Repository: sentry Updated Branches: refs/heads/sentry-ha-redesign 3a02a6282 -> f19a68cb6
SENTRY-1360: Refactor grantPrivilege of Sentry Client (Dapeng Sun, reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/f19a68cb
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/f19a68cb
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/f19a68cb
Branch: refs/heads/sentry-ha-redesign
Commit: f19a68cb69e72a9df3dbd3cefeb3a51535c71360
Parents: 3a02a62
Author: Alexander Kolbasov <[email protected]>
Authored: Fri Mar 10 22:03:46 2017 -0800
Committer: Alexander Kolbasov <[email protected]>
Committed: Sun Mar 12 20:36:44 2017 -0700
----------------------------------------------------------------------
.../thrift/SentryPolicyServiceClient.java | 7 ++
.../SentryPolicyServiceClientDefaultImpl.java | 80 +++++++++++---------
.../db/tools/command/hive/CommandUtil.java | 4 +-
.../command/hive/GrantPrivilegeToRoleCmd.java | 22 +-----
4 files changed, 56 insertions(+), 57 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/f19a68cb/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 8949667..c2b03e5 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -104,6 +104,13 @@ public interface SentryPolicyServiceClient { String server, String db, String table, List<String> columnNames, String action, Boolean grantOption) throws SentryUserException; + Set<TSentryPrivilege> grantPrivileges(String requestorUserName, String + roleName, Set<TSentryPrivilege> privileges) throws SentryUserException; + + TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws + SentryUserException; + void revokeURIPrivilege(String requestorUserName, String roleName, String server, String uri) throws SentryUserException; http://git-wip-us.apache.org/repos/asf/sentry/blob/f19a68cb/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java index 9494b75..2cf748e 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java 
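Review bot: The two declarations added to SentryPolicyServiceClient, `grantPrivileges(String, String, Set<TSentryPrivilege>)` and `grantPrivilege(String, String, TSentryPrivilege)`, have no Javadoc, and their contract differs from the typed grant*Privilege methods around them. They accept a privilege object built by the caller, and the default implementation in this commit places it into the request unchanged, so the comment should say which fields the caller is responsible for (scope, server name, action, grant option). It should also document the return value when the server reports no privileges: the implementation returns an empty `new TSentryPrivilege()`, not null. The interface body starts and ends outside the hunk.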
@@ -530,6 +530,45 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService null, db, table, columnNames, action, grantOption); } + public synchronized Set<TSentryPrivilege> grantPrivileges( + String requestorUserName, String roleName, + Set<TSentryPrivilege> privileges) throws SentryUserException { + return grantPrivilegesCore(requestorUserName, roleName, privileges); + } + + public synchronized TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws SentryUserException { + return grantPrivilegeCore(requestorUserName, roleName, privilege); + } + + private TSentryPrivilege grantPrivilegeCore(String requestorUserName, String roleName, + TSentryPrivilege privilege) throws SentryUserException { + Set<TSentryPrivilege> results = + grantPrivilegesCore(requestorUserName, roleName, ImmutableSet.of(privilege)); + if (results != null && results.size() > 0) { + return results.iterator().next(); + } else { + return new TSentryPrivilege(); + } + } + + private Set<TSentryPrivilege> grantPrivilegesCore(String requestorUserName, String roleName, + Set<TSentryPrivilege> privileges) throws SentryUserException { + TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); + request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + request.setRequestorUserName(requestorUserName); + request.setRoleName(roleName); + request.setPrivileges(privileges); + try { + TAlterSentryRoleGrantPrivilegeResponse response = + client.alter_sentry_role_grant_privilege(request); + Status.throwIfNotOk(response.getStatus()); + return response.getPrivileges(); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + @VisibleForTesting public static TSentryAuthorizable setupSentryAuthorizable( List<? extends Authorizable> authorizable) { 
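Review bot: `grantPrivilegeCore` passes its argument straight to `ImmutableSet.of(privilege)`, so a null privilege from a caller of the new public `grantPrivilege` fails inside Guava with a bare NullPointerException instead of an error that names the bad argument. Likewise `grantPrivilegesCore` puts a caller-supplied `privileges` set into the request without any check. A guard at the top of the two public methods, for example `Preconditions.checkNotNull(privilege, "privilege must not be null");` and the equivalent for `privileges`, makes the failure explicit before a grant request is built. The `new TSentryPrivilege()` fallback also makes "the server returned nothing" look like a successful grant of an empty privilege, which deserves a sentence in the method's Javadoc.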
@@ -568,25 +607,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String column, String action, Boolean grantOption) throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - Set<TSentryPrivilege> privileges = convertColumnPrivilege(scope, - serverName, uri, db, table, column, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - if (response.isSetPrivileges() - && response.getPrivilegesSize()>0 ) { - return response.getPrivileges().iterator().next(); - } else { - return new TSentryPrivilege(); - } - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } + TSentryPrivilege privilege = + convertToTSentryPrivilege(scope, serverName, uri, db, table, column, action, grantOption); + return grantPrivilegeCore(requestorUserName, roleName, privilege); } private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, 
@@ -601,20 +624,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns, String action, Boolean grantOption) throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope, serverName, uri, db, table, columns, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivileges(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } + return grantPrivilegesCore(requestorUserName, roleName, privileges); } public synchronized void revokePrivileges(String requestorUserName, String roleName, Set<TSentryPrivilege> privileges) throws SentryUserException { @@ -815,10 +827,9 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService return setBuilder.build(); } - private Set<TSentryPrivilege> convertColumnPrivilege( + private TSentryPrivilege convertToTSentryPrivilege( PrivilegeScope scope, String serverName, String uri, String db, String table, String column, String action, Boolean grantOption) { - ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); 
@@ -829,8 +840,7 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService privilege.setAction(action); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - setBuilder.add(privilege); - return setBuilder.build(); + return privilege; } private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) { http://git-wip-us.apache.org/repos/asf/sentry/blob/f19a68cb/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java index 2d2dcb5..51ee9ef 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java @@ -18,9 +18,10 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.SentryConstants; import org.apache.sentry.core.common.utils.KeyValue; import org.apache.sentry.core.common.utils.PolicyFileConstants; +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.service.thrift.ServiceConstants; 
@@ -51,6 +52,7 @@ public final class CommandUtil { tSentryPrivilege.setColumnName(value); } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setURI(value); + tSentryPrivilege.setAction(AccessConstants.ALL); } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { tSentryPrivilege.setAction(value); } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { http://git-wip-us.apache.org/repos/asf/sentry/blob/f19a68cb/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java index a1ef2f9..e3d06a9 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java @@ -18,9 +18,7 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.service.thrift.ServiceConstants; /** * The class for admin command to grant privilege to role. 
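Review bot: In CommandUtil's URI branch the forced action depends on the order of keys in the privilege string. `tSentryPrivilege.setAction(AccessConstants.ALL)` runs when the URI key is handled, so, assuming this chain runs once per key/value pair, an action key handled later overwrites ALL through `setAction(value)`, while one handled earlier is silently replaced by ALL. The action that ends up in a grant should not depend on ordering. Apply the default once after all keys are parsed (only when the scope is URI and no action was supplied), or reject an explicit action on a URI privilege, and add a comment explaining why URI privileges default to ALL. The enclosing method and its if/else chain start and end outside the hunk, so any later normalization is not visible here.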
@@ -38,24 +36,6 @@ public class GrantPrivilegeToRoleCmd implements Command { @Override public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr); - boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false; - if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), - tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption); - } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { - client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), - tSentryPrivilege.getURI(), grantOption); - } + client.grantPrivilege(requestorName, roleName, tSentryPrivilege); } }
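Review bot: The removed if/else chain in `execute` worked as an allow-list: only SERVER, DATABASE, TABLE, COLUMN and URI scopes produced a call, each call sent only the fields that belong to that scope, and the grant option was reduced to a boolean. `client.grantPrivilege(requestorName, roleName, tSentryPrivilege)` now forwards whatever `CommandUtil.convertToTSentryPrivilege(privilegeStr)` produced, including an unrecognized or missing scope and fields that do not belong to the scope. Unless the parser or the server already rejects such input (neither is visible in this diff), check `tSentryPrivilege.getPrivilegeScope()` against the known `PrivilegeScope` values before the call and throw an IllegalArgumentException otherwise. The returned privilege is also discarded, so the command cannot report what was actually granted.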
