SENTRY-2206: Refactor out sentry api from sentry-provider-db to own module (Steve Moist, reviewed by Sergio Pena)
Change-Id: I2057d7f6eeb1e04b7b45716997077c7c2032adde Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/af8ea0ac Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/af8ea0ac Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/af8ea0ac Branch: refs/heads/master Commit: af8ea0ac16852cd370efb5d76f881c81e327fa6c Parents: b231468 Author: Sergio Pena <[email protected]> Authored: Wed May 9 17:11:14 2018 -0700 Committer: Sergio Pena <[email protected]> Committed: Wed May 9 17:11:14 2018 -0700 ---------------------------------------------------------------------- pom.xml | 5 +- .../authz/HBaseIndexerAuthzBinding.java | 4 +- .../binding/hive/authz/HiveAuthzBinding.java | 2 +- .../binding/hive/authz/SentryConfigTool.java | 2 +- .../DefaultSentryAccessController.java | 6 +- .../SentryMetastorePostEventListenerBaseV2.java | 2 +- .../hive/v2/util/SentryAuthorizerUtil.java | 6 +- .../hive/ql/exec/SentryGrantRevokeTask.java | 741 + .../authz/DefaultSentryAccessController.java | 6 +- .../binding/hive/authz/SentryConfigTool.java | 2 +- ...rySyncHMSNotificationsPostEventListener.java | 2 +- .../binding/util/SentryAuthorizerUtil.java | 12 +- ...rySyncHMSNotificationsPostEventListener.java | 2 +- .../sentry/kafka/binding/KafkaAuthBinding.java | 25 +- .../binding/solr/authz/SolrAuthzBinding.java | 12 +- .../sentry/sqoop/binding/SqoopAuthBinding.java | 20 +- .../apache/sentry/api/common/ApiConstants.java | 90 + .../sentry/service/common/ServiceConstants.java | 251 + sentry-dist/src/license/THIRD-PARTY.properties | 3 +- .../sentry/hdfs/SentryHdfsMetricsUtil.java | 2 +- .../org/apache/sentry/hdfs/SentryPlugin.java | 22 +- sentry-provider/sentry-provider-db/pom.xml | 100 +- .../thrift/SentryGenericPolicyService.java | 10416 ----------- .../TAlterSentryRoleAddGroupsRequest.java | 842 - .../TAlterSentryRoleAddGroupsResponse.java | 391 - .../TAlterSentryRoleDeleteGroupsRequest.java | 842 - 
.../TAlterSentryRoleDeleteGroupsResponse.java | 391 - .../TAlterSentryRoleGrantPrivilegeRequest.java | 798 - .../TAlterSentryRoleGrantPrivilegeResponse.java | 391 - .../TAlterSentryRoleRevokePrivilegeRequest.java | 798 - ...TAlterSentryRoleRevokePrivilegeResponse.java | 391 - .../generic/service/thrift/TAuthorizable.java | 490 - .../thrift/TCreateSentryRoleRequest.java | 692 - .../thrift/TCreateSentryRoleResponse.java | 391 - .../service/thrift/TDropPrivilegesRequest.java | 697 - .../service/thrift/TDropPrivilegesResponse.java | 391 - .../service/thrift/TDropSentryRoleRequest.java | 692 - .../service/thrift/TDropSentryRoleResponse.java | 391 - .../TListSentryPrivilegesByAuthRequest.java | 1112 -- .../TListSentryPrivilegesByAuthResponse.java | 569 - ...TListSentryPrivilegesForProviderRequest.java | 1011 - ...ListSentryPrivilegesForProviderResponse.java | 541 - .../thrift/TListSentryPrivilegesRequest.java | 957 - .../thrift/TListSentryPrivilegesResponse.java | 555 - .../service/thrift/TListSentryRolesRequest.java | 701 - .../thrift/TListSentryRolesResponse.java | 555 - .../thrift/TRenamePrivilegesRequest.java | 1002 - .../thrift/TRenamePrivilegesResponse.java | 391 - .../service/thrift/TSentryActiveRoleSet.java | 537 - .../service/thrift/TSentryGrantOption.java | 48 - .../service/thrift/TSentryPrivilege.java | 1080 -- .../service/thrift/TSentryPrivilegeMap.java | 490 - .../db/generic/service/thrift/TSentryRole.java | 539 - .../db/service/thrift/SentryPolicyService.java | 16422 ----------------- .../TAlterSentryRoleAddGroupsRequest.java | 746 - .../TAlterSentryRoleAddGroupsResponse.java | 394 - .../thrift/TAlterSentryRoleAddUsersRequest.java | 741 - .../TAlterSentryRoleAddUsersResponse.java | 394 - .../TAlterSentryRoleDeleteGroupsRequest.java | 746 - .../TAlterSentryRoleDeleteGroupsResponse.java | 394 - .../TAlterSentryRoleDeleteUsersRequest.java | 741 - .../TAlterSentryRoleDeleteUsersResponse.java | 394 - .../TAlterSentryRoleGrantPrivilegeRequest.java | 866 - 
.../TAlterSentryRoleGrantPrivilegeResponse.java | 669 - .../TAlterSentryRoleRevokePrivilegeRequest.java | 866 - ...TAlterSentryRoleRevokePrivilegeResponse.java | 394 - .../thrift/TCreateSentryRoleRequest.java | 591 - .../thrift/TCreateSentryRoleResponse.java | 394 - .../service/thrift/TDropPrivilegesRequest.java | 596 - .../service/thrift/TDropPrivilegesResponse.java | 394 - .../service/thrift/TDropSentryRoleRequest.java | 591 - .../service/thrift/TDropSentryRoleResponse.java | 394 - .../TListSentryPrivilegesByAuthRequest.java | 915 - .../TListSentryPrivilegesByAuthResponse.java | 571 - ...TListSentryPrivilegesForProviderRequest.java | 915 - ...ListSentryPrivilegesForProviderResponse.java | 544 - .../thrift/TListSentryPrivilegesRequest.java | 706 - .../thrift/TListSentryPrivilegesResponse.java | 558 - .../thrift/TListSentryRolesForUserRequest.java | 591 - .../service/thrift/TListSentryRolesRequest.java | 600 - .../thrift/TListSentryRolesResponse.java | 558 - .../thrift/TRenamePrivilegesRequest.java | 702 - .../thrift/TRenamePrivilegesResponse.java | 394 - .../db/service/thrift/TSentryActiveRoleSet.java | 537 - .../db/service/thrift/TSentryAuthorizable.java | 817 - .../thrift/TSentryConfigValueRequest.java | 600 - .../thrift/TSentryConfigValueResponse.java | 504 - .../thrift/TSentryExportMappingDataRequest.java | 600 - .../TSentryExportMappingDataResponse.java | 500 - .../db/service/thrift/TSentryGrantOption.java | 48 - .../db/service/thrift/TSentryGroup.java | 389 - .../thrift/TSentryImportMappingDataRequest.java | 693 - .../TSentryImportMappingDataResponse.java | 394 - .../db/service/thrift/TSentryMappingData.java | 898 - .../db/service/thrift/TSentryPrivilege.java | 1258 -- .../db/service/thrift/TSentryPrivilegeMap.java | 490 - .../provider/db/service/thrift/TSentryRole.java | 645 - .../db/service/thrift/TSentrySyncIDRequest.java | 484 - .../service/thrift/TSentrySyncIDResponse.java | 493 - .../service/thrift/TSentryResponseStatus.java | 598 - 
.../thrift/sentry_common_serviceConstants.java | 57 - .../thrift/SentryGenericPolicyProcessor.java | 829 + .../SentryGenericPolicyProcessorFactory.java | 44 + .../sentry/api/service/thrift/ConfServlet.java | 71 + .../api/service/thrift/LogLevelServlet.java | 122 + .../api/service/thrift/PubSubServlet.java | 128 + .../api/service/thrift/SentryAdminServlet.java | 132 + .../api/service/thrift/SentryAuthFilter.java | 89 + ...SentryHealthCheckServletContextListener.java | 35 + .../api/service/thrift/SentryMetrics.java | 413 + .../SentryMetricsServletContextListener.java | 32 + .../thrift/SentryPolicyStoreProcessor.java | 1236 ++ .../SentryPolicyStoreProcessorFactory.java | 43 + .../api/service/thrift/SentryWebServer.java | 240 + .../provider/db/SentryPolicyStorePlugin.java | 16 +- .../provider/db/SimpleDBProviderBackend.java | 8 +- .../generic/SentryGenericProviderBackend.java | 24 +- .../provider/db/generic/UpdatableCache.java | 10 +- .../service/persistent/DelegateSentryStore.java | 8 +- .../persistent/PrivilegeOperatePersistence.java | 2 +- .../service/thrift/NotificationHandler.java | 45 - .../thrift/NotificationHandlerInvoker.java | 163 - .../thrift/SentryGenericPolicyProcessor.java | 831 - .../SentryGenericPolicyProcessorFactory.java | 43 - .../SentryGenericPolicyProcessorWrapper.java | 39 - .../thrift/SentryGenericServiceClient.java | 194 - .../SentryGenericServiceClientDefaultImpl.java | 559 - .../SentryGenericServiceClientFactory.java | 123 - .../tools/GenericPrivilegeConverter.java | 6 +- .../tools/TSentryPrivilegeConverter.java | 2 +- .../db/log/entity/JsonLogEntityFactory.java | 66 +- .../provider/db/log/util/CommandUtil.java | 20 +- .../sentry/provider/db/log/util/Constants.java | 26 +- .../db/service/persistent/HAContext.java | 2 +- .../db/service/persistent/HMSFollower.java | 2 +- .../service/persistent/LeaderStatusMonitor.java | 2 +- .../persistent/NotificationProcessor.java | 6 +- .../db/service/persistent/SentryStore.java | 22 +- 
.../service/persistent/TransactionManager.java | 4 +- .../provider/db/service/thrift/ConfServlet.java | 71 - .../db/service/thrift/LogLevelServlet.java | 122 - .../db/service/thrift/NotificationHandler.java | 73 - .../thrift/NotificationHandlerInvoker.java | 164 - .../db/service/thrift/PubSubServlet.java | 128 - .../db/service/thrift/SentryAdminServlet.java | 132 - .../db/service/thrift/SentryAuthFilter.java | 89 - ...SentryHealthCheckServletContextListener.java | 35 - .../db/service/thrift/SentryMetrics.java | 413 - .../SentryMetricsServletContextListener.java | 32 - .../thrift/SentryPolicyServiceClient.java | 227 - .../SentryPolicyServiceClientDefaultImpl.java | 1081 -- .../thrift/SentryPolicyStoreProcessor.java | 1238 -- .../SentryPolicyStoreProcessorFactory.java | 42 - .../service/thrift/SentryProcessorWrapper.java | 38 - .../db/service/thrift/SentryWebServer.java | 240 - .../GrantPrivilegeRequestValidator.java | 91 - .../RevokePrivilegeRequestValidator.java | 46 - .../service/thrift/FullUpdateInitializer.java | 2 +- .../sentry/service/thrift/GSSCallback.java | 2 +- .../thrift/HiveSimpleConnectionFactory.java | 2 +- .../sentry/service/thrift/SentryHMSClient.java | 2 +- .../sentry/service/thrift/SentryService.java | 14 +- .../thrift/SentryServiceClientFactory.java | 4 +- .../service/thrift/SentryServiceUtil.java | 316 - .../sentry/service/thrift/ServiceConstants.java | 316 - .../apache/sentry/service/thrift/Status.java | 132 - .../main/resources/sentry_common_service.thrift | 44 - .../sentry_generic_policy_service.thrift | 278 - .../main/resources/sentry_policy_service.thrift | 364 - .../SentryGenericServiceIntegrationBase.java | 73 + .../TestAuditLogForSentryGenericService.java | 296 + .../TestSentryGenericPolicyProcessor.java | 364 + .../thrift/TestSentryGenericServiceClient.java | 61 + .../TestSentryGenericServiceIntegration.java | 503 + .../service/thrift/SentryMiniKdcTestcase.java | 68 + .../TestAuthorizingDDLAuditLogWithKerberos.java | 295 + 
.../thrift/TestConnectionWithTicketTimeout.java | 57 + .../thrift/TestNotificationHandlerInvoker.java | 102 + .../thrift/TestSentryPolicyServiceClient.java | 64 + .../thrift/TestSentryPolicyStoreProcessor.java | 81 + .../TestSentryServerForPoolWithoutKerberos.java | 35 + .../thrift/TestSentryServerLogLevel.java | 100 + .../service/thrift/TestSentryServerPubSub.java | 181 + .../thrift/TestSentryServerWithoutKerberos.java | 214 + .../thrift/TestSentryServiceClientPool.java | 111 + .../thrift/TestSentryServiceFailureCase.java | 75 + .../TestSentryServiceForPoolWithKerberos.java | 35 + .../thrift/TestSentryServiceImportExport.java | 751 + .../thrift/TestSentryServiceIntegration.java | 1102 ++ .../thrift/TestSentryServiceMetrics.java | 86 + .../TestSentryServiceWithInvalidMsgSize.java | 122 + .../thrift/TestSentryServiceWithKerberos.java | 58 + .../thrift/TestSentryWebServerWithKerberos.java | 175 + .../thrift/TestSentryWebServerWithSSL.java | 64 + .../TestSentryWebServerWithoutSecurity.java | 95 + .../TestSentryGenericProviderBackend.java | 8 +- .../persistent/SentryStoreIntegrationBase.java | 2 +- .../TestPrivilegeOperatePersistence.java | 2 +- .../service/persistent/TestSentryRole.java | 2 +- .../SentryGenericServiceIntegrationBase.java | 73 - .../TestAuditLogForSentryGenericService.java | 296 - .../TestSentryGenericPolicyProcessor.java | 364 - .../thrift/TestSentryGenericServiceClient.java | 61 - .../TestSentryGenericServiceIntegration.java | 503 - .../db/log/entity/TestJsonLogEntityFactory.java | 34 +- .../log/entity/TestJsonLogEntityFactoryGM.java | 32 +- .../provider/db/log/util/TestCommandUtil.java | 38 +- .../db/service/persistent/TestHMSFollower.java | 4 +- .../TestHMSFollowerSentryStoreIntegration.java | 4 +- .../persistent/TestLeaderStatusMonitor.java | 2 +- .../persistent/TestNotificationProcessor.java | 4 +- .../db/service/persistent/TestSentryStore.java | 18 +- .../persistent/TestSentryStoreImportExport.java | 12 +- 
.../service/persistent/TestSentryVersion.java | 4 +- .../service/thrift/SentryMiniKdcTestcase.java | 68 - .../TestAuthorizingDDLAuditLogWithKerberos.java | 295 - .../thrift/TestConnectionWithTicketTimeout.java | 57 - .../thrift/TestNotificationHandlerInvoker.java | 102 - .../thrift/TestSentryPolicyServiceClient.java | 64 - .../thrift/TestSentryPolicyStoreProcessor.java | 81 - .../TestSentryServerForPoolWithoutKerberos.java | 35 - .../thrift/TestSentryServerLogLevel.java | 100 - .../service/thrift/TestSentryServerPubSub.java | 181 - .../thrift/TestSentryServerWithoutKerberos.java | 214 - .../thrift/TestSentryServiceClientPool.java | 111 - .../thrift/TestSentryServiceFailureCase.java | 75 - .../TestSentryServiceForPoolWithKerberos.java | 35 - .../thrift/TestSentryServiceImportExport.java | 751 - .../thrift/TestSentryServiceIntegration.java | 1102 -- .../thrift/TestSentryServiceMetrics.java | 86 - .../TestSentryServiceWithInvalidMsgSize.java | 121 - .../thrift/TestSentryServiceWithKerberos.java | 58 - .../thrift/TestSentryWebServerWithKerberos.java | 175 - .../thrift/TestSentryWebServerWithSSL.java | 64 - .../TestSentryWebServerWithoutSecurity.java | 95 - .../thrift/SentryServiceIntegrationBase.java | 17 +- sentry-service/pom.xml | 36 + sentry-service/sentry-service-api/pom.xml | 200 + .../thrift/SentryGenericPolicyService.java | 10416 +++++++++++ .../TAlterSentryRoleAddGroupsRequest.java | 842 + .../TAlterSentryRoleAddGroupsResponse.java | 391 + .../TAlterSentryRoleDeleteGroupsRequest.java | 842 + .../TAlterSentryRoleDeleteGroupsResponse.java | 391 + .../TAlterSentryRoleGrantPrivilegeRequest.java | 798 + .../TAlterSentryRoleGrantPrivilegeResponse.java | 391 + .../TAlterSentryRoleRevokePrivilegeRequest.java | 798 + ...TAlterSentryRoleRevokePrivilegeResponse.java | 391 + .../api/generic/thrift/TAuthorizable.java | 490 + .../thrift/TCreateSentryRoleRequest.java | 692 + .../thrift/TCreateSentryRoleResponse.java | 391 + .../generic/thrift/TDropPrivilegesRequest.java | 697 
+ .../generic/thrift/TDropPrivilegesResponse.java | 391 + .../generic/thrift/TDropSentryRoleRequest.java | 692 + .../generic/thrift/TDropSentryRoleResponse.java | 391 + .../TListSentryPrivilegesByAuthRequest.java | 1112 ++ .../TListSentryPrivilegesByAuthResponse.java | 569 + ...TListSentryPrivilegesForProviderRequest.java | 1011 + ...ListSentryPrivilegesForProviderResponse.java | 541 + .../thrift/TListSentryPrivilegesRequest.java | 957 + .../thrift/TListSentryPrivilegesResponse.java | 555 + .../generic/thrift/TListSentryRolesRequest.java | 701 + .../thrift/TListSentryRolesResponse.java | 555 + .../thrift/TRenamePrivilegesRequest.java | 1002 + .../thrift/TRenamePrivilegesResponse.java | 391 + .../generic/thrift/TSentryActiveRoleSet.java | 537 + .../api/generic/thrift/TSentryGrantOption.java | 48 + .../api/generic/thrift/TSentryPrivilege.java | 1080 ++ .../api/generic/thrift/TSentryPrivilegeMap.java | 490 + .../sentry/api/generic/thrift/TSentryRole.java | 539 + .../api/service/thrift/SentryPolicyService.java | 16422 +++++++++++++++++ .../TAlterSentryRoleAddGroupsRequest.java | 746 + .../TAlterSentryRoleAddGroupsResponse.java | 394 + .../thrift/TAlterSentryRoleAddUsersRequest.java | 741 + .../TAlterSentryRoleAddUsersResponse.java | 394 + .../TAlterSentryRoleDeleteGroupsRequest.java | 746 + .../TAlterSentryRoleDeleteGroupsResponse.java | 394 + .../TAlterSentryRoleDeleteUsersRequest.java | 741 + .../TAlterSentryRoleDeleteUsersResponse.java | 394 + .../TAlterSentryRoleGrantPrivilegeRequest.java | 866 + .../TAlterSentryRoleGrantPrivilegeResponse.java | 669 + .../TAlterSentryRoleRevokePrivilegeRequest.java | 866 + ...TAlterSentryRoleRevokePrivilegeResponse.java | 394 + .../thrift/TCreateSentryRoleRequest.java | 591 + .../thrift/TCreateSentryRoleResponse.java | 394 + .../service/thrift/TDropPrivilegesRequest.java | 596 + .../service/thrift/TDropPrivilegesResponse.java | 394 + .../service/thrift/TDropSentryRoleRequest.java | 591 + 
.../service/thrift/TDropSentryRoleResponse.java | 394 + .../TListSentryPrivilegesByAuthRequest.java | 915 + .../TListSentryPrivilegesByAuthResponse.java | 571 + ...TListSentryPrivilegesForProviderRequest.java | 915 + ...ListSentryPrivilegesForProviderResponse.java | 544 + .../thrift/TListSentryPrivilegesRequest.java | 706 + .../thrift/TListSentryPrivilegesResponse.java | 558 + .../thrift/TListSentryRolesForUserRequest.java | 591 + .../service/thrift/TListSentryRolesRequest.java | 600 + .../thrift/TListSentryRolesResponse.java | 558 + .../thrift/TRenamePrivilegesRequest.java | 702 + .../thrift/TRenamePrivilegesResponse.java | 394 + .../service/thrift/TSentryActiveRoleSet.java | 537 + .../api/service/thrift/TSentryAuthorizable.java | 817 + .../thrift/TSentryConfigValueRequest.java | 600 + .../thrift/TSentryConfigValueResponse.java | 504 + .../thrift/TSentryExportMappingDataRequest.java | 600 + .../TSentryExportMappingDataResponse.java | 500 + .../api/service/thrift/TSentryGrantOption.java | 48 + .../sentry/api/service/thrift/TSentryGroup.java | 389 + .../thrift/TSentryImportMappingDataRequest.java | 693 + .../TSentryImportMappingDataResponse.java | 394 + .../api/service/thrift/TSentryMappingData.java | 898 + .../api/service/thrift/TSentryPrivilege.java | 1258 ++ .../api/service/thrift/TSentryPrivilegeMap.java | 490 + .../sentry/api/service/thrift/TSentryRole.java | 645 + .../service/thrift/TSentrySyncIDRequest.java | 484 + .../service/thrift/TSentrySyncIDResponse.java | 493 + .../service/thrift/TSentryResponseStatus.java | 598 + .../thrift/sentry_common_serviceConstants.java | 57 + .../sentry/api/common/SentryServiceUtil.java | 322 + .../org/apache/sentry/api/common/Status.java | 133 + .../sentry/api/common/ThriftConstants.java | 30 + .../api/generic/thrift/NotificationHandler.java | 45 + .../thrift/NotificationHandlerInvoker.java | 163 + .../SentryGenericPolicyProcessorWrapper.java | 39 + .../thrift/SentryGenericServiceClient.java | 194 + 
.../SentryGenericServiceClientDefaultImpl.java | 560 + .../SentryGenericServiceClientFactory.java | 123 + .../api/service/thrift/NotificationHandler.java | 73 + .../thrift/NotificationHandlerInvoker.java | 164 + .../thrift/SentryPolicyServiceClient.java | 227 + .../SentryPolicyServiceClientDefaultImpl.java | 1082 ++ .../service/thrift/SentryProcessorWrapper.java | 38 + .../GrantPrivilegeRequestValidator.java | 91 + .../RevokePrivilegeRequestValidator.java | 46 + .../api/tools/GenericPrivilegeConverter.java | 190 + .../api/tools/TSentryPrivilegeConverter.java | 34 + .../main/resources/sentry_common_service.thrift | 44 + .../sentry_generic_policy_service.thrift | 278 + .../main/resources/sentry_policy_service.thrift | 364 + .../TestSentryWebServiceForAuthTypeNone.java | 2 +- .../e2e/dbprovider/TestConcurrentClients.java | 2 +- .../tests/e2e/hdfs/TestHDFSIntegration.java | 2 +- .../AbstractTestWithStaticConfiguration.java | 2 +- .../metastore/SentryPolicyProviderForDb.java | 4 +- .../dbprovider/AbstractTestWithDbProvider.java | 4 +- .../e2e/dbprovider/TestConcurrentClients.java | 6 +- .../tests/e2e/hdfs/TestHDFSIntegrationBase.java | 4 +- .../hdfs/TestHDFSIntegrationTogglingConf.java | 2 +- .../AbstractTestWithStaticConfiguration.java | 6 +- .../metastore/SentryPolicyProviderForDb.java | 4 +- .../tests/e2e/minisentry/InternalSentrySrv.java | 2 +- .../e2e/kafka/AbstractKafkaSentryTestBase.java | 12 +- .../sentry/tests/e2e/kafka/TestAuthorize.java | 8 +- .../e2e/solr/SolrSentryServiceTestBase.java | 8 +- .../sentry/tests/e2e/solr/TestSentryServer.java | 12 +- .../e2e/sqoop/AbstractSqoopSentryTestBase.java | 16 +- .../tools/PermissionsMigrationToolCommon.java | 10 +- .../cli/tools/SentryConfigToolIndexer.java | 10 +- .../sentry/cli/tools/SentryConfigToolSolr.java | 6 +- .../sentry/cli/tools/SentrySchemaTool.java | 2 +- .../sentry/cli/tools/SentryShellGeneric.java | 8 +- .../sentry/cli/tools/SentryShellHive.java | 2 +- .../sentry/cli/tools/SentryShellIndexer.java | 4 +- 
.../cli/tools/command/GenericShellCommand.java | 8 +- .../cli/tools/command/hive/CommandUtil.java | 14 +- .../tools/command/hive/HiveShellCommand.java | 10 +- .../java/org/apache/sentry/shell/SentryCli.java | 14 +- .../org/apache/sentry/shell/TopLevelShell.java | 8 +- .../tools/TestPermissionsMigrationToolSolr.java | 11 +- .../cli/tools/TestSentryConfigToolIndexer.java | 12 +- .../cli/tools/TestSentryConfigToolSolr.java | 9 +- .../sentry/cli/tools/TestSentrySchemaTool.java | 2 +- .../sentry/cli/tools/TestSentryShellHive.java | 4 +- .../cli/tools/TestSentryShellIndexer.java | 10 +- .../sentry/cli/tools/TestSentryShellKafka.java | 6 +- .../sentry/cli/tools/TestSentryShellSolr.java | 6 +- .../sentry/cli/tools/TestSentryShellSqoop.java | 6 +- 376 files changed, 87440 insertions(+), 86260 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 262a9d8..3b80e03 100644
--- a/pom.xml
+++ b/pom.xml
@@ -756,6 +756,7 @@ limitations under the License.
 <module>sentry-tests</module>
 <module>sentry-hdfs</module>
 <module>sentry-tools</module>
+ <module>sentry-service</module>
 <module>sentry-dist</module>
 </modules>
@@ -1045,9 +1046,9 @@ limitations under the License.
 <excludes combine.children="append">
 <exclude>%regex[org.apache.sentry.tests.e2e.*.class]</exclude>
 <exclude>%regex[org.apache.sentry.binding.hive.TestURI.class]</exclude>
- <exclude>%regex[org.apache.sentry.provider.db.service.thrift.*.class]</exclude>
+ <exclude>%regex[org.apache.sentry.api.service.thrift.*.class]</exclude>
 <exclude>%regex[org.apache.solr.handler.admin.*.class]</exclude>
- <exclude>%regex[org.apache.sentry.provider.db.generic.service.thrift.*.class]</exclude>
+ <exclude>%regex[org.apache.sentry.api.generic.thrift.*.class]</exclude>
 <exclude>%regex[org.apache.sentry.cli.tools.*.class]</exclude>
 </excludes>
 </configuration>
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java b/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
index 71d1225..3e57cd4 100644
--- a/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
@@ -33,7 +33,7 @@ import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.common.ApiConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -107,7 +107,7 @@ public class HBaseIndexerAuthzBinding {
 } // For SentryGenericProviderBackend
- authzConf.set(ServiceConstants.ClientConfig.COMPONENT_TYPE, HBASE_INDEXER);
+ authzConf.set(ApiConstants.ClientConfig.COMPONENT_TYPE, HBASE_INDEXER);
 providerBackend = (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {authzConf, resourceName});
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 7565a34..f1cbbb6 100644
--- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -48,7 +48,7 @@ import org.apache.sentry.provider.cache.SimpleCacheProviderBackend;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.TSentryRole;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index 1dc8f01..f6b4518 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -53,7 +53,7 @@ import org.apache.sentry.core.common.exception.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 /**
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
index 13ee2cf..f21f920 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
@@ -49,9 +49,9 @@ import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
index 567e9fa..642e873 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
@@ -44,7 +44,7 @@ import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
 import org.apache.sentry.provider.db.SentryMetastoreListenerPlugin;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
index 35bd68c..32479d8 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
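Review bot: The two context lines `import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;` and `import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;` at the end of this hunk are left on the old package, while the diffstat records `.../sentry/service/thrift/ServiceConstants.java | 316 -` alongside new `.../sentry/service/common/ServiceConstants.java` and `.../sentry/api/common/ApiConstants.java`, and the HBaseIndexerAuthzBinding hunk replaces `ServiceConstants.ClientConfig` with `ApiConstants.ClientConfig`. If that class was moved rather than kept in place, this file and the `ServiceConstants.PrivilegeScope` import in the SentryAuthorizerUtil hunk that follows will no longer resolve; if the build still passes, that is presumably because sentry-binding-hive-v2 is not compiled by default, so the breakage would surface only when that profile is enabled. The imports should be retargeted at wherever `ConfUtilties`, `ServerConfig` and `PrivilegeScope` now live (from the new paths, presumably `org.apache.sentry.service.common.ServiceConstants`), or the commit message should state that the v2 binding is knowingly left stale.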
@@ -49,9 +49,9 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.TSentryGrantOption;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
 import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
new file mode 100644
index 0000000..203632d
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -0,0 +1,741 @@ +package org.apache.hadoop.hive.ql.exec; +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.OutputStreamWriter; +import java.io.Serializable; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.apache.hadoop.fs.FSDataOutputStream; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hive.SentryHiveConstants; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.api.PrincipalType; +import org.apache.hadoop.hive.ql.CompilationOpContext; +import org.apache.hadoop.hive.ql.DriverContext; +import org.apache.hadoop.hive.ql.QueryPlan; +import org.apache.hadoop.hive.ql.QueryState; +import org.apache.hadoop.hive.ql.hooks.ReadEntity; +import org.apache.hadoop.hive.ql.hooks.WriteEntity; +import org.apache.hadoop.hive.ql.metadata.AuthorizationException; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.parse.SemanticException; +import org.apache.hadoop.hive.ql.plan.DDLWork; +import 
org.apache.hadoop.hive.ql.plan.GrantDesc; +import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL; +import org.apache.hadoop.hive.ql.plan.HiveOperation; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; +import org.apache.hadoop.hive.ql.plan.RevokeDesc; +import org.apache.hadoop.hive.ql.plan.RoleDDLDesc; +import org.apache.hadoop.hive.ql.plan.ShowGrantDesc; +import org.apache.hadoop.hive.ql.plan.api.StageType; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; +import org.apache.sentry.core.common.exception.SentryUserException; +import org.apache.sentry.binding.hive.authz.HiveAuthzBindingHookBase; +import org.apache.sentry.binding.hive.SentryOnFailureHookContext; +import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl; +import org.apache.sentry.binding.hive.authz.HiveAuthzBinding; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars; +import org.apache.sentry.core.common.ActiveRoleSet; +import org.apache.sentry.core.common.Authorizable; +import org.apache.sentry.core.common.Subject; +import org.apache.sentry.core.common.utils.PathUtils; +import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; +import org.apache.sentry.core.model.db.Database; +import org.apache.sentry.core.model.db.Server; +import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.core.common.exception.SentryAccessDeniedException; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient; +import org.apache.sentry.api.service.thrift.TSentryGrantOption; +import 
org.apache.sentry.api.service.thrift.TSentryPrivilege; +import org.apache.sentry.api.service.thrift.TSentryRole; +import org.apache.sentry.service.thrift.SentryServiceClientFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.base.Preconditions; +import com.google.common.base.Splitter; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Iterables; +import com.google.common.collect.Sets; + +public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable { + private static final Logger LOG = LoggerFactory + .getLogger(SentryGrantRevokeTask.class); + private static final int RETURN_CODE_SUCCESS = 0; + private static final int RETURN_CODE_FAILURE = 1; + private static final Splitter DB_TBL_SPLITTER = Splitter.on(".").omitEmptyStrings().trimResults(); + private static final int separator = Utilities.tabCode; + private static final int terminator = Utilities.newLineCode; + private static final long serialVersionUID = -7625118066790571999L; + + private HiveConf conf; + private HiveAuthzBinding hiveAuthzBinding; + private HiveAuthzConf authzConf; + private String server; + private Subject subject; + private Set<String> subjectGroups; + private String ipAddress; + private HiveOperation stmtOperation; + + @Override + public void initialize(QueryState queryState, QueryPlan queryPlan, DriverContext ctx, + CompilationOpContext opContext) { + // CompilationOpContext is an unused parameter on the initialize() method. 
+ super.initialize(queryState, queryPlan, driverContext, null); + this.conf = queryState.getConf(); + } + + @Override + public int execute(DriverContext driverContext) { + try (SentryPolicyServiceClient sentryClient = + SentryServiceClientFactory.create(authzConf)) { + Preconditions.checkNotNull(hiveAuthzBinding, "HiveAuthzBinding cannot be null"); + Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null"); + Preconditions.checkNotNull(subject, "Subject cannot be null"); + server = Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()), + "Config " + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required"); + try { + if (work.getRoleDDLDesc() != null) { + return processRoleDDL(console, sentryClient, subject.getName(), + hiveAuthzBinding, work.getRoleDDLDesc()); + } + if (work.getGrantDesc() != null) { + return processGrantDDL(console, sentryClient, + subject.getName(), server, work.getGrantDesc()); + } + if (work.getRevokeDesc() != null) { + return processRevokeDDL(console, sentryClient, + subject.getName(), server, work.getRevokeDesc()); + } + if (work.getShowGrantDesc() != null) { + return processShowGrantDDL(console, sentryClient, subject.getName(), + work.getShowGrantDesc()); + } + if (work.getGrantRevokeRoleDDL() != null) { + return processGrantRevokeRoleDDL(console, sentryClient, + subject.getName(), work.getGrantRevokeRoleDDL()); + } + throw new AssertionError( + "Unknown command passed to Sentry Grant/Revoke Task"); + } catch (SentryAccessDeniedException e) { + String csHooks = authzConf.get( + HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "") + .trim(); + SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl( + queryPlan.getQueryString(), new HashSet<ReadEntity>(), + new HashSet<WriteEntity>(), stmtOperation, + null, null, null, null, subject.getName(), ipAddress, + new AuthorizationException(e), conf); + HiveAuthzBindingHookBase.runFailureHook(hookContext, csHooks); + throw e; 
// rethrow the exception for logging + } + } catch(SentryUserException e) { + setException(new Exception(e.getClass().getSimpleName() + ": " + e.getReason(), e)); + String msg = "Error processing Sentry command: " + e.getReason() + "."; + if (e instanceof SentryAccessDeniedException) { + msg += "Please grant admin privilege to " + subject.getName() + "."; + } + LOG.error(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } catch(Throwable e) { + setException(e); + String msg = "Error processing Sentry command: " + e.getMessage(); + LOG.error(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } finally { + if (hiveAuthzBinding != null) { + hiveAuthzBinding.close(); + } + } + } + + public void setAuthzConf(HiveAuthzConf authzConf) { + Preconditions.checkState(this.authzConf == null, + "setAuthzConf should only be called once: " + this.authzConf); + this.authzConf = authzConf; + } + public void setHiveAuthzBinding(HiveAuthzBinding hiveAuthzBinding) { + Preconditions.checkState(this.hiveAuthzBinding == null, + "setHiveAuthzBinding should only be called once: " + this.hiveAuthzBinding); + this.hiveAuthzBinding = hiveAuthzBinding; + } + public void setSubject(Subject subject) { + Preconditions.checkState(this.subject == null, + "setSubject should only be called once: " + this.subject); + this.subject = subject; + } + public void setSubjectGroups(Set<String> subjectGroups) { + Preconditions.checkState(this.subjectGroups == null, + "setSubjectGroups should only be called once: " + this.subjectGroups); + this.subjectGroups = subjectGroups; + } + + public void setIpAddress(String ipAddress) { + this.ipAddress = ipAddress; + } + + public void setOperation(HiveOperation stmtOperation) { + this.stmtOperation = stmtOperation; + } + + private int processRoleDDL(LogHelper console, + SentryPolicyServiceClient sentryClient, String subject, + HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc) + throws SentryUserException { + 
RoleDDLDesc.RoleOperation operation = desc.getOperation(); + DataOutputStream outStream = null; + String name = desc.getName(); + try { + if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) { + hiveAuthzBinding.setActiveRoleSet(name, sentryClient.listUserRoles(subject)); + return RETURN_CODE_SUCCESS; + } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { + sentryClient.createRole(subject, name); + return RETURN_CODE_SUCCESS; + } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) { + sentryClient.dropRole(subject, name); + return RETURN_CODE_SUCCESS; + } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { + Set<TSentryRole> roles; + PrincipalType principalType = desc.getPrincipalType(); + if (principalType == PrincipalType.GROUP) { + roles = sentryClient.listRolesByGroupName(subject, name); + } else if (principalType == PrincipalType.USER) { + roles = sentryClient.listRolesByUserName(subject, name); + } else { + String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType; + throw new HiveException(msg); + } + writeToFile(writeRoleGrantsInfo(roles), desc.getResFile()); + return RETURN_CODE_SUCCESS; + } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { + Set<TSentryRole> roles = sentryClient.listAllRoles(subject); + writeToFile(writeRolesInfo(roles), desc.getResFile()); + return RETURN_CODE_SUCCESS; + } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE)) { + ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet(); + if( roleSet.isAll()) { + Set<TSentryRole> roles = sentryClient.listUserRoles(subject); + writeToFile(writeRolesInfo(roles), desc.getResFile()); + return RETURN_CODE_SUCCESS; + } else { + Set<String> roles = roleSet.getRoles(); + writeToFile(writeActiveRolesInfo(roles), desc.getResFile()); + return RETURN_CODE_SUCCESS; + } + } else { + throw new HiveException("Unknown role operation " + + operation.getOperationName()); + } + } catch 
(HiveException e) { + String msg = "Error in role operation " + + operation.getOperationName() + " on role name " + + name + ", error message " + e.getMessage(); + LOG.warn(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } catch (IOException e) { + String msg = "IO Error in role operation " + e.getMessage(); + LOG.info(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } finally { + closeQuiet(outStream); + } + } + + private int processGrantDDL(LogHelper console, + SentryPolicyServiceClient sentryClient, String subject, + String server, GrantDesc desc) throws SentryUserException { + return processGrantRevokeDDL(console, sentryClient, subject, + server, true, desc.getPrincipals(), desc.getPrivileges(), + desc.getPrivilegeSubjectDesc(), desc.isGrantOption()); + } + + // For grant option, we use null to stand for revoke the privilege ignore the grant option + private int processRevokeDDL(LogHelper console, + SentryPolicyServiceClient sentryClient, String subject, + String server, RevokeDesc desc) throws SentryUserException { + return processGrantRevokeDDL(console, sentryClient, subject, + server, false, desc.getPrincipals(), desc.getPrivileges(), + desc.getPrivilegeSubjectDesc(), null); + } + + private int processShowGrantDDL(LogHelper console, SentryPolicyServiceClient sentryClient, + String subject, ShowGrantDesc desc) throws SentryUserException{ + PrincipalDesc principalDesc = desc.getPrincipalDesc(); + PrivilegeObjectDesc hiveObjectDesc = desc.getHiveObj(); + String principalName = principalDesc.getName(); + Set<TSentryPrivilege> privileges; + + try { + if (principalDesc.getType() != PrincipalType.ROLE) { + String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalDesc.getType(); + throw new HiveException(msg); + } + + if (hiveObjectDesc == null) { + privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, null); + } else { + SentryHivePrivilegeObjectDesc privSubjectDesc = 
toSentryHivePrivilegeObjectDesc(hiveObjectDesc); + List<Authorizable> authorizableHeirarchy = toAuthorizable(privSubjectDesc); + if (privSubjectDesc.getColumns() != null && !privSubjectDesc.getColumns().isEmpty()) { + List<List<Authorizable>> ps = parseColumnToAuthorizable(authorizableHeirarchy, privSubjectDesc); + ImmutableSet.Builder<TSentryPrivilege> pbuilder = new ImmutableSet.Builder<TSentryPrivilege>(); + for (List<Authorizable> p : ps) { + pbuilder.addAll(sentryClient.listPrivilegesByRoleName(subject, principalName, p)); + } + privileges = pbuilder.build(); + } else { + privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, authorizableHeirarchy); + } + } + writeToFile(writeGrantInfo(privileges, principalName), desc.getResFile()); + return RETURN_CODE_SUCCESS; + } catch (IOException e) { + String msg = "IO Error in show grant " + e.getMessage(); + LOG.info(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } catch (HiveException e) { + String msg = "Error in show grant operation, error message " + e.getMessage(); + LOG.warn(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } + } + + private List<Authorizable> toAuthorizable(SentryHivePrivilegeObjectDesc privSubjectDesc) throws HiveException{ + List<Authorizable> authorizableHeirarchy = new ArrayList<Authorizable>(); + authorizableHeirarchy.add(new Server(server)); + String dbName = null; + if (privSubjectDesc.getTable()) { + DatabaseTable dbTable = parseDBTable(privSubjectDesc.getObject()); + dbName = dbTable.getDatabase(); + String tableName = dbTable.getTable(); + authorizableHeirarchy.add(new Table(tableName)); + authorizableHeirarchy.add(new Database(dbName)); + } else if (privSubjectDesc.getUri()) { + String uriPath = privSubjectDesc.getObject(); + String warehouseDir = conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE); + try { + authorizableHeirarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDir, uriPath))); + } catch(URISyntaxException e) { 
+ throw new HiveException(e.getMessage(), e); + } + } else { + dbName = privSubjectDesc.getObject(); + authorizableHeirarchy.add(new Database(dbName)); + } + return authorizableHeirarchy; + } + + private List<List<Authorizable>> parseColumnToAuthorizable(List<Authorizable> authorizableHeirarchy, + SentryHivePrivilegeObjectDesc privSubjectDesc) { + ImmutableList.Builder<List<Authorizable>> listsBuilder = ImmutableList.builder(); + List<String> cols = privSubjectDesc.getColumns(); + if ( cols != null && !cols.isEmpty() ) { + for ( String col : cols ) { + ImmutableList.Builder<Authorizable> listBuilder = ImmutableList.builder(); + listBuilder.addAll(authorizableHeirarchy); + listBuilder.add(new Column(col)); + listsBuilder.add(listBuilder.build()); + } + } + return listsBuilder.build(); + } + + private void writeToFile(String data, String file) throws IOException { + Path resFile = new Path(file); + FileSystem fs = resFile.getFileSystem(conf); + FSDataOutputStream out = fs.create(resFile); + try { + if (data != null && !data.isEmpty()) { + try (OutputStreamWriter writer = new OutputStreamWriter(out, "UTF-8")) { + writer.write(data); + writer.write((char) terminator); + writer.flush(); + } + } + } finally { + closeQuiet(out); + } + } + + private int processGrantRevokeRoleDDL(LogHelper console, + SentryPolicyServiceClient sentryClient, String subject, + GrantRevokeRoleDDL desc) throws SentryUserException { + try { + boolean grantRole = desc.getGrant(); + List<PrincipalDesc> principals = desc.getPrincipalDesc(); + List<String> roles = desc.getRoles(); + // get principals + Set<String> groups = Sets.newHashSet(); + Set<String> users = Sets.newHashSet(); + for (PrincipalDesc principal : principals) { + if (principal.getType() == PrincipalType.GROUP) { + groups.add(principal.getName()); + } else if (principal.getType() == PrincipalType.USER) { + users.add(principal.getName()); + } else { + String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + + 
principal.getType(); + throw new HiveException(msg); + } + } + + // grant/revoke role to/from principals + for (String roleName : roles) { + if (grantRole) { + if (groups.size() > 0) { + sentryClient.grantRoleToGroups(subject, roleName, groups); + } + if (users.size() > 0) { + sentryClient.grantRoleToUsers(subject, roleName, users); + } + } else { + if (groups.size() > 0) { + sentryClient.revokeRoleFromGroups(subject, roleName, groups); + } + if (users.size() > 0) { + sentryClient.revokeRoleFromUsers(subject, roleName, users); + } + } + } + + } catch (HiveException e) { + String msg = "Error in grant/revoke operation, error message " + e.getMessage(); + LOG.warn(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } + return RETURN_CODE_SUCCESS; + } + + static String writeGrantInfo(Set<TSentryPrivilege> privileges, String roleName) { + if (privileges == null || privileges.isEmpty()) { + return ""; + } + StringBuilder builder = new StringBuilder(); + + for (TSentryPrivilege privilege : privileges) { + + if (ApiConstants.PrivilegeScope.URI.name().equalsIgnoreCase( + privilege.getPrivilegeScope())) { + appendNonNull(builder, privilege.getURI(), true); + } else if(ApiConstants.PrivilegeScope.SERVER.name().equalsIgnoreCase( + privilege.getPrivilegeScope())) { + appendNonNull(builder, "*", true);//Db column would show * if it is a server level privilege + } else { + appendNonNull(builder, privilege.getDbName(), true); + } + appendNonNull(builder, privilege.getTableName()); + appendNonNull(builder, null);//getPartValues() + appendNonNull(builder, privilege.getColumnName());//getColumnName() + appendNonNull(builder, roleName);//getPrincipalName() + appendNonNull(builder, "ROLE");//getPrincipalType() + appendNonNull(builder, privilege.getAction()); + appendNonNull(builder, + TSentryGrantOption.TRUE.equals(privilege.getGrantOption())); + appendNonNull(builder, privilege.getCreateTime() * 1000L); + appendNonNull(builder, "--"); + } + 
LOG.info("builder.toString(): " + builder.toString()); + return builder.toString(); + } + + static String writeRoleGrantsInfo(Set<TSentryRole> roleGrants) { + if (roleGrants == null || roleGrants.isEmpty()) { + return ""; + } + StringBuilder builder = new StringBuilder(); + for (TSentryRole roleGrant : roleGrants) { + appendNonNull(builder, roleGrant.getRoleName(), true); + appendNonNull(builder, false);//isGrantOption() + appendNonNull(builder, null);//roleGrant.getGrantTime() * 1000L + appendNonNull(builder, "--"); + } + return builder.toString(); + } + + static String writeRolesInfo(Set<TSentryRole> roles) { + if (roles == null || roles.isEmpty()) { + return ""; + } + StringBuilder builder = new StringBuilder(); + for (TSentryRole roleGrant : roles) { + appendNonNull(builder, roleGrant.getRoleName(), true); + } + return builder.toString(); + } + + static String writeActiveRolesInfo(Set<String> roles) { + if (roles == null || roles.isEmpty()) { + return ""; + } + StringBuilder builder = new StringBuilder(); + for (String role : roles) { + appendNonNull(builder, role, true); + } + return builder.toString(); + } + + static StringBuilder appendNonNull(StringBuilder builder, Object value) { + return appendNonNull(builder, value, false); + } + + static StringBuilder appendNonNull(StringBuilder builder, Object value, boolean firstColumn) { + if (!firstColumn) { + builder.append((char)separator); + } else if (builder.length() > 0) { + builder.append((char)terminator); + } + if (value != null) { + builder.append(value); + } + return builder; + } + + private static int processGrantRevokeDDL(LogHelper console, + SentryPolicyServiceClient sentryClient, String subject, String server, + boolean isGrant, List<PrincipalDesc> principals, + List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectObjDesc, + Boolean grantOption) throws SentryUserException { + if (privileges == null || privileges.size() == 0) { + console.printError("No privilege found."); + return 
RETURN_CODE_FAILURE; + } + + String dbName = null; + String tableName = null; + List<String> columnNames = null; + String uriPath = null; + String serverName = null; + try { + SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(privSubjectObjDesc); + + if (privSubjectDesc == null) { + throw new HiveException("Privilege subject cannot be null"); + } + if (privSubjectDesc.getPartSpec() != null) { + throw new HiveException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED); + } + String obj = privSubjectDesc.getObject(); + if (privSubjectDesc.getTable()) { + DatabaseTable dbTable = parseDBTable(obj); + dbName = dbTable.getDatabase(); + tableName = dbTable.getTable(); + } else if (privSubjectDesc.getUri()) { + uriPath = privSubjectDesc.getObject(); + } else if (privSubjectDesc.getServer()) { + serverName = privSubjectDesc.getObject(); + } else { + dbName = privSubjectDesc.getObject(); + } + for (PrivilegeDesc privDesc : privileges) { + List<String> columns = privDesc.getColumns(); + if (columns != null && !columns.isEmpty()) { + columnNames = columns; + } + if (!SentryHiveConstants.ALLOWED_PRIVS.contains(privDesc.getPrivilege().getPriv())) { + String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privDesc.getPrivilege().getPriv(); + throw new HiveException(msg); + } + if (columnNames != null && (privDesc.getPrivilege().getPriv().equals(PrivilegeType.INSERT) + || privDesc.getPrivilege().getPriv().equals(PrivilegeType.ALL))) { + String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + + privDesc.getPrivilege().getPriv() + " on Column"; + throw new SemanticException(msg); + } + } + for (PrincipalDesc princ : principals) { + if (princ.getType() != PrincipalType.ROLE) { + String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + princ.getType(); + throw new HiveException(msg); + } + for (PrivilegeDesc privDesc : privileges) { + if (isGrant) { + if (serverName != null) { + sentryClient.grantServerPrivilege(subject, 
princ.getName(), serverName, + toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else if (uriPath != null) { + sentryClient.grantURIPrivilege(subject, princ.getName(), server, uriPath, grantOption); + } else if (tableName == null) { + sentryClient.grantDatabasePrivilege(subject, princ.getName(), server, dbName, + toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else if (columnNames == null) { + sentryClient.grantTablePrivilege(subject, princ.getName(), server, dbName, + tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else { + sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName, + tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } + } else { + if (serverName != null) { + sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName, + toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else if (uriPath != null) { + sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption); + } else if (tableName == null) { + sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName, + toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else if (columnNames == null) { + sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName, + tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else { + sentryClient.revokeColumnsPrivilege(subject, princ.getName(), server, dbName, + tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } + } + } + } + return RETURN_CODE_SUCCESS; + } catch (HiveException e) { + String msg = "Error in grant/revoke operation, error message " + e.getMessage(); + LOG.warn(msg, e); + console.printError(msg); + return RETURN_CODE_FAILURE; + } + } + + private static String toDbSentryAction(PrivilegeType privilegeType) throws SentryUserException{ + 
switch(privilegeType) { + case ALL: + return AccessConstants.ALL; + case SELECT: + return AccessConstants.SELECT; + case INSERT: + return AccessConstants.INSERT; + case CREATE: + return AccessConstants.CREATE; + case DROP: + return AccessConstants.DROP; + case ALTER_METADATA: + return AccessConstants.ALTER; + case INDEX: + return AccessConstants.INDEX; + case LOCK: + return AccessConstants.LOCK; + default: + throw new SentryUserException("Unknown privilege type: " + privilegeType); + //Exception is thrown here only for development purposes. + } + } + + private static SentryHivePrivilegeObjectDesc toSentryHivePrivilegeObjectDesc(PrivilegeObjectDesc privSubjectObjDesc) + throws HiveException{ + if (!(privSubjectObjDesc instanceof SentryHivePrivilegeObjectDesc)) { + throw new HiveException( + "Privilege subject not parsed correctly by Sentry"); + } + return (SentryHivePrivilegeObjectDesc) privSubjectObjDesc; + } + + private static String toSentryAction(PrivilegeType privilegeType) { + if (PrivilegeType.ALL.equals(privilegeType)) { + return AccessConstants.ALL; + } else { + return privilegeType.toString(); + } + } + + private static DatabaseTable parseDBTable(String obj) throws HiveException { + String[] dbTab = Iterables.toArray(DB_TBL_SPLITTER.split(obj), String.class); + if (dbTab.length == 2) { + return new DatabaseTable(dbTab[0], dbTab[1]); + } else if (dbTab.length == 1){ + return new DatabaseTable(SessionState.get().getCurrentDatabase(), obj); + } else { + String msg = "Malformed database.table '" + obj + "'"; + throw new HiveException(msg); + } + } + + private static class DatabaseTable { + private final String database; + private final String table; + public DatabaseTable(String database, String table) { + this.database = database; + this.table = table; + } + public String getDatabase() { + return database; + } + public String getTable() { + return table; + } + } + + /** + * Close to be used in the try block of a try-catch-finally + * statement. 
Returns null so the close/set to null idiom can be + * completed in a single line. + */ + private static DataOutputStream close(DataOutputStream out) + throws IOException { + if (out != null) { + out.close(); + } + return null; + } + /** + * Close to be used in the finally block of a try-catch-finally + * statement. + */ + private static void closeQuiet(DataOutputStream out) { + try { + close(out); + } catch (IOException e) { + LOG.warn("Error closing output stream", e); + } + } + + @Override + public boolean requireLock() { + return false; + } + + @Override + public StageType getType() { + return StageType.DDL; + } + + @Override + public String getName() { + return "SENTRY"; + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java index 2abe37e..fc2427c 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java 
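Review bot: In `initialize()` the `ctx` parameter is never used; the call `super.initialize(queryState, queryPlan, driverContext, null)` passes what appears to be the inherited `driverContext` field, which is presumably still unset at that point, so the caller's DriverContext is dropped instead of being stored in the task. The intended line is most likely `super.initialize(queryState, queryPlan, ctx, null);`. Separately, in `processRoleDDL()` the local `outStream` is declared, never assigned, and only reaches `closeQuiet(outStream)` in the finally block, so that stream handling is dead code (the result files are written through `writeToFile()`, which closes its own stream) and can be removed. `writeGrantInfo()` also logs the complete grant listing at INFO level (`LOG.info("builder.toString(): " + builder.toString())`), which writes every privilege of the queried role into the server log on each SHOW GRANT; `LOG.debug` is the more appropriate level for that dump. These issues predate the move, but the relocation of the file is a natural point to fix them.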
@@ -50,9 +50,9 @@ import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index c23547a..5f1e3e9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -43,7 +43,7 @@ import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.common.exception.SentryConfigurationException;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 import java.security.CodeSource;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
index 24d7763..7b2d8be 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
@@ -33,7 +33,7 @@ import org.apache.hadoop.hive.metastore.events.DropPartitionEvent;
 import org.apache.hadoop.hive.metastore.events.DropTableEvent;
 import org.apache.hadoop.hive.metastore.events.ListenerEvent;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
index 1c41639..dd6936c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
@@ -50,10 +50,10 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; -import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.service.thrift.TSentryGrantOption; +import org.apache.sentry.api.service.thrift.TSentryPrivilege; +import org.apache.sentry.api.service.thrift.TSentryRole; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -239,7 +239,7 @@ public class SentryAuthorizerUtil { */ public static HivePrivilegeObject convert2HivePrivilegeObject(TSentryPrivilege tSentryPrivilege) { HivePrivilegeObject privilege = null; - switch (PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) { + switch (ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) { case SERVER: privilege = new HivePrivilegeObject(HivePrivilegeObjectType.GLOBAL, "*", null); break; @@ -271,7 +271,7 @@ public class SentryAuthorizerUtil { } default: LOG.warn("Unknown PrivilegeScope: " - + PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())); + + ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())); break; } return privilege; http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java ---------------------------------------------------------------------- 
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
index cca326b..fc1c3d5 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
@@ -27,7 +27,7 @@ import org.apache.hadoop.hive.metastore.events.DropTableEvent;
 import org.apache.hadoop.hive.metastore.events.ListenerEvent;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
index e4abdc7..07b21b9 100644
--- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
+++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
@@ -56,13 +56,14 @@ import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.api.generic.thrift.TAuthorizable;
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.api.generic.thrift.TSentryRole;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.tools.GenericPrivilegeConverter;
+import org.apache.sentry.service.common.ServiceConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import scala.Option;
@@ -159,23 +160,23 @@ public class KafkaAuthBinding { if (enableCachingConfig != null) { String enableCaching = enableCachingConfig.toString(); if (Boolean.parseBoolean(enableCaching)) { - authConf.set(ServiceConstants.ClientConfig.ENABLE_CACHING, enableCaching); + authConf.set(ApiConstants.ClientConfig.ENABLE_CACHING, enableCaching); final Object cacheTtlMsConfig = kafkaConfigs .get(AuthzConfVars.AUTHZ_CACHING_TTL_MS_NAME.getVar()); if (cacheTtlMsConfig != null) { - authConf.set(ServiceConstants.ClientConfig.CACHE_TTL_MS, cacheTtlMsConfig.toString()); + authConf.set(ApiConstants.ClientConfig.CACHE_TTL_MS, cacheTtlMsConfig.toString()); } final Object cacheUpdateFailuresCountConfig = kafkaConfigs .get(AuthzConfVars.AUTHZ_CACHING_UPDATE_FAILURES_COUNT_NAME.getVar()); if (cacheUpdateFailuresCountConfig != null) { - authConf.set(ServiceConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE, + authConf.set(ApiConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE, cacheUpdateFailuresCountConfig.toString()); } - if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { - authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, + if (authConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { + authConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); } } http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java index 5c2a301..32a1fc1 100644 --- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java 
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java @@ -48,10 +48,10 @@ import org.apache.sentry.provider.common.ProviderBackend; import org.apache.sentry.provider.common.ProviderBackendContext; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory; -import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter; -import org.apache.sentry.service.thrift.ServiceConstants; +import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient; +import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.tools.GenericPrivilegeConverter; import org.apache.solr.security.AuthorizationResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -110,8 +110,8 @@ public class SolrAuthzBinding implements Closeable { + policyEngineName + ", provider backend " + providerBackendName); // for convenience, set the PrivilegeConverter. - if (authzConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { - authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, + if (authzConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { + authzConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); } http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java ---------------------------------------------------------------------- 
diff --git a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
index b7cbd32..539ccc1 100644
--- a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
+++ b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
@@ -37,14 +37,14 @@ import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.api.generic.thrift.TAuthorizable;
+import org.apache.sentry.api.generic.thrift.TSentryGrantOption;
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.api.generic.thrift.TSentryRole;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.tools.GenericPrivilegeConverter;
 import org.apache.sentry.sqoop.conf.SqoopAuthConf.AuthzConfVars;
 import org.apache.sqoop.common.SqoopException;
 import org.apache.sqoop.model.MPrivilege;
@@ -112,8 +112,8 @@ public class SqoopAuthBinding { } // for convenience, set the PrivilegeConverter. - if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { - authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); + if (authConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) { + authConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName()); } //Instantiate the configured providerBackend http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java new file mode 100644 index 0000000..6fcf8ab --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java 
@@ -0,0 +1,90 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.common;
+
+
+import org.apache.sentry.service.common.ServiceConstants;
+
+public class ApiConstants {
+
+ public static class SentryPolicyServiceConstants {
+ //from SentryPolicyStoreProcessor and SentryGenericPolicyProcessor
+ public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
+ public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
+ }
+
+ public static class ClientConfig {
+ public static final String SERVER_RPC_PORT = "sentry.service.client.server.rpc-port";
+ public static final int SERVER_RPC_PORT_DEFAULT = ServiceConstants.ServerConfig.RPC_PORT_DEFAULT;
+ public static final String SERVER_RPC_ADDRESS = "sentry.service.client.server.rpc-addresses";
+ public static final String SERVER_RPC_CONN_TIMEOUT = "sentry.service.client.server.rpc-connection-timeout";
+
+ // HA configuration
+ public static final String SENTRY_HA_ZOOKEEPER_QUORUM = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM;
+ public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE;
+ public static final String SERVER_HA_ZOOKEEPER_NAMESPACE_DEFAULT = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT;
+
+ // connection pool configuration
+ public static final String SENTRY_POOL_ENABLED = "sentry.service.client.connection.pool.enabled";
+ public static final boolean SENTRY_POOL_ENABLED_DEFAULT = false;
+
+ // commons-pool configuration for pool size
+ public static final String SENTRY_POOL_MAX_TOTAL = "sentry.service.client.connection.pool.max-total";
+ public static final int SENTRY_POOL_MAX_TOTAL_DEFAULT = 8;
+ public static final String SENTRY_POOL_MAX_IDLE = "sentry.service.client.connection.pool.max-idle";
+ public static final int SENTRY_POOL_MAX_IDLE_DEFAULT = 8;
+ public static final String SENTRY_POOL_MIN_IDLE = "sentry.service.client.connection.pool.min-idle";
+ public static final int SENTRY_POOL_MIN_IDLE_DEFAULT = 0;
+
+ // retry num for getting the connection from connection pool
+ public static final String SENTRY_POOL_RETRY_TOTAL = "sentry.service.client.connection.pool.retry-total";
+ public static final int SENTRY_POOL_RETRY_TOTAL_DEFAULT = 3;
+
+ // max message size for thrift messages
+ public static final String SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.client.thrift.max.message.size";
+ public static final long SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
+
+ // client retry settings
+ public static final String RETRY_COUNT_CONF = "sentry.provider.backend.db.retry.count";
+ public static final int RETRY_COUNT_DEFAULT = 3;
+ public static final String RETRY_INTERVAL_SEC_CONF = "sentry.provider.backend.db.retry.interval.seconds";
+ public static final int RETRY_INTERVAL_SEC_DEFAULT = 30;
+
+ // provider backend cache settings
+ public static final String ENABLE_CACHING = "sentry.provider.backend.generic.cache.enabled";
+ public static final boolean ENABLE_CACHING_DEFAULT = false;
+ public static final String CACHE_TTL_MS = "sentry.provider.backend.generic.cache.ttl.ms";
+ public static final long CACHING_TTL_MS_DEFAULT = 30000;
+ public static final String CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE = "sentry.provider.backend.generic.cache.update.failures.count";
+ public static final int CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT = 3;
+ public static final String PRIVILEGE_CONVERTER = "sentry.provider.backend.generic.privilege.converter";
+
+ public static final String COMPONENT_TYPE = "sentry.provider.backend.generic.component-type";
+ public static final String SERVICE_NAME = "sentry.provider.backend.generic.service-name";
+ }
+
+ /* Privilege operation scope */
+ public enum PrivilegeScope {
+ SERVER,
+ URI,
+ DATABASE,
+ TABLE,
+ COLUMN
+ }
+}
\ No newline at end of file
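Review bot: `ApiConstants`, `SentryPolicyServiceConstants` and `ClientConfig` are pure constant holders but are declared as plain `public class` with an implicit public constructor, so nothing stops them being instantiated or subclassed; make each `public final class` and add `private ApiConstants() {}` (and the same private constructor inside the two nested classes). The `ClientConfig` keys that the Kafka, Solr and Sqoop bindings set on their authz configuration (`ENABLE_CACHING`, `CACHE_TTL_MS`, `CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE`) move here with no Javadoc even though, judging by their names, they decide how long cached privileges keep authorizing requests once the Sentry service cannot be reached; a comment such as `// Consecutive cache refresh failures tolerated before cached privileges stop being honoured — TODO confirm against the generic provider backend` on those three would tell an operator what they are tuning. `PrivilegeScope` also deserves a one-line note that its constant names are the literal strings accepted by `ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())` in SentryAuthorizerUtil, so renaming a constant changes what the Thrift payload must carry. The file is also missing its trailing newline.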
