Use CommmandUtil to validate the privilege hierarchy
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/99f03c35 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/99f03c35 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/99f03c35 Branch: refs/heads/master Commit: 99f03c35dc53bb5076b015faa27375829b2f2c38 Parents: 36fb263 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Oct 23 10:30:43 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Oct 23 10:30:43 2017 +0100
----------------------------------------------------------------------
.../db/tools/command/hive/CommandUtil.java | 2 +- .../java/org/apache/sentry/shell/ShellUtil.java | 113 ++++--------------- 2 files changed, 21 insertions(+), 94 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/99f03c35/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
index b6f4140..5c228bf 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
@@ -31,7 +31,7 @@ public final class CommandUtil {
 // check the privilege value for the specific privilege scope
 // eg, for the table scope, server and database can't be empty
- public static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
+ public static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) {
 String serverName = tSentryPrivilege.getServerName();
 String dbName = tSentryPrivilege.getDbName();
 String tableName = tSentryPrivilege.getTableName();
http://git-wip-us.apache.org/repos/asf/sentry/blob/99f03c35/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
----------------------------------------------------------------------
diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
index 4904fac..bea53c8 100644
--- a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
+++ b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
@@ -22,7 +22,7 @@ import com.google.common.collect.Sets;
 import org.apache.commons.lang.StringUtils;
 import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.provider.db.service.thrift.*;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.provider.db.tools.command.hive.CommandUtil;
 import java.util.*;
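Review bot: The new signature of validatePrivilegeHierarchy drops `throws Exception` but the hunk does not say what it raises instead; the ShellUtil callers in this same commit catch `IllegalArgumentException` around it, so the contract is currently inferred by callers rather than stated on the method. Since the method exists to reject privileges whose parent scope names are missing, the two `//` lines should become Javadoc with a summary and `@throws IllegalArgumentException if a scope name required by the privilege's scope (e.g. server or database for a table privilege) is empty`, assuming that is indeed the type the body raises. The method body continues outside the hunk, so I cannot confirm the exception type from here.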
@@ -43,18 +43,17 @@ class ShellUtil {
 }
 List<String> listRoles() {
- try {
- return getRoles();
- } catch (SentryUserException e) {
- System.out.println("Error listing roles: " + e.toString());
- }
- return new LinkedList<>();
+ return listRoles(null);
 }
 List<String> listRoles(String group) {
 Set<TSentryRole> roles = null;
 try {
- roles = sentryClient.listRolesByGroupName(authUser, group);
+ if (StringUtils.isEmpty(group)) {
+ roles = sentryClient.listRoles(authUser);
+ } else {
+ roles = sentryClient.listRolesByGroupName(authUser, group);
+ }
 } catch (SentryUserException e) {
 System.out.println("Error listing roles: " + e.toString());
 }
@@ -63,7 +62,7 @@ class ShellUtil {
 return result;
 }
- for(TSentryRole role: roles) {
+ for (TSentryRole role : roles) {
 result.add(role.getRoleName());
 }
@@ -72,7 +71,7 @@ class ShellUtil {
 }
 void createRoles(String ...roles) {
- for (String role: roles) {
+ for (String role : roles) {
 try {
 sentryClient.createRole(authUser, role);
 } catch (SentryUserException e) {
@@ -83,7 +82,7 @@ class ShellUtil {
 }
 void dropRoles(String ...roles) {
- for (String role: roles) {
+ for (String role : roles) {
 try {
 sentryClient.dropRole(authUser, role);
 } catch (SentryUserException e) {
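Review bot: The deleted `getRoles()` sorted the role names with `Collections.sort` before returning them, while the surviving loop in `listRoles(String)` appends them in whatever order the server returns; whether a sort follows is not visible (lines 70–71 of ShellUtil fall between the second and third hunks), so `listRoles()` and `listPrivileges()` (the later hunk at @@ -256) may now print roles in an unstable order. If no sort is present there, `Collections.sort(result);` before the final return restores the old behaviour. Separately, `StringUtils.isEmpty(group)` now routes an empty-string group to `listRoles(authUser)` where it previously went to `listRolesByGroupName(authUser, "")`; a one-line comment such as `// null or empty group means "all roles"` would make that intentional. The body of `listRoles(String)` is split across hunks, so part of it is outside this view.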
@@ -193,36 +192,10 @@ class ShellUtil {
 void grantPrivilegeToRole(String roleName, String privilege) {
 TSentryPrivilege tPriv = convertToTSentryPrivilege(privilege);
- boolean grantOption = tPriv.getGrantOption().equals(TSentryGrantOption.TRUE);
 try {
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tPriv.getPrivilegeScope())) {
- sentryClient.grantServerPrivilege(authUser, roleName, tPriv.getServerName(),
- tPriv.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tPriv.getPrivilegeScope())) {
- sentryClient.grantDatabasePrivilege(authUser, roleName, tPriv.getServerName(),
- tPriv.getDbName(), tPriv.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tPriv.getPrivilegeScope())) {
- sentryClient.grantTablePrivilege(authUser, roleName, tPriv.getServerName(),
- tPriv.getDbName(), tPriv.getTableName(),
- tPriv.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tPriv.getPrivilegeScope())) {
- sentryClient.grantColumnPrivilege(authUser, roleName, tPriv.getServerName(),
- tPriv.getDbName(), tPriv.getTableName(),
- tPriv.getColumnName(), tPriv.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.URI.toString().equals(tPriv.getPrivilegeScope())) {
- sentryClient.grantURIPrivilege(authUser, roleName, tPriv.getServerName(),
- tPriv.getURI(), grantOption);
- return;
- }
- } catch (SentryUserException e) {
+ CommandUtil.validatePrivilegeHierarchy(tPriv);
+ sentryClient.grantPrivilege(authUser, roleName, tPriv);
+ } catch (SentryUserException | IllegalArgumentException e) {
 System.out.println("Error granting privilege: " + e.toString());
 }
 }
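Review bot: The new `catch (SentryUserException | IllegalArgumentException e)` wraps both the local hierarchy check and the `grantPrivilege` RPC, so an `IllegalArgumentException` thrown by the client call itself (a programming error, not bad user input) is reported under the same "Error granting privilege" message as a malformed privilege string, and the operator cannot tell which one happened on a tool that changes authorization state. Validating before entering the RPC try block, with its own message, keeps input rejection separate from server-side failures and avoids swallowing unexpected runtime exceptions from the client; the same pattern is introduced in `revokePrivilegeFromRole` (hunk at @@ -282) and should be adjusted there too. Note that `convertToTSentryPrivilege(privilege)` stays outside any try in both methods, so whatever it throws on unparseable input still escapes — worth confirming against its body, which is not in this hunk.
```java
  void grantPrivilegeToRole(String roleName, String privilege) {
    TSentryPrivilege tPriv = convertToTSentryPrivilege(privilege);
    try {
      CommandUtil.validatePrivilegeHierarchy(tPriv);
    } catch (IllegalArgumentException e) {
      // Reject malformed input before any RPC; keep the message distinct from server-side failures.
      System.out.println("Invalid privilege '" + privilege + "': " + e.toString());
      return;
    }
    try {
      sentryClient.grantPrivilege(authUser, roleName, tPriv);
    } catch (SentryUserException e) {
      System.out.println("Error granting privilege: " + e.toString());
    }
  }
```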
@@ -236,13 +209,13 @@ class ShellUtil {
 System.out.println("Failed to list privileges: " + e.toString());
 }
+ List<String> result = new LinkedList<>();
 if (privileges == null || privileges.isEmpty()) {
- return new ArrayList<>();
+ return result;
 }
- List<String> result = new LinkedList<>();
 for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = convertTSentryPrivilegeToStr(privilege);
+ String privilegeStr = convertTSentryPrivilegeToStr(privilege);
 if (privilegeStr.isEmpty()) {
 continue;
 }
@@ -256,13 +229,7 @@ class ShellUtil {
 * @return string with privilege info for all roles
 */
 String listPrivileges() {
- List<String> roles = null;
- try {
- roles = getRoles();
- } catch (SentryUserException e) {
- System.out.println("failed to get role names: " + e.toString());
- }
-
+ List<String> roles = listRoles(null);
 if (roles == null || roles.isEmpty()) {
 return "";
 }
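Review bot: `roles == null` in `listPrivileges()` is now a dead check: as far as the visible return statements of `listRoles(String)` show (hunk at @@ -43 / @@ -63), it always returns the `result` list and never null, so the condition should read `if (roles.isEmpty()) {` — keeping the null test suggests a contract the callee does not have. In the first hunk the hoisted `List<String> result = new LinkedList<>();` is only appended to and iterated, where `new ArrayList<>()` is the conventional choice and also matches the `ArrayList` the removed line returned. Both enclosing methods extend past the hunk boundaries.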
@@ -282,53 +249,13 @@ class ShellUtil {
 void revokePrivilegeFromRole(String roleName, String privilegeStr) {
 TSentryPrivilege tSentryPrivilege = convertToTSentryPrivilege(privilegeStr);
- boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
-
 try {
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- sentryClient.revokeServerPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
- grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- sentryClient.revokeDatabasePrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- sentryClient.revokeTablePrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- sentryClient.revokeColumnPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
- return;
- }
- if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- sentryClient.revokeURIPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getURI(), grantOption);
- return;
- }
- } catch (SentryUserException e) {
+ CommandUtil.validatePrivilegeHierarchy(tSentryPrivilege);
+ sentryClient.revokePrivilege(authUser, roleName, tSentryPrivilege);
+ } catch (SentryUserException | IllegalArgumentException e) {
 System.out.println("failed to revoke 
privilege: " + e.toString());
 }
 }
- private List<String>getRoles() throws SentryUserException {
- // Collect role names
- Set<TSentryRole> roles = null;
- roles = sentryClient.listRoles(authUser);
- List<String> roleNames = new ArrayList<>();
- for(TSentryRole role: roles) {
- roleNames.add(role.getRoleName());
- }
-
- Collections.sort(roleNames);
- return roleNames;
- }
-
 }
