http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
deleted file mode 100644
index d75e24b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
+++ /dev/null
@@ -1,595 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools;
-
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.net.MalformedURLException;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.IllegalFormatException;
-import java.util.List;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionBuilder;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.io.output.NullOutputStream;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hive.beeline.BeeLine;
-import org.apache.sentry.Command;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
-import org.apache.sentry.provider.db.tools.SentrySchemaHelper.NestedScriptParser;
-import org.apache.sentry.service.thrift.SentryService;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public class SentrySchemaTool {
- private static final String SENTRY_SCRIP_DIR = File.separatorChar + "scripts"
- + File.separatorChar + "sentrystore" + File.separatorChar + "upgrade";
- private String userName = null;
- private String passWord = null;
- private String connectionURL = null;
- private String driver = null;
- private boolean dryRun = false;
- private String dbOpts = null;
- private boolean verbose = false;
- private final Configuration sentryConf;
- private final String dbType;
- private final SentryStoreSchemaInfo sentryStoreSchemaInfo;
-
- public SentrySchemaTool(Configuration sentryConf, String dbType)
- throws SentryUserException, IOException {
- this(System.getenv("SENTRY_HOME") + SENTRY_SCRIP_DIR, sentryConf, dbType);
- }
-
- public SentrySchemaTool(String sentryScripPath, Configuration sentryConf,
- String dbType) throws SentryUserException, IOException {
- if (sentryScripPath == null || sentryScripPath.isEmpty()) {
- throw new SentryUserException("No Sentry script dir provided");
- }
- this.sentryConf = sentryConf;
- this.dbType = dbType;
- this.sentryStoreSchemaInfo = new SentryStoreSchemaInfo(sentryScripPath,
- dbType);
- userName = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER_DEFAULT);
- //Password will be read from Credential provider specified using property
- // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
- // it falls back to reading directly from sentry-site.xml
- char[] passTmp = sentryConf.getPassword(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- if(passTmp != null) {
- passWord = new String(passTmp);
- } else {
- throw new SentrySiteConfigurationException("Error reading " + ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- }
-
- try {
- connectionURL = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_URL);
- if(dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)) {
- driver = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
- } else {
- driver = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER);
- }
- // load required JDBC driver
- Class.forName(driver);
- } catch (IOException e) {
- throw new SentryUserException("Missing property: " + e.getMessage());
- } catch (ClassNotFoundException e) {
- throw new SentryUserException("Failed to load driver", e);
- }
- }
-
- public Configuration getConfiguration() {
- return sentryConf;
- }
-
- public void setUserName(String userName) {
- this.userName = userName;
- }
-
- public void setPassWord(String passWord) {
- this.passWord = passWord;
- }
-
- public void setDryRun(boolean dryRun) {
- this.dryRun = dryRun;
- }
-
- public void setVerbose(boolean verbose) {
- this.verbose = verbose;
- }
-
- public String getDbOpts() {
- return dbOpts;
- }
-
- public void setDbOpts(String dbOpts) {
- this.dbOpts = dbOpts;
- }
-
- private static void printAndExit(Options cmdLineOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- System.exit(1);
- }
-
- /***
- * Print Hive version and schema version
- * @throws SentryUserException
- */
- public void showInfo() throws SentryUserException {
- Connection sentryStoreConn = getConnectionToMetastore(true);
- System.out.println("Sentry distribution version:\t "
- + SentryStoreSchemaInfo.getSentryVersion());
- System.out.println("SentryStore schema version:\t "
- + getMetaStoreSchemaVersion(sentryStoreConn));
- }
-
- // read schema version from sentry store
- private String getMetaStoreSchemaVersion(Connection sentryStoreConn)
- throws SentryUserException {
- String versionQuery;
- if (SentrySchemaHelper.getDbCommandParser(dbType).needsQuotedIdentifier()) {
- versionQuery = "select t.\"SCHEMA_VERSION\" from \"SENTRY_VERSION\" t";
- } else {
- versionQuery = "select t.SCHEMA_VERSION from SENTRY_VERSION t";
- }
- try (Statement stmt = sentryStoreConn.createStatement();
- ResultSet res = stmt.executeQuery(versionQuery)) {
- if (!res.next()) {
- throw new SentryUserException("Didn't find version data in sentry store");
- }
- String currentSchemaVersion = res.getString(1);
- sentryStoreConn.close();
- return currentSchemaVersion;
- } catch (SQLException e) {
- throw new SentryUserException("Failed to get schema version.", e);
- }
- }
-
- // test the connection sentry store using the config property
- private void testConnectionToMetastore() throws SentryUserException {
- try (Connection conn = getConnectionToMetastore(true)) {
- conn.close();
- } catch (SQLException e) {
- throw new SentryUserException("Failed to close sentry store connection", e);
- }
- }
-
- /***
- * get JDBC connection to sentry store db
- *
- * @param printInfo print connection parameters
- * @return
- * @throws SentryUserException
- */
- private Connection getConnectionToMetastore(boolean printInfo)
- throws SentryUserException {
- if (printInfo) {
- System.out.println("Sentry store connection URL:\t " + connectionURL);
- System.out.println("Sentry store Connection Driver :\t " + driver);
- System.out.println("Sentry store connection User:\t " + userName);
- }
- if (userName == null || userName.isEmpty()) {
- throw new SentryUserException("UserName empty ");
- }
- try {
- // Connect using the JDBC URL and user/pass from conf
- return DriverManager.getConnection(connectionURL, userName, passWord);
- } catch (SQLException e) {
- throw new SentryUserException("Failed to make connection to Sentry store.", e);
- }
- }
-
- /**
- * check if the current schema version in sentry store matches the Hive version
- * @throws SentryUserException
- */
- public void verifySchemaVersion() throws SentryUserException {
- // don't check version if its a dry run
- if (dryRun) {
- return;
- }
- String newSchemaVersion =
- getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- // verify that the new version is added to schema
- if (!sentryStoreSchemaInfo.getSentrySchemaVersion().equalsIgnoreCase(
- newSchemaVersion)) {
- throw new SentryUserException("Found unexpected schema version "
- + newSchemaVersion);
- }
- }
-
- /**
- * Perform sentry store schema upgrade. extract the current schema version from sentry store
- * @throws SentryUserException
- */
- public void doUpgrade() throws SentryUserException {
- String fromVersion = getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- if (fromVersion == null || fromVersion.isEmpty()) {
- throw new SentryUserException(
- "Schema version not stored in the sentry store. "
- +
- "Metastore schema is too old or corrupt. Try specifying the version manually");
- }
- doUpgrade(fromVersion);
- }
-
- /**
- * Perform sentry store schema upgrade
- *
- * @param fromSchemaVer
- * Existing version of the sentry store. If null, then read from the sentry store
- * @throws SentryUserException
- */
- public void doUpgrade(String fromSchemaVer) throws SentryUserException {
- if (sentryStoreSchemaInfo.getSentrySchemaVersion().equals(fromSchemaVer)) {
- System.out.println("No schema upgrade required from version " + fromSchemaVer);
- return;
- }
- // Find the list of scripts to execute for this upgrade
- List<String> upgradeScripts =
- sentryStoreSchemaInfo.getUpgradeScripts(fromSchemaVer);
- testConnectionToMetastore();
- System.out.println("Starting upgrade sentry store schema from version " +
- fromSchemaVer + " to "
- + sentryStoreSchemaInfo.getSentrySchemaVersion());
- String scriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- try {
- for (String scriptFile : upgradeScripts) {
- System.out.println("Upgrade script " + scriptFile);
- if (!dryRun) {
- runBeeLine(scriptDir, scriptFile);
- System.out.println("Completed " + scriptFile);
- }
- }
- } catch (IOException eIO) {
- throw new SentryUserException(
- "Upgrade FAILED! Metastore state would be inconsistent !!", eIO);
- }
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema to current version
- *
- * @throws SentryUserException
- */
- public void doInit() throws SentryUserException {
- doInit(sentryStoreSchemaInfo.getSentrySchemaVersion());
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema
- *
- * @param toVersion
- * If null then current hive version is used
- * @throws SentryUserException
- */
- public void doInit(String toVersion) throws SentryUserException {
- testConnectionToMetastore();
- System.out.println("Starting sentry store schema initialization to " + toVersion);
-
- String initScriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- String initScriptFile = sentryStoreSchemaInfo.generateInitFileName(toVersion);
-
- try {
- System.out.println("Initialization script " + initScriptFile);
- if (!dryRun) {
- runBeeLine(initScriptDir, initScriptFile);
- System.out.println("Initialization script completed");
- }
- } catch (IOException e) {
- throw new SentryUserException("Schema initialization FAILED!"
- + " Metastore state would be inconsistent !!", e);
- }
- }
-
- // Flatten the nested upgrade script into a buffer
- public static String buildCommand(NestedScriptParser dbCommandParser,
- String scriptDir, String scriptFile) throws IllegalFormatException, IOException {
-
- BufferedReader bfReader =
- new BufferedReader(new FileReader(scriptDir + File.separatorChar + scriptFile));
- String currLine;
- StringBuilder sb = new StringBuilder();
- String currentCommand = null;
- while ((currLine = bfReader.readLine()) != null) {
- currLine = currLine.trim();
- if (currLine.isEmpty()) {
- continue; // skip empty lines
- }
-
- if (currentCommand == null) {
- currentCommand = currLine;
- } else {
- currentCommand = currentCommand + " " + currLine;
- }
- if (dbCommandParser.isPartialCommand(currLine)) {
- // if its a partial line, continue collecting the pieces
- continue;
- }
-
- // if this is a valid executable command then add it to the buffer
- if (!dbCommandParser.isNonExecCommand(currentCommand)) {
- currentCommand = dbCommandParser.cleanseCommand(currentCommand);
-
- if (dbCommandParser.isNestedScript(currentCommand)) {
- // if this is a nested sql script then flatten it
- String currScript = dbCommandParser.getScriptName(currentCommand);
- sb.append(buildCommand(dbCommandParser, scriptDir, currScript));
- } else {
- // Now we have a complete statement, process it
- // write the line to buffer
- sb.append(currentCommand);
- sb.append(System.getProperty("line.separator"));
- }
- }
- currentCommand = null;
- }
- bfReader.close();
- return sb.toString();
- }
-
- // run beeline on the given sentry store scrip, flatten the nested scripts into single file
- private void runBeeLine(String scriptDir, String scriptFile) throws IOException {
- NestedScriptParser dbCommandParser =
- SentrySchemaHelper.getDbCommandParser(dbType);
- dbCommandParser.setDbOpts(getDbOpts());
- // expand the nested script
- String sqlCommands = buildCommand(dbCommandParser, scriptDir, scriptFile);
- File tmpFile = File.createTempFile("schematool", ".sql");
- tmpFile.deleteOnExit();
-
- // write out the buffer into a file. Add beeline commands for autocommit and close
- try (FileWriter fstream = new FileWriter(tmpFile.getPath());
- BufferedWriter out = new BufferedWriter(fstream)) {
-
- out.write("!set Silent " + verbose + System.getProperty("line.separator"));
- out.write("!autocommit on" + System.getProperty("line.separator"));
- out.write("!set Isolation TRANSACTION_READ_COMMITTED"
- + System.getProperty("line.separator"));
- out.write("!set AllowMultiLineCommand false"
- + System.getProperty("line.separator"));
- out.write(sqlCommands);
- out.write("!closeall" + System.getProperty("line.separator"));
- out.close();
- }
- runBeeLine(tmpFile.getPath());
- }
-
- // Generate the beeline args per hive conf and execute the given script
- public void runBeeLine(String sqlScriptFile) throws IOException {
- List<String> argList = new ArrayList<String>();
- argList.add("-u");
- argList.add(connectionURL);
- argList.add("-d");
- argList
- .add(driver);
- argList.add("-n");
- argList.add(userName);
- argList.add("-p");
- argList.add(passWord);
- argList.add("-f");
- argList.add(sqlScriptFile);
-
- BeeLine beeLine = new BeeLine();
- if (!verbose) {
- beeLine.setOutputStream(new PrintStream(new NullOutputStream()));
- // beeLine.getOpts().setSilent(true);
- }
- // beeLine.getOpts().setAllowMultiLineCommand(false);
- // beeLine.getOpts().setIsolation("TRANSACTION_READ_COMMITTED");
- int status = beeLine.begin(argList.toArray(new String[0]), null);
- if (status != 0) {
- throw new IOException("Schema script failed, errorcode " + status);
- }
- }
-
- private String getValidConfVar(String confVar) throws IOException {
- String confVarKey = confVar;
- String confVarValue = sentryConf.get(confVarKey);
- if (confVarValue == null || confVarValue.isEmpty()) {
- throw new IOException("Empty " + confVar);
- }
- return confVarValue;
- }
-
- // Create the required command line options
- @SuppressWarnings("static-access")
- private static void initOptions(Options cmdLineOptions) {
- Option help = new Option("help", "print this message");
- Option upgradeOpt = new Option("upgradeSchema", "Schema upgrade");
- Option upgradeFromOpt = OptionBuilder.withArgName("upgradeFrom").hasArg().
- withDescription("Schema upgrade from a version").
- create("upgradeSchemaFrom");
- Option initOpt = new Option("initSchema", "Schema initialization");
- Option initToOpt = OptionBuilder.withArgName("initTo").hasArg().
- withDescription("Schema initialization to a version").
- create("initSchemaTo");
- Option infoOpt = new Option("info", "Show config and schema details");
-
- OptionGroup optGroup = new OptionGroup();
- optGroup.addOption(upgradeOpt).addOption(initOpt).
- addOption(help).addOption(upgradeFromOpt).
- addOption(initToOpt).addOption(infoOpt);
- optGroup.setRequired(true);
-
- Option userNameOpt = OptionBuilder.withArgName("user")
- .hasArg()
- .withDescription("Override config file user name")
- .create("userName");
- Option passwdOpt = OptionBuilder.withArgName("password")
- .hasArg()
- .withDescription("Override config file password")
- .create("passWord");
- Option dbTypeOpt = OptionBuilder.withArgName("databaseType")
- .hasArg().withDescription("Metastore database type [" +
- SentrySchemaHelper.DB_DERBY + "," +
- SentrySchemaHelper.DB_MYSQL + "," +
- SentrySchemaHelper.DB_ORACLE + "," +
- SentrySchemaHelper.DB_POSTGRACE + "," +
- SentrySchemaHelper.DB_DB2 + "]")
- .create("dbType");
- Option dbOpts = OptionBuilder.withArgName("databaseOpts")
- .hasArgs().withDescription("Backend DB specific options")
- .create("dbOpts");
-
- Option dryRunOpt = new Option("dryRun", "list SQL scripts (no execute)");
- Option verboseOpt = new Option("verbose", "only print SQL statements");
-
- Option configOpt = OptionBuilder.withArgName("confName").hasArgs()
- .withDescription("Sentry Service configuration file").isRequired(true)
- .create(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
-
- cmdLineOptions.addOption(help);
- cmdLineOptions.addOption(dryRunOpt);
- cmdLineOptions.addOption(userNameOpt);
- cmdLineOptions.addOption(passwdOpt);
- cmdLineOptions.addOption(dbTypeOpt);
- cmdLineOptions.addOption(verboseOpt);
- cmdLineOptions.addOption(dbOpts);
- cmdLineOptions.addOption(configOpt);
- cmdLineOptions.addOptionGroup(optGroup);
- }
-
- public static class CommandImpl implements Command {
- @Override
- public void run(String[] args) throws Exception {
- CommandLineParser parser = new GnuParser();
- CommandLine line = null;
- String dbType = null;
- String schemaVer = null;
- Options cmdLineOptions = new Options();
- String configFileName = null;
-
- // Argument handling
- initOptions(cmdLineOptions);
- try {
- line = parser.parse(cmdLineOptions, args);
- } catch (ParseException e) {
- System.err.println("SentrySchemaTool:Parsing failed. Reason: "
- + e.getLocalizedMessage());
- printAndExit(cmdLineOptions);
- }
-
- if (line.hasOption("help")) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- return;
- }
-
- if (line.hasOption("dbType")) {
- dbType = line.getOptionValue("dbType");
- if (!dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_MYSQL)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_POSTGRACE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_ORACLE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DB2)) {
- System.err.println("Unsupported dbType " + dbType);
- printAndExit(cmdLineOptions);
- }
- } else {
- System.err.println("no dbType supplied");
- printAndExit(cmdLineOptions);
- }
- if (line.hasOption(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG)) {
- configFileName = line
- .getOptionValue(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
- } else {
- System.err.println("no config file specified");
- printAndExit(cmdLineOptions);
- }
- try {
- SentrySchemaTool schemaTool = new SentrySchemaTool(
- SentryService.loadConfig(configFileName), dbType);
-
- if (line.hasOption("userName")) {
- schemaTool.setUserName(line.getOptionValue("userName"));
- }
- if (line.hasOption("passWord")) {
- schemaTool.setPassWord(line.getOptionValue("passWord"));
- }
- if (line.hasOption("dryRun")) {
- schemaTool.setDryRun(true);
- }
- if (line.hasOption("verbose")) {
- schemaTool.setVerbose(true);
- }
- if (line.hasOption("dbOpts")) {
- schemaTool.setDbOpts(line.getOptionValue("dbOpts"));
- }
-
- if (line.hasOption("info")) {
- schemaTool.showInfo();
- } else if (line.hasOption("upgradeSchema")) {
- schemaTool.doUpgrade();
- } else if (line.hasOption("upgradeSchemaFrom")) {
- schemaVer = line.getOptionValue("upgradeSchemaFrom");
- schemaTool.doUpgrade(schemaVer);
- } else if (line.hasOption("initSchema")) {
- schemaTool.doInit();
- } else if (line.hasOption("initSchemaTo")) {
- schemaVer = line.getOptionValue("initSchemaTo");
- schemaTool.doInit(schemaVer);
- } else {
- System.err.println("no valid option supplied");
- printAndExit(cmdLineOptions);
- }
- } catch (SentryUserException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- } catch (MalformedURLException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- }
- System.out.println("Sentry schemaTool completed");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
deleted file mode 100644
index 6ddc1de..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-import org.apache.commons.lang.StringUtils;
-
-/**
- * SentryShellCommon provides the function for parsing the argument.
- * For hive model and generic model, child class should be implemented as a sentry admin tool.
- */
-abstract public class SentryShellCommon {
-
- protected String roleName;
- protected String groupName;
- protected String privilegeStr;
- protected String confPath;
- // flag for the command
- protected boolean isCreateRole = false;
- protected boolean isDropRole = false;
- protected boolean isAddRoleGroup = false;
- protected boolean isDeleteRoleGroup = false;
- protected boolean isGrantPrivilegeRole = false;
- protected boolean isRevokePrivilegeRole = false;
- protected boolean isListRole = false;
- protected boolean isListPrivilege = false;
- protected boolean isPrintHelp = false;
- // flag for the parameter check
- protected boolean roleNameRequired = false;
- protected boolean groupNameRequired = false;
- protected boolean privilegeStrRequired = false;
-
- public final static String OPTION_DESC_HELP = "Shell usage";
- public final static String OPTION_DESC_CONF = "sentry-site file path";
- public final static String OPTION_DESC_ROLE_NAME = "Role name";
- public final static String OPTION_DESC_GROUP_NAME = "Group name";
- public final static String OPTION_DESC_PRIVILEGE = "Privilege string";
- public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
-
- public final static String GROUP_SPLIT_CHAR = ",";
-
- /**
- * parse arguments
- *
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -cr,--create_role -r <rolename> create role
- * -dr,--drop_role -r <rolename> drop role
- * -arg,--add_role_group -r <rolename> -g <groupname> add role to group
- * -drg,--delete_role_group -r <rolename> -g <groupname> delete role from group
- * -gpr,--grant_privilege_role -r <rolename> -p <privilege> grant privilege to role
- * -rpr,--revoke_privilege_role -r <rolename> -p <privilege> revoke privilege from role
- * -lr,--list_role -g <groupname> list roles for group
- * -lp,--list_privilege -r <rolename> list privilege for role
- * -t,--type <typeame> the shell for hive model or generic model
- * </pre>
- *
- * @param args
- */
- protected boolean parseArgs(String[] args) {
- Options simpleShellOptions = new Options();
-
- Option crOpt = new Option("cr", "create_role", false, "Create role");
- crOpt.setRequired(false);
-
- Option drOpt = new Option("dr", "drop_role", false, "Drop role");
- drOpt.setRequired(false);
-
- Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
- argOpt.setRequired(false);
-
- Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
- drgOpt.setRequired(false);
-
- Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
- gprOpt.setRequired(false);
-
- Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
- rprOpt.setRequired(false);
-
- Option lrOpt = new Option("lr", "list_role", false, "List role");
- lrOpt.setRequired(false);
-
- Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
- lpOpt.setRequired(false);
-
- // required args group
- OptionGroup simpleShellOptGroup = new OptionGroup();
- simpleShellOptGroup.addOption(crOpt);
- simpleShellOptGroup.addOption(drOpt);
- simpleShellOptGroup.addOption(argOpt);
- simpleShellOptGroup.addOption(drgOpt);
- simpleShellOptGroup.addOption(gprOpt);
- simpleShellOptGroup.addOption(rprOpt);
- simpleShellOptGroup.addOption(lrOpt);
- simpleShellOptGroup.addOption(lpOpt);
- simpleShellOptGroup.setRequired(true);
- simpleShellOptions.addOptionGroup(simpleShellOptGroup);
-
- // optional args
- Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
- pOpt.setRequired(false);
- simpleShellOptions.addOption(pOpt);
-
- Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME);
- gOpt.setRequired(false);
- simpleShellOptions.addOption(gOpt);
-
- Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME);
- rOpt.setRequired(false);
- simpleShellOptions.addOption(rOpt);
-
- // this argument should be parsed in the bin/sentryShell
- Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]");
- tOpt.setRequired(false);
- simpleShellOptions.addOption(tOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
- sentrySitePathOpt.setRequired(true);
- simpleShellOptions.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
- helpOpt.setRequired(false);
- simpleShellOptions.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(simpleShellOptions);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(simpleShellOptions, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- privilegeStr = opt.getValue();
- } else if (opt.getOpt().equals("g")) {
- groupName = opt.getValue();
- } else if (opt.getOpt().equals("r")) {
- roleName = opt.getValue();
- } else if (opt.getOpt().equals("cr")) {
- isCreateRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("dr")) {
- isDropRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("arg")) {
- isAddRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("drg")) {
- isDeleteRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("gpr")) {
- isGrantPrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("rpr")) {
- isRevokePrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("lr")) {
- isListRole = true;
- } else if (opt.getOpt().equals("lp")) {
- isListPrivilege = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
- checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
- checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
- checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(simpleShellOptions);
- return false;
- }
- return true;
- }
-
- private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
- if (isRequired && StringUtils.isEmpty(paramValue)) {
- throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
- }
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryShell", sentryOptions);
- }
-
- // hive model and generic model should implement this method
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeShell(String[] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
deleted file mode 100644
index dc7f829..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.command.hive.*;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellHive is an admin tool, and responsible for the management of repository.
- * The following function are supported:
- * create role, drop role, add group to role, delete group from role, grant privilege to role,
- * revoke privilege from role, list roles for group, list privilege for role.
- */
-public class SentryShellHive extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class);
-
- public void run() throws Exception {
- Command command = null;
- SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf());
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName);
- } else if (isAddRoleGroup) {
- command = new GrantRoleToGroupsCmd(roleName, groupName);
- } else if (isDeleteRoleGroup) {
- command = new RevokeRoleFromGroupsCmd(roleName, groupName);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr);
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr);
- } else if (isListRole) {
- command = new ListRolesCmd(groupName);
- } else if (isListPrivilege) {
- command = new ListPrivilegesCmd(roleName);
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recoreded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- System.out.println("The operation failed." +
- (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
deleted file mode 100644
index 79aed49..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The interface for all admin commands, eg, CreateRoleCmd.
- */
-public interface Command {
- void execute(SentryPolicyServiceClient client, String requestorName) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
deleted file mode 100644
index 51ee9ef..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public final class CommandUtil {
-
- public static final String SPLIT_CHAR = ",";
-
- private CommandUtil() {
- // Make constructor private to avoid instantiation
- }
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- tSentryPrivilege.setAction(AccessConstants.ALL);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- validatePrivilegeHierarchy(tSentryPrivilege);
- return tSentryPrivilege;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = ServiceConstants.PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // check the privilege value for the specific privilege scope
- // eg, for the table scope, server and database can't be empty
- private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())
- && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
deleted file mode 100644
index 5a4834a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to create role.
- */
-public class CreateRoleCmd implements Command {
-
- private String roleName;
-
- public CreateRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.createRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
deleted file mode 100644
index facec0e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to drop role.
- */
-public class DropRoleCmd implements Command {
-
- private String roleName;
-
- public DropRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.dropRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
deleted file mode 100644
index e3d06a9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to grant privilege to role.
- */
-public class GrantPrivilegeToRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- client.grantPrivilege(requestorName, roleName, tSentryPrivilege);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
deleted file mode 100644
index 07a3de4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * The class for admin command to grant role to group.
- */
-public class GrantRoleToGroupsCmd implements Command {
-
- private String roleName;
- private String groupNamesStr;
-
- public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) {
- this.roleName = roleName;
- this.groupNamesStr = groupNamesStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<String> groups = Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.grantRoleToGroups(requestorName, roleName, groups);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
deleted file mode 100644
index 5f3e9fb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Lists;
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-import java.util.List;
-import java.util.Set;
-
-/**
- * The class for admin command to list privileges.
- */
-public class ListPrivilegesCmd implements Command {
-
- private String roleName;
-
- public ListPrivilegesCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryPrivilege> privileges = client
- .listAllPrivilegesByRoleName(requestorName, roleName);
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = convertToPrivilegeStr(privilege);
- System.out.println(privilegeStr);
- }
- }
- }
-
- // convert TSentryPrivilege to privilege in string
- private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
deleted file mode 100644
index 283f2c0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-
-import java.util.Set;
-
-/**
- * The class for admin command to list roles.
- */
-public class ListRolesCmd implements Command {
-
- private String groupName;
-
- public ListRolesCmd(String groupName) {
- this.groupName = groupName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryRole> roles;
- if (StringUtils.isEmpty(groupName)) {
- roles = client.listRoles(requestorName);
- } else {
- roles = client.listRolesByGroupName(requestorName, groupName);
- }
- if (roles != null) {
- for (TSentryRole role : roles) {
- System.out.println(role.getRoleName());
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
deleted file mode 100644
index fe6aca5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to revoke privileges from role.
- */
-public class RevokePrivilegeFromRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- client.revokePrivilege(requestorName, roleName, tSentryPrivilege);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
deleted file mode 100644
index 86773ca..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
+++ /dev/null
@@ -1,43 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.tools.command.hive; - -import com.google.common.collect.Sets; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; - -import java.util.Set; - -/** - * The class for admin command to revoke role from group. - */ -public class RevokeRoleFromGroupsCmd implements Command { - - private String roleName; - private String groupNamesStr; - - public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) { - this.roleName = roleName; - this.groupNamesStr = groupNamesStr; - } - - @Override - public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR)); - client.revokeRoleFromGroups(requestorName, roleName, groups); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
deleted file mode 100644
index b668b95..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.Arrays;
-import java.util.List;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.sentry.core.common.exception.ConnectionDeniedException;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-
-public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
-
- private final Configuration conf;
- public GSSCallback(Configuration conf) {
- super();
- this.conf = conf;
- }
-
- boolean comparePrincipals(String principal1, String principal2) {
- String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1);
- String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2);
- if (principalParts1.length == 0 || principalParts2.length == 0) {
- return false;
- }
- if (principalParts1.length == principalParts2.length) {
- for (int i=0; i < principalParts1.length; i++) {
- if (!principalParts1[i].equals(principalParts2[i])) {
- return false;
- }
- }
- return true;
- } else {
- return false;
- }
- }
-
- boolean allowConnect(String principal) {
- String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
- if (allowedPrincipals == null) {
- return false;
- }
- String principalShortName = getShortName(principal);
- List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
- for (String item : items) {
- if (comparePrincipals(item, principalShortName)) {
- return true;
- }
- }
- return false;
- }
-
- private String getShortName(String principal) {
- String parts[] = SaslRpcServer.splitKerberosName(principal);
- return parts[0];
- }
-
- @Override
- public void handle(Callback[] callbacks)
- throws UnsupportedCallbackException, ConnectionDeniedException {
- AuthorizeCallback ac = null;
- for (Callback callback : callbacks) {
- if (callback instanceof AuthorizeCallback) {
- ac = (AuthorizeCallback) callback;
- } else {
- throw new UnsupportedCallbackException(callback,
- "Unrecognized SASL GSSAPI Callback");
- }
- }
- if (ac != null) {
- String authid = ac.getAuthenticationID();
- String authzid = ac.getAuthorizationID();
-
- if (allowConnect(authid)) {
- if (authid.equals(authzid)) {
- ac.setAuthorized(true);
- } else {
- ac.setAuthorized(false);
- }
- if (ac.isAuthorized()) {
- ac.setAuthorizedID(authzid);
- }
- } else {
- throw new ConnectionDeniedException(ac,
- "Connection to sentry service denied due to lack of client credentials",
- authid);
- }
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
deleted file mode 100644
index d97a07e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.net.InetSocketAddress;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.persistent.ServiceManager;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-
-public class HAClientInvocationHandler extends SentryClientInvocationHandler {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(HAClientInvocationHandler.class);
-
- private final Configuration conf;
- private ServiceManager manager;
- private ServiceInstance<Void> currentServiceInstance;
- private SentryPolicyServiceClient client = null;
-
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
- public static final String SENTRY_HA_ERROR_MESSAGE = "No Sentry server available. Please ensure that at least one Sentry server is online";
-
- public HAClientInvocationHandler(Configuration conf) throws Exception {
- this.conf = conf;
- checkClientConf();
- }
-
- @Override
- public Object invokeImpl(Object proxy, Method method, Object[] args) throws
- SentryUserException {
- Object result = null;
- try {
- if (!method.isAccessible()) {
- method.setAccessible(true);
- }
- // The client is initialized in the first call instead of constructor.
- // This way we can propagate the connection exception to caller cleanly
- if (client == null) {
- renewSentryClient();
- }
- result = method.invoke(client, args);
- } catch (IllegalAccessException e) {
- throw new SentryUserException(e.getMessage(), e.getCause());
- } catch (InvocationTargetException e) {
- if (e.getTargetException() instanceof SentryUserException) {
- throw (SentryUserException)e.getTargetException();
- } else {
- LOGGER.warn(THRIFT_EXCEPTION_MESSAGE + ": Error in connect current" +
- " service, will retry other service.", e);
- if (client != null) {
- client.close();
- client = null;
- }
- }
- } catch (IOException e1) {
- throw new SentryUserException("Error connecting to sentry service "
- + e1.getMessage(), e1);
- }
- return result;
- }
-
- // Retrieve the new connection endpoint from ZK and connect to new server
- private void renewSentryClient() throws IOException {
- try {
- manager = new ServiceManager(HAContext.getHAContext(conf));
- } catch (Exception e1) {
- throw new IOException("Failed to extract Sentry node info from zookeeper", e1);
- }
-
- try {
- while (true) {
- currentServiceInstance = manager.getServiceInstance();
- if (currentServiceInstance == null) {
- throw new IOException(SENTRY_HA_ERROR_MESSAGE);
- }
- InetSocketAddress serverAddress =
- ServiceManager.convertServiceInstance(currentServiceInstance);
- conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, serverAddress.getHostName());
- conf.setInt(ServiceConstants.ClientConfig.SERVER_RPC_PORT, serverAddress.getPort());
- try {
- client = new SentryPolicyServiceClientDefaultImpl(conf);
- LOGGER.info("Sentry Client using server " + serverAddress.getHostName() +
- ":" + serverAddress.getPort());
- break;
- } catch (IOException e) {
- manager.reportError(currentServiceInstance);
- LOGGER.info("Transport exception while opening transport:", e, e.getMessage());
- }
- }
- } finally {
- manager.close();
- }
- }
-
- private void checkClientConf() {
- if (conf.getBoolean(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY,
- ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT)) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
- ServerConfig.PRINCIPAL + " is required");
- Preconditions.checkArgument(serverPrincipal.contains(SecurityUtil.HOSTNAME_PATTERN),
- ServerConfig.PRINCIPAL + " : " + serverPrincipal + " should contain " + SecurityUtil.HOSTNAME_PATTERN);
- }
- }
-
- @Override
- public void close() {
- if (client != null) {
- client.close();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
deleted file mode 100644
index a79ce5f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-
-/**
- * Creates a programmatic version of a jaas.conf file. This can be used instead of writing a jaas.conf file and setting
- * the system property, "java.security.auth.login.config", to point to that file. It is meant to be used for connecting to
- * ZooKeeper.
- * <p>
- * example usage:
- * JaasConfiguration.addEntry("Client", principal, keytabFile);
- * javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
- */
-public final class JaasConfiguration extends Configuration {
- private static Map<String, AppConfigurationEntry> entries = new HashMap<String, AppConfigurationEntry>();
- private static JaasConfiguration me = null;
- private static final String krb5LoginModuleName;
-
- static {
- if (System.getProperty("java.vendor").contains("IBM")) {
- krb5LoginModuleName = "com.ibm.security.auth.module.Krb5LoginModule";
- }
- else {
- krb5LoginModuleName = "com.sun.security.auth.module.Krb5LoginModule";
- }
- }
-
- private JaasConfiguration() {
- // don't need to do anything here but we want to make it private
- }
-
- /**
- * Return the singleton. You'd typically use it only to do this:
- * <p>
- * javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
- *
- * @return
- */
- public static Configuration getInstance() {
- if (me == null) {
- me = new JaasConfiguration();
- }
- return me;
- }
-
- /**
- * Add an entry to the jaas configuration with the passed in name, principal, and keytab. The other necessary options will be
- * set for you.
- *
- * @param name The name of the entry (e.g. "Client")
- * @param principal The principal of the user
- * @param keytab The location of the keytab
- */
- public static void addEntryForKeytab(String name, String principal, String keytab) {
- Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("useTicketCache", "false");
- AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
- entries.put(name, entry);
- }
-
- /**
- * Add an entry to the jaas configuration with the passed in name. The other
- * necessary options will be set for you.
- *
- * @param name The name of the entry (e.g. "Client")
- */
- public static void addEntryForTicketCache(String sectionName) {
- Map<String, String> options = new HashMap<String, String>();
- options.put("useKeyTab", "false");
- options.put("storeKey", "false");
- options.put("useTicketCache", "true");
- AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
- entries.put(sectionName, entry);
- }
-
- /**
- * Removes the specified entry.
- *
- * @param name The name of the entry to remove
- */
- public static void removeEntry(String name) {
- entries.remove(name);
- }
-
- /**
- * Clears all entries.
- */
- public static void clearEntries() {
- entries.clear();
- }
-
- /**
- * Returns the entries map.
- *
- * @return the entries map
- */
- public static Map<String, AppConfigurationEntry> getEntries() {
- return entries;
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- return new AppConfigurationEntry[]{entries.get(name)};
- }
-}
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
deleted file mode 100644
index 41e4fe4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.File;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.AppConfigurationEntry;
-
-public class KerberosConfiguration extends javax.security.auth.login.Configuration {
- private String principal;
- private String keytab;
- private boolean isInitiator;
- private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
-
- private KerberosConfiguration(String principal, File keytab,
- boolean client) {
- this.principal = principal;
- this.keytab = keytab.getAbsolutePath();
- this.isInitiator = client;
- }
-
- public static javax.security.auth.login.Configuration createClientConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, true);
- }
-
- public static javax.security.auth.login.Configuration createServerConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, false);
- }
-
- private static String getKrb5LoginModuleName() {
- return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
- : "com.sun.security.auth.module.Krb5LoginModule");
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- Map<String, String> options = new HashMap<String, String>();
-
- if (IBM_JAVA) {
- // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
- options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
-
- options.put("principal", principal);
- options.put("refreshKrb5Config", "true");
-
- // Both "initiator" and "acceptor"
- options.put("credsType", "both");
- } else {
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
- }
-
- String ticketCache = System.getenv("KRB5CCNAME");
- if (IBM_JAVA) {
- // If cache is specified via env variable, it takes priority
- if (ticketCache != null) {
- // IBM JAVA only respects system property so copy ticket cache to system property
- // The first value searched when "useDefaultCcache" is true.
- System.setProperty("KRB5CCNAME", ticketCache);
- } else {
- ticketCache = System.getProperty("KRB5CCNAME");
- }
-
- if (ticketCache != null) {
- options.put("useDefaultCcache", "true");
- options.put("renewTGT", "true");
- }
- } else {
- if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
- }
- }
- options.put("debug", "true");
-
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry(getKrb5LoginModuleName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- options)};
- }
-}
-
