SENTRY-1734: Create/Alter/Drop database/table should check corresponding property before drop privileges (Alex Kolbasov, reviewed by: Hao Hao)
Change-Id: Id0f6655b68f844e47e281b907b93f3442d33ccfe Reviewed-on: http://gerrit.sjc.cloudera.com:8080/22205 Tested-by: Jenkins User Reviewed-by: Alexander Kolbasov <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/ae2589d6 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/ae2589d6 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/ae2589d6 Branch: refs/for/cdh5-1.5.1_ha Commit: ae2589d67f1a745fcdeb9841589395534e3c1450 Parents: d419afe Author: Alexander Kolbasov <[email protected]> Authored: Sun Apr 30 18:56:32 2017 -0700 Committer: Alexander Kolbasov <[email protected]> Committed: Sun Apr 30 20:15:54 2017 -0700 ---------------------------------------------------------------------- .../sentry/service/thrift/HMSFollower.java | 107 +++++++++++-------- 1 file changed, 60 insertions(+), 47 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/ae2589d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
index fb35baf..122da84 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
@@ -32,12 +32,12 @@ import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hive.hcatalog.messaging.HCatEventMessage;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.core.common.exception.*;
-import org.apache.sentry.provider.db.SentryInvalidInputException;
-import org.apache.sentry.provider.db.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.exception.SentryInvalidHMSEventException;
 import org.apache.sentry.hdfs.PermissionsUpdate;
 import org.apache.sentry.hdfs.FullUpdateInitializer;
 import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
+import org.apache.sentry.provider.db.SentryInvalidInputException;
+import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
@@ -177,7 +177,7 @@ public class HMSFollower implements Runnable {
 throw e;
 } finally {
 // Shutdown kerberos context if HMS connection failed to setup to avoid thread leaks.
- if (kerberosContext != null && client == null) {
+ if ((kerberosContext != null) && (client == null)) {
 kerberosContext.shutDown();
 kerberosContext = null;
 }
@@ -285,7 +285,7 @@ public class HMSFollower implements Runnable {
 } else {
 LOGGER.error("ThriftException occured fetching Notification entries, will try", e);
 }
- } catch (SentryInvalidInputException|SentryInvalidHMSEventException e) {
+ } catch (SentryInvalidInputException |SentryInvalidHMSEventException e) {
 LOGGER.error("Encounter SentryInvalidInputException|SentryInvalidHMSEventException " +
 "while processing notification log", e);
 } catch (Throwable t) {
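Review bot: The rewritten multi-catch in the third hunk has uneven spacing around the type separator, `SentryInvalidInputException |SentryInvalidHMSEventException`; the conventional form is `} catch (SentryInvalidInputException | SentryInvalidHMSEventException e) {`. Worth a comment here as well: the two privilege-drop helpers later in this commit wrap any store failure as SentryInvalidInputException, so this branch also logs a failed privilege drop as though it were a malformed notification, and a reader cannot tell from the message which of the two happened. The enclosing loop starts and ends outside the hunk.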
@@ -359,7 +359,11 @@ public class HMSFollower implements Runnable { final CounterWait counterWait = sentryStore.getCounterWait(); for (NotificationEvent event : events) { - String dbName, tableName, oldLocation, newLocation, location; + String dbName; + String tableName; + String oldLocation; + String newLocation; + String location; List<String> locations; NotificationProcessor notificationProcessor = new NotificationProcessor(sentryStore, LOGGER); switch (HCatEventMessage.EventType.valueOf(event.getEventType())) { @@ -367,13 +371,15 @@ public class HMSFollower implements Runnable { SentryJSONCreateDatabaseMessage message = deserializer.getCreateDatabaseMessage(event.getMessage()); dbName = message.getDB(); location = message.getLocation(); - if (dbName == null || location == null) { + if ((dbName == null) || (location == null)) { throw new SentryInvalidHMSEventException(String.format("Create database event " + "has incomplete information. dbName = %s location = %s", StringUtils.defaultIfBlank(dbName, "null"), StringUtils.defaultIfBlank(location, "null"))); } - dropSentryDbPrivileges(dbName, event); + if (syncWithPolicyStore(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)) { + dropSentryDbPrivileges(dbName, event); + } notificationProcessor.processCreateDatabase(dbName,location, event.getEventId()); break; case DROP_DATABASE: 
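Review bot: The new `syncWithPolicyStore(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)` guard around `dropSentryDbPrivileges(dbName, event)` in the second hunk never says why a create event drops privileges, and a reader unfamiliar with the sync semantics will take it for a copy-paste error. Presumably the intent is that a database created under a name whose earlier incarnation was dropped must not inherit the old grants; suggest the comment `// Purge grants left over from a previously dropped database of the same name (create-sync).` above the guard, and the same one-line rationale at the drop-database, create-table and drop-table guards in the following hunks. The property is re-evaluated for every event in the loop; if syncWithPolicyStore (outside the hunk) reads configuration each time, the two lookups could be hoisted above the `for`. The switch and its enclosing method continue past the hunk.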
@@ -382,11 +388,12 @@ public class HMSFollower implements Runnable {
 dbName = dropDatabaseMessage.getDB();
 location = dropDatabaseMessage.getLocation();
 if (dbName == null) {
- throw new SentryInvalidHMSEventException(String.format("Drop database event " +
- "has incomplete information. dbName = %s",
- StringUtils.defaultIfBlank(dbName, "null")));
+ throw new SentryInvalidHMSEventException(
+ "Drop database event has incomplete information: dbName = null");
+ }
+ if (syncWithPolicyStore(AUTHZ_SYNC_DROP_WITH_POLICY_STORE)) {
+ dropSentryDbPrivileges(dbName, event);
 }
- dropSentryDbPrivileges(dbName, event);
 notificationProcessor.processDropDatabase(dbName, location, event.getEventId());
 break;
 case CREATE_TABLE:
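Review bot: The rewritten validation still checks only `dbName`, while `location` from `dropDatabaseMessage.getLocation()` is handed to `processDropDatabase` unchecked; every sibling branch in this switch validates its location field. If processDropDatabase (outside the hunk) cannot cope with a null location, extend the check to `if ((dbName == null) || (location == null)) {` with a message that names both fields, as the create-database branch does; if null is a legitimate value there, a short comment saying so would stop the next reader from re-raising this.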
@@ -394,27 +401,31 @@ public class HMSFollower implements Runnable {
 dbName = createTableMessage.getDB();
 tableName = createTableMessage.getTable();
 location = createTableMessage.getLocation();
- if (dbName == null || tableName == null || location == null) {
+ if ((dbName == null) || (tableName == null) || (location == null)) {
 throw new SentryInvalidHMSEventException(String.format("Create table event " +
 "has incomplete information. dbName = %s, tableName = %s, location = %s",
 StringUtils.defaultIfBlank(dbName, "null"),
 StringUtils.defaultIfBlank(tableName, "null"),
 StringUtils.defaultIfBlank(location, "null")));
 }
- dropSentryTablePrivileges(dbName, tableName, event);
+ if (syncWithPolicyStore(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)) {
+ dropSentryTablePrivileges(dbName, tableName, event);
+ }
 notificationProcessor.processCreateTable(dbName, tableName, location, event.getEventId());
 break;
 case DROP_TABLE:
 SentryJSONDropTableMessage dropTableMessage = deserializer.getDropTableMessage(event.getMessage());
 dbName = dropTableMessage.getDB();
 tableName = dropTableMessage.getTable();
- if (dbName == null || tableName == null) {
+ if ((dbName == null) || (tableName == null)) {
 throw new SentryInvalidHMSEventException(String.format("Drop table event " +
 "has incomplete information. dbName = %s, tableName = %s",
 StringUtils.defaultIfBlank(dbName, "null"),
 StringUtils.defaultIfBlank(tableName, "null")));
 }
- dropSentryTablePrivileges(dbName, tableName, event);
+ if (syncWithPolicyStore(AUTHZ_SYNC_DROP_WITH_POLICY_STORE)) {
+ dropSentryTablePrivileges(dbName, tableName, event);
+ }
 notificationProcessor.processDropTable(dbName, tableName, event.getEventId());
 break;
 case ALTER_TABLE:
@@ -427,8 +438,12 @@ public class HMSFollower implements Runnable { oldLocation = alterTableMessage.getOldLocation(); newLocation = alterTableMessage.getNewLocation(); - if (oldDbName == null || oldTableName == null || newDbName == null || newTableName == null || - oldLocation == null || newLocation == null) { + if ((oldDbName == null) || + (oldTableName == null) || + (newDbName == null) || + (newTableName == null) || + (oldLocation == null) || + (newLocation == null)) { throw new SentryInvalidHMSEventException(String.format("Alter table event " + "has incomplete information. oldDbName = %s, oldTableName = %s, oldLocation = %s, " + "newDbName = %s, newTableName = %s, newLocation = %s", @@ -460,7 +475,7 @@ public class HMSFollower implements Runnable { dbName = addPartitionMessage.getDB(); tableName = addPartitionMessage.getTable(); locations = addPartitionMessage.getLocations(); - if (dbName == null || tableName == null || locations == null) { + if ((dbName == null) || (tableName == null) || (locations == null)) { LOGGER.error(String.format("Create table event has incomplete information. " + "dbName = %s, tableName = %s, locations = %s", StringUtils.defaultIfBlank(dbName, "null"), @@ -476,7 +491,7 @@ public class HMSFollower implements Runnable { dbName = dropPartitionMessage.getDB(); tableName = dropPartitionMessage.getTable(); locations = dropPartitionMessage.getLocations(); - if (dbName == null || tableName == null || locations == null) { + if ((dbName == null) || (tableName == null) || (locations == null)) { throw new SentryInvalidHMSEventException(String.format("Drop partition event " + "has incomplete information. dbName = %s, tableName = %s, location = %s", StringUtils.defaultIfBlank(dbName, "null"), 
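Review bot: The ALTER_TABLE branch in the first hunk only gains a re-parenthesised null check; unlike the create and drop branches nothing here consults a sync property, although the commit title says alter should check its property too. Whatever privilege handling follows this check is below the hunk and not visible, so confirm it is gated on the alter-sync setting in the same way, and if it is, a one-line comment at the end of this check saying where that gate lives would save the next reader the search. The branch continues past the end of the hunk.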
@@ -494,7 +509,10 @@ public class HMSFollower implements Runnable { oldLocation = alterPartitionMessage.getOldLocation(); newLocation = alterPartitionMessage.getNewLocation(); - if (dbName == null || tableName == null || oldLocation == null || newLocation == null) { + if ((dbName == null) || + (tableName == null) || + (oldLocation == null) || + (newLocation == null)) { throw new SentryInvalidHMSEventException(String.format("Alter partition event " + "has incomplete information. dbName = %s, tableName = %s, " + "oldLocation = %s, newLocation = %s", @@ -507,6 +525,9 @@ public class HMSFollower implements Runnable { notificationProcessor.processAlterPartition(dbName, tableName, oldLocation, newLocation, event.getEventId()); break; + case INSERT: + // TODO DO we need to do anything here? + break; } currentEventID = event.getEventId(); // Wake up any HMS waiters that are waiting for this ID. 
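Review bot: The new `case INSERT:` in the second hunk carries a question as its only comment, `// TODO DO we need to do anything here?`, which reads as unfinished work in the privilege-sync path. If the answer is that an insert changes neither the set of authorizable objects nor their locations, say so in place of the question: `// INSERT does not create, drop or relocate an authorizable object, so there is nothing to sync.` With INSERT now the last case and no `default` branch visible, any other event type is skipped silently; a `default:` that logs the event type and id would make gaps in coverage observable instead of invisible. The switch and its enclosing loop continue outside the hunk.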
@@ -519,36 +540,28 @@ public class HMSFollower implements Runnable { } private void dropSentryDbPrivileges(String dbName, NotificationEvent event) throws Exception { - if (!syncWithPolicyStore(AUTHZ_SYNC_DROP_WITH_POLICY_STORE)) { - return; - } else { - try { - TSentryAuthorizable authorizable = new TSentryAuthorizable(hiveInstance); - authorizable.setDb(dbName); - sentryStore.dropPrivilege(authorizable, onDropSentryPrivilege(authorizable)); - } catch (SentryNoSuchObjectException e) { - LOGGER.info("Drop Sentry privilege ignored as there are no privileges on the database: %s", dbName); - } catch (Exception e) { - throw new SentryInvalidInputException("Could not process Drop database event." + - "Event: " + event.toString(), e); - } + try { + TSentryAuthorizable authorizable = new TSentryAuthorizable(hiveInstance); + authorizable.setDb(dbName); + sentryStore.dropPrivilege(authorizable, onDropSentryPrivilege(authorizable)); + } catch (SentryNoSuchObjectException e) { + LOGGER.info("Drop Sentry privilege ignored as there are no privileges on the database: %s", dbName); + } catch (Exception e) { + throw new SentryInvalidInputException("Could not process Drop database event." + + "Event: " + event.toString(), e); } } private void dropSentryTablePrivileges(String dbName, String tableName, NotificationEvent event) throws Exception { - if (!syncWithPolicyStore(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)) { - return; - } else { - try { - TSentryAuthorizable authorizable = new TSentryAuthorizable(hiveInstance); - authorizable.setDb(dbName); - authorizable.setTable(tableName); - sentryStore.dropPrivilege(authorizable, onDropSentryPrivilege(authorizable)); - } catch (SentryNoSuchObjectException e) { - LOGGER.info("Drop Sentry privilege ignored as there are no privileges on the table: %s.%s", dbName, tableName); - } catch (Exception e) { - throw new SentryInvalidInputException("Could not process Create table event. 
Event: " + event.toString(), e); - } + try { + TSentryAuthorizable authorizable = new TSentryAuthorizable(hiveInstance); + authorizable.setDb(dbName); + authorizable.setTable(tableName); + sentryStore.dropPrivilege(authorizable, onDropSentryPrivilege(authorizable)); + } catch (SentryNoSuchObjectException e) { + LOGGER.info("Drop Sentry privilege ignored as there are no privileges on the table: %s.%s", dbName, tableName); + } catch (Exception e) { + throw new SentryInvalidInputException("Could not process Create table event. Event: " + event.toString(), e); } }
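Review bot: Both helpers are now called from two event types but keep failure messages that name only one: dropSentryDbPrivileges reports `"Could not process Drop database event."` although it also runs for CREATE_DATABASE, and dropSentryTablePrivileges reports `"Could not process Create table event. ..."` although it also runs for DROP_TABLE, so a failure on the other path is misreported. Suggest wording that describes what failed rather than the caller, e.g. `"Could not drop Sentry privileges for database " + dbName + ". Event: " + event` and `"Could not drop Sentry privileges for table " + dbName + "." + tableName + ". Event: " + event`. The `catch (Exception e)` in each helper also converts any store failure into SentryInvalidInputException, which the run loop treats as bad input and logs; a drop that fails for a transient reason then leaves grants on an object that no longer exists, ready to apply to a later object of the same name, so consider letting non-input failures propagate (or at least logging them at error level with the object name) so they are retried or noticed. If LOGGER is an SLF4J logger, the `%s` in the two info messages is not a placeholder and dbName/tableName are never rendered; the placeholder form is `{}`.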
