Merge branch 'master' into akolb-cli
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/8be62797 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/8be62797 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/8be62797 Branch: refs/heads/akolb-cli Commit: 8be62797b1e6e476f1d012eb6a35feb128a708c2 Parents: 99f03c3 6fa0288 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Oct 27 10:22:15 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Oct 27 10:22:15 2017 +0100 ---------------------------------------------------------------------- .../DefaultSentryAccessController.java | 2 +- .../hive/ql/exec/SentryGrantRevokeTask.java | 2 +- .../authz/DefaultSentryAccessController.java | 2 +- .../sentry/kafka/binding/KafkaAuthBinding.java | 6 +- .../sentry/sqoop/binding/SqoopAuthBinding.java | 8 +- .../sentry/core/common/utils/PathUtils.java | 9 ++ .../org/apache/sentry/hdfs/PathsUpdate.java | 9 +- .../org/apache/sentry/hdfs/TestPathsUpdate.java | 32 ++++-- .../provider/db/generic/UpdatableCache.java | 2 +- .../thrift/SentryGenericServiceClient.java | 14 +-- .../SentryGenericServiceClientDefaultImpl.java | 12 +- .../tools/GenericPrivilegeConverter.java | 13 ++- .../db/generic/tools/SentryConfigToolSolr.java | 2 +- .../db/generic/tools/SentryShellGeneric.java | 58 +++++----- .../tools/command/AddRoleToGroupCmd.java | 46 -------- .../db/generic/tools/command/Command.java | 27 ----- .../db/generic/tools/command/CreateRoleCmd.java | 39 ------- .../tools/command/DeleteRoleFromGroupCmd.java | 46 -------- .../db/generic/tools/command/DropRoleCmd.java | 39 ------- .../tools/command/GenericShellCommand.java | 112 +++++++++++++++++++ .../tools/command/GrantPrivilegeToRoleCmd.java | 47 -------- .../tools/command/ListPrivilegesByRoleCmd.java | 54 --------- .../db/generic/tools/command/ListRolesCmd.java | 53 --------- .../command/RevokePrivilegeFromRoleCmd.java | 47 -------- 
.../command/TSentryPrivilegeConverter.java | 3 +- .../db/service/persistent/SentryStore.java | 3 +- .../thrift/SentryPolicyServiceClient.java | 2 +- .../SentryPolicyServiceClientDefaultImpl.java | 2 +- .../provider/db/tools/SentryShellHive.java | 42 +++---- .../sentry/provider/db/tools/ShellCommand.java | 44 ++++++++ .../provider/db/tools/command/hive/Command.java | 27 ----- .../db/tools/command/hive/CommandUtil.java | 2 +- .../db/tools/command/hive/CreateRoleCmd.java | 37 ------ .../db/tools/command/hive/DropRoleCmd.java | 37 ------ .../command/hive/GrantPrivilegeToRoleCmd.java | 43 ------- .../command/hive/GrantRoleToGroupsCmd.java | 44 -------- .../db/tools/command/hive/HiveShellCommand.java | 108 ++++++++++++++++++ .../tools/command/hive/ListPrivilegesCmd.java | 49 -------- .../db/tools/command/hive/ListRolesCmd.java | 51 --------- .../hive/RevokePrivilegeFromRoleCmd.java | 44 -------- .../command/hive/RevokeRoleFromGroupsCmd.java | 43 ------- .../service/thrift/NotificationProcessor.java | 3 +- .../TestAuditLogForSentryGenericService.java | 8 +- .../TestSentryGenericServiceIntegration.java | 48 ++++---- .../generic/tools/TestSentryConfigToolSolr.java | 4 +- .../db/generic/tools/TestSentryShellKafka.java | 2 +- .../db/generic/tools/TestSentryShellSolr.java | 2 +- .../db/generic/tools/TestSentryShellSqoop.java | 2 +- .../thrift/TestSentryPolicyServiceClient.java | 4 +- .../thrift/TestSentryServiceClientPool.java | 6 +- .../thrift/TestSentryServiceFailureCase.java | 2 +- .../thrift/TestSentryServiceIntegration.java | 8 +- .../TestSentryServiceWithInvalidMsgSize.java | 10 +- .../provider/db/tools/TestSentryShellHive.java | 2 +- .../thrift/SentryServiceIntegrationBase.java | 2 +- .../e2e/dbprovider/TestConcurrentClients.java | 2 +- .../metastore/SentryPolicyProviderForDb.java | 2 +- .../e2e/dbprovider/TestConcurrentClients.java | 2 +- .../AbstractTestWithStaticConfiguration.java | 7 +- .../metastore/SentryPolicyProviderForDb.java | 2 +- 
.../e2e/kafka/AbstractKafkaSentryTestBase.java | 14 ++- .../sentry/tests/e2e/kafka/TestAuthorize.java | 5 +- .../AbstractSolrSentryTestWithDbProvider.java | 4 +- .../e2e/sqoop/AbstractSqoopSentryTestBase.java | 2 +- .../java/org/apache/sentry/shell/ShellUtil.java | 6 +- 65 files changed, 472 insertions(+), 939 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/8be62797/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java ---------------------------------------------------------------------- diff --cc sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java index bea53c8,0000000..daf9b73 mode 100644,000000..100644 --- a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java +++ b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java @@@ -1,261 -1,0 +1,261 @@@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + +package org.apache.sentry.shell; + +import com.google.common.collect.Sets; +import org.apache.commons.lang.StringUtils; +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.provider.db.service.thrift.*; +import org.apache.sentry.provider.db.tools.command.hive.CommandUtil; + +import java.util.*; + +import static org.apache.sentry.service.thrift.SentryServiceUtil.convertTSentryPrivilegeToStr; +import static org.apache.sentry.service.thrift.SentryServiceUtil.convertToTSentryPrivilege; + +/** + * ShellUtil implements actual commands + */ +class ShellUtil { + + private final SentryPolicyServiceClient sentryClient; + private final String authUser; + + ShellUtil(SentryPolicyServiceClient sentryClient, String authUser) { + this.sentryClient = sentryClient; + this.authUser = authUser; + } + + List<String> listRoles() { + return listRoles(null); + } + + List<String> listRoles(String group) { + Set<TSentryRole> roles = null; + try { + if (StringUtils.isEmpty(group)) { - roles = sentryClient.listRoles(authUser); ++ roles = sentryClient.listAllRoles(authUser); + } else { + roles = sentryClient.listRolesByGroupName(authUser, group); + } + } catch (SentryUserException e) { + System.out.println("Error listing roles: " + e.toString()); + } + List<String> result = new ArrayList<>(); + if (roles == null || roles.isEmpty()) { + return result; + } + + for (TSentryRole role : roles) { + result.add(role.getRoleName()); + } + + Collections.sort(result); + return result; + } + + void createRoles(String ...roles) { + for (String role : roles) { + try { + sentryClient.createRole(authUser, role); + } catch (SentryUserException e) { + System.out.printf("failed to create role %s: %s\n", + role, e.toString()); + } + } + } + + void dropRoles(String ...roles) { + for (String role : roles) { + try { + sentryClient.dropRole(authUser, role); + } catch (SentryUserException e) { + System.out.printf("failed to drop role %s: %s\n", + role, e.toString()); 
+ } + } + } + + List<String> listGroups() { + Set<TSentryRole> roles = null; + + try { - roles = sentryClient.listRoles(authUser); ++ roles = sentryClient.listAllRoles(authUser); + } catch (SentryUserException e) { + System.out.println("Error reading roles: " + e.toString()); + } + + if (roles == null || roles.isEmpty()) { + return new ArrayList<>(); + } + + // Set of all group names + Set<String> groupNames = new HashSet<>(); + + // Get all group names + for (TSentryRole role: roles) { + for (TSentryGroup group: role.getGroups()) { + groupNames.add(group.getGroupName()); + } + } + + List<String> result = new ArrayList<>(groupNames); + + Collections.sort(result); + return result; + } + + List<String> listGroupRoles() { + Set<TSentryRole> roles = null; + + try { - roles = sentryClient.listRoles(authUser); ++ roles = sentryClient.listAllRoles(authUser); + } catch (SentryUserException e) { + System.out.println("Error reading roles: " + e.toString()); + } + + if (roles == null || roles.isEmpty()) { + return new ArrayList<>(); + } + + // Set of all group names + Set<String> groupNames = new HashSet<>(); + + // Map group to set of roles + Map<String, Set<String>> groupInfo = new HashMap<>(); + + // Get all group names + for (TSentryRole role: roles) { + for (TSentryGroup group: role.getGroups()) { + String groupName = group.getGroupName(); + groupNames.add(groupName); + Set<String> groupRoles = groupInfo.get(groupName); + if (groupRoles != null) { + // Add a new or existing role + groupRoles.add(role.getRoleName()); + continue; + } + // Never seen this group before + groupRoles = new HashSet<>(); + groupRoles.add(role.getRoleName()); + groupInfo.put(groupName, groupRoles); + } + } + + List<String> groups = new ArrayList<>(groupNames); + Collections.sort(groups); + + // Produce printable result as + // group1 = role1, role2, ... + // group2 = ... 
+ List<String> result = new LinkedList<>(); + for(String groupName: groups) { + result.add(groupName + " = " + + StringUtils.join(groupInfo.get(groupName), ", ")); + } + return result; + } + + void grantGroupsToRole(String roleName, String ...groups) { + try { + sentryClient.grantRoleToGroups(authUser, roleName, Sets.newHashSet(groups)); + } catch (SentryUserException e) { + System.out.printf("Failed to gran role %s to groups: %s\n", + roleName, e.toString()); + } + } + + void revokeGroupsFromRole(String roleName, String ...groups) { + try { + sentryClient.revokeRoleFromGroups(authUser, roleName, Sets.newHashSet(groups)); + } catch (SentryUserException e) { + System.out.printf("Failed to revoke role %s to groups: %s\n", + roleName, e.toString()); + } + } + + void grantPrivilegeToRole(String roleName, String privilege) { + TSentryPrivilege tPriv = convertToTSentryPrivilege(privilege); + try { + CommandUtil.validatePrivilegeHierarchy(tPriv); + sentryClient.grantPrivilege(authUser, roleName, tPriv); + } catch (SentryUserException | IllegalArgumentException e) { + System.out.println("Error granting privilege: " + e.toString()); + } + } + + List<String> listPrivileges(String roleName) { + Set<TSentryPrivilege> privileges = null; + try { + privileges = sentryClient + .listAllPrivilegesByRoleName(authUser, roleName); + } catch (SentryUserException e) { + System.out.println("Failed to list privileges: " + e.toString()); + } + + List<String> result = new LinkedList<>(); + if (privileges == null || privileges.isEmpty()) { + return result; + } + + for (TSentryPrivilege privilege : privileges) { + String privilegeStr = convertTSentryPrivilegeToStr(privilege); + if (privilegeStr.isEmpty()) { + continue; + } + result.add(privilegeStr); + } + return result; + } + + /** + * List all privileges + * @return string with privilege info for all roles + */ + String listPrivileges() { + List<String> roles = listRoles(null); + if (roles == null || roles.isEmpty()) { + return ""; + } + + 
StringBuilder result = new StringBuilder(); + for (String role: roles) { + List<String> privs = listPrivileges(role); + if (privs.isEmpty()) { + continue; + } + result.append(role).append(" = "); + result.append(StringUtils.join(listPrivileges(role), ",\n\t")); + result.append('\n'); + } + return result.toString(); + } + + void revokePrivilegeFromRole(String roleName, String privilegeStr) { + TSentryPrivilege tSentryPrivilege = convertToTSentryPrivilege(privilegeStr); + try { + CommandUtil.validatePrivilegeHierarchy(tSentryPrivilege); + sentryClient.revokePrivilege(authUser, roleName, tSentryPrivilege); + } catch (SentryUserException | IllegalArgumentException e) { + System.out.println("failed to revoke privilege: " + e.toString()); + } + } + + +}
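Review bot: The no-arg `listPrivileges()` near the end of the hunk fetches each role's privileges twice: it stores `List<String> privs = listPrivileges(role)` for the emptiness check, then calls `listPrivileges(role)` again inside `StringUtils.join(...)`, which is a second `listAllPrivilegesByRoleName` round-trip to the Sentry service per role; if that second call fails, its error is printed and the empty fallback list is joined, so the role line is emitted with no privileges even though the first call succeeded. Use the list already in hand: `result.append(StringUtils.join(privs, ",\n\t"));`. Separately, the user-facing messages in `grantGroupsToRole` and `revokeGroupsFromRole` read `"Failed to gran role %s to groups: %s\n"` and `"Failed to revoke role %s to groups: %s\n"`; they should be `"Failed to grant role %s to groups: %s\n"` and `"Failed to revoke role %s from groups: %s\n"` so operators reading the shell output see what actually failed.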
