SENTRY-1979 - Consolidate code for converting Hive privilege objects to Strings
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/cd3a60ab
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/cd3a60ab
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/cd3a60ab
Branch: refs/heads/akolb-cli
Commit: cd3a60abf10d526b6cc5ee2d4cec3c2709fe5b24
Parents: e901041
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Oct 17 09:46:29 2017 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Oct 17 09:46:29 2017 +0100
----------------------------------------------------------------------
.../db/tools/command/hive/CommandUtil.java | 60 +-------------------
.../command/hive/GrantPrivilegeToRoleCmd.java | 4 +-
.../tools/command/hive/ListPrivilegesCmd.java | 56 ++----------------
.../hive/RevokePrivilegeFromRoleCmd.java | 6 +-
.../provider/db/tools/TestSentryShellHive.java | 12 ++--
5 files changed, 17 insertions(+), 121 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/cd3a60ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
index 51ee9ef..b6f4140 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
@@ -18,76 +18,20 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.KeyValue; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.service.thrift.ServiceConstants; public final class CommandUtil { public static final String SPLIT_CHAR = ","; - + private CommandUtil() { // Make constructor private to avoid instantiation } - // parse the privilege in String and get the TSentryPrivilege as result - public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception { - TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); - for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { - KeyValue tempKV = new KeyValue(authorizable); - String key = tempKV.getKey(); - String value = tempKV.getValue(); - - if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setServerName(value); - } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setDbName(value); - } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setTableName(value); - } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setColumnName(value); - } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setURI(value); - tSentryPrivilege.setAction(AccessConstants.ALL); - } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setAction(value); - } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) { 
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE - : TSentryGrantOption.FALSE; - tSentryPrivilege.setGrantOption(grantOption); - } - } - tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege)); - validatePrivilegeHierarchy(tSentryPrivilege); - return tSentryPrivilege; - } - - // for the different hierarchy for hive: - // 1: server->url - // 2: server->database->table->column - // if both of them are found in the privilege string, the privilege scope will be set as - // PrivilegeScope.URI - private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) { - ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER; - if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) { - privilegeScope = ServiceConstants.PrivilegeScope.URI; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) { - privilegeScope = ServiceConstants.PrivilegeScope.COLUMN; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) { - privilegeScope = ServiceConstants.PrivilegeScope.TABLE; - } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) { - privilegeScope = ServiceConstants.PrivilegeScope.DATABASE; - } - return privilegeScope.toString(); - } - // check the privilege value for the specific privilege scope // eg, for the table scope, server and database can't be empty - private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception { + public static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception { String serverName = tSentryPrivilege.getServerName(); String dbName = tSentryPrivilege.getDbName(); String tableName = tSentryPrivilege.getTableName(); http://git-wip-us.apache.org/repos/asf/sentry/blob/cd3a60ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java 
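Review bot: `validatePrivilegeHierarchy` is made public at the end of this hunk but keeps only the two `//` lines above it, and nothing records that callers now have to invoke it themselves, since the converter that used to call it is removed here. I would replace those lines with Javadoc such as `/** Checks that the parent authorizables required by the privilege's scope are set, e.g. table scope needs server and database. Call this on every parsed privilege before sending it to the service. */` and add an `@throws Exception` line naming the failure. The method body continues outside the hunk, so which combinations it rejects cannot be confirmed from here.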
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
index e3d06a9..f530c00 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
@@ -19,6 +19,7 @@ package org.apache.sentry.provider.db.tools.command.hive;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.SentryServiceUtil;
 /**
 * The class for admin command to grant privilege to role.
@@ -35,7 +36,8 @@ public class GrantPrivilegeToRoleCmd implements Command {
 @Override
 public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
+ TSentryPrivilege tSentryPrivilege = SentryServiceUtil.convertToTSentryPrivilege(privilegeStr);
+ CommandUtil.validatePrivilegeHierarchy(tSentryPrivilege);
 client.grantPrivilege(requestorName, roleName, tSentryPrivilege);
 }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/cd3a60ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
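Review bot: In `execute`, parsing and hierarchy validation are now two separate calls, so the check that the removed `CommandUtil.convertToTSentryPrivilege` ran internally only happens when each command remembers the second line; `RevokePrivilegeFromRoleCmd.execute` repeats the same pair. A single helper in `CommandUtil` that converts and then validates, with both commands calling it (`TSentryPrivilege tSentryPrivilege = CommandUtil.parseAndValidate(privilegeStr);`, the name is only a suggestion), would keep a later command from passing an unvalidated privilege to `client.grantPrivilege`. The removed converter also called `setPrivilegeScope(...)` before validating; `SentryServiceUtil.convertToTSentryPrivilege` is not shown in this diff, so it is worth confirming that it sets the scope as well.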
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java index 5f3e9fb..2cc4f71 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java @@ -17,16 +17,11 @@ */ package org.apache.sentry.provider.db.tools.command.hive; -import com.google.common.collect.Lists; -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.common.utils.PolicyFileConstants; +import java.util.Set; + import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; - -import java.util.List; -import java.util.Set; +import org.apache.sentry.service.thrift.SentryServiceUtil; /** * The class for admin command to list privileges. 
@@ -45,53 +40,10 @@ public class ListPrivilegesCmd implements Command { .listAllPrivilegesByRoleName(requestorName, roleName); if (privileges != null) { for (TSentryPrivilege privilege : privileges) { - String privilegeStr = convertToPrivilegeStr(privilege); + String privilegeStr = SentryServiceUtil.convertTSentryPrivilegeToStr(privilege); System.out.println(privilegeStr); } } } - // convert TSentryPrivilege to privilege in string - private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) { - List<String> privileges = Lists.newArrayList(); - if (tSentryPrivilege != null) { - String serverName = tSentryPrivilege.getServerName(); - String dbName = tSentryPrivilege.getDbName(); - String tableName = tSentryPrivilege.getTableName(); - String columnName = tSentryPrivilege.getColumnName(); - String uri = tSentryPrivilege.getURI(); - String action = tSentryPrivilege.getAction(); - String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" - : "false"); - if (!StringUtils.isEmpty(serverName)) { - privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME, - serverName)); - if (!StringUtils.isEmpty(uri)) { - privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME, - uri)); - } else if (!StringUtils.isEmpty(dbName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName)); - if (!StringUtils.isEmpty(tableName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName)); - if (!StringUtils.isEmpty(columnName)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName)); - } - } - } - if (!StringUtils.isEmpty(action)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); - } - } - // only append the grant option to privilege string if it's true - if ("true".equals(grantOption)) 
{ - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); - } - } - return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); - } } http://git-wip-us.apache.org/repos/asf/sentry/blob/cd3a60ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java index fe6aca5..4acecee 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java @@ -19,6 +19,7 @@ package org.apache.sentry.provider.db.tools.command.hive; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.service.thrift.SentryServiceUtil; /** * The class for admin command to revoke privileges from role. 
@@ -35,8 +36,9 @@ public class RevokePrivilegeFromRoleCmd implements Command { @Override public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception { - TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr); - client.revokePrivilege(requestorName, roleName, tSentryPrivilege); + TSentryPrivilege tSentryPrivilege = SentryServiceUtil.convertToTSentryPrivilege(privilegeStr); + CommandUtil.validatePrivilegeHierarchy(tSentryPrivilege); + client.revokePrivilege(requestorName, roleName, tSentryPrivilege); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/cd3a60ab/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java index 81059c5..8335bcc 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java @@ -212,9 +212,8 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); - // for the uri privilege, the action will be awalys * args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; + "server=server1->uri=hdfs://path/testuri->action=*", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); // test the list privilege with -lp 
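Review bot: The `-gpr` input for the URI privilege now has to spell out `->action=*`, and the comment saying the action is always `*` is dropped, which suggests the shared converter no longer defaults the action the way the removed `tSentryPrivilege.setAction(AccessConstants.ALL)` did. Nothing in this test pins what happens to the old short form `server=server1->uri=hdfs://path/testuri`; for `-rpr` in particular, a revoke that no longer matches would leave the privilege in place without any error. I would add a case that passes the short form to `-gpr` and `-rpr` and asserts the outcome, either a rejection or the expected privilege count. The same gap applies to the hunks at -250, -310 and -349, and the test method itself starts outside these hunks.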
@@ -230,7 +229,6 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert")); assertTrue(privilegeStrs .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true")); - // for the uri privilege, the action will be awalys * assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*")); // test: revoke privilege from role with -rpr @@ -250,7 +248,7 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { assertEquals("Incorrect number of privileges", 4, privileges.size()); args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; + "server=server1->uri=hdfs://path/testuri->action=*", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 3, privileges.size()); @@ -310,9 +308,8 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); - // for the uri privilege, the action will be awalys * args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; + "server=server1->uri=hdfs://path/testuri->action=*", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); // test the list privilege with -lp 
@@ -329,7 +326,6 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert")); assertTrue(privilegeStrs .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true")); - // for the uri privilege, the action will be awalys * assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*")); // test: revoke privilege from role with -rpr @@ -349,7 +345,7 @@ public class TestSentryShellHive extends SentryServiceIntegrationBase { assertEquals("Incorrect number of privileges", 4, privileges.size()); args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p", - "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; + "server=server1->uri=hdfs://path/testuri->action=*", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 3, privileges.size());
