SENTRY-2207 Refactor out Sentry CLI from sentry-provider-db into own module. Steve Moist, reviewed by Colm O hEigeartaigh.
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/6752f14a Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/6752f14a Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/6752f14a Branch: refs/heads/master Commit: 6752f14aafad2f9ead0198f2f840db120182b268 Parents: 0668237 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Apr 30 17:34:56 2018 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Apr 30 17:35:33 2018 +0100 ---------------------------------------------------------------------- bin/sentryShell | 10 +- pom.xml | 2 +- sentry-provider/sentry-provider-db/pom.xml | 13 + .../generic/SentryGenericProviderBackend.java | 2 +- .../provider/db/generic/UpdatableCache.java | 2 +- .../tools/GenericPrivilegeConverter.java | 6 +- .../tools/PermissionsMigrationToolCommon.java | 348 ----------- .../tools/PermissionsMigrationToolSolr.java | 109 ---- .../generic/tools/SentryConfigToolCommon.java | 152 ----- .../generic/tools/SentryConfigToolIndexer.java | 340 ---------- .../db/generic/tools/SentryConfigToolSolr.java | 264 -------- .../db/generic/tools/SentryShellGeneric.java | 158 ----- .../db/generic/tools/SentryShellIndexer.java | 124 ---- .../tools/TSentryPrivilegeConverter.java | 35 ++ .../tools/command/GenericShellCommand.java | 155 ----- .../command/TSentryPrivilegeConverter.java | 34 - .../provider/db/tools/SentrySchemaHelper.java | 315 ---------- .../provider/db/tools/SentrySchemaTool.java | 595 ------------------ .../provider/db/tools/SentryShellCommon.java | 284 --------- .../provider/db/tools/SentryShellHive.java | 118 ---- .../sentry/provider/db/tools/ShellCommand.java | 47 -- .../db/tools/command/hive/CommandUtil.java | 63 -- .../db/tools/command/hive/HiveShellCommand.java | 152 ----- .../tools/TestPermissionsMigrationToolSolr.java | 362 ----------- .../tools/TestSentryConfigToolIndexer.java | 263 -------- 
.../generic/tools/TestSentryConfigToolSolr.java | 261 -------- .../generic/tools/TestSentryShellIndexer.java | 526 ---------------- .../db/generic/tools/TestSentryShellKafka.java | 550 ----------------- .../db/generic/tools/TestSentryShellSolr.java | 534 ---------------- .../db/generic/tools/TestSentryShellSqoop.java | 532 ---------------- .../provider/db/tools/TestSentrySchemaTool.java | 94 --- .../provider/db/tools/TestSentryShellHive.java | 613 ------------------- .../src/test/resources/indexer_case.ini | 26 - .../resources/indexer_config_import_tool.ini | 29 - .../src/test/resources/indexer_invalid.ini | 21 - .../src/test/resources/solr_case.ini | 26 - .../test/resources/solr_config_import_tool.ini | 29 - .../src/test/resources/solr_invalid.ini | 21 - sentry-tools/pom.xml | 44 +- .../main/java/org/apache/sentry/SentryMain.java | 2 +- .../tools/PermissionsMigrationToolCommon.java | 349 +++++++++++ .../cli/tools/PermissionsMigrationToolSolr.java | 109 ++++ .../cli/tools/SentryConfigToolCommon.java | 152 +++++ .../cli/tools/SentryConfigToolIndexer.java | 341 +++++++++++ .../sentry/cli/tools/SentryConfigToolSolr.java | 265 ++++++++ .../sentry/cli/tools/SentrySchemaHelper.java | 315 ++++++++++ .../sentry/cli/tools/SentrySchemaTool.java | 595 ++++++++++++++++++ .../sentry/cli/tools/SentryShellCommon.java | 284 +++++++++ .../sentry/cli/tools/SentryShellGeneric.java | 157 +++++ .../sentry/cli/tools/SentryShellHive.java | 118 ++++ .../sentry/cli/tools/SentryShellIndexer.java | 124 ++++ .../apache/sentry/cli/tools/ShellCommand.java | 47 ++ .../cli/tools/command/GenericShellCommand.java | 156 +++++ .../cli/tools/command/hive/CommandUtil.java | 63 ++ .../tools/command/hive/HiveShellCommand.java | 152 +++++ .../org/apache/sentry/shell/GroupShell.java | 2 +- .../org/apache/sentry/shell/PrivsShell.java | 2 +- .../org/apache/sentry/shell/RolesShell.java | 2 +- .../org/apache/sentry/shell/TopLevelShell.java | 8 +- .../tools/TestPermissionsMigrationToolSolr.java | 362 
+++++++++++ .../cli/tools/TestSentryConfigToolIndexer.java | 263 ++++++++ .../cli/tools/TestSentryConfigToolSolr.java | 260 ++++++++ .../sentry/cli/tools/TestSentrySchemaTool.java | 113 ++++ .../sentry/cli/tools/TestSentryShellHive.java | 613 +++++++++++++++++++ .../cli/tools/TestSentryShellIndexer.java | 525 ++++++++++++++++ .../sentry/cli/tools/TestSentryShellKafka.java | 549 +++++++++++++++++ .../sentry/cli/tools/TestSentryShellSolr.java | 533 ++++++++++++++++ .../sentry/cli/tools/TestSentryShellSqoop.java | 531 ++++++++++++++++ sentry-tools/src/test/resources/cacerts.jks | Bin 0 -> 954 bytes .../src/test/resources/indexer_case.ini | 26 + .../resources/indexer_config_import_tool.ini | 29 + .../src/test/resources/indexer_invalid.ini | 21 + sentry-tools/src/test/resources/keystore.jks | Bin 0 -> 2245 bytes .../src/test/resources/log4j.properties | 34 + sentry-tools/src/test/resources/solr_case.ini | 26 + .../test/resources/solr_config_import_tool.ini | 29 + .../src/test/resources/solr_invalid.ini | 21 + 77 files changed, 7266 insertions(+), 7171 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/bin/sentryShell ---------------------------------------------------------------------- diff --git a/bin/sentryShell b/bin/sentryShell index 17b1429..140f7ce 100755 --- a/bin/sentryShell +++ b/bin/sentryShell 
@@ -54,15 +54,15 @@ for f in ${SENTRY_HOME}/lib/plugins/*.jar; do done args=() -shell=org.apache.sentry.provider.db.tools.SentryShellHive +shell=org.apache.sentry.cli.tools.SentryShellHive # get the type argument for the command while [ $# -gt 0 ]; do # Until you run out of parameters . . . if [[ "$1" = "-t" || "$1" = "--type" ]]; then case $2 in - "hive") shell=org.apache.sentry.provider.db.tools.SentryShellHive ;; - "kafka") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;; - "solr") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;; - "sqoop") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;; + "hive") shell=org.apache.sentry.cli.tools.SentryShellHive ;; + "kafka") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;; + "solr") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;; + "sqoop") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;; *) echo "Doesn't support the type $2!"; exit 1 ;; esac fi http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 16a3838..262a9d8 100644 --- a/pom.xml +++ b/pom.xml @@ -1048,7 +1048,7 @@ limitations under the License. <exclude>%regex[org.apache.sentry.provider.db.service.thrift.*.class]</exclude> <exclude>%regex[org.apache.solr.handler.admin.*.class]</exclude> <exclude>%regex[org.apache.sentry.provider.db.generic.service.thrift.*.class]</exclude> - <exclude>%regex[org.apache.sentry.provider.db.generic.tools.*.class]</exclude> + <exclude>%regex[org.apache.sentry.cli.tools.*.class]</exclude> </excludes> </configuration> </plugin> http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml index b8cccfa..369e262 100644 
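Review bot: The replacement exclude in the root pom.xml hunk, `<exclude>%regex[org.apache.sentry.cli.tools.*.class]</exclude>`, appears to match more tests than the pattern it replaces. The old pattern covered only `provider.db.generic.tools`, while the diffstat shows TestSentryShellHive and TestSentrySchemaTool moving from `provider/db/tools` into the same `cli/tools` package, so they would now be excluded as well. Those tests cover the grant/revoke shell and the schema tool of an authorization service, so it is worth confirming that skipping them is intended. If it is not, narrow the regex to the former generic-tools tests, or add an XML comment above the exclude stating why the whole package is skipped and which build runs it instead. The enclosing plugin and profile lie outside the hunk, so the affected build cannot be determined from here.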
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -398,6 +398,19 @@ limitations under the License.
 </execution>
 </executions>
 </plugin>
+ <!--This is to export SentryGenericServiceIntegrationBase across Modules -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.2</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
 </plugins>
 <pluginManagement>
 <plugins>
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
index cf552b1..fe0eb07 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
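Review bot: The added maven-jar-plugin block in sentry-provider-db/pom.xml packages every test class and test resource of the module into the test-jar, although its comment says only SentryGenericServiceIntegrationBase needs to be shared. An `<includes>` filter in the plugin `<configuration>` would keep unrelated test fixtures (test configuration, keys or credentials, if the module has any) out of an artifact that gets installed and possibly deployed. The inline `<version>2.2</version>` would also be better placed in the parent `<pluginManagement>`, or dropped if the parent already manages this plugin, so build-plugin versions can be audited in one place. Consuming modules should declare the dependency with `<type>test-jar</type>` and `<scope>test</scope>` so it never reaches a runtime classpath.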
@@ -35,7 +35,7 @@ import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
 import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
 import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter;
 import org.apache.sentry.service.thrift.ServiceConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
index edf0934..31fcfc7 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
@@ -18,7 +18,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.sentry.provider.common.TableCache; import org.apache.sentry.provider.db.generic.service.thrift.*; -import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; +import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter; import org.apache.sentry.service.thrift.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java index 8de543c..82b21ef 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java @@ -1,4 +1,5 @@ -/** +/* + * * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information @@ -7,7 +8,7 @@ * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, 
@@ -48,7 +49,6 @@ import org.apache.sentry.provider.common.AuthorizationComponent; import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter; import org.apache.shiro.config.ConfigurationException; /** http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java deleted file mode 100644 index e3d81f8..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java +++ /dev/null 
@@ -1,348 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools; - -import java.util.Collection; -import java.util.Collections; -import java.util.Optional; -import java.util.Set; - -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.GnuParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Option; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; -import org.apache.commons.cli.Parser; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.Path; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.core.common.utils.PolicyFiles; -import org.apache.sentry.core.common.utils.Version; -import org.apache.sentry.policy.common.PrivilegeUtils; -import org.apache.sentry.provider.common.ProviderBackendContext; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory; -import 
org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.file.SimpleFileProviderBackend; -import org.apache.shiro.config.Ini; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.collect.Sets; -import com.google.common.collect.Table; - -/** - * This class provides basic framework required to migrate permissions between different Sentry - * versions. Individual components (e.g. SOLR, KAFKA) needs to override the this class - * to provide component specific migration functionality. - */ -public abstract class PermissionsMigrationToolCommon { - private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsMigrationToolCommon.class); - public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name"; - - private Version sourceVersion; - private Optional<String> confPath = Optional.empty(); - private Optional<String> policyFile = Optional.empty(); - private Optional<String> outputFile = Optional.empty(); - private boolean dryRun = false; - - /** - * @return version of Sentry for which the privileges need to be migrated. - */ - public final Version getSourceVersion() { - return sourceVersion; - } - - /** - * This method returns the name of the component for the migration purpose. - * @param conf The Sentry configuration - * @return the name of the component - */ - protected abstract String getComponent(Configuration conf); - - - /** - * This method returns the name of the service name for the migration purpose. - * - * @param conf The Sentry configuration - * @return the name of the service - */ - protected abstract String getServiceName(Configuration conf); - - /** - * Migrate the privileges specified via <code>privileges</code>. - * - * @param privileges A collection of privileges to be migrated. 
- * @return A collection of migrated privileges - * An empty collection if migration is not necessary for the specified privileges. - */ - protected abstract Collection<String> transformPrivileges (Collection<String> privileges); - - /** - * parse arguments - * <pre> - * -s,--source Sentry source version - * -c,--sentry_conf <filepath> sentry config file path - * -p --policy_file <filepath> sentry (source) policy file path - * -o --output <filepath> sentry (target) policy file path - * -d --dry_run provides the output the migration for inspection without - * making any configuration changes. - * -h,--help print usage - * </pre> - * @param args - */ - protected boolean parseArgs(String [] args) { - Options options = new Options(); - - Option sourceVersionOpt = new Option("s", "source", true, "Source Sentry version"); - sourceVersionOpt.setRequired(true); - options.addOption(sourceVersionOpt); - - Option sentryConfPathOpt = new Option("c", "sentry_conf", true, - "sentry-site.xml file path (only required in case of Sentry service)"); - sentryConfPathOpt.setRequired(false); - options.addOption(sentryConfPathOpt); - - Option sentryPolicyFileOpt = new Option("p", "policy_file", true, - "sentry (source) policy file path (only in case of file based Sentry configuration)"); - sentryPolicyFileOpt.setRequired(false); - options.addOption(sentryPolicyFileOpt); - - Option sentryOutputFileOpt = new Option("o", "output", true, - "sentry (target) policy file path (only in case of file based Sentry configuration)"); - sentryOutputFileOpt.setRequired(false); - options.addOption(sentryOutputFileOpt); - - Option dryRunOpt = new Option("d", "dry_run", false, - "provides the output the migration for inspection without making actual configuration changes"); - dryRunOpt.setRequired(false); - options.addOption(dryRunOpt); - - // help option - Option helpOpt = new Option("h", "help", false, "Shell usage"); - helpOpt.setRequired(false); - options.addOption(helpOpt); - - // this Option is 
parsed first for help option - Options helpOptions = new Options(); - helpOptions.addOption(helpOpt); - - try { - Parser parser = new GnuParser(); - - // parse help option first - CommandLine cmd = parser.parse(helpOptions, args, true); - for (Option opt : cmd.getOptions()) { - if (opt.getOpt().equals("h")) { - // get the help option, print the usage and exit - usage(options); - return false; - } - } - - // without help option - cmd = parser.parse(options, args); - - String sourceVersionStr = null; - - for (Option opt : cmd.getOptions()) { - if (opt.getOpt().equals("s")) { - sourceVersionStr = opt.getValue(); - } else if (opt.getOpt().equals("c")) { - confPath = Optional.of(opt.getValue()); - } else if (opt.getOpt().equals("p")) { - policyFile = Optional.of(opt.getValue()); - } else if (opt.getOpt().equals("o")) { - outputFile = Optional.of(opt.getValue()); - } else if (opt.getOpt().equals("d")) { - dryRun = true; - } - } - - sourceVersion = Version.parse(sourceVersionStr); - - if (!(confPath.isPresent() || policyFile.isPresent())) { - System.out.println("Please select either file-based Sentry configuration (-p and -o flags)" - + " or Sentry service (-c flag) for migration."); - usage(options); - return false; - } - - if (confPath.isPresent() && (policyFile.isPresent() || outputFile.isPresent())) { - System.out.println("In order to migrate service based Sentry configuration," - + " do not specify either -p or -o parameters"); - usage(options); - return false; - } - - if (!confPath.isPresent() && (policyFile.isPresent() ^ outputFile.isPresent())) { - System.out.println("In order to migrate file based Sentry configuration," - + " please make sure to specify both -p and -o parameters."); - usage(options); - return false; - } - - } catch (ParseException | java.text.ParseException pe) { - System.out.println(pe.getMessage()); - usage(options); - return false; - } - return true; - } - - // print usage - private void usage(Options sentryOptions) { - HelpFormatter formatter 
= new HelpFormatter(); - formatter.printHelp("sentryMigrationTool", sentryOptions); - } - - public void run() throws Exception { - if (policyFile.isPresent()) { - migratePolicyFile(); - } else { - migrateSentryServiceConfig(); - } - } - - private void migrateSentryServiceConfig() throws Exception { - Configuration conf = getSentryConf(); - String component = getComponent(conf); - String serviceName = getServiceName(conf); - GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, serviceName, false); - - // instantiate a client for sentry service. This sets the ugi, so must - // be done before getting the ugi below. - try(SentryGenericServiceClient client = - SentryGenericServiceClientFactory.create(getSentryConf())) { - UserGroupInformation ugi = UserGroupInformation.getLoginUser(); - String requestorName = ugi.getShortUserName(); - - for (TSentryRole r : client.listAllRoles(requestorName, component)) { - for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestorName, - r.getRoleName(), component, serviceName)) { - - String privilegeStr = converter.toString(p); - Collection<String> privileges = Collections.singleton(privilegeStr); - Collection<String> migrated = transformPrivileges(privileges); - if (!migrated.isEmpty()) { - LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), r.getRoleName(), - privileges, migrated); - - /* - * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration - * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions - * like crash of Sentry server or network disconnect between client/server, it is possible that the migration - * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege - * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency - * due to such failures. 
- **/ - boolean originalPermPresent = false; - for (String perm : migrated) { - if (perm.equalsIgnoreCase(privilegeStr)) { - originalPermPresent = true; - continue; - } - TSentryPrivilege x = converter.fromString(perm); - LOGGER.info("{} GRANT permission {}", getDryRunMessage(), perm); - if (!dryRun) { - client.grantPrivilege(requestorName, r.getRoleName(), component, x); - } - } - - // Revoke old permission (only if not part of migrated permissions) - if (!originalPermPresent) { - LOGGER.info("{} REVOKE permission {}", getDryRunMessage(), privilegeStr); - if (!dryRun) { - client.revokePrivilege(requestorName, r.getRoleName(), component, p); - } - } - } - } - } - } - } - - private void migratePolicyFile () throws Exception { - Configuration conf = getSentryConf(); - Path sourceFile = new Path (policyFile.get()); - SimpleFileProviderBackend policyFileBackend = new SimpleFileProviderBackend(conf, sourceFile); - ProviderBackendContext ctx = new ProviderBackendContext(); - policyFileBackend.initialize(ctx); - - Set<String> roles = Sets.newHashSet(); - Table<String, String, Set<String>> groupRolePrivilegeTable = - policyFileBackend.getGroupRolePrivilegeTable(); - - Ini output = PolicyFiles.loadFromPath(sourceFile.getFileSystem(conf), sourceFile); - Ini.Section rolesSection = output.get(PolicyFileConstants.ROLES); - - for (String groupName : groupRolePrivilegeTable.rowKeySet()) { - for (String roleName : policyFileBackend.getRoles(Collections.singleton(groupName), ActiveRoleSet.ALL)) { - if (!roles.contains(roleName)) { - // Do the actual migration - Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName); - Collection<String> migrated = transformPrivileges(privileges); - - if (!migrated.isEmpty()) { - LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), - roleName, privileges, migrated); - if (!dryRun) { - rolesSection.put(roleName, PrivilegeUtils.fromPrivilegeStrings(migrated)); - } - } - - roles.add(roleName); - } - } 
- } - - if (!dryRun) { - Path targetFile = new Path (outputFile.get()); - PolicyFiles.writeToPath(output, targetFile.getFileSystem(conf), targetFile); - LOGGER.info("Successfully saved migrated Sentry policy file at {}", outputFile.get()); - } - } - - private String getDryRunMessage() { - return dryRun ? "[Dry Run]" : ""; - } - - private Configuration getSentryConf() { - Configuration conf = new Configuration(); - if (confPath.isPresent()) { - conf.addResource(new Path(confPath.get()), true); - } - return conf; - } - - @VisibleForTesting - public boolean executeConfigTool(String [] args) throws Exception { - boolean result = true; - if (parseArgs(args)) { - run(); - } else { - result = false; - } - return result; - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java deleted file mode 100644 index 5799993..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java +++ /dev/null 
@@ -1,109 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.List; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.model.solr.validator.SolrPrivilegeValidator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * This class provides SOLR specific functionality required for migrating Sentry privileges. 
- */ -public class PermissionsMigrationToolSolr extends PermissionsMigrationToolCommon { - private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsMigrationToolSolr.class); - - - @Override - protected String getComponent(Configuration conf) { - return "SOLR"; - } - - @Override - protected String getServiceName(Configuration conf) { - return conf.get(SOLR_SERVICE_NAME, "service1"); - } - - @Override - protected Collection<String> transformPrivileges(Collection<String> privileges) { - List<String> result = new ArrayList<>(); - boolean migrated = false; - - if (getSourceVersion().major == 1) { // Migrate only Sentry 1.x permissions - for (String p : privileges) { - SolrPrivilegeValidator v = new SolrPrivilegeValidator(); - v.validate(p, false); - - if ("collection".equalsIgnoreCase(v.getEntityType()) && "admin".equalsIgnoreCase(v.getEntityName())) { - result.add(getPermissionStr("admin", "collections", v.getActionName())); - result.add(getPermissionStr("admin", "cores", v.getActionName())); - migrated = true; - } else if ("collection".equalsIgnoreCase(v.getEntityType()) && "*".equals(v.getEntityName())) { - result.add(getPermissionStr("admin", "collections", v.getActionName())); - result.add(getPermissionStr("admin", "cores", v.getActionName())); - result.add(p); - migrated = true; - } else { - result.add(p); - } - } - } - - return migrated ? 
result : Collections.emptyList(); - } - - private String getPermissionStr (String entityType, String entityName, String action) { - StringBuilder builder = new StringBuilder(); - builder.append(entityType); - builder.append(SentryConstants.KV_SEPARATOR); - builder.append(entityName); - if (action != null) { - builder.append(SentryConstants.AUTHORIZABLE_SEPARATOR); - builder.append(SentryConstants.PRIVILEGE_NAME); - builder.append(SentryConstants.KV_SEPARATOR); - builder.append(action); - } - return builder.toString(); - } - - public static void main(String[] args) throws Exception { - PermissionsMigrationToolSolr solrTool = new PermissionsMigrationToolSolr(); - try { - solrTool.executeConfigTool(args); - } catch (Exception e) { - LOGGER.error(e.getMessage(), e); - Throwable current = e; - // find the first printable message; - while (current != null && current.getMessage() == null) { - current = current.getCause(); - } - String error = ""; - if (current != null && current.getMessage() != null) { - error = "Message: " + current.getMessage(); - } - System.out.println("The operation failed. " + error); - System.exit(1); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java deleted file mode 100644 index 013e824..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java +++ /dev/null 
@@ -1,152 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-
-abstract public class SentryConfigToolCommon {
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- /**
- * parse arguments
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -p,--policy_ini <arg> policy file path
- * -v,--validate validate policy file
- * -c,--checkcompat check compatibility with service
- * -i,--import import policy file
- * -h,--help print usage
- * </pre>
- * @param args
- */
- protected boolean parseArgs(String [] args) {
- Options options = new Options();
-
- Option globalPolicyPath = new Option("p", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(true);
-
options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, "sentry-site file path");
- sentrySitePathOpt.setRequired(true);
- options.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, "Shell usage");
- helpOpt.setRequired(false);
- options.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(options);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(options, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
-
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(options);
- return false;
-
}
- return true;
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryConfigTool", sentryOptions);
- }
-
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeConfigTool(String [] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-
- public String getPolicyFile() { return policyFile; }
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
deleted file mode 100644
index a5996a7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
+++ /dev/null
@@ -1,340 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import
java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
-import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
-
-/**
- * SentryConfigToolIndexer is an administrative tool used to parse a HBase Indexer policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolIndexer {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolIndexer.class);
-
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- private String serviceName;
-
-
-
- public String getPolicyFile() { return policyFile; }
-
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
- public String getServiceName() {
- return serviceName;
- }
-
- /**
- * Adds command line options for the tool to the passed Options object. Used to extend existing options.
- * @param options
- */
- public void setupOptions(Options options) {
- Option globalPolicyPath = new Option("f", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(false);
- options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- }
-
- /**
- * Parses and processes the arguments from the given command line object.
- * @param cmd
- */
- public void parseOptions(CommandLine cmd) {
- boolean isToolActive = false;
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("mgr")) {
- isToolActive = true;
- }
- }
- if (!isToolActive) {
- return;
- }
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("f")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- } else if (opt.getOpt().equals("s")) {
- serviceName = opt.getValue();
- }
- }
- if (policyFile == null) {
- throw new IllegalArgumentException("Missing required option: f");
- }
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- }
-
-
- /**
- * Processes the necessary command based on the arguments parsed earlier.
- * @throws Exception
- */
- public void run() throws Exception {
- String component = HBASE_INDEXER;
- Configuration conf = getSentryConf();
-
- String service = conf.get(SERVICE_NAME, getServiceName());
-
- if (service == null) {
- throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
- }
-
- LOGGER.info(String.format("Context: component=%s, service=%s", component, service));
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- try(SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()), true);
- return conf;
- }
-
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(IndexerPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB
store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.grantRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following
roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
deleted file mode 100644
index 1a4692e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ /dev/null
@@ -1,264 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import
java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * SentryConfigToolSolr is an administrative tool used to parse a Solr policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolSolr extends SentryConfigToolCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- try(SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()), true);
- return conf;
- }
-
- /**
- * Convert policy file to solrctl commands -- based on SENTRY-480
- */
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
-
context.setValidators(SolrPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.grantRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following
roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
- public static void main(String[] args) throws Exception {
- SentryConfigToolSolr solrTool = new SentryConfigToolSolr();
- try {
- solrTool.executeConfigTool(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null &&
current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
deleted file mode 100644
index 4487685..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Sets;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.GenericShellCommand;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.apache.sentry.provider.db.tools.ShellCommand;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.List;
-import java.util.Set;
-
-/**
- * SentryShellGeneric is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellGeneric extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellGeneric.class);
- private static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
- private static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
- private static final String SQOOP_SERVICE_NAME = "sentry.service.client.sqoop.service.name";
-
- @Override
- public void run() throws Exception {
- String component = getComponent();
- Configuration conf = getSentryConf();
-
- String service = getService(conf);
- try (SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
- TSentryPrivilegeConverter converter = getPrivilegeConverter(component, service);
- ShellCommand command = new GenericShellCommand(client, component, service, converter);
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (isCreateRole) {
- command.createRole(requestorName, roleName);
- } else if (isDropRole) {
- command.dropRole(requestorName, roleName);
- } else if (isAddRoleGroup) {
- Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- command.grantRoleToGroups(requestorName, roleName, groups);
- } else if (isDeleteRoleGroup) {
- Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- command.revokeRoleFromGroups(requestorName, roleName, groups);
- } else if (isGrantPrivilegeRole) {
- command.grantPrivilegeToRole(requestorName, roleName, privilegeStr);
- } else if (isRevokePrivilegeRole) {
- command.revokePrivilegeFromRole(requestorName, roleName, privilegeStr);
- } else if (isListRole) {
- List<String> roles = command.listRoles(requestorName, groupName);
- for (String role : roles) {
- System.out.println(role);
- }
- } else if (isListPrivilege) {
- List<String> privileges = command.listPrivileges(requestorName, roleName);
- for (String privilege : privileges) {
- System.out.println(privilege);
- }
- } else if (isListGroup) {
- List<String> groups = command.listGroupRoles(requestorName);
- for (String group : groups) {
- System.out.println(group);
- }
- }
- }
- }
-
- protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
- return new GenericPrivilegeConverter(component, service);
- }
-
- protected String getComponent() throws Exception {
- if (type == TYPE.kafka) {
- return AuthorizationComponent.KAFKA;
- } else if (type == TYPE.solr) {
- return "SOLR";
- } else if (type == TYPE.sqoop) {
- return AuthorizationComponent.SQOOP;
- }
-
- throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
- }
-
- protected String getService(Configuration conf) throws Exception {
- if (type == TYPE.kafka) {
- return conf.get(KAFKA_SERVICE_NAME, AuthorizationComponent.KAFKA);
- } else if (type ==
TYPE.solr) {
- return conf.get(SOLR_SERVICE_NAME, "service1");
- } else if (type == TYPE.sqoop) {
- return conf.get(SQOOP_SERVICE_NAME, "sqoopServer1");
- }
-
- throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath), true);
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellGeneric sentryShell = new SentryShellGeneric();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
deleted file mode 100644
index 5bbe772..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.hadoop.conf.Configuration;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
-import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
-
-/**
- * SentryShellIndexer is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellIndexer extends SentryShellGeneric {
-
- protected boolean isMigration = false;
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellIndexer.class);
-
- private final SentryConfigToolIndexer configTool = new SentryConfigToolIndexer();
-
- @Override
- protected void setupOptions(Options simpleShellOptions) {
- super.setupOptions(simpleShellOptions);
- configTool.setupOptions(simpleShellOptions);
- }
-
- @Override
- protected void parseOptions(CommandLine cmd) throws ParseException {
- super.parseOptions(cmd);
- configTool.parseOptions(cmd);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("mgr")) {
- isMigration = true;
- }
- }
- }
-
- @Override
- protected OptionGroup getMainOptions() {
- OptionGroup mainOptions = super.getMainOptions();
- Option mgrOpt = new Option("mgr", "migrate", false, "Migrate ini file to Sentry service");
- mgrOpt.setRequired(false);
- mainOptions.addOption(mgrOpt);
- return mainOptions;
- }
-
- /**
- * Processes the necessary command based on the arguments parsed earlier.
- * @throws Exception
- */
- @Override
- public void run() throws Exception {
-
- if (isMigration) {
- configTool.run();
- return;
- }
-
- super.run();
- }
-
- @Override
- protected String getComponent() throws Exception {
- return HBASE_INDEXER;
- }
-
- @Override
- protected String getService(Configuration conf) throws Exception {
- String service = conf.get(SERVICE_NAME, serviceName);
- if (service == null) {
- throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
- }
- return service;
- }
-
- /**
- * Entry-point for Hbase indexer cli tool.
- * @param args
- * @throws Exception
- */
- public static void main(String[] args) throws Exception {
- SentryShellIndexer sentryShell = new SentryShellIndexer();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- System.out.println("The operation failed." +
- (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
new file mode 100644
index 0000000..5e48483
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
@@ -0,0 +1,35 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+public interface TSentryPrivilegeConverter {
+
+ /**
+ * Convert string to privilege
+ */
+ TSentryPrivilege fromString(String privilegeStr) throws SentryUserException;
+
+ /**
+ * Convert privilege to string
+ */
+ String toString(TSentryPrivilege tSentryPrivilege);
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
deleted file mode 100644
index a792b5c..0000000
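Review bot: The Javadoc on `fromString` in the relocated `TSentryPrivilegeConverter` does not say what an implementation must do with a null, empty or malformed privilege string, and the interface has no type-level comment. The removed `GenericShellCommand` shown on this page passes the result straight to `client.grantPrivilege` and `client.revokePrivilege`, so a converter that returned null or a partially filled `TSentryPrivilege` would presumably surface as a failed or unintended grant rather than a clear input error. I would put the contract on the method, for example `@throws SentryUserException if privilegeStr is null, empty or not a well-formed privilege for this component`, and add `@param`/`@return` lines to both methods. A type-level sentence noting that `toString(TSentryPrivilege)` is an overload and not `Object.toString()` would also help readers.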
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
+++ /dev/null
@@ -1,155 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.tools.ShellCommand; - -/** - * The ShellCommand implementation for the Generic clients - */ -public class GenericShellCommand implements ShellCommand { - - private final SentryGenericServiceClient client; - private final String component; - private final TSentryPrivilegeConverter converter; - private final String serviceName; - - public GenericShellCommand(SentryGenericServiceClient client, String component, String serviceName, - TSentryPrivilegeConverter converter) { - this.client = 
client; - this.component = component; - this.serviceName = serviceName; - this.converter = converter; - } - - public void createRole(String requestorName, String roleName) throws SentryUserException { - client.createRole(requestorName, roleName, component); - } - - public void dropRole(String requestorName, String roleName) throws SentryUserException { - client.dropRole(requestorName, roleName, component); - } - - public void grantPrivilegeToRole(String requestorName, String roleName, String privilege) throws SentryUserException { - TSentryPrivilege sentryPrivilege = converter.fromString(privilege); - client.grantPrivilege(requestorName, roleName, component, sentryPrivilege); - } - - public void grantRoleToGroups(String requestorName, String roleName, Set<String> groups) throws SentryUserException { - client.grantRoleToGroups(requestorName, roleName, component, groups); - } - - public void revokePrivilegeFromRole(String requestorName, String roleName, String privilege) throws SentryUserException { - TSentryPrivilege sentryPrivilege = converter.fromString(privilege); - client.revokePrivilege(requestorName, roleName, component, sentryPrivilege); - } - - public void revokeRoleFromGroups(String requestorName, String roleName, Set<String> groups) throws SentryUserException { - client.revokeRoleFromGroups(requestorName, roleName, component, groups); - } - - public List<String> listRoles(String requestorName, String group) throws SentryUserException { - Set<TSentryRole> roles; - if (StringUtils.isEmpty(group)) { - roles = client.listAllRoles(requestorName, component); - } else { - roles = client.listRolesByGroupName(requestorName, group, component); - } - - List<String> result = new ArrayList<>(); - if (roles != null) { - for (TSentryRole role : roles) { - result.add(role.getRoleName()); - } - } - - return result; - } - - public List<String> listPrivileges(String requestorName, String roleName) throws SentryUserException { - Set<TSentryPrivilege> privileges = client - 
.listAllPrivilegesByRoleName(requestorName, roleName, component, serviceName); - - List<String> result = new ArrayList<>(); - if (privileges != null) { - for (TSentryPrivilege privilege : privileges) { - String privilegeStr = converter.toString(privilege); - result.add(privilegeStr); - } - } - - return result; - } - - public List<String> listGroupRoles(String requestorName) throws SentryUserException { - Set<TSentryRole> roles = client.listAllRoles(requestorName, component); - if (roles == null || roles.isEmpty()) { - return Collections.emptyList(); - } - - // Set of all group names - Set<String> groupNames = new HashSet<>(); - - // Map group to set of roles - Map<String, Set<String>> groupInfo = new HashMap<>(); - - // Get all group names - for (TSentryRole role: roles) { - for (String group : role.getGroups()) { - groupNames.add(group); - Set<String> groupRoles = groupInfo.get(group); - if (groupRoles != null) { - // Add a new or existing role - groupRoles.add(role.getRoleName()); - continue; - } - // Never seen this group before - groupRoles = new HashSet<>(); - groupRoles.add(role.getRoleName()); - groupInfo.put(group, groupRoles); - } - } - - List<String> groups = new ArrayList<>(groupNames); - - // Produce printable result as - // group1 = role1, role2, ... - // group2 = ... - List<String> result = new LinkedList<>(); - for (String groupName: groups) { - result.add(groupName + " = " + StringUtils.join(groupInfo.get(groupName), ", ")); - } - - return result; - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
deleted file mode 100644
index 0bfbc44..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-public interface TSentryPrivilegeConverter {
-
- /**
- * Convert string to privilege
- */
- TSentryPrivilege fromString(String privilegeStr) throws SentryUserException;
-
- /**
- * Convert privilege to string
- */
- String toString(TSentryPrivilege tSentryPrivilege);
-}
