Support listing/removal of all privileges
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/820900ae Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/820900ae Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/820900ae Branch: refs/heads/akolb-ha-cli Commit: 820900aef18bb77bf7d6ed0528314d12812fe195 Parents: 6b679e6 Author: Alexander Kolbasov <[email protected]> Authored: Tue Dec 13 18:29:26 2016 -0800 Committer: Alexander Kolbasov <[email protected]> Committed: Wed May 10 23:28:29 2017 -0700 ---------------------------------------------------------------------- .../org/apache/sentry/shell/PrivsShell.java | 9 ++ .../java/org/apache/sentry/shell/ShellUtil.java | 97 +++++++++++++++++--- .../org/apache/sentry/shell/TopLevelShell.java | 20 ++++ 3 files changed, 112 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java ----------------------------------------------------------------------
diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java b/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
index cf2ebbd..82369cd 100644
--- a/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
+++ b/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
@@ -35,10 +35,19 @@ public class PrivsShell implements ShellDependent { } @Command + public String list() { + return tools.listPrivileges(); + } + + @Command public List<String> list(String roleName) { return tools.listPrivileges(roleName); } + @Command + public void revoke(String roleName, String privilege) { + tools.revokePrivilegeFromRole(roleName, privilege); + } public PrivsShell(SentryPolicyServiceClient sentryClient, String authUser) { this.tools = new ShellUtil(sentryClient, authUser); http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java ---------------------------------------------------------------------- diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java index fbd382a..4decf28 100644 --- a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java +++ b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java @@ -22,7 +22,6 @@ import com.google.common.collect.Sets; import org.apache.commons.lang.StringUtils; import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.sentry.provider.db.service.thrift.*; -import org.apache.sentry.service.thrift.SentryServiceUtil; import org.apache.sentry.service.thrift.ServiceConstants; import java.util.*; 
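Review bot: The new `list()` returns a pre-formatted `String` while the sibling `list(String roleName)` directly below it returns `List<String>`, so the two overloads of one shell command are printed through different paths; the same pair appears as `listPrivileges()`/`listPrivileges(String)` in the TopLevelShell hunk. Since `ShellUtil.listPrivileges()` already builds one entry per role, returning those entries as a `List<String>` would keep the overloads uniform. `revoke` is added with a bare `@Command`; a description such as `@Command(description = "Revoke privilege from role")` would match the wording `grantPrivilege` uses in TopLevelShell.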
@@ -36,23 +35,13 @@ import static org.apache.sentry.service.thrift.SentryServiceUtil.convertToTSentr class ShellUtil { List<String> listRoles() { - Set<TSentryRole> roles = null; + List<String> roles = null; try { - roles = sentryClient.listRoles(authUser); + return getRoles(); } catch (SentryUserException e) { System.out.println("Error listing roles: " + e.toString()); } - List<String> result = new ArrayList<>(); - if (roles == null || roles.isEmpty()) { - return result; - } - - for(TSentryRole role: roles) { - result.add(role.getRoleName()); - } - - Collections.sort(result); - return result; + return new LinkedList<>(); } List<String> listRoles(String group) { 
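Review bot: The added local `List<String> roles = null;` in `listRoles()` is never read, because the try block now returns `getRoles()` directly; the declaration should be dropped. The failure path returns `new LinkedList<>()` where the removed code returned an `ArrayList`, and the success path returns the `ArrayList` built by `getRoles()`; `return new ArrayList<>();` keeps both paths on one list type. The error is still only printed to stdout, so a caller cannot distinguish "no roles" from "listing failed"; if that is intended, a one-line comment on the catch saying so would help the next reader.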
@@ -252,6 +241,86 @@ class ShellUtil { return result; } + /** + * List all privileges + * @return string with privilege info for all roles + */ + String listPrivileges() { + List<String> roles = null; + try { + roles = getRoles(); + } catch (SentryUserException e) { + System.out.println("failed to get role names: " + e.toString()); + } + + if (roles == null || roles.isEmpty()) { + return ""; + } + + StringBuilder result = new StringBuilder(); + for (String role: roles) { + List<String> privs = listPrivileges(role); + if (privs.isEmpty()) { + continue; + } + result.append(role).append(" = "); + result.append(StringUtils.join(listPrivileges(role), ",\n\t")); + result.append('\n'); + } + return result.toString(); + } + + void revokePrivilegeFromRole(String roleName, String privilegeStr) { + TSentryPrivilege tSentryPrivilege = convertToTSentryPrivilege(privilegeStr); + boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false; + + try { + if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { + sentryClient.revokeServerPrivilege(authUser, roleName, tSentryPrivilege.getServerName(), + grantOption); + return; + } + if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { + sentryClient.revokeDatabasePrivilege(authUser, roleName, tSentryPrivilege.getServerName(), + tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption); + return; + } + if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { + sentryClient.revokeTablePrivilege(authUser, roleName, tSentryPrivilege.getServerName(), + tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), + tSentryPrivilege.getAction(), grantOption); + return; + } + if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) { + sentryClient.revokeColumnPrivilege(authUser, roleName, 
tSentryPrivilege.getServerName(), + tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), + tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption); + return; + } + if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { + sentryClient.revokeURIPrivilege(authUser, roleName, tSentryPrivilege.getServerName(), + tSentryPrivilege.getURI(), grantOption); + return; + } + } catch (SentryUserException e) { + System.out.println("failed to revoke privilege: " + e.toString()); + } + } + + + private List<String>getRoles() throws SentryUserException { + // Collect role names + Set<TSentryRole> roles = null; + roles = sentryClient.listRoles(authUser); + List<String> roleNames = new ArrayList<>(); + for(TSentryRole role: roles) { + roleNames.add(role.getRoleName()); + } + + Collections.sort(roleNames); + return roleNames; + } + ShellUtil(SentryPolicyServiceClient sentryClient, String authUser) { this.sentryClient = sentryClient; this.authUser = authUser; http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java ---------------------------------------------------------------------- diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java b/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java index b677f0f..d5d74b4 100644 --- a/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java +++ b/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java 
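Review bot: `revokePrivilegeFromRole` silently does nothing when `getPrivilegeScope()` matches none of the five `if` branches, so the operator gets no output and the privilege stays granted; add a fallthrough after the last branch, `System.out.println("failed to revoke privilege: unsupported scope " + tSentryPrivilege.getPrivilegeScope());`. The `grantOption` line can be `boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());`, which drops the redundant `? true : false` and does not throw if the grant option is unset. In `listPrivileges()` the loop calls `listPrivileges(role)` twice per role, once into `privs` and again inside `StringUtils.join`, so the join should read `StringUtils.join(privs, ",\n\t")`. `getRoles()` no longer null-checks the result of `sentryClient.listRoles(authUser)` as the removed `listRoles()` body did; if the client can return null there, the for-each will throw.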
@@ -108,6 +108,26 @@ public class TopLevelShell implements ShellDependent, Runnable { tools.removeRoles(roles); } + @Command(description = "list Sentry privileges") + public String listPrivileges() { + return tools.listPrivileges(); + } + + @Command(description = "list Sentry privileges") + public List<String> listPrivileges(String roleName) { + return tools.listPrivileges(roleName); + } + + @Command(description = "Grant privilege to role") + public void grantPrivilege(String roleName, String privilege) { + tools.grantPrivilegeToRole(roleName, privilege); + } + + @Command + public void revokePrivilege(String roleName, String privilege) { + tools.revokePrivilegeFromRole(roleName, privilege); + } + @Override public void cliSetShell(Shell theShell) { this.shell = theShell;
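Review bot: `listPrivileges(String roleName)` carries the same `description = "list Sentry privileges"` as the no-argument overload above it, so the shell's help text cannot tell the two commands apart; `@Command(description = "list Sentry privileges for a role")` would. `revokePrivilege` is the only new command here with a bare `@Command`, while `grantPrivilege` directly above it documents itself; `@Command(description = "Revoke privilege from role")` keeps the pair symmetric.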
