SENTRY-1974 - Consolidate the Solr + Kafka PrivilegeValidators into a single GenericPrivilegeValidator. - Reviewed by kalyan kumar kalvagadda.
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/3d0f4705 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/3d0f4705 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/3d0f4705 Branch: refs/heads/akolb-cli Commit: 3d0f470529ebc2dc2df7e17f20ba3c13aa13b4d2 Parents: 0607322 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Oct 6 15:56:06 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Oct 6 15:56:06 2017 +0100 ---------------------------------------------------------------------- .../sentry/kafka/binding/KafkaAuthBinding.java | 4 +- .../binding/solr/authz/SolrAuthzBinding.java | 4 +- .../tools/GenericPrivilegeConverter.java | 178 +++++++++++++++++++ .../tools/KafkaTSentryPrivilegeConverter.java | 128 ------------- .../db/generic/tools/SentryConfigToolSolr.java | 2 +- .../db/generic/tools/SentryShellGeneric.java | 17 +- .../tools/SolrTSentryPrivilegeConverter.java | 137 -------------- .../generic/tools/TestSentryConfigToolSolr.java | 2 +- 8 files changed, 187 insertions(+), 285 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java index d9dcbb7..7a36c5f 100644 --- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java +++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java 
@@ -61,7 +61,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericService import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.generic.tools.KafkaTSentryPrivilegeConverter; +import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter; import org.apache.sentry.service.thrift.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -156,7 +156,7 @@ public class KafkaAuthBinding { // for convenience, set the PrivilegeConverter. if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { - authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, KafkaTSentryPrivilegeConverter.class.getName()); + authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); } // Instantiate the configured providerBackend http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java index 37adb56..0a818e5 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java +++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java 
@@ -54,7 +54,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericService import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.tools.SolrTSentryPrivilegeConverter; +import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter; import org.apache.sentry.service.thrift.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -124,7 +124,7 @@ public class SolrAuthzBinding { // for convenience, set the PrivilegeConverter. if (authzConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { - authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, SolrTSentryPrivilegeConverter.class.getName()); + authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); } // the SearchProviderBackend is deleted in SENTRY-828, this is for the compatible with the http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java new file mode 100644 index 0000000..ea8cf07 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java 
@@ -0,0 +1,178 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.generic.tools; + +import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR; +import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; +import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE; + +import com.google.common.collect.Lists; + +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; + +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.utils.KeyValue; +import org.apache.sentry.core.common.utils.PolicyFileConstants; +import org.apache.sentry.core.common.utils.SentryConstants; +import org.apache.sentry.core.common.validator.PrivilegeValidator; +import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; +import org.apache.sentry.core.model.kafka.KafkaAuthorizable; +import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables; +import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel; +import org.apache.sentry.core.model.search.SearchModelAuthorizables; +import org.apache.sentry.core.model.search.SearchPrivilegeModel; +import 
org.apache.sentry.provider.common.AuthorizationComponent; +import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; +import org.apache.shiro.config.ConfigurationException; + +/** + * A TSentryPrivilegeConverter implementation for "Generic" privileges, covering Apache Kafka and Apache Solr. + * It converts privilege Strings to TSentryPrivilege Objects, and vice versa, for Generic clients. + * + * When a privilege String is converted to a TSentryPrivilege in "fromString", the validators associated with the + * given privilege model are also called on the privilege String. + */ +public class GenericPrivilegeConverter implements TSentryPrivilegeConverter { + private String component; + private String service; + private boolean validate; + + public GenericPrivilegeConverter(String component, String service) { + this(component, service, true); + } + + public GenericPrivilegeConverter(String component, String service, boolean validate) { + this.component = component; + this.service = service; + this.validate = validate; + } + + public TSentryPrivilege fromString(String privilegeStr) throws Exception { + privilegeStr = parsePrivilegeString(privilegeStr); + if (validate) { + validatePrivilegeHierarchy(privilegeStr); + } + + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); + List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>(); + for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { + KeyValue keyValue = new KeyValue(authorizable); + String key = keyValue.getKey(); + String value = keyValue.getValue(); + + Authorizable authz = getAuthorizable(keyValue); + if (authz != null) { + authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName())); + } 
else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { + tSentryPrivilege.setAction(value); + } else { + throw new IllegalArgumentException("Unknown key: " + key); + } + } + + if (tSentryPrivilege.getAction() == null) { + throw new IllegalArgumentException("Privilege is invalid: action required but not specified."); + } + tSentryPrivilege.setComponent(component); + tSentryPrivilege.setServiceName(service); + tSentryPrivilege.setAuthorizables(authorizables); + return tSentryPrivilege; + } + + public String toString(TSentryPrivilege tSentryPrivilege) { + List<String> privileges = Lists.newArrayList(); + if (tSentryPrivilege != null) { + List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables(); + String action = tSentryPrivilege.getAction(); + String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" + : "false"); + + Iterator<TAuthorizable> it = authorizables.iterator(); + if (it != null) { + while (it.hasNext()) { + TAuthorizable tAuthorizable = it.next(); + privileges.add(SentryConstants.KV_JOINER.join( + tAuthorizable.getType(), tAuthorizable.getName())); + } + } + + if (!authorizables.isEmpty()) { + privileges.add(SentryConstants.KV_JOINER.join( + PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); + } + + // only append the grant option to privilege string if it's true + if ("true".equals(grantOption)) { + privileges.add(SentryConstants.KV_JOINER.join( + PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); + } + } + return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); + } + + private String parsePrivilegeString(String privilegeStr) { + if (AuthorizationComponent.KAFKA.equals(component)) { + final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR; + final String hostPrefixLowerCase = hostPrefix.toLowerCase(); + if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) { + return hostPrefix + RESOURCE_WILDCARD_VALUE + 
AUTHORIZABLE_SEPARATOR + privilegeStr; + } + } + + return privilegeStr; + } + + private void validatePrivilegeHierarchy(String privilegeStr) throws Exception { + List<PrivilegeValidator> validators = getPrivilegeValidators(); + PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr); + for (PrivilegeValidator validator : validators) { + try { + validator.validate(context); + } catch (ConfigurationException e) { + throw new IllegalArgumentException(e); + } + } + } + + private List<PrivilegeValidator> getPrivilegeValidators() throws Exception { + if (AuthorizationComponent.KAFKA.equals(component)) { + return KafkaPrivilegeModel.getInstance().getPrivilegeValidators(); + } else if ("SOLR".equals(component)) { + return SearchPrivilegeModel.getInstance().getPrivilegeValidators(); + } + + throw new Exception("Invalid component specified for GenericPrivilegeCoverter: " + component); + } + + private Authorizable getAuthorizable(KeyValue keyValue) throws Exception { + if (AuthorizationComponent.KAFKA.equals(component)) { + return KafkaModelAuthorizables.from(keyValue); + } else if ("SOLR".equals(component)) { + return SearchModelAuthorizables.from(keyValue); + } + + throw new Exception("Invalid component specified for GenericPrivilegeCoverter: " + component); + } + +} http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java deleted file mode 100644 index c1aac6a..0000000 
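Review bot: The merged `fromString` loop no longer restricts Solr authorizables to `Collection`. The deleted SolrTSentryPrivilegeConverter threw `IllegalArgumentException("Unknown authorizable type: ...")` for anything else, while the new loop adds whatever `SearchModelAuthorizables.from(keyValue)` returns. With `validate` set to false, as SentryConfigToolSolr does, nothing visible in this file rejects those entries before they are placed in the TSentryPrivilege. If the widening is intended, say so in the class Javadoc; otherwise restore the guard for the Solr branch (it needs the `org.apache.sentry.core.model.search.Collection` import), e.g. `if ("SOLR".equals(component) && !(authz instanceof Collection)) { throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName()); }`. The loop also throws `Unknown key` for Kafka strings where the old Kafka converter skipped unrecognised keys, so a string carrying the grant option that `toString` emits presumably no longer parses; the dropped "don't support grant" comment should be carried over to record that.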
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java +++ /dev/null 
@@ -1,128 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - -import com.google.common.collect.Lists; -import org.apache.sentry.core.common.utils.KeyValue; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.common.validator.PrivilegeValidator; -import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; -import org.apache.sentry.core.model.kafka.KafkaAuthorizable; -import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables; -import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; -import org.apache.shiro.config.ConfigurationException; - -import java.util.Iterator; -import java.util.LinkedList; -import java.util.List; - -import static 
org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR; -import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE; - -public class KafkaTSentryPrivilegeConverter implements TSentryPrivilegeConverter { - private String component; - private String service; - - public KafkaTSentryPrivilegeConverter(String component, String service) { - this.component = component; - this.service = service; - } - - public TSentryPrivilege fromString(String privilegeStr) throws Exception { - final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR; - final String hostPrefixLowerCase = hostPrefix.toLowerCase(); - if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) { - privilegeStr = hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr; - } - validatePrivilegeHierarchy(privilegeStr); - TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); - List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>(); - for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { - KeyValue keyValue = new KeyValue(authorizable); - String key = keyValue.getKey(); - String value = keyValue.getValue(); - - // is it an authorizable? 
- KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue); - if (authz != null) { - authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName())); - - } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setAction(value); - } - } - - if (tSentryPrivilege.getAction() == null) { - throw new IllegalArgumentException("Privilege is invalid: action required but not specified."); - } - tSentryPrivilege.setComponent(component); - tSentryPrivilege.setServiceName(service); - tSentryPrivilege.setAuthorizables(authorizables); - return tSentryPrivilege; - } - - public String toString(TSentryPrivilege tSentryPrivilege) { - List<String> privileges = Lists.newArrayList(); - if (tSentryPrivilege != null) { - List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables(); - String action = tSentryPrivilege.getAction(); - String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" - : "false"); - - Iterator<TAuthorizable> it = authorizables.iterator(); - if (it != null) { - while (it.hasNext()) { - TAuthorizable tAuthorizable = it.next(); - privileges.add(SentryConstants.KV_JOINER.join( - tAuthorizable.getType(), tAuthorizable.getName())); - } - } - - if (!authorizables.isEmpty()) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); - } - - // only append the grant option to privilege string if it's true - if ("true".equals(grantOption)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); - } - } - return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); - } - - private static void validatePrivilegeHierarchy(String privilegeStr) { - List<PrivilegeValidator> validators = KafkaPrivilegeModel.getInstance().getPrivilegeValidators(); - PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr); - for (PrivilegeValidator validator : 
validators) { - try { - validator.validate(context); - } catch (ConfigurationException e) { - throw new IllegalArgumentException(e); - } - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java index b958b09..b2664de 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java @@ -106,7 +106,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon { Set<String> roles = Sets.newHashSet(); Table<String, String, Set<String>> groupRolePrivilegeTable = policyFileBackend.getGroupRolePrivilegeTable(); - SolrTSentryPrivilegeConverter converter = new SolrTSentryPrivilegeConverter(component, service, false); + GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false); for (String groupName : groupRolePrivilegeTable.rowKeySet()) { for (String roleName : groupRolePrivilegeTable.columnKeySet()) { http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java index 49523a4..e3edc29 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java @@ -34,7 +34,6 @@ import org.apache.sentry.provider.db.generic.tools.command.GrantPrivilegeToRoleC import org.apache.sentry.provider.db.generic.tools.command.ListPrivilegesByRoleCmd; import org.apache.sentry.provider.db.generic.tools.command.ListRolesCmd; import org.apache.sentry.provider.db.generic.tools.command.RevokePrivilegeFromRoleCmd; -import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; import org.apache.sentry.provider.db.tools.SentryShellCommon; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -73,15 +72,15 @@ public class SentryShellGeneric extends SentryShellCommon { command = new DeleteRoleFromGroupCmd(roleName, groupName, component); } else if (isGrantPrivilegeRole) { command = new GrantPrivilegeToRoleCmd(roleName, component, - privilegeStr, getPrivilegeConverter(component, service)); + privilegeStr, new GenericPrivilegeConverter(component, service)); } else if (isRevokePrivilegeRole) { command = new RevokePrivilegeFromRoleCmd(roleName, component, - privilegeStr, getPrivilegeConverter(component, service)); + privilegeStr, new GenericPrivilegeConverter(component, service)); } else if (isListRole) { command = new ListRolesCmd(groupName, component); } else if (isListPrivilege) { command = new ListPrivilegesByRoleCmd(roleName, component, - service, getPrivilegeConverter(component, service)); + service, new GenericPrivilegeConverter(component, service)); } // check the requestor name 
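Review bot: An unsupported component is no longer rejected when the converter is obtained. The three `new GenericPrivilegeConverter(component, service)` calls accept any string, and the class checks it only inside `fromString` (through `getAuthorizable`, with an exact case-sensitive match), never in `toString`. The removed `getPrivilegeConverter` helper failed up front with "Invalid type specified", so the list-privileges path, which presumably only formats, would now run with a component the converter does not recognise. Consider validating in the GenericPrivilegeConverter constructor, e.g. `if (!AuthorizationComponent.KAFKA.equals(component) && !"SOLR".equals(component)) { throw new IllegalArgumentException("Unsupported component: " + component); }`. This also covers the KafkaAuthBinding and SolrAuthzBinding hunks, whose component values are not visible here. The enclosing method starts and ends outside this hunk.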
@@ -116,16 +115,6 @@ public class SentryShellGeneric extends SentryShellCommon { throw new Exception("Invalid type specified for SentryShellGeneric: " + type); } - private TSentryPrivilegeConverter getPrivilegeConverter(String component, String service) throws Exception { - if (type == TYPE.kafka) { - return new KafkaTSentryPrivilegeConverter(component, service); - } else if (type == TYPE.solr) { - return new SolrTSentryPrivilegeConverter(component, service); - } - - throw new Exception("Invalid type specified for SentryShellGeneric: " + type); - } - private Configuration getSentryConf() { Configuration conf = new Configuration(); conf.addResource(new Path(confPath)); http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java deleted file mode 100644 index f24ebed..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java +++ /dev/null 
@@ -1,137 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.tools; - -import com.google.common.collect.Lists; - -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.model.search.Collection; -import org.apache.sentry.core.model.search.SearchModelAuthorizable; -import org.apache.sentry.core.common.validator.PrivilegeValidator; -import org.apache.sentry.core.common.validator.PrivilegeValidatorContext; -import org.apache.sentry.core.model.search.SearchModelAuthorizables; -import org.apache.sentry.core.model.search.SearchPrivilegeModel; -import org.apache.sentry.core.common.utils.KeyValue; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; -import org.apache.shiro.config.ConfigurationException; - -import java.util.Iterator; -import java.util.LinkedList; -import java.util.List; - -public class 
SolrTSentryPrivilegeConverter implements TSentryPrivilegeConverter { - private String component; - private String service; - private boolean validate; - - public SolrTSentryPrivilegeConverter(String component, String service) { - this(component, service, true); - } - - public SolrTSentryPrivilegeConverter(String component, String service, boolean validate) { - this.component = component; - this.service = service; - this.validate = validate; - } - - public TSentryPrivilege fromString(String privilegeStr) throws Exception { - if (validate) { - validatePrivilegeHierarchy(privilegeStr); - } - - TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); - List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>(); - for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { - KeyValue keyValue = new KeyValue(authorizable); - String key = keyValue.getKey(); - String value = keyValue.getValue(); - - // is it an authorizable? - SearchModelAuthorizable authz = SearchModelAuthorizables.from(keyValue); - if (authz != null) { - if (authz instanceof Collection) { - Collection coll = (Collection)authz; - authorizables.add(new TAuthorizable(coll.getTypeName(), coll.getName())); - } else { - throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName()); - } - } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { - tSentryPrivilege.setAction(value); - // Limitation: don't support grant at this time, since the existing solr use cases don't need it. 
- } else { - throw new IllegalArgumentException("Unknown key: " + key); - } - } - - if (tSentryPrivilege.getAction() == null) { - throw new IllegalArgumentException("Privilege is invalid: action required but not specified."); - } - tSentryPrivilege.setComponent(component); - tSentryPrivilege.setServiceName(service); - tSentryPrivilege.setAuthorizables(authorizables); - return tSentryPrivilege; - } - - public String toString(TSentryPrivilege tSentryPrivilege) { - List<String> privileges = Lists.newArrayList(); - if (tSentryPrivilege != null) { - List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables(); - String action = tSentryPrivilege.getAction(); - String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" - : "false"); - - Iterator<TAuthorizable> it = authorizables.iterator(); - if (it != null) { - while (it.hasNext()) { - TAuthorizable tAuthorizable = it.next(); - privileges.add(SentryConstants.KV_JOINER.join( - tAuthorizable.getType(), tAuthorizable.getName())); - } - } - - if (!authorizables.isEmpty()) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); - } - - // only append the grant option to privilege string if it's true - if ("true".equals(grantOption)) { - privileges.add(SentryConstants.KV_JOINER.join( - PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); - } - } - return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); - } - - private static void validatePrivilegeHierarchy(String privilegeStr) { - List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators(); - PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr); - for (PrivilegeValidator validator : validators) { - try { - validator.validate(context); - } catch (ConfigurationException e) { - throw new IllegalArgumentException(e); - } - } - } -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java index d199d20..4b274fd 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java @@ -133,7 +133,7 @@ public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBas } // check privileges - SolrTSentryPrivilegeConverter convert = new SolrTSentryPrivilegeConverter(SOLR, service); + GenericPrivilegeConverter convert = new GenericPrivilegeConverter(SOLR, service); for (String role : roles) { Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName( requestorName, role, SOLR, service);
