShellOptGroup.addOption(lrOpt); - simpleShellOptGroup.addOption(lpOpt); - simpleShellOptGroup.setRequired(true); - simpleShellOptions.addOptionGroup(simpleShellOptGroup); - - // optional args - Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE); - pOpt.setRequired(false); - simpleShellOptions.addOption(pOpt); - - Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME); - gOpt.setRequired(false); - simpleShellOptions.addOption(gOpt); - - Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME); - rOpt.setRequired(false); - simpleShellOptions.addOption(rOpt); - - // this argument should be parsed in the bin/sentryShell - Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]"); - tOpt.setRequired(false); - simpleShellOptions.addOption(tOpt); - - // file path of sentry-site - Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF); - sentrySitePathOpt.setRequired(true); - simpleShellOptions.addOption(sentrySitePathOpt); - - // help option - Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP); - helpOpt.setRequired(false); - simpleShellOptions.addOption(helpOpt); - - // this Options is parsed first for help option - Options helpOptions = new Options(); - helpOptions.addOption(helpOpt); - - try { - Parser parser = new GnuParser(); - - // parse help option first - CommandLine cmd = parser.parse(helpOptions, args, true); - for (Option opt : cmd.getOptions()) { - if (opt.getOpt().equals("h")) { - // get the help option, print the usage and exit - usage(simpleShellOptions); - return false; - } - } - - // without help option - cmd = parser.parse(simpleShellOptions, args); - - for (Option opt : cmd.getOptions()) { - if (opt.getOpt().equals("p")) { - privilegeStr = opt.getValue(); - } else if (opt.getOpt().equals("g")) { - groupName = opt.getValue(); - } else if (opt.getOpt().equals("r")) { - roleName = opt.getValue(); - } else if (opt.getOpt().equals("cr")) { - isCreateRole = true; - roleNameRequired = true; - } else if (opt.getOpt().equals("dr")) { - isDropRole = true; - roleNameRequired = true; - } else if (opt.getOpt().equals("arg")) { - isAddRoleGroup = true; - roleNameRequired = true; - groupNameRequired = true; - } else if (opt.getOpt().equals("drg")) { - isDeleteRoleGroup = true; - roleNameRequired = true; - groupNameRequired = true; - } else if (opt.getOpt().equals("gpr")) { - isGrantPrivilegeRole = true; - roleNameRequired = true; - privilegeStrRequired = true; - } else if (opt.getOpt().equals("rpr")) { - isRevokePrivilegeRole = true; - roleNameRequired = true; - privilegeStrRequired = true; - } else if (opt.getOpt().equals("lr")) { - isListRole = true; - } else if (opt.getOpt().equals("lp")) { - isListPrivilege = true; - roleNameRequired = true; - } else if (opt.getOpt().equals("conf")) { - confPath = opt.getValue(); - } - } - checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME); - checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME); - checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE); - } catch (ParseException pe) { - System.out.println(pe.getMessage()); - usage(simpleShellOptions); - return false; - } - return true; - } - - private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException { - if (isRequired && StringUtils.isEmpty(paramValue)) { - throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName); - } - } - - // print usage - private void usage(Options sentryOptions) { - HelpFormatter formatter = new HelpFormatter(); - formatter.printHelp("sentryShell", sentryOptions); - } - - // hive model and generic model should implement this method - public abstract void run() throws Exception; - - @VisibleForTesting - public boolean executeShell(String[] args) throws Exception { - boolean result = true; - if (parseArgs(args)) { - run(); - } else { - result = false; - } - return result; - } -}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java deleted file mode 100644 index dc7f829..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java +++ /dev/null @@ -1,98 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.tools; - -import org.apache.commons.lang.StringUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.tools.command.hive.*; -import org.apache.sentry.service.thrift.SentryServiceClientFactory; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * SentryShellHive is an admin tool, and responsible for the management of repository. - * The following function are supported: - * create role, drop role, add group to role, delete group from role, grant privilege to role, - * revoke privilege from role, list roles for group, list privilege for role. - */ -public class SentryShellHive extends SentryShellCommon { - - private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class); - - public void run() throws Exception { - Command command = null; - SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf()); - UserGroupInformation ugi = UserGroupInformation.getLoginUser(); - String requestorName = ugi.getShortUserName(); - - if (isCreateRole) { - command = new CreateRoleCmd(roleName); - } else if (isDropRole) { - command = new DropRoleCmd(roleName); - } else if (isAddRoleGroup) { - command = new GrantRoleToGroupsCmd(roleName, groupName); - } else if (isDeleteRoleGroup) { - command = new RevokeRoleFromGroupsCmd(roleName, groupName); - } else if (isGrantPrivilegeRole) { - command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr); - } else if (isRevokePrivilegeRole) { - command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr); - } else if (isListRole) { - command = new ListRolesCmd(groupName); - } else if (isListPrivilege) { - command = new ListPrivilegesCmd(roleName); - } - - // check the requestor name - if (StringUtils.isEmpty(requestorName)) { - // The exception message will be recoreded in log file. - throw new Exception("The requestor name is empty."); - } - - if (command != null) { - command.execute(client, requestorName); - } - } - - private Configuration getSentryConf() { - Configuration conf = new Configuration(); - conf.addResource(new Path(confPath)); - return conf; - } - - public static void main(String[] args) throws Exception { - SentryShellHive sentryShell = new SentryShellHive(); - try { - sentryShell.executeShell(args); - } catch (Exception e) { - LOGGER.error(e.getMessage(), e); - Throwable current = e; - // find the first printable message; - while (current != null && current.getMessage() == null) { - current = current.getCause(); - } - System.out.println("The operation failed." + - (current.getMessage() == null ? "" : " Message: " + current.getMessage())); - } - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java deleted file mode 100644 index 79aed49..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java +++ /dev/null @@ -1,27 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; - -/** - * The interface for all admin commands, eg, CreateRoleCmd. - */ -public interface Command { - void execute(SentryPolicyServiceClient client, String requestorName) throws Exception; -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java deleted file mode 100644 index 2d2dcb5..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java +++ /dev/null @@ -1,117 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.common.utils.KeyValue; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.service.thrift.ServiceConstants; - -public final class CommandUtil { - - public static final String SPLIT_CHAR = ","; - - private CommandUtil() { - // Make constructor private to avoid instantiation - } - - // parse the privilege in String and get the TSentryPrivilege as result - public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception { - TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); - for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { - KeyValue tempKV = new KeyValue(authorizable); - String key = tempKV.getKey(); - String value = tempKV.getValue(); - - if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setServerName(value); - } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setDbName(value); - } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setTableName(value); - } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setColumnName(value); - } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setURI(value); - } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setAction(value); - } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { - TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE - : TSentryGrantOption.FALSE; - tSentryPrivilege.setGrantOption(grantOption); - } - } - tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege)); - validatePrivilegeHierarchy(tSentryPrivilege); - return tSentryPrivilege; - } - - // for the different hierarchy for hive: - // 1: server->url - // 2: server->database->table->column - // if both of them are found in the privilege string, the privilege scope will be set as - // PrivilegeScope.URI - private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) { - ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER; - if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) { - privilegeScope = ServiceConstants.PrivilegeScope.URI; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) { - privilegeScope = ServiceConstants.PrivilegeScope.COLUMN; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) { - privilegeScope = ServiceConstants.PrivilegeScope.TABLE; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) { - privilegeScope = ServiceConstants.PrivilegeScope.DATABASE; - } - return privilegeScope.toString(); - } - - // check the privilege value for the specific privilege scope - // eg, for the table scope, server and database can't be empty - private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception { - String serverName = tSentryPrivilege.getServerName(); - String dbName = tSentryPrivilege.getDbName(); - String tableName = tSentryPrivilege.getTableName(); - String columnName = tSentryPrivilege.getColumnName(); - String uri = tSentryPrivilege.getURI(); - if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - if (StringUtils.isEmpty(serverName)) { - throw new IllegalArgumentException("The hierarchy of privilege is not correct."); - } - } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) { - throw new IllegalArgumentException("The hierarchy of privilege is not correct."); - } - } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) { - throw new IllegalArgumentException("The hierarchy of privilege is not correct."); - } - } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName) - || StringUtils.isEmpty(tableName)) { - throw new IllegalArgumentException("The hierarchy of privilege is not correct."); - } - } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope()) - && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName) - || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) { - throw new IllegalArgumentException("The hierarchy of privilege is not correct."); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java deleted file mode 100644 index 5a4834a..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java +++ /dev/null @@ -1,37 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; - -/** - * The class for admin command to create role. - */ -public class CreateRoleCmd implements Command { - - private String roleName; - - public CreateRoleCmd(String roleName) { - this.roleName = roleName; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - client.createRole(requestorName, roleName); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java deleted file mode 100644 index facec0e..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java +++ /dev/null @@ -1,37 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; - -/** - * The class for admin command to drop role. - */ -public class DropRoleCmd implements Command { - - private String roleName; - - public DropRoleCmd(String roleName) { - this.roleName = roleName; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - client.dropRole(requestorName, roleName); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java deleted file mode 100644 index a1ef2f9..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java +++ /dev/null @@ -1,61 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.service.thrift.ServiceConstants; - -/** - * The class for admin command to grant privilege to role. - */ -public class GrantPrivilegeToRoleCmd implements Command { - - private String roleName; - private String privilegeStr; - - public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) { - this.roleName = roleName; - this.privilegeStr = privilegeStr; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr); - boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false; - if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getURI(), grantOption); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java deleted file mode 100644 index 07a3de4..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java +++ /dev/null @@ -1,44 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import com.google.common.collect.Sets; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.tools.SentryShellCommon; - -import java.util.Set; - -/** - * The class for admin command to grant role to group. - */ -public class GrantRoleToGroupsCmd implements Command { - - private String roleName; - private String groupNamesStr; - - public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) { - this.roleName = roleName; - this.groupNamesStr = groupNamesStr; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - Set<String> groups = Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR)); - client.grantRoleToGroups(requestorName, roleName, groups); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java deleted file mode 100644 index 5f3e9fb..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java +++ /dev/null @@ -1,97 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import com.google.common.collect.Lists; -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; - -import java.util.List; -import java.util.Set; - -/** - * The class for admin command to list privileges. - */ -public class ListPrivilegesCmd implements Command { - - private String roleName; - - public ListPrivilegesCmd(String roleName) { - this.roleName = roleName; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - Set<TSentryPrivilege> privileges = client - .listAllPrivilegesByRoleName(requestorName, roleName); - if (privileges != null) { - for (TSentryPrivilege privilege : privileges) { - String privilegeStr = convertToPrivilegeStr(privilege); - System.out.println(privilegeStr); - } - } - } - - // convert TSentryPrivilege to privilege in string - private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) { - List<String> privileges = Lists.newArrayList(); - if (tSentryPrivilege != null) { - String serverName = tSentryPrivilege.getServerName(); - String dbName = tSentryPrivilege.getDbName(); - String tableName = tSentryPrivilege.getTableName(); - String columnName = tSentryPrivilege.getColumnName(); - String uri = tSentryPrivilege.getURI(); - String action = tSentryPrivilege.getAction(); - String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" - : "false"); - if (!StringUtils.isEmpty(serverName)) { - privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME, - serverName)); - if (!StringUtils.isEmpty(uri)) { - privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME, - uri)); - } else if (!StringUtils.isEmpty(dbName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName)); - if (!StringUtils.isEmpty(tableName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName)); - if (!StringUtils.isEmpty(columnName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName)); - } - } - } - if (!StringUtils.isEmpty(action)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); - } - } - // only append the grant option to privilege string if it's true - if ("true".equals(grantOption)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); - } - } - return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java deleted file mode 100644 index 283f2c0..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java +++ /dev/null @@ -1,51 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; - -import java.util.Set; - -/** - * The class for admin command to list roles. - */ -public class ListRolesCmd implements Command { - - private String groupName; - - public ListRolesCmd(String groupName) { - this.groupName = groupName; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - Set<TSentryRole> roles; - if (StringUtils.isEmpty(groupName)) { - roles = client.listRoles(requestorName); - } else { - roles = client.listRolesByGroupName(requestorName, groupName); - } - if (roles != null) { - for (TSentryRole role : roles) { - System.out.println(role.getRoleName()); - } - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java deleted file mode 100644 index f3da6c4..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java +++ /dev/null @@ -1,62 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.service.thrift.ServiceConstants; - -/** - * The class for admin command to revoke privileges from role. - */ -public class RevokePrivilegeFromRoleCmd implements Command { - - private String roleName; - private String privilegeStr; - - public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) { - this.roleName = roleName; - this.privilegeStr = privilegeStr; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr); - boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false; - if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.revokeServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - grantOption); - } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.revokeDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.revokeTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.revokeColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.revokeURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getURI(), grantOption); - } - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java deleted file mode 100644 index 86773ca..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java +++ /dev/null @@ -1,43 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import com.google.common.collect.Sets; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; - -import java.util.Set; - -/** - * The class for admin command to revoke role from group. - */ -public class RevokeRoleFromGroupsCmd implements Command { - - private String roleName; - private String groupNamesStr; - - public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) { - this.roleName = roleName; - this.groupNamesStr = groupNamesStr; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR)); - client.revokeRoleFromGroups(requestorName, roleName, groups); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java deleted file mode 100644 index d97a07e..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java +++ /dev/null @@ -1,139 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.service.thrift; - -import java.io.IOException; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; -import java.net.InetSocketAddress; - -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.security.SecurityUtil; -import org.apache.curator.x.discovery.ServiceInstance; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.service.persistent.HAContext; -import org.apache.sentry.provider.db.service.persistent.ServiceManager; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.base.Preconditions; - -public class HAClientInvocationHandler extends SentryClientInvocationHandler { - - private static final Logger LOGGER = LoggerFactory.getLogger(HAClientInvocationHandler.class); - - private final Configuration conf; - private ServiceManager manager; - private ServiceInstance<Void> currentServiceInstance; - private SentryPolicyServiceClient client = null; - - private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured "; - public static final String SENTRY_HA_ERROR_MESSAGE = "No Sentry server available. Please ensure that at least one Sentry server is online"; - - public HAClientInvocationHandler(Configuration conf) throws Exception { - this.conf = conf; - checkClientConf(); - } - - @Override - public Object invokeImpl(Object proxy, Method method, Object[] args) throws - SentryUserException { - Object result = null; - try { - if (!method.isAccessible()) { - method.setAccessible(true); - } - // The client is initialized in the first call instead of constructor. - // This way we can propagate the connection exception to caller cleanly - if (client == null) { - renewSentryClient(); - } - result = method.invoke(client, args); - } catch (IllegalAccessException e) { - throw new SentryUserException(e.getMessage(), e.getCause()); - } catch (InvocationTargetException e) { - if (e.getTargetException() instanceof SentryUserException) { - throw (SentryUserException)e.getTargetException(); - } else { - LOGGER.warn(THRIFT_EXCEPTION_MESSAGE + ": Error in connect current" + - " service, will retry other service.", e); - if (client != null) { - client.close(); - client = null; - } - } - } catch (IOException e1) { - throw new SentryUserException("Error connecting to sentry service " - + e1.getMessage(), e1); - } - return result; - } - - // Retrieve the new connection endpoint from ZK and connect to new server - private void renewSentryClient() throws IOException { - try { - manager = new ServiceManager(HAContext.getHAContext(conf)); - } catch (Exception e1) { - throw new IOException("Failed to extract Sentry node info from zookeeper", e1); - } - - try { - while (true) { - currentServiceInstance = manager.getServiceInstance(); - if (currentServiceInstance == null) { - throw new IOException(SENTRY_HA_ERROR_MESSAGE); - } - InetSocketAddress serverAddress = - ServiceManager.convertServiceInstance(currentServiceInstance); - conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, serverAddress.getHostName()); - conf.setInt(ServiceConstants.ClientConfig.SERVER_RPC_PORT, serverAddress.getPort()); - try { - client = new SentryPolicyServiceClientDefaultImpl(conf); - LOGGER.info("Sentry Client using server " + serverAddress.getHostName() + - ":" + serverAddress.getPort()); - break; - } catch (IOException e) { - manager.reportError(currentServiceInstance); - LOGGER.info("Transport exception while opening transport:", e, e.getMessage()); - } - } - } finally { - manager.close(); - } - } - - private void checkClientConf() { - if (conf.getBoolean(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, - ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT)) { - String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), - ServerConfig.PRINCIPAL + " is required"); - Preconditions.checkArgument(serverPrincipal.contains(SecurityUtil.HOSTNAME_PATTERN), - ServerConfig.PRINCIPAL + " : " + serverPrincipal + " should contain " + SecurityUtil.HOSTNAME_PATTERN); - } - } - - @Override - public void close() { - if (client != null) { - client.close(); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java deleted file mode 100644 index a35bf1d..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java +++ /dev/null @@ -1,154 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.service.thrift; - -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; - -import org.apache.commons.pool2.PooledObjectFactory; -import org.apache.commons.pool2.impl.AbandonedConfig; -import org.apache.commons.pool2.impl.GenericObjectPool; -import org.apache.commons.pool2.impl.GenericObjectPoolConfig; -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; -import org.apache.thrift.transport.TTransportException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * The PoolClientInvocationHandler is a proxy class for handling thrift call. For every thrift call, - * get the instance of SentryPolicyServiceBaseClient from the commons-pool, and return the instance - * to the commons-pool after complete the call. For any exception with the call, discard the - * instance and create a new one added to the commons-pool. Then, get the instance and do the call - * again. For the thread safe, the commons-pool will manage the connection pool, and every thread - * can get the connection by borrowObject() and return the connection to the pool by returnObject(). - */ - -public class PoolClientInvocationHandler extends SentryClientInvocationHandler { - - private static final Logger LOGGER = LoggerFactory.getLogger(PoolClientInvocationHandler.class); - - private final Configuration conf; - private PooledObjectFactory<SentryPolicyServiceClient> poolFactory; - private GenericObjectPool<SentryPolicyServiceClient> pool; - private GenericObjectPoolConfig poolConfig; - private int connectionRetryTotal; - - private static final String POOL_EXCEPTION_MESSAGE = "Pool exception occured "; - - public PoolClientInvocationHandler(Configuration conf) throws Exception { - this.conf = conf; - readConfiguration(); - poolFactory = new SentryServiceClientPoolFactory(conf); - pool = new GenericObjectPool<SentryPolicyServiceClient>(poolFactory, poolConfig, new AbandonedConfig()); - } - - @Override - public Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception { - int retryCount = 0; - Object result = null; - while (retryCount < connectionRetryTotal) { - try { - // The wapper here is for the retry of thrift call, the default retry number is 3. - result = invokeFromPool(method, args); - break; - } catch (TTransportException e) { - // TTransportException means there has connection problem, create a new connection and try - // again. Get the lock of pool and add new connection. - synchronized (pool) { - // If there has room, create new instance and add it to the commons-pool, this instance - // will be back first from the commons-pool because the configuration is LIFO. - if (pool.getNumIdle() + pool.getNumActive() < pool.getMaxTotal()) { - pool.addObject(); - } - } - // Increase the retry num, and throw the exception if can't retry again. - retryCount++; - if (retryCount == connectionRetryTotal) { - throw new SentryUserException(e.getMessage(), e); - } - } - } - return result; - } - - private Object invokeFromPool(Method method, Object[] args) throws Exception { - Object result = null; - SentryPolicyServiceClient client; - try { - // get the connection from the pool, don't know if the connection is broken. - client = pool.borrowObject(); - } catch (Exception e) { - LOGGER.debug(POOL_EXCEPTION_MESSAGE, e); - throw new SentryUserException(e.getMessage(), e); - } - try { - // do the thrift call - result = method.invoke(client, args); - } catch (InvocationTargetException e) { - // Get the target exception, check if SentryUserException or TTransportException is wrapped. - // TTransportException means there has connection problem with the pool. - Throwable targetException = e.getCause(); - if (targetException instanceof SentryUserException) { - Throwable sentryTargetException = targetException.getCause(); - // If there has connection problem, eg, invalid connection if the service restarted, - // sentryTargetException instanceof TTransportException = true. - if (sentryTargetException instanceof TTransportException) { - // If the exception is caused by connection problem, destroy the instance and - // remove it from the commons-pool. Throw the TTransportException for reconnect. - pool.invalidateObject(client); - throw new TTransportException(sentryTargetException); - } - // The exception is thrown by thrift call, eg, SentryAccessDeniedException. - throw (SentryUserException) targetException; - } - throw e; - } finally{ - try { - // return the instance to commons-pool - pool.returnObject(client); - } catch (Exception e) { - LOGGER.error(POOL_EXCEPTION_MESSAGE, e); - throw e; - } - } - return result; - } - - @Override - public void close() { - try { - pool.close(); - } catch (Exception e) { - LOGGER.debug(POOL_EXCEPTION_MESSAGE, e); - } - } - - private void readConfiguration() { - poolConfig = new GenericObjectPoolConfig(); - // config the pool size for commons-pool - poolConfig.setMaxTotal(conf.getInt(ClientConfig.SENTRY_POOL_MAX_TOTAL, ClientConfig.SENTRY_POOL_MAX_TOTAL_DEFAULT)); - poolConfig.setMinIdle(conf.getInt(ClientConfig.SENTRY_POOL_MIN_IDLE, ClientConfig.SENTRY_POOL_MIN_IDLE_DEFAULT)); - poolConfig.setMaxIdle(conf.getInt(ClientConfig.SENTRY_POOL_MAX_IDLE, ClientConfig.SENTRY_POOL_MAX_IDLE_DEFAULT)); - // get the retry number for reconnecting service - connectionRetryTotal = conf.getInt(ClientConfig.SENTRY_POOL_RETRY_TOTAL, - ClientConfig.SENTRY_POOL_RETRY_TOTAL_DEFAULT); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java deleted file mode 100644 index a41be7f..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java +++ /dev/null @@ -1,54 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.service.thrift; - -import java.lang.reflect.InvocationHandler; -import java.lang.reflect.Method; - -/** - * SentryClientInvocationHandler is the base interface for all the InvocationHandler in SENTRY - */ -public abstract class SentryClientInvocationHandler implements InvocationHandler { - - /** - * Close the InvocationHandler: An InvocationHandler may create some contexts, - * these contexts should be close when the method "close()" of client be called. - */ - @Override - public final Object invoke(Object proxy, Method method, Object[] args) throws Exception { - // close() doesn't throw exception we supress that in case of connection - // loss. Changing SentryPolicyServiceClient#close() to throw an - // exception would be a backward incompatible change for Sentry clients. - if ("close".equals(method.getName()) && null == args) { - close(); - return null; - } - return invokeImpl(proxy, method, args); - } - - /** - * Subclass should implement this method for special function - */ - public abstract Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception; - - /** - * An abstract method "close", an invocationHandler should close its contexts at here. - */ - public abstract void close(); - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java deleted file mode 100644 index 48ee66a..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java +++ /dev/null @@ -1,52 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.service.thrift; - -import java.lang.reflect.Proxy; - -import org.apache.hadoop.conf.Configuration; - -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; - -public final class SentryServiceClientFactory { - - private SentryServiceClientFactory() { - } - - public static SentryPolicyServiceClient create(Configuration conf) throws Exception { - boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false); - boolean pooled = conf.getBoolean(ClientConfig.SENTRY_POOL_ENABLED, false); - if (pooled) { - return (SentryPolicyServiceClient) Proxy - .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(), - SentryPolicyServiceClientDefaultImpl.class.getInterfaces(), - new PoolClientInvocationHandler(conf)); - } else if (haEnabled) { - return (SentryPolicyServiceClient) Proxy - .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(), - SentryPolicyServiceClientDefaultImpl.class.getInterfaces(), - new HAClientInvocationHandler(conf)); - } else { - return new SentryPolicyServiceClientDefaultImpl(conf); - } - } - -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java deleted file mode 100644 index 3a38b24..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java +++ /dev/null @@ -1,78 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.service.thrift; - -import java.lang.reflect.Proxy; - -import org.apache.commons.pool2.BasePooledObjectFactory; -import org.apache.commons.pool2.PooledObject; -import org.apache.commons.pool2.impl.DefaultPooledObject; -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * SentryServiceClientPoolFactory is for connection pool to manage the object. Implement the related - * method to create object, destroy object and wrap object. - */ - -public class SentryServiceClientPoolFactory extends BasePooledObjectFactory<SentryPolicyServiceClient> { - - private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceClientPoolFactory.class); - - private Configuration conf; - - public SentryServiceClientPoolFactory(Configuration conf) { - this.conf = conf; - } - - @Override - public SentryPolicyServiceClient create() throws Exception { - LOGGER.debug("Creating Sentry Service Client..."); - boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false); - if (haEnabled) { - return (SentryPolicyServiceClient) Proxy - .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(), - SentryPolicyServiceClientDefaultImpl.class.getInterfaces(), - new HAClientInvocationHandler(conf)); - } else { - return new SentryPolicyServiceClientDefaultImpl(conf); - } - } - - @Override - public PooledObject<SentryPolicyServiceClient> wrap(SentryPolicyServiceClient client) { - return new DefaultPooledObject<SentryPolicyServiceClient>(client); - } - - @Override - public void destroyObject(PooledObject<SentryPolicyServiceClient> pooledObject) { - SentryPolicyServiceClient client = pooledObject.getObject(); - LOGGER.debug("Destroying Sentry Service Client: " + client); - if (client != null) { - // The close() of TSocket or TSaslClientTransport is called actually, and there has no - // exception even there has some problems, eg, the client is closed already. - // The close here is just try to close the socket and the client will be destroyed soon. - client.close(); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml index ae42d0f..4bcb7f1 100644 --- a/sentry-service/pom.xml +++ b/sentry-service/pom.xml @@ -32,6 +32,7 @@ limitations under the License. <modules> <module>sentry-service-common</module> <module>sentry-service-server</module> + <module>sentry-service-client</module> </modules> </project> http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-client/pom.xml b/sentry-service/sentry-service-client/pom.xml new file mode 100644 index 0000000..614f0d3 --- /dev/null +++ b/sentry-service/sentry-service-client/pom.xml @@ -0,0 +1,61 @@ +<?xml version="1.0"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"; xmlns="http://maven.apache.org/POM/4.0.0"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-service</artifactId> + <version>1.8.0-SNAPSHOT</version> + </parent> + + <artifactId>sentry-service-client</artifactId> + <name>Sentry Service Client</name> + + <dependencies> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-service-common</artifactId> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-kafka</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-db</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-core-model-search</artifactId> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-provider-file</artifactId> + </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-pool2</artifactId> + </dependency> + </dependencies> + +</project> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java new file mode 100644 index 0000000..11cdee7 --- /dev/null +++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java @@ -0,0 +1,196 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.provider.db.generic.service.thrift; + +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; + +public interface SentryGenericServiceClient { + + /** + * Create a sentry role + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @throws SentryUserException + */ + void createRole(String requestorUserName, String roleName, + String component) throws SentryUserException; + + void createRoleIfNotExist(String requestorUserName, + String roleName, String component) throws SentryUserException; + + /** + * Drop a sentry role + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @throws SentryUserException + */ + void dropRole(String requestorUserName, String roleName, + String component) throws SentryUserException; + + void dropRoleIfExists(String requestorUserName, String roleName, + String component) throws SentryUserException; + + /** + * add a sentry role to groups. + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @param groups: The name of groups + * @throws SentryUserException + */ + void addRoleToGroups(String requestorUserName, String roleName, + String component, Set<String> groups) throws SentryUserException; + + /** + * delete a sentry role from groups. + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @param groups: The name of groups + * @throws SentryUserException + */ + void deleteRoleToGroups(String requestorUserName, String roleName, + String component, Set<String> groups) throws SentryUserException; + + /** + * grant privilege + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @param privilege + * @throws SentryUserException + */ + void grantPrivilege(String requestorUserName, String roleName, + String component, TSentryPrivilege privilege) throws SentryUserException; + + /** + * revoke privilege + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: Name of the role + * @param component: The request is issued to which component + * @param privilege + * @throws SentryUserException + */ + void revokePrivilege(String requestorUserName, String roleName, + String component, TSentryPrivilege privilege) throws SentryUserException; + + /** + * drop privilege + * @param requestorUserName: user on whose behalf the request is issued + * @param component: The request is issued to which component + * @param privilege + * @throws SentryUserException + */ + void dropPrivilege(String requestorUserName,String component, + TSentryPrivilege privilege) throws SentryUserException; + + /** + * rename privilege + * @param requestorUserName: user on whose behalf the request is issued + * @param component: The request is issued to which component + * @param serviceName: The Authorizable belongs to which service + * @param oldAuthorizables + * @param newAuthorizables + * @throws SentryUserException + */ + void renamePrivilege(String requestorUserName, String component, + String serviceName, List<? extends Authorizable> oldAuthorizables, + List<? extends Authorizable> newAuthorizables) throws SentryUserException; + + /** + * Gets sentry role objects for a given groupName using the Sentry service + * @param requestorUserName : user on whose behalf the request is issued + * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName) + * @param component: The request is issued to which component + * @return Set of thrift sentry role objects + * @throws SentryUserException + */ + Set<TSentryRole> listRolesByGroupName( + String requestorUserName, + String groupName, + String component) + throws SentryUserException; + + Set<TSentryRole> listUserRoles(String requestorUserName, String component) + throws SentryUserException; + + Set<TSentryRole> listAllRoles(String requestorUserName, String component) + throws SentryUserException; + + /** + * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service + * @param requestorUserName: user on whose behalf the request is issued + * @param roleName: + * @param component: The request is issued to which component + * @param serviceName + * @param authorizables + * @return + * @throws SentryUserException + */ + Set<TSentryPrivilege> listPrivilegesByRoleName( + String requestorUserName, String roleName, String component, + String serviceName, List<? extends Authorizable> authorizables) + throws SentryUserException; + + Set<TSentryPrivilege> listPrivilegesByRoleName( + String requestorUserName, String roleName, String component, + String serviceName) throws SentryUserException; + + /** + * get sentry permissions from provider as followings: + * @param: component: The request is issued to which component + * @param: serviceName: The privilege belongs to which service + * @param: roleSet + * @param: groupNames + * @param: the authorizables + * @returns the set of permissions + * @throws SentryUserException + */ + Set<String> listPrivilegesForProvider(String component, + String serviceName, ActiveRoleSet roleSet, Set<String> groups, + List<? extends Authorizable> authorizables) throws SentryUserException; + + /** + * Get sentry privileges based on valid active roles and the authorize objects. Note that + * it is client responsibility to ensure the requestor username, etc. is not impersonated. + * + * @param component: The request respond to which component. + * @param serviceName: The name of service. + * @param requestorUserName: The requestor user name. + * @param authorizablesSet: The set of authorize objects. One authorize object is represented + * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. + * @param groups: The requested groups. + * @param roleSet: The active roles set. + * + * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>). + * @throws SentryUserException + */ + Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component, + String serviceName, String requestorUserName, Set<String> authorizablesSet, + Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException; + + void close(); +}
