Repository: sentry Updated Branches: refs/heads/master ca8137e89 -> 6fbff11fa
SENTRY-1360: Refactor grantPrivilege of Sentry Client (Dapeng Sun, reviewed by Colin Ma) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/79659ad9 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/79659ad9 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/79659ad9 Branch: refs/heads/master Commit: 79659ad986bc5b9641182d8c02a95d3fd910ae52 Parents: ca8137e Author: Sun Dapeng <[email protected]> Authored: Wed Jun 29 14:38:07 2016 +0800 Committer: Sun Dapeng <[email protected]> Committed: Wed Jun 29 14:38:07 2016 +0800 ---------------------------------------------------------------------- .../thrift/SentryPolicyServiceClient.java | 7 ++ .../SentryPolicyServiceClientDefaultImpl.java | 103 ++++++++++--------- .../db/tools/command/hive/CommandUtil.java | 4 +- .../command/hive/GrantPrivilegeToRoleCmd.java | 22 +--- 4 files changed, 67 insertions(+), 69 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/79659ad9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 1e72b74..8afa28b 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java 
@@ -104,6 +104,13 @@ public interface SentryPolicyServiceClient { String server, String db, String table, List<String> columnNames, String action, Boolean grantOption) throws SentryUserException; + Set<TSentryPrivilege> grantPrivileges(String requestorUserName, String + roleName, Set<TSentryPrivilege> privileges) throws SentryUserException; + + TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws + SentryUserException; + void revokeURIPrivilege(String requestorUserName, String roleName, String server, String uri) throws SentryUserException; http://git-wip-us.apache.org/repos/asf/sentry/blob/79659ad9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java index 1039e6e..25d515b 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java 
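Review bot: The two methods added to the interface have no Javadoc, and they change the contract in a way callers need to see: the per-scope methods above them build the privilege internally, whereas `grantPrivilege`/`grantPrivileges` accept a caller-populated `TSentryPrivilege`, so scope, action and grant option are now the caller's responsibility and are only checked once the request reaches the server. A Javadoc on `grantPrivilege` along the lines of `/** Grants one fully populated privilege to {@code roleName} on behalf of {@code requestorUserName}; returns the privilege echoed back in the response, or an empty {@code TSentryPrivilege} when the response carries none. */` would state that, with the analogous text on `grantPrivileges` for the returned set. The enclosing interface continues outside the hunk.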
@@ -24,22 +24,29 @@ import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.Map; import java.util.Set; - import javax.security.auth.callback.CallbackHandler; -import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.SaslRpcServer; import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.sentry.core.common.exception.SentryUserException; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Preconditions; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; +import com.google.common.collect.Maps; +import com.google.common.collect.Sets; +import org.apache.commons.lang.StringUtils; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.core.common.utils.PolicyFileConstants; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.common.utils.PolicyFileConstants; import org.apache.sentry.service.thrift.SentryServiceUtil; import org.apache.sentry.service.thrift.ServiceConstants; import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; 
@@ -57,14 +64,6 @@ import org.apache.thrift.transport.TTransportException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Preconditions; -import com.google.common.collect.ImmutableList; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; -import com.google.common.collect.Maps; -import com.google.common.collect.Sets; - /* A Sentry Client in which all the operations are synchronized for thread safety Note: When using this client, if there is an exception in RPC, socket can get into an inconsistent state. 
@@ -434,6 +433,45 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService null, db, table, columnNames, action, grantOption); } + public synchronized Set<TSentryPrivilege> grantPrivileges( + String requestorUserName, String roleName, + Set<TSentryPrivilege> privileges) throws SentryUserException { + return grantPrivilegesCore(requestorUserName, roleName, privileges); + } + + public synchronized TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws SentryUserException { + return grantPrivilegeCore(requestorUserName, roleName, privilege); + } + + private TSentryPrivilege grantPrivilegeCore(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws SentryUserException { + Set<TSentryPrivilege> results = + grantPrivilegesCore(requestorUserName, roleName, ImmutableSet.of(privilege)); + if (results != null && results.size() > 0) { + return results.iterator().next(); + } else { + return new TSentryPrivilege(); + } + } + + private Set<TSentryPrivilege> grantPrivilegesCore(String requestorUserName, String roleName, + Set<TSentryPrivilege> privileges) throws SentryUserException { + TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); + request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + request.setRequestorUserName(requestorUserName); + request.setRoleName(roleName); + request.setPrivileges(privileges); + try { + TAlterSentryRoleGrantPrivilegeResponse response = + client.alter_sentry_role_grant_privilege(request); + Status.throwIfNotOk(response.getStatus()); + return response.getPrivileges(); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + @VisibleForTesting public static TSentryAuthorizable setupSentryAuthorizable( List<? extends Authorizable> authorizable) { 
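Review bot: `grantPrivilegesCore` puts the caller-supplied set into the request without any check, and since `grantPrivileges` and `grantPrivilege` are public entry points, a null set or a privilege with no scope or action now travels all the way to the RPC and surfaces, if at all, as a server-side status or as the generic `THRIFT_EXCEPTION_MESSAGE`. `Preconditions` is already imported in this file, so a fail-fast guard such as `Preconditions.checkNotNull(privileges, "privileges");` at the top of `grantPrivilegesCore`, plus a check that each element has its scope and action set, would give callers a precise error before anything is sent. `grantPrivilegeCore` also returns `new TSentryPrivilege()` when the response has no privileges; that preserves the old behaviour but should be documented on the public `grantPrivilege`, because callers cannot tell it apart from a real result.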
@@ -472,25 +510,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String column, String action, Boolean grantOption) throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - Set<TSentryPrivilege> privileges = convertColumnPrivilege(scope, - serverName, uri, db, table, column, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - if (response.isSetPrivileges() - && response.getPrivilegesSize()>0 ) { - return response.getPrivileges().iterator().next(); - } else { - return new TSentryPrivilege(); - } - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } + TSentryPrivilege privilege = + convertToTSentryPrivilege(scope, serverName, uri, db, table, column, action, grantOption); + return grantPrivilegeCore(requestorUserName, roleName, privilege); } private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, 
@@ -505,20 +527,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns, String action, Boolean grantOption) throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope, serverName, uri, db, table, columns, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivileges(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } + return grantPrivilegesCore(requestorUserName, roleName, privileges); } public synchronized void revokeURIPrivilege(String requestorUserName, @@ -701,10 +712,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService return setBuilder.build(); } - private Set<TSentryPrivilege> convertColumnPrivilege( + private TSentryPrivilege convertToTSentryPrivilege( PrivilegeScope scope, String serverName, String uri, String db, String table, String column, String action, Boolean grantOption) { - ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); 
@@ -715,8 +725,7 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService privilege.setAction(action); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - setBuilder.add(privilege); - return setBuilder.build(); + return privilege; } private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) { http://git-wip-us.apache.org/repos/asf/sentry/blob/79659ad9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java index 2d2dcb5..51ee9ef 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java @@ -18,9 +18,10 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.common.utils.KeyValue; import org.apache.sentry.core.common.utils.PolicyFileConstants; +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.service.thrift.ServiceConstants; 
@@ -51,6 +52,7 @@ public final class CommandUtil { tSentryPrivilege.setColumnName(value); } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setURI(value); + tSentryPrivilege.setAction(AccessConstants.ALL); } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setAction(value); } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { http://git-wip-us.apache.org/repos/asf/sentry/blob/79659ad9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java index a1ef2f9..e3d06a9 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java @@ -18,9 +18,7 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.service.thrift.ServiceConstants; /** * The class for admin command to grant privilege to role. 
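Review bot: The added `setAction(AccessConstants.ALL)` in the URI branch is order-dependent: the branches appear to run once per key while the privilege string is parsed, so if `action=` precedes `uri=` the explicit action is overwritten with ALL, while in the other order the explicit value wins. That is a silent widening of the granted action; guard the default with the generated accessor, `if (!tSentryPrivilege.isSetAction()) { tSentryPrivilege.setAction(AccessConstants.ALL); }`, or apply the URI default once after the loop. The enclosing method starts and ends outside the hunk, so the per-key loop is inferred from the `else if` chain on `key`.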
@@ -38,24 +36,6 @@ public class GrantPrivilegeToRoleCmd implements Command {
 @Override
 public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
 TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getURI(), grantOption);
- }
+ client.grantPrivilege(requestorName, roleName, tSentryPrivilege);
 }
 }
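Review bot: Passing the `CommandUtil`-built `TSentryPrivilege` straight to `client.grantPrivilege` bypasses the default client's `convertToTSentryPrivilege`, which (per the `@@ -715,8` hunk) stamps `createTime` with `System.currentTimeMillis()` and normalizes the grant option through `convertTSentryGrantOption`; unless `CommandUtil.convertToTSentryPrivilege` does the same, which is not visible here, `createTime` is now sent unset and the grant option is whatever the parser left. The removed dispatch also silently did nothing for a scope matching none of the five constants, whereas the new call forwards it and relies on the server to reject it, which is the better behaviour but deserves a line such as `// scope/action are validated server-side; CommandUtil must supply a complete privilege` above the call. Worth confirming what `CommandUtil.convertToTSentryPrivilege` initializes before relying on it for `createTime` and `grantOption`.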
