Repository: sentry Updated Branches: refs/heads/master e4791a029 -> 135f764ba
SENTRY-2155: Update JDO to grant privileges to user (Na Li, Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/135f764b Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/135f764b Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/135f764b Branch: refs/heads/master Commit: 135f764ba8f661776b8b4e332c79add09eb213d9 Parents: e4791a0 Author: lina.li <[email protected]> Authored: Wed May 9 13:50:48 2018 -0500 Committer: lina.li <[email protected]> Committed: Wed May 9 13:50:48 2018 -0500 ---------------------------------------------------------------------- .../db/service/model/MSentryGMPrivilege.java | 116 +++++++++---------- .../db/service/model/MSentryPrivilege.java | 19 ++- .../provider/db/service/model/MSentryUser.java | 44 ++++++- .../provider/db/service/model/package.jdo | 12 ++ 4 files changed, 131 insertions(+), 60 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/135f764b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java index 0e8fb06..24ed204 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java 
@@ -1,5 +1,5 @@ /** -vim * Licensed to the Apache Software Foundation (ASF) under one + * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file @@ -77,8 +77,8 @@ public class MSentryGMPrivilege { } public MSentryGMPrivilege(String componentName, String serviceName, - List<? extends Authorizable> authorizables, - String action, Boolean grantOption) { + List<? extends Authorizable> authorizables, + String action, Boolean grantOption) { this.componentName = MSentryUtil.safeIntern(componentName); this.serviceName = MSentryUtil.safeIntern(serviceName); this.action = MSentryUtil.safeIntern(action); 
@@ -253,68 +253,68 @@ public class MSentryGMPrivilege { @Override public boolean equals(Object obj) { - if (this == obj) { - return true; - } - if (obj == null) { - return false; - } - if (getClass() != obj.getClass()) { - return false; - } - MSentryGMPrivilege other = (MSentryGMPrivilege) obj; - if (action == null) { - if (other.action != null) { - return false; - } - } else if (!action.equalsIgnoreCase(other.action)) { - return false; + if (this == obj) { + return true; + } + if (obj == null) { + return false; + } + if (getClass() != obj.getClass()) { + return false; + } + MSentryGMPrivilege other = (MSentryGMPrivilege) obj; + if (action == null) { + if (other.action != null) { + return false; } - if (scope == null) { - if (other.scope != null) { - return false; - } - } else if (!scope.equals(other.scope)) { + } else if (!action.equalsIgnoreCase(other.action)) { + return false; + } + if (scope == null) { + if (other.scope != null) { return false; } - if (serviceName == null) { - if (other.serviceName != null) { - return false; - } - } else if (!serviceName.equals(other.serviceName)) { - return false; + } else if (!scope.equals(other.scope)) { + return false; + } + if (serviceName == null) { + if (other.serviceName != null) { + return false; } - if (componentName == null) { - if (other.componentName != null) { - return false; - } - } else if (!componentName.equals(other.componentName)) { - return false; + } else if (!serviceName.equals(other.serviceName)) { + return false; + } + if (componentName == null) { + if (other.componentName != null) { + return false; } - if (grantOption == null) { - if (other.grantOption != null) { - return false; - } - } else if (!grantOption.equals(other.grantOption)) { + } else if (!componentName.equals(other.componentName)) { + return false; + } + if (grantOption == null) { + if (other.grantOption != null) { return false; } + } else if (!grantOption.equals(other.grantOption)) { + return false; + } - List<? 
extends Authorizable> authorizables = getAuthorizables(); - List<? extends Authorizable> otherAuthorizables = other.getAuthorizables(); + List<? extends Authorizable> authorizables = getAuthorizables(); + List<? extends Authorizable> otherAuthorizables = other.getAuthorizables(); - if (authorizables.size() != otherAuthorizables.size()) { + if (authorizables.size() != otherAuthorizables.size()) { + return false; + } + for (int i = 0; i < authorizables.size(); i++) { + String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(), + authorizables.get(i).getName()); + String o2 = KV_JOINER.join(otherAuthorizables.get(i).getTypeName(), + otherAuthorizables.get(i).getName()); + if (!o1.equals(o2)) { return false; } - for (int i = 0; i < authorizables.size(); i++) { - String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(), - authorizables.get(i).getName()); - String o2 = KV_JOINER.join(otherAuthorizables.get(i).getTypeName(), - otherAuthorizables.get(i).getName()); - if (!o1.equals(o2)) { - return false; - } - } - return true; + } + return true; } /** @@ -350,9 +350,9 @@ public class MSentryGMPrivilege { //check authorizable name if (!existAuth.getName().equals(requestAuth.getName())) { /**The persistent authorizable isn't equal the request authorizable - * but the following situations are pass check - * The name of persistent authorizable is ALL or "*" - */ + * but the following situations are pass check + * The name of persistent authorizable is ALL or "*" + */ if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL) || existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) { continue; @@ -433,4 +433,4 @@ public class MSentryGMPrivilege { } } -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/sentry/blob/135f764b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java index 73fa4ff..85477b6 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java @@ -47,10 +47,13 @@ public class MSentryPrivilege { private Boolean grantOption = false; // roles this privilege is a part of private Set<MSentryRole> roles; + // users this privilege is a part of + private Set<MSentryUser> users; private long createTime; public MSentryPrivilege() { this.roles = new HashSet<>(); + this.users = new HashSet<>(); } public MSentryPrivilege(String privilegeScope, @@ -65,6 +68,7 @@ public class MSentryPrivilege { this.action = SentryStore.toNULLCol(action).intern(); this.grantOption = grantOption; this.roles = new HashSet<>(); + this.users = new HashSet<>(); } public MSentryPrivilege(String privilegeScope, @@ -85,6 +89,8 @@ public class MSentryPrivilege { this.grantOption = other.grantOption; this.roles = new HashSet<>(); roles.addAll(other.roles); + this.users = new HashSet<>(); + users.addAll(other.users); } public String getServerName() { 
@@ -163,21 +169,32 @@ public class MSentryPrivilege { roles.add(role); } + public void appendUser(MSentryUser user) { + users.add(user); + } + public Set<MSentryRole> getRoles() { return roles; } + public Set<MSentryUser> getUsers() { return users; } + public void removeRole(MSentryRole role) { roles.remove(role); role.removePrivilege(this); } + public void removeUser(MSentryUser user) { + users.remove(user); + user.removePrivilege(this); + } + @Override public String toString() { return "MSentryPrivilege [privilegeScope=" + privilegeScope + ", serverName=" + serverName + ", dbName=" + dbName + ", tableName=" + tableName + ", columnName=" + columnName - + ", URI=" + URI + ", action=" + action + ", roles=[...]" + + ", URI=" + URI + ", action=" + action + ", roles=[...]" + ", users=[...]" + ", createTime=" + createTime + ", grantOption=" + grantOption +"]"; } http://git-wip-us.apache.org/repos/asf/sentry/blob/135f764b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java index f468a46..9188738 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java @@ -18,6 +18,9 @@ package org.apache.sentry.provider.db.service.model; +import com.google.common.base.Preconditions; +import com.google.common.collect.ImmutableSet; +import java.util.HashSet; import java.util.Set; import javax.jdo.annotations.PersistenceCapable; 
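Review bot: `appendUser` and `removeUser` in this hunk maintain only the `users` side of the relation, and the package.jdo change in the same commit maps `MSentryPrivilege.users` with `mapped-by="privileges"`, which in JDO makes `MSentryUser.privileges` the owning side of the join table; a user added through `appendUser` alone may therefore never reach SENTRY_USER_DB_PRIVILEGE_MAP at commit unless the persistence layer's managed-relationship handling repairs it. `MSentryUser.appendPrivilege` keeps both sides in step, so callers should go through the user side; a comment on `appendUser` would make that explicit, e.g. `// Inverse (non-owning) side of the user/privilege relation, see package.jdo mapped-by; callers should use MSentryUser.appendPrivilege(...) so the owning side is updated too.` `removeUser` unconditionally calls `user.removePrivilege(this)`, which calls back into `removeUser` once more before the guarded `privileges.remove(...)` in `MSentryUser` stops the recursion; it terminates, but a one-line comment noting the round trip would spare the next reader tracing it. `getUsers()` hands out the internal mutable set, consistent with the existing `getRoles()`, so any caller that mutates it bypasses the bookkeeping in `removeUser`; if the roles accessor is ever wrapped in `Collections.unmodifiableSet`, this one should be too.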
@@ -35,12 +38,15 @@ public class MSentryUser { private String userName; // set of roles granted to this user private Set<MSentryRole> roles; + // set of privileges granted to this user + private Set<MSentryPrivilege> privileges; private long createTime; public MSentryUser(String userName, long createTime, Set<MSentryRole> roles) { this.userName = MSentryUtil.safeIntern(userName); this.createTime = createTime; this.roles = roles; + this.privileges = new HashSet<>(); } public long getCreateTime() { 
@@ -71,9 +77,45 @@ public class MSentryUser { } } + public void setPrivileges(Set<MSentryPrivilege> privileges) { + this.privileges = privileges; + } + + public Set<MSentryPrivilege> getPrivileges() { + return privileges; + } + + public void removePrivilege(MSentryPrivilege privilege) { + if (privileges.remove(privilege)) { + privilege.removeUser(this); + } + } + + public void appendPrivileges(Set<MSentryPrivilege> privileges) { + this.privileges.addAll(privileges); + } + + public void appendPrivilege(MSentryPrivilege privilege) { + if (privileges.add(privilege)) { + privilege.appendUser(this); + } + } + + public void removePrivileges() { + // As we iterate through the loop below Method removeRole will modify the privileges set + // will be updated. + // Copy of the <code>privileges<code> is taken at the beginning of the loop to avoid using + // the actual privilege set in MSentryUser instance. + + for (MSentryPrivilege privilege : ImmutableSet.copyOf(privileges)) { + privilege.removeUser(this); + } + Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges); + } + @Override public String toString() { - return "MSentryUser [userName=" + userName + ", roles=[...]" + ", createTime=" + createTime + return "MSentryUser [userName=" + userName + ", roles=[...]" + ", privileges=[...]" + ", createTime=" + createTime + "]"; } http://git-wip-us.apache.org/repos/asf/sentry/blob/135f764b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo index 9ce9cae..6539e33 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo 
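Review bot: `appendPrivileges` only does `this.privileges.addAll(privileges)` and, unlike `appendPrivilege` directly below it, never calls `privilege.appendUser(this)`, so after a bulk grant each privilege's in-memory `users` set lacks this user and a later `privilege.getUsers()` or `removeUser` in the same session sees inconsistent state. Delegating keeps the two entry points in step: `for (MSentryPrivilege privilege : privileges) {` / `appendPrivilege(privilege);` / `}`. The comment in `removePrivileges` names `removeRole`, but the loop calls `privilege.removeUser(this)`, which re-enters `removePrivilege` and mutates `this.privileges`; replace it with `// privilege.removeUser(this) calls back into removePrivilege, which mutates this.privileges, so iterate over a snapshot.` (the `<code>privileges<code>` tag is also unclosed). `setPrivileges` assigns the argument without touching the inverse side or rejecting `null`, and every other method here dereferences `privileges` unguarded; if the setter exists only for the persistence layer, say so in a comment and add `this.privileges = Preconditions.checkNotNull(privileges, "privileges");`. The `checkState` message is concatenated eagerly on every call; Guava's template form `Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: %s", privileges);` formats only on failure.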
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo @@ -61,6 +61,15 @@ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/> </field> + <field name = "privileges" table="SENTRY_USER_DB_PRIVILEGE_MAP" default-fetch-group="true"> + <collection element-type="org.apache.sentry.provider.db.service.model.MSentryPrivilege"/> + <join> + <column name="USER_ID"/> + </join> + <element> + <column name="DB_PRIVILEGE_ID"/> + </element> + </field> </class> <class name="MSentryRole" identity-type="datastore" table="SENTRY_ROLE" detachable="true"> @@ -158,6 +167,9 @@ <field name="roles" mapped-by="privileges"> <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/> </field> + <field name="users" mapped-by="privileges"> + <collection element-type="org.apache.sentry.provider.db.service.model.MSentryUser"/> + </field> </class> <class name="MSentryGMPrivilege" identity-type="datastore" table="SENTRY_GM_PRIVILEGE" detachable="true">
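Review bot: The new `privileges` field on `MSentryUser` is declared with `default-fetch-group="true"`, so every load of a user row also pulls the whole SENTRY_USER_DB_PRIVILEGE_MAP join and its `MSentryPrivilege` elements; the visible context does not show how the neighbouring `roles` field is configured, so if eager fetching was not deliberate, dropping the attribute (or a comment stating why user privileges must be fetched eagerly) would avoid turning every user lookup into a privilege scan. The diffstat at the top lists only the three model classes and this file, so no DDL or schema-upgrade script for the new `SENTRY_USER_DB_PRIVILEGE_MAP` table with its `USER_ID`/`DB_PRIVILEGE_ID` columns appears in this commit; unless schema auto-creation is relied on, that script, including the foreign keys and a uniqueness constraint on the column pair, presumably needs to accompany this change. In the second hunk, `users` on `MSentryPrivilege` is `mapped-by="privileges"`, which makes `MSentryUser.privileges` the owning side; recording that next to the field, e.g. `<!-- inverse side: the relation is owned by MSentryUser.privileges (SENTRY_USER_DB_PRIVILEGE_MAP) -->`, would save the next reader cross-referencing the Java models.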
