Repository: sentry Updated Branches: refs/heads/master d6d4bf280 -> c6c9fabb4
SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c6c9fabb Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c6c9fabb Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c6c9fabb Branch: refs/heads/master Commit: c6c9fabb48ec896904bc0370e69540b7cb2bc3cb Parents: d6d4bf2 Author: Sun Dapeng <[email protected]> Authored: Thu Jul 14 10:11:18 2016 +0800 Committer: Sun Dapeng <[email protected]> Committed: Thu Jul 14 10:11:18 2016 +0800 ---------------------------------------------------------------------- .../DefaultSentryAccessController.java | 24 ++++++++++++++++---- .../TestPrivilegeWithGrantOption.java | 15 ++++++++++++ 2 files changed, 34 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java index 09e2a62..0d22cae 100644 --- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java +++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java 
@@ -466,7 +466,6 @@ public class DefaultSentryAccessController extends SentryHiveAccessController { } } } - /** * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which * is a instance of SentryPolicyServiceClientV2 @@ -483,21 +482,36 @@ public class DefaultSentryAccessController extends SentryHiveAccessController { sentryClient = getSentryClient(); // get principals Set<String> groups = Sets.newHashSet(); + Set<String> users = Sets.newHashSet(); for (HivePrincipal principal : hivePrincipals) { - if (principal.getType() != HivePrincipalType.GROUP) { + if (principal.getType() == HivePrincipalType.GROUP) { + groups.add(principal.getName()); + } else if (principal.getType() == HivePrincipalType.USER) { + users.add(principal.getName()); + } else { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType(); throw new HiveAuthzPluginException(msg); + } - groups.add(principal.getName()); } // grant/revoke role to/from principals for (String roleName : roles) { if (isGrant) { - sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups); + if (groups.size() > 0) { + sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups); + } + if (users.size() > 0) { + sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users); + } } else { - sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups); + if (groups.size() > 0) { + sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups); + } + if (users.size() > 0) { + sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users); + } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java ---------------------------------------------------------------------- 
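Review bot: A mixed principal list is now applied through two independent client calls per role inside `for (String roleName : roles)`, so if `grantRoleToUsers` or `revokeRoleFromUsers` throws after the group call succeeded, the change is only half applied. For a revoke this means the listed users keep the role even though the statement reported a failure. The method's error handling lies outside this hunk, so it is unclear whether the caller learns which principals were changed; the rethrown message should at least name the role and the principal set that failed, so the revoke can be re-run and audited. The Javadoc visible as context in the preceding hunk still says `role to/from group` and should now read `role to/from groups and users`. The new guards would read more idiomatically as `if (!groups.isEmpty())` and `if (!users.isEmpty())`.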
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java index 74a7ec7..284f54c 100644 --- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java +++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java @@ -131,6 +131,21 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfigur } + @Test + public void testOnGrantOrRevokeRoleToUser() throws Exception { + // setup db objects needed by the test + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE"); + statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE"); + statement.execute("CREATE DATABASE db_1"); + statement.execute("CREATE ROLE group1_role"); + statement.execute("GRANT ROLE group1_role TO USER " + USER1_1); + statement.execute("REVOKE ROLE group1_role FROM USER " + USER1_1); + + connection.close(); + } + /* * Admin grant DB_1 user1 without grant option, grant user3 with grant option, * user1 tries to grant it to user2, but failed.
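Review bot: `testOnGrantOrRevokeRoleToUser` contains no assertion, so it only proves that the GRANT and REVOKE statements execute without an exception; it does not show that `USER1_1` actually gains the role or, more importantly, loses it after the revoke. Give the role a privilege first, for example `statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group1_role");`. Then open a connection as `USER1_1` and check that a statement on `db_1` succeeds after the grant and is rejected after the revoke. The statement is never closed, and `connection.close()` is skipped when any `execute` throws, so the body belongs in try/finally or try-with-resources. `group1_role` is also left behind, which will break a re-run at `CREATE ROLE` unless the class setup (not visible here) clears roles.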
