http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
deleted file mode 100644
index 3488e11..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.TimeUnit;
-
-import com.google.common.base.Preconditions;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import static org.apache.hadoop.hive.conf.HiveConf.ConfVars.METASTOREURIS;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_CREATE_WITH_POLICY_STORE;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_DROP_WITH_POLICY_STORE;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-
-import com.google.common.collect.Lists;
-import org.slf4j.Logger;
-
-public final class SentryServiceUtil {
-
- private static boolean firstCallHDFSSyncEnabled = true;
- private static boolean hdfsSyncEnabled = false;
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- return tSentryPrivilege;
- }
-
- /**
- * Parse the object path from string to map.
- * @param objectPath the string format as db=db1->table=tbl1
- * @return Map
- */
- public static Map<String, String> parseObjectPath(String objectPath) {
- Map<String, String> objectMap = new HashMap<String, String>();
- if (StringUtils.isEmpty(objectPath)) {
- return objectMap;
- }
- for (String kvStr : SentryConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
- KeyValue kv = new KeyValue(kvStr);
- String key = kv.getKey();
- String value = kv.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
- }
- }
- return objectMap;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- PrivilegeScope privilegeScope = PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // convert TSentryPrivilege to privilege in string
- public static String convertTSentryPrivilegeToStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- /**
- * Gracefully shut down an Executor service.
- * <p>
- * This code is based on the Javadoc example for the Executor service.
- * <p>
- * First call shutdown to reject incoming tasks, and then call
- * shutdownNow, if necessary, to cancel any lingering tasks.
- *
- * @param pool the executor service to shut down
- * @param poolName the name of the executor service to shut down to make it easy for debugging
- * @param timeout the timeout interval to wait for its termination
- * @param unit the unit of the timeout
- * @param logger the logger to log the error message if it cannot terminate. It could be null
- */
- public static void shutdownAndAwaitTermination(ExecutorService pool, String poolName,
- long timeout, TimeUnit unit, Logger logger) {
- Preconditions.checkNotNull(pool);
-
- pool.shutdown(); // Disable new tasks from being submitted
- try {
- // Wait a while for existing tasks to terminate
- if (!pool.awaitTermination(timeout, unit)) {
- pool.shutdownNow(); // Cancel currently executing tasks
- // Wait a while for tasks to respond to being cancelled
- if ((!pool.awaitTermination(timeout, unit)) && (logger != null)) {
- logger.error("Executor service {} did not terminate",
- StringUtils.defaultIfBlank(poolName, "null"));
- }
- }
- } catch (InterruptedException ignored) {
- // (Re-)Cancel if current thread also interrupted
- pool.shutdownNow();
- // Preserve interrupt status
- Thread.currentThread().interrupt();
- }
- }
-
- /**
- * Check if Sentry is configured with HDFS sync enabled. Cache the result
- *
- * @param conf The Configuration object where HDFS sync configurations are set.
- * @return True if enabled; False otherwise.
- */
- public static boolean isHDFSSyncEnabled(Configuration conf) {
- if (firstCallHDFSSyncEnabled) {
- List<String> processorFactories =
- Arrays.asList(conf.get(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "").split(","));
-
- List<String> policyStorePlugins =
- Arrays.asList(
- conf.get(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "").split(","));
-
- hdfsSyncEnabled =
- processorFactories.contains("org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory")
- && policyStorePlugins.contains("org.apache.sentry.hdfs.SentryPlugin");
- firstCallHDFSSyncEnabled = false;
- }
-
- return hdfsSyncEnabled;
- }
-
- /**
- * Check if Sentry is configured with HDFS sync enabled without caching the result
- *
- * @param conf The Configuration object where HDFS sync configurations are set.
- * @return True if enabled; False otherwise.
- */
- public static boolean isHDFSSyncEnabledNoCache(Configuration conf) {
-
- List<String> processorFactories =
- Arrays.asList(conf.get(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "").split(","));
-
- List<String> policyStorePlugins =
- Arrays.asList(
- conf.get(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "").split(","));
-
- hdfsSyncEnabled =
- processorFactories.contains("org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory")
- && policyStorePlugins.contains("org.apache.sentry.hdfs.SentryPlugin");
-
-
- return hdfsSyncEnabled;
- }
-
- /**
- * Check if Sentry is configured with policy store sync enabled
- * @param conf
- * @return True if enabled; False otherwise
- */
- public static boolean isSyncPolicyStoreEnabled(Configuration conf) {
- boolean syncStoreOnCreate;
- boolean syncStoreOnDrop;
- boolean syncStoreOnAlter;
-
- syncStoreOnCreate = Boolean
- .parseBoolean(conf.get(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_CREATE_WITH_POLICY_STORE.getDefault()));
- syncStoreOnDrop = Boolean.parseBoolean(conf.get(AUTHZ_SYNC_DROP_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_DROP_WITH_POLICY_STORE.getDefault()));
- syncStoreOnAlter = Boolean.parseBoolean(conf.get(AUTHZ_SYNC_ALTER_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_ALTER_WITH_POLICY_STORE.getDefault()));
-
- return syncStoreOnCreate || syncStoreOnDrop || syncStoreOnAlter;
- }
-
- static String getHiveMetastoreURI() {
- HiveConf hiveConf = new HiveConf();
- return hiveConf.get(METASTOREURIS.varname);
- }
-
- /**
- * Derives object name from database and table names by concatenating them
- *
- * @param authorizable for which is name is to be derived
- * @return authorizable name
- * @throws SentryInvalidInputException if argument provided does not have all the
- * required fields set.
- */
- public static String getAuthzObj(TSentryAuthorizable authorizable)
- throws SentryInvalidInputException {
- return getAuthzObj(authorizable.getDb(), authorizable.getTable());
- }
-
- /**
- * Derives object name from database and table names by concatenating them
- *
- * @param dbName
- * @param tblName
- * @return authorizable name
- * @throws SentryInvalidInputException if argument provided does not have all the
- * required fields set.
- */
- public static String getAuthzObj(String dbName, String tblName)
- throws SentryInvalidInputException {
- if (SentryStore.isNULL(dbName)) {
- throw new SentryInvalidInputException("Invalif input, DB name is missing");
- }
- return SentryStore.isNULL(tblName) ? dbName.toLowerCase() :
- (dbName + "." + tblName).toLowerCase();
- }
-
- private SentryServiceUtil() {
- // Make constructor private to avoid instantiation
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
deleted file mode 100644
index a66d91e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.sasl.Sasl;
-
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableMap;
-import org.apache.sentry.provider.db.service.thrift.SentryMetrics;
-
-public class ServiceConstants {
-
- private static final ImmutableMap<String, String> SASL_PROPERTIES;
-
- static {
- Map<String, String> saslProps = new HashMap<String, String>();
- saslProps.put(Sasl.SERVER_AUTH, "true");
- saslProps.put(Sasl.QOP, "auth-conf");
- SASL_PROPERTIES = ImmutableMap.copyOf(saslProps);
- }
-
- public static class ConfUtilties {
- public static final Splitter CLASS_SPLITTER = Splitter.onPattern("[\\s,]")
- .trimResults().omitEmptyStrings();
- }
- public static class ServiceArgs {
- public static final String CONFIG_FILE_SHORT = "c";
- public static final String CONFIG_FILE_LONG = "conffile";
- }
-
- public static class ServerConfig {
- public static final ImmutableMap<String, String> SASL_PROPERTIES = ServiceConstants.SASL_PROPERTIES;
- /**
- * This configuration parameter is only meant to be used for testing purposes.
- */
- public static final String SECURITY_MODE = "sentry.service.security.mode";
- public static final String SECURITY_MODE_KERBEROS = "kerberos";
- public static final String SECURITY_MODE_NONE = "none";
- public static final String SECURITY_USE_UGI_TRANSPORT = "sentry.service.security.use.ugi";
- public static final String ADMIN_GROUPS = "sentry.service.admin.group";
- public static final String PRINCIPAL = "sentry.service.server.principal";
- public static final String KEY_TAB = "sentry.service.server.keytab";
- public static final String RPC_PORT = "sentry.service.server.rpc-port";
- public static final int RPC_PORT_DEFAULT = 8038;
- public static final String RPC_ADDRESS = "sentry.service.server.rpc-address";
- public static final String RPC_ADDRESS_DEFAULT = "0.0.0.0"; //NOPMD
- public static final String RPC_MAX_THREADS = "sentry.service.server-max-threads";
- public static final int RPC_MAX_THREADS_DEFAULT = 500;
- public static final String RPC_MIN_THREADS = "sentry.service.server-min-threads";
- public static final int RPC_MIN_THREADS_DEFAULT = 10;
- public static final String ALLOW_CONNECT = "sentry.service.allow.connect";
-
- public static final String SENTRY_POLICY_STORE_PLUGINS = "sentry.policy.store.plugins";
- public static final String SENTRY_POLICY_STORE_PLUGINS_DEFAULT = "";
-
- public static final String SENTRY_METASTORE_PLUGINS = "sentry.metastore.plugins";
- public static final String SENTRY_METASTORE_PLUGINS_DEFAULT = "";
-
- public static final String PROCESSOR_FACTORIES = "sentry.service.processor.factories";
- public static final String PROCESSOR_FACTORIES_DEFAULT =
- "org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessorFactory" +
- ",org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorFactory";
- public static final String SENTRY_STORE_JDBC_URL = "sentry.store.jdbc.url";
- public static final String SENTRY_STORE_JDBC_USER = "sentry.store.jdbc.user";
- public static final String SENTRY_STORE_JDBC_USER_DEFAULT = "Sentry";
- public static final String SENTRY_STORE_JDBC_PASS = "sentry.store.jdbc.password";
- public static final String SENTRY_STORE_JDBC_DRIVER = "sentry.store.jdbc.driver";
- public static final String SENTRY_STORE_JDBC_DRIVER_DEFAULT = "org.apache.derby.jdbc.EmbeddedDriver";
- // The configuration for the maximum number of retries per db transaction,
- // the default value is 3 times
- public static final String SENTRY_STORE_TRANSACTION_RETRY = "sentry.store.transaction.retry";
- public static final int SENTRY_STORE_TRANSACTION_RETRY_DEFAULT = 10;
- // The configuration for the delay (in milliseconds) between retries,
- // the default value is 500 ms
- public static final String SENTRY_STORE_TRANSACTION_RETRY_WAIT_TIME_MILLIS =
- "sentry.store.transaction.retry.wait.time.millis";
- public static final int SENTRY_STORE_TRANSACTION_RETRY_WAIT_TIME_MILLIS_DEFAULT = 250;
-
- public static final String JAVAX_JDO_URL = "javax.jdo.option.ConnectionURL";
- public static final String JAVAX_JDO_USER = "javax.jdo.option.ConnectionUserName";
- public static final String JAVAX_JDO_PASS = "javax.jdo.option.ConnectionPassword";
- public static final String JAVAX_JDO_DRIVER_NAME = "javax.jdo.option.ConnectionDriverName";
-
- public static final String DATANUCLEUS_ISOLATION_LEVEL = "datanucleus.transactionIsolation";
- public static final String DATANUCLEUS_REPEATABLE_READ = "repeatable-read";
-
- public static final String SENTRY_DB_PROPERTY_PREFIX = "sentry.";
- public static final String SENTRY_JAVAX_JDO_PROPERTY_PREFIX = SENTRY_DB_PROPERTY_PREFIX + "javax.jdo";
- public static final String SENTRY_DATANUCLEUS_PROPERTY_PREFIX = SENTRY_DB_PROPERTY_PREFIX + "datanucleus";
-
- public static final String SENTRY_VERIFY_SCHEM_VERSION = "sentry.verify.schema.version";
- public static final String SENTRY_VERIFY_SCHEM_VERSION_DEFAULT = "true";
-
- public static final String SENTRY_SERVICE_NAME = "sentry.service.name";
- public static final String SENTRY_SERVICE_NAME_DEFAULT = "Sentry-Service";
-
- public static final String SENTRY_STORE_GROUP_MAPPING = "sentry.store.group.mapping";
- public static final String SENTRY_STORE_GROUP_MAPPING_RESOURCE = "sentry.store.group.mapping.resource";
- public static final String SENTRY_STORE_HADOOP_GROUP_MAPPING = "org.apache.sentry.provider.common.HadoopGroupMappingService";
- public static final String SENTRY_STORE_LOCAL_GROUP_MAPPING = "org.apache.sentry.provider.file.LocalGroupMappingService";
- public static final String SENTRY_STORE_GROUP_MAPPING_DEFAULT = SENTRY_STORE_HADOOP_GROUP_MAPPING;
-
- public static final String SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL = "sentry.store.orphaned.privilege.removal";
- public static final String SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL_DEFAULT = "false";
- public static final String SENTRY_STORE_CLEAN_PERIOD_SECONDS =
- "sentry.store.clean.period.seconds";
- public static final long SENTRY_STORE_CLEAN_PERIOD_SECONDS_DEFAULT = 43200; // 12 hours.
- public static final String SENTRY_HA_ZK_PROPERTY_PREFIX = "sentry.ha.zookeeper.";
- public static final String SENTRY_HA_ZOOKEEPER_SECURITY = SENTRY_HA_ZK_PROPERTY_PREFIX + "security";
- public static final boolean SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT = false;
- public static final String SENTRY_HA_ZOOKEEPER_QUORUM = SENTRY_HA_ZK_PROPERTY_PREFIX + "quorum";
- public static final String SENTRY_HA_ZOOKEEPER_RETRIES_MAX_COUNT = SENTRY_HA_ZK_PROPERTY_PREFIX + "session.retries.max.count";
- public static final int SENTRY_HA_ZOOKEEPER_RETRIES_MAX_COUNT_DEFAULT = 3;
- public static final String SENTRY_HA_ZOOKEEPER_SLEEP_BETWEEN_RETRIES_MS = SENTRY_HA_ZK_PROPERTY_PREFIX + "session.sleep.between.retries.ms";
- public static final int SENTRY_HA_ZOOKEEPER_SLEEP_BETWEEN_RETRIES_MS_DEFAULT = 100;
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = SENTRY_HA_ZK_PROPERTY_PREFIX + "namespace";
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT = "sentry";
- // principal and keytab for client to be able to connect to secure ZK. Needed for Sentry HA with secure ZK
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL = "sentry.zookeeper.client.principal";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB = "sentry.zookeeper.client.keytab";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE = "sentry.zookeeper.client.ticketcache";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT = "false";
- public static final String SERVER_HA_STANDBY_SIG = "sentry.ha.standby.signal";
-
- // Timeout value in seconds for HMS notificationID synchronization
- // Should match the value for RPC timeout in HMS client config
- public static final String SENTRY_NOTIFICATION_SYNC_TIMEOUT_MS = "sentry.notification.sync.timeout.ms";
- public static final int SENTRY_NOTIFICATION_SYNC_TIMEOUT_DEFAULT = 200000;
-
- public static final ImmutableMap<String, String> SENTRY_STORE_DEFAULTS =
- ImmutableMap.<String, String>builder()
- .put("datanucleus.connectionPoolingType", "BoneCP")
- .put("datanucleus.schema.validateTables", "false")
- .put("datanucleus.schema.validateColumns", "false")
- .put("datanucleus.schema.validateConstraints", "false")
- .put("datanucleus.storeManagerType", "rdbms")
- .put("datanucleus.schema.autoCreateAll", "false")
- .put("datanucleus.autoStartMechanismMode", "checked")
- .put(DATANUCLEUS_ISOLATION_LEVEL, DATANUCLEUS_REPEATABLE_READ)
- .put("datanucleus.cache.level2", "false")
- .put("datanucleus.cache.level2.type", "none")
- .put("datanucleus.query.sql.allowAll", "true")
- .put("datanucleus.identifierFactory", "datanucleus1")
- .put("datanucleus.rdbms.useLegacyNativeValueStrategy", "true")
- .put("datanucleus.plugin.pluginRegistryBundleCheck", "LOG")
- .put("javax.jdo.PersistenceManagerFactoryClass",
- "org.datanucleus.api.jdo.JDOPersistenceManagerFactory")
- .put("javax.jdo.option.DetachAllOnCommit", "true")
- .put("javax.jdo.option.NonTransactionalRead", "false")
- .put("javax.jdo.option.NonTransactionalWrite", "false")
- .put("javax.jdo.option.Multithreaded", "true")
- .build();
-
- // InitialDelay and period time for HMSFollower thread.
- public static final String SENTRY_HMSFOLLOWER_INIT_DELAY_MILLS = "sentry.hmsfollower.init.delay.mills";
- public static final long SENTRY_HMSFOLLOWER_INIT_DELAY_MILLS_DEFAULT = 0;
- public static final String SENTRY_HMSFOLLOWER_INTERVAL_MILLS = "sentry.hmsfollower.interval.mills";
- public static final long SENTRY_HMSFOLLOWER_INTERVAL_MILLS_DEFAULT = 500;
-
- public static final String SENTRY_WEB_ENABLE = "sentry.service.web.enable";
- public static final Boolean SENTRY_WEB_ENABLE_DEFAULT = false;
- public static final String SENTRY_WEB_PORT = "sentry.service.web.port";
- public static final int SENTRY_WEB_PORT_DEFAULT = 29000;
- // Reporter is either "console", "log" or "jmx"
- public static final String SENTRY_REPORTER = "sentry.service.reporter";
- public static final String SENTRY_REPORTER_JMX = SentryMetrics.Reporting.JMX.name(); //case insensitive
- public static final String SENTRY_REPORTER_CONSOLE = SentryMetrics.Reporting.CONSOLE.name();//case insensitive
-
- // for console reporter, reporting interval in seconds
- public static final String SENTRY_REPORTER_INTERVAL_SEC =
- "sentry.service.reporter.interval.sec";
- public static final String SENTRY_JSON_REPORTER_FILE = "sentry.service.reporter.file";
- public static final String SENTRY_JSON_REPORTER_FILE_DEFAULT = "/tmp/sentry-metrics.json";
-
- // Report every 5 minutes by default
- public static final int SENTRY_REPORTER_INTERVAL_DEFAULT = 300;
-
- // Web SSL
- public static final String SENTRY_WEB_USE_SSL = "sentry.web.use.ssl";
- public static final String SENTRY_WEB_SSL_KEYSTORE_PATH = "sentry.web.ssl.keystore.path";
- public static final String SENTRY_WEB_SSL_KEYSTORE_PASSWORD = "sentry.web.ssl.keystore.password";
- public static final String SENTRY_SSL_PROTOCOL_BLACKLIST = "sentry.ssl.protocol.blacklist";
- // Blacklist SSL protocols that are not secure (e.g., POODLE vulnerability)
- public static final String[] SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT = {"SSLv2", "SSLv2Hello", "SSLv3"};
-
- // Web Security
- public static final String SENTRY_WEB_SECURITY_PREFIX = "sentry.service.web.authentication";
- public static final String SENTRY_WEB_SECURITY_TYPE = SENTRY_WEB_SECURITY_PREFIX + ".type";
- public static final String SENTRY_WEB_SECURITY_TYPE_NONE = "NONE";
- public static final String SENTRY_WEB_SECURITY_TYPE_KERBEROS = "KERBEROS";
- public static final String SENTRY_WEB_SECURITY_PRINCIPAL = SENTRY_WEB_SECURITY_PREFIX + ".kerberos.principal";
- public static final String SENTRY_WEB_SECURITY_KEYTAB = SENTRY_WEB_SECURITY_PREFIX + ".kerberos.keytab";
- public static final String SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS = SENTRY_WEB_SECURITY_PREFIX + ".allow.connect.users";
-
- // Flag to enable admin servlet
- public static final String SENTRY_WEB_ADMIN_SERVLET_ENABLED = "sentry.web.admin.servlet.enabled";
- public static final boolean SENTRY_WEB_ADMIN_SERVLET_ENABLED_DEFAULT = false;
-
- public static final String SENTRY_WEB_PUBSUB_SERVLET_ENABLED = "sentry.web.pubsub.servlet.enabled";
- public static final boolean SENTRY_WEB_PUBSUB_SERVLET_ENABLED_DEFAULT = false;
-
- // max message size for thrift messages
- public static final String SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.server.thrift.max.message.size";
- public static final long SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
-
- // action factories for external components
- public static final String SENTRY_COMPONENT_ACTION_FACTORY_FORMAT = "sentry.%s.action.factory";
-
- // Sentry is never a client to other Kerberos Services, it should not be required to renew the TGT
- @Deprecated
- public static final String SENTRY_KERBEROS_TGT_AUTORENEW = "sentry.service.kerberos.tgt.autorenew";
- @Deprecated
- public static final Boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false;
-
- /**
- * Number of path/priv deltas to keep around during cleaning
- * The value which is too small may cause unnecessary full snapshots sent to the Name Node
- * A value which is too large may cause slowdown due to too many deltas lying around in the DB.
- */
- public static final String SENTRY_DELTA_KEEP_COUNT = "sentry.server.delta.keep.count";
- public static final int SENTRY_DELTA_KEEP_COUNT_DEFAULT = 200;
-
- /**
- * Number of notification id's to keep around during cleaning
- */
- public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count";
- public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100;
- }
-
- public static class ClientConfig {
- public static final String SERVER_RPC_PORT = "sentry.service.client.server.rpc-port";
- public static final int SERVER_RPC_PORT_DEFAULT = ServerConfig.RPC_PORT_DEFAULT;
- public static final String SERVER_RPC_ADDRESS = "sentry.service.client.server.rpc-addresses";
- public static final String SERVER_RPC_CONN_TIMEOUT = "sentry.service.client.server.rpc-connection-timeout";
-
- // HA configuration
- public static final String SENTRY_HA_ZOOKEEPER_QUORUM = ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM;
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE;
- public static final String SERVER_HA_ZOOKEEPER_NAMESPACE_DEFAULT = ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT;
-
- // connection pool configuration
- public static final String SENTRY_POOL_ENABLED = "sentry.service.client.connection.pool.enabled";
- public static final boolean SENTRY_POOL_ENABLED_DEFAULT = false;
-
- // commons-pool configuration for pool size
- public static final String SENTRY_POOL_MAX_TOTAL = "sentry.service.client.connection.pool.max-total";
- public static final int SENTRY_POOL_MAX_TOTAL_DEFAULT = 8;
- public static final String SENTRY_POOL_MAX_IDLE = "sentry.service.client.connection.pool.max-idle";
- public static final int SENTRY_POOL_MAX_IDLE_DEFAULT = 8;
- public static final String SENTRY_POOL_MIN_IDLE = "sentry.service.client.connection.pool.min-idle";
- public static final int SENTRY_POOL_MIN_IDLE_DEFAULT = 0;
-
- // retry num for getting the connection from connection pool
- public static final String SENTRY_POOL_RETRY_TOTAL = "sentry.service.client.connection.pool.retry-total";
- public static final int SENTRY_POOL_RETRY_TOTAL_DEFAULT = 3;
-
- // max message size for thrift messages
- public static final String SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.client.thrift.max.message.size";
- public static final long SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
-
- // client retry settings
- public static final String RETRY_COUNT_CONF = "sentry.provider.backend.db.retry.count";
- public static final int RETRY_COUNT_DEFAULT = 3;
- public static final String RETRY_INTERVAL_SEC_CONF = "sentry.provider.backend.db.retry.interval.seconds";
- public static final int RETRY_INTERVAL_SEC_DEFAULT = 30;
-
- // provider backend cache settings
- public static final String ENABLE_CACHING = "sentry.provider.backend.generic.cache.enabled";
- public static final boolean ENABLE_CACHING_DEFAULT = false;
- public static final String CACHE_TTL_MS = "sentry.provider.backend.generic.cache.ttl.ms";
- public static final long CACHING_TTL_MS_DEFAULT = 30000;
- public static final String CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE = "sentry.provider.backend.generic.cache.update.failures.count";
- public static final int CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT = 3;
- public static final String PRIVILEGE_CONVERTER = "sentry.provider.backend.generic.privilege.converter";
-
- public static final String COMPONENT_TYPE = "sentry.provider.backend.generic.component-type";
- public static final String SERVICE_NAME = "sentry.provider.backend.generic.service-name";
- }
-
- /**
- * Thrift generates terrible constant class names
- */
- public static class ThriftConstants extends org.apache.sentry.service.thrift.sentry_common_serviceConstants {
- public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V2;
- }
-
- /* Privilege operation scope */
- public enum PrivilegeScope {
- SERVER,
- URI,
- DATABASE,
- TABLE,
- COLUMN
- }
-
- public static final String SENTRY_ZK_JAAS_NAME = "Sentry";
- public static final String CURRENT_INCARNATION_ID_KEY = "current.incarnation.key";
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
deleted file mode 100644
index e9cc411..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.PrintWriter;
-import java.io.StringWriter;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
-
-/**
- * Simple factory to make returning TSentryStatus objects easy
- */
-public enum Status {
- OK(ThriftConstants.TSENTRY_STATUS_OK),
- ALREADY_EXISTS(ThriftConstants.TSENTRY_STATUS_ALREADY_EXISTS),
- NO_SUCH_OBJECT(ThriftConstants.TSENTRY_STATUS_NO_SUCH_OBJECT),
- RUNTIME_ERROR(ThriftConstants.TSENTRY_STATUS_RUNTIME_ERROR),
- INVALID_INPUT(ThriftConstants.TSENTRY_STATUS_INVALID_INPUT),
- ACCESS_DENIED(ThriftConstants.TSENTRY_STATUS_ACCESS_DENIED),
- 
THRIFT_VERSION_MISMATCH(ThriftConstants.TSENTRY_STATUS_THRIFT_VERSION_MISMATCH),
- UNKNOWN(-1)
- ;
- private int code;
- private Status(int code) {
- this.code = code;
- }
- public int getCode() {
- return code;
- }
- public static Status fromCode(int code) {
- for (Status status : Status.values()) {
- if (status.getCode() == code) {
- return status;
- }
- }
- return Status.UNKNOWN;
- }
- public static TSentryResponseStatus OK() {
- return Create(Status.OK, "");
- }
- public static TSentryResponseStatus AccessDenied(String message, Throwable t) {
- return Create(Status.ACCESS_DENIED, message, t);
- }
- public static TSentryResponseStatus AlreadyExists(String message, Throwable t) {
- return Create(Status.ALREADY_EXISTS, message, t);
- }
- public static TSentryResponseStatus NoSuchObject(String message, Throwable t) {
- return Create(Status.NO_SUCH_OBJECT, message, t);
- }
- public static TSentryResponseStatus RuntimeError(String message, Throwable t) {
- return Create(Status.RUNTIME_ERROR, message, t);
- }
- public static TSentryResponseStatus Create(Status value, String message) {
- return Create(value, message, null);
- }
- public static TSentryResponseStatus InvalidInput(String message, Throwable t) {
- return Create(Status.INVALID_INPUT, message, t);
- }
- public static TSentryResponseStatus THRIFT_VERSION_MISMATCH(String message, Throwable t) {
- return Create(Status.THRIFT_VERSION_MISMATCH, message, t);
- }
- public static TSentryResponseStatus Create(Status value, String message, @Nullable Throwable t) {
- TSentryResponseStatus status = new TSentryResponseStatus();
- status.setValue(value.getCode());
- status.setMessage(message);
- if (t != null) {
- StringWriter stringWriter = new StringWriter();
- PrintWriter printWriter = new PrintWriter(stringWriter);
- t.printStackTrace(printWriter);
- printWriter.close();
- status.setStack(stringWriter.toString());
- }
- return status;
- }
- public static void throwIfNotOk(TSentryResponseStatus thriftStatus)
- throws 
SentryUserException {
- Status status = Status.fromCode(thriftStatus.getValue());
- switch(status) {
- case OK:
- break;
- case ALREADY_EXISTS:
- throw new SentryAlreadyExistsException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case NO_SUCH_OBJECT:
- throw new SentryNoSuchObjectException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case RUNTIME_ERROR:
- throw new RuntimeException(serverErrorToString(thriftStatus));
- case INVALID_INPUT:
- throw new SentryInvalidInputException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case ACCESS_DENIED:
- throw new SentryAccessDeniedException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case THRIFT_VERSION_MISMATCH:
- throw new SentryThriftAPIMismatchException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case UNKNOWN:
- throw new AssertionError(serverErrorToString(thriftStatus));
- default:
- throw new AssertionError("Unknown status code: " + status + ". Msg: " +
- serverErrorToString(thriftStatus));
- }
- }
-
- private static String serverErrorToString(TSentryResponseStatus thriftStatus) {
- String msg = thriftStatus.getMessage();
- String stack = thriftStatus.getStack();
- if (stack == null) {
- return msg;
- }
- return msg + ". Server Stacktrace: " + stack;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
deleted file mode 100644
index 2a92c97..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/local/bin/thrift -java
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-namespace java org.apache.sentry.service.thrift
-namespace php sentry.service.thrift
-namespace cpp Apache.Sentry.Service.Thrift
-
-const i32 TSENTRY_SERVICE_V1 = 1;
-// Made a backward incompatible change when adding column level privileges.
-// We also added generalized model in this version
-const i32 TSENTRY_SERVICE_V2 = 2;
-
-const i32 TSENTRY_STATUS_OK = 0;
-const i32 TSENTRY_STATUS_ALREADY_EXISTS = 1;
-const i32 TSENTRY_STATUS_NO_SUCH_OBJECT = 2;
-const i32 TSENTRY_STATUS_RUNTIME_ERROR = 3;
-const i32 TSENTRY_STATUS_INVALID_INPUT = 4;
-const i32 TSENTRY_STATUS_ACCESS_DENIED = 5;
-const i32 TSENTRY_STATUS_THRIFT_VERSION_MISMATCH = 6;
-
-struct TSentryResponseStatus {
-1: required i32 value,
-// message will be set to empty string when status is OK
-2: required string message
-3: optional string stack
-}
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift
deleted file mode 100644
index c56522f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift
+++ /dev/null
@@ -1,278 +0,0 @@ -#!/usr/local/bin/thrift -java - -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# -# Thrift Service that the MetaStore is built on -# - -include "sentry_common_service.thrift" -include "sentry_policy_service.thrift" - -namespace java org.apache.sentry.provider.db.generic.service.thrift -namespace php sentry.provider.db.service.db.generic.serivce.thrift -namespace cpp Apache.Sentry.Provider.Db.Generic.Service.Thrift - -typedef sentry_common_service.TSentryResponseStatus TSentryResponseStatus - -# Represents a new generic model privilege for solr or other component in transport -# from the client to the server -enum TSentryGrantOption { - TRUE = 1, - FALSE = 0, - UNSET = -1 -} - -# Represents a authorizable resource in the privilege -# like DATABASE=db1 in the hive, COLLECTION=collection1 in the solr -struct TAuthorizable { -1: required string type, -2: required string name -} - -struct TSentryPrivilege { -1: required string component, -2: required string serviceName, -3: required list<TAuthorizable> authorizables, -4: required string action, -5: optional i64 createTime, # Set on server side -6: optional string grantorPrincipal, # Set on server side -7: optional TSentryGrantOption 
grantOption = sentry_policy_service.TSentryGrantOption.FALSE -} - -# CREATE ROLE r1 -struct TCreateSentryRoleRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component # The request is issued to which component -} - -struct TCreateSentryRoleResponse { -1: required TSentryResponseStatus status -} - -# DROP ROLE r1 -struct TDropSentryRoleRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component # The request is issued to which component -} - -struct TDropSentryRoleResponse { -1: required TSentryResponseStatus status -} - -# GRANT ROLE r1 TO GROUP g1 -struct TAlterSentryRoleAddGroupsRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component, # The request is issued to which component -5: required set<string> groups -} -struct TAlterSentryRoleAddGroupsResponse { -1: required TSentryResponseStatus status -} - -# REVOLE ROLE r1 FROM GROUP g1 -struct TAlterSentryRoleDeleteGroupsRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component, # The request is issued to which component -5: required set<string> groups -} -struct TAlterSentryRoleDeleteGroupsResponse { -1: required TSentryResponseStatus status -} - -# GRANT ... ON ... TO ROLE ... 
-struct TAlterSentryRoleGrantPrivilegeRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component, # The request is issued to which component -5: required TSentryPrivilege privilege -} -struct TAlterSentryRoleGrantPrivilegeResponse { -1: required TSentryResponseStatus status -} - -# REVOKE ... ON ... FROM ROLE ... -struct TAlterSentryRoleRevokePrivilegeRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required string component, # The request is issued to which component -5: required TSentryPrivilege privilege -} -struct TAlterSentryRoleRevokePrivilegeResponse { -1: required TSentryResponseStatus status -} - -# SHOW ROLE GRANT -struct TListSentryRolesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: optional string groupName, # for this group, or all roles for all groups if null -4: required string component # The request is issued to which component -} -# used only for TListSentryRolesResponse -struct TSentryRole { -1: required string roleName, -2: required set<string> groups -} - -struct TListSentryRolesResponse { -1: required TSentryResponseStatus status -2: optional set<TSentryRole> roles -} -# SHOW GRANT -struct TListSentryPrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, # get privileges assigned for this role -4: required string component, # The request is issued to which component -5: required string serviceName, # The privilege belongs to which service 
-6: optional list<TAuthorizable> authorizables # get privileges assigned for this authorizable hierarchys -} - -struct TListSentryPrivilegesResponse { -1: required TSentryResponseStatus status -2: optional set<TSentryPrivilege> privileges -} - -# Drop privilege -struct TDropPrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required TSentryPrivilege privilege -4: required string component, # The request is issued to which component -} - -struct TDropPrivilegesResponse { -1: required TSentryResponseStatus status -} - -# Rename privilege -struct TRenamePrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string component, # The request is issued to which component -4: required string serviceName, # The privilege belongs to which service -5: required list<TAuthorizable> oldAuthorizables, # get old privileges assigned for this authorizable hierarchys -6: required list<TAuthorizable> newAuthorizables # change to new authorizable hierarchys -} - -struct TRenamePrivilegesResponse { -1: required TSentryResponseStatus status -} - -# This API was created specifically for ProviderBackend.getPrivileges -# and is not mean for general purpose privilege retrieval. 
-# This request/response pair are created specifically so we can -# efficiently obtain the specific privilges for a user query -struct TSentryActiveRoleSet { -1: required bool all, -2: required set<string> roles, -} - -struct TListSentryPrivilegesForProviderRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string component, # The request is issued to which component -3: required string serviceName, # The privilege belongs to which service -4: required set<string> groups, -5: required TSentryActiveRoleSet roleSet, -6: optional list<TAuthorizable> authorizables # authorizable hierarchys -} - -struct TListSentryPrivilegesForProviderResponse { -1: required TSentryResponseStatus status -2: required set<string> privileges -} - -# Map of role:set<privileges> for the given authorizable -# Optionally use the set of groups to filter the roles -struct TSentryPrivilegeMap { -1: required map<string, set<TSentryPrivilege>> privilegeMap -} - -struct TListSentryPrivilegesByAuthRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, - -# User on whose behalf the request is issued -2: required string requestorUserName, - -# The request is issued to which component -3: required string component, - -# The privilege belongs to which service -4: required string serviceName, - -# The authorizable hierarchys, it is represented as a string. e.g -# resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3 -5: required set<string> authorizablesSet, - -# The requested groups. For admin, the requested groups can be empty, if so it is -# treated as a wildcard query. Otherwise, it is a query on this specifc groups. -# For non-admin user, the requested groups must be the groups they are part of. -6: optional set<string> groups, - -# The active role set. 
-7: optional TSentryActiveRoleSet roleSet -} - -struct TListSentryPrivilegesByAuthResponse { -1: required sentry_common_service.TSentryResponseStatus status, - -# Will not be set in case of an error. Otherwise it will be a -# <Authorizables, <Role, Set<Privileges>>> mapping. For non-admin -# requestor, the roles are intersection of active roles and granted roles. -# For admin requestor, the roles are filtered based on the active roles -# and requested group from TListSentryPrivilegesByAuthRequest. -# The authorizable hierarchys is represented as a string in the form -# of the request. -2: optional map<string, TSentryPrivilegeMap> privilegesMapByAuth -} - -service SentryGenericPolicyService -{ - TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request) - TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request) - - TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request) - TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request) - - TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request) - TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request) - - TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request) - - TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request) - - TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) - - TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request); - - TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request); - - TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request); -} 
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
deleted file mode 100644
index 98fefab..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ /dev/null
@@ -1,364 +0,0 @@ -#!/usr/local/bin/thrift -java - -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# -# Thrift Service that the MetaStore is built on -# - -include "sentry_common_service.thrift" - -namespace java org.apache.sentry.provider.db.service.thrift -namespace php sentry.provider.db.service.thrift -namespace cpp Apache.Sentry.Provider.Db.Service.Thrift - -enum TSentryGrantOption { - TRUE = 1, - FALSE = 0, - # UNSET is used for revoke privilege, the component like 'hive' - # didn't support getting grant option, so use UNSET is stand - # for revoke both privileges with grant option and without grant - # option. - UNSET = -1 -} - -# Represents a Privilege in transport from the client to the server -struct TSentryPrivilege { -1: required string privilegeScope, # Valid values are SERVER, DATABASE, TABLE, COLUMN, URI -3: required string serverName, -4: optional string dbName = "", -5: optional string tableName = "", -6: optional string URI = "", -7: required string action = "", -8: optional i64 createTime, # Set on server side -9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE -10: optional string columnName = "", -} - -# TODO can this be deleted? 
it's not adding value to TAlterSentryRoleAddGroupsRequest -struct TSentryGroup { -1: required string groupName -} - -# CREATE ROLE r1 -struct TCreateSentryRoleRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, # TSentryRole is not required for this request -} -struct TCreateSentryRoleResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# DROP ROLE r1 -struct TDropSentryRoleRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName # role to drop -} -struct TDropSentryRoleResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# GRANT ROLE r1 TO GROUP g1 -struct TAlterSentryRoleAddGroupsRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -5: required set<TSentryGroup> groups -} - -struct TAlterSentryRoleAddGroupsResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# GRANT ROLE r1 TO USER u1 -struct TAlterSentryRoleAddUsersRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required set<string> users -} - -struct TAlterSentryRoleAddUsersResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# REVOKE ROLE r1 FROM GROUP g1 -struct TAlterSentryRoleDeleteGroupsRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -5: required 
set<TSentryGroup> groups -} -struct TAlterSentryRoleDeleteGroupsResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# REVOKE ROLE r1 FROM USER u1 -struct TAlterSentryRoleDeleteUsersRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -4: required set<string> users -} -struct TAlterSentryRoleDeleteUsersResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# GRANT ... ON ... TO ROLE ... -struct TAlterSentryRoleGrantPrivilegeRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -5: optional TSentryPrivilege privilege, -6: optional set<TSentryPrivilege> privileges -} -struct TAlterSentryRoleGrantPrivilegeResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: optional TSentryPrivilege privilege -3: optional set<TSentryPrivilege> privileges -} - -# REVOKE ... ON ... FROM ROLE ... 
-struct TAlterSentryRoleRevokePrivilegeRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string roleName, -5: optional TSentryPrivilege privilege, -6: optional set<TSentryPrivilege> privileges -} -struct TAlterSentryRoleRevokePrivilegeResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# SHOW ROLE GRANT -struct TListSentryRolesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: optional string groupName # for this group, or all roles for all groups if null -} - -struct TListSentryRolesForUserRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required string userName -} - -# used only for TListSentryRolesResponse -struct TSentryRole { -1: required string roleName, -2: required set<TSentryGroup> groups, -3: required string grantorPrincipal #Deprecated -} -struct TListSentryRolesResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: optional set<TSentryRole> roles -} - -struct TSentryAuthorizable { -1: required string server, -2: optional string uri, -3: optional string db, -4: optional string table, -5: optional string column, -} - -# SHOW GRANT -struct TListSentryPrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -4: required string roleName, # get privileges assigned for this role -5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role -} -struct TListSentryPrivilegesResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: optional 
set<TSentryPrivilege> privileges -} - -# Drop privilege -struct TDropPrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required TSentryAuthorizable authorizable -} - -struct TDropPrivilegesResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -struct TRenamePrivilegesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required TSentryAuthorizable oldAuthorizable -4: required TSentryAuthorizable newAuthorizable -} - -struct TRenamePrivilegesResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -# This API was created specifically for ProviderBackend.getPrivileges -# and is not mean for general purpose privilege retrieval. -# This request/response pair are created specifically so we can -# efficiently obtain the specific privilges for a user query -struct TSentryActiveRoleSet { -1: required bool all, -2: required set<string> roles, -} -struct TListSentryPrivilegesForProviderRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required set<string> groups, -3: required TSentryActiveRoleSet roleSet, -4: optional TSentryAuthorizable authorizableHierarchy, -5: optional set<string> users -} -struct TListSentryPrivilegesForProviderResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: required set<string> privileges -} - -# List role:set<privileges> for the given authorizable -# Optionally use the set of groups to filter the roles -struct TSentryPrivilegeMap { -1: required map<string, set<TSentryPrivilege>> privilegeMap -} -struct TListSentryPrivilegesByAuthRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string requestorUserName, # user on whose behalf 
the request is issued -3: required set<TSentryAuthorizable> authorizableSet, -4: optional set<string> groups, -5: optional TSentryActiveRoleSet roleSet -} -struct TListSentryPrivilegesByAuthResponse { -1: required sentry_common_service.TSentryResponseStatus status, -2: optional map<TSentryAuthorizable, TSentryPrivilegeMap> privilegesMapByAuth # will not be set in case of an error -} - -# Obtain a config value from the Sentry service -struct TSentryConfigValueRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required string propertyName, # Config attribute to obtain -3: optional string defaultValue # Value if propertyName not found -} -struct TSentryConfigValueResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: optional string value -} - -# struct for the mapping data like group to role, role to privilege -struct TSentryMappingData { -1: optional map<string, set<string>> groupRolesMap, # for the groupName -> role mapping -2: optional map<string, set<TSentryPrivilege>> rolePrivilegesMap, # for the roleName -> privilege mapping -3: optional map<string, set<string>> userRolesMap # for the userName -> role mapping -} - -struct TSentryExportMappingDataRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: optional string objectPath # for specific auth object -} - -struct TSentryExportMappingDataResponse { -1: required sentry_common_service.TSentryResponseStatus status, -2: required TSentryMappingData mappingData -} - -struct TSentryImportMappingDataRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: required bool overwriteRole = false, # if overwrite the exist role with the imported privileges, default is false -4: required TSentryMappingData mappingData -} - 
-struct TSentryImportMappingDataResponse { -1: required sentry_common_service.TSentryResponseStatus status -} - -/* - * API for synchronizing between HMS notification events and Sentry. - * - * When Sentry gets updates from HMS using HMS Notifications, HMS should - * should wait after each notification event is generated until the notification - * is handled by Sentry This preserves the synchronous semantics of DDL statements. - * - * The notification synchronization API is private between HMS and Sentry and should - * not be used by anything else. - * - * The API should be used in the following way: - * - * 1) HMS creates a notification and stores its ID in the persistent storage - * 2) HMS sends ID to Sentry - * 3) Sentry blocks the response until the specified ID is processed by Sentry - * 4) Sentry responds with the most recent processed ID. - * - * Note that the important part is blocking in Sentry until the specified ID - * is processed. The returned most recent processed ID is intended for debugging - * purposes only, but may be used in HMS for performance optimizations. 
- */ - -struct TSentrySyncIDRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, -2: required i64 id // Requested ID -} - -struct TSentrySyncIDResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: required i64 id // Most recent processed ID -} - -service SentryPolicyService -{ - TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request) - TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request) - - TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request) - TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request) - - TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request) - TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request) - - TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(1:TAlterSentryRoleAddUsersRequest request) - TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(1:TAlterSentryRoleDeleteUsersRequest request) - - TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request) - TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request) - - TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request) - - # For use with ProviderBackend.getPrivileges only - TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) - - TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request); - - TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request); - - TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request); - - 
TSentryConfigValueResponse get_sentry_config_value(1:TSentryConfigValueRequest request); - - # export the mapping data in sentry - TSentryExportMappingDataResponse export_sentry_mapping_data(1:TSentryExportMappingDataRequest request); - - # import the mapping data in sentry - TSentryImportMappingDataResponse import_sentry_mapping_data(1:TSentryImportMappingDataRequest request); - - # Synchronize between HMS notifications and Sentry - TSentrySyncIDResponse sentry_sync_notifications(1:TSentrySyncIDRequest request); -} http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java new file mode 100644 index 0000000..a26f4f7 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java 
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.generic.thrift;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryGenericServiceIntegrationBase extends SentryServiceIntegrationBase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceIntegrationBase.class);
+ protected static final String SOLR = "SOLR";
+ protected SentryGenericServiceClient client;
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ // The client should already be logged in when running in solr
+ // therefore we must manually login in the integration tests
+ if (kerberos) {
+ this.client = clientUgi.doAs( new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(conf);
+ }
+ }
+
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, SOLR);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName(), SOLR);
+ }
+ if(client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
new file mode 100644
index 0000000..dea6152
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
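Review bot: In after(), `if(client != null)` is evaluated only after `client.listAllRoles(ADMIN_USER, SOLR)` has already dereferenced the field, so a test whose connectToSentryService() failed ends in a NullPointerException that is merely logged, and `client.close()` is skipped whenever listAllRoles or dropRole throws, leaking the client connection until the JVM exits. Put the null guard first and close the client in a finally block so cleanup of the SOLR roles cannot prevent the connection from being released. The same ordering appears in after() of TestAuditLogForSentryGenericService.java in the next hunk and should be fixed there too.
```java
public void runTestAsSubject() throws Exception {
  if (client == null) {
    return;
  }
  try {
    Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, SOLR);
    for (TSentryRole tRole : tRoles) {
      client.dropRole(ADMIN_USER, tRole.getRoleName(), SOLR);
    }
  } finally {
    client.close();
  }
}
// … unchanged: surrounding runTestAsSubject(new TestOperation(){ … }) call, catch and finally …
```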
@@ -0,0 +1,296 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.generic.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase {
+
+ private SentryGenericServiceClient client;
+ private static final String COMPONENT = "SQOOP";
+ private static final org.slf4j.Logger LOGGER = 
LoggerFactory
+ .getLogger(TestAuditLogForSentryGenericService.class);
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.setup();
+ Logger logger = Logger.getLogger("sentry.generic.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Override
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, COMPONENT);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName(), COMPONENT);
+ }
+ if (client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ // log the exception
+ LOGGER.warn("Exception happened after test case.", e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ if (kerberos) {
+ this.client = clientUgi.doAs(new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(conf);
+ }
+ }
+
+ @Test
+ public void testAuditLogForGenericModel() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ String testGroupName = "g1";
+ String action = "all";
+ String service = "sentryService";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // test the audit log for create role, success
+ 
client.createRole(requestorUserName, roleName, COMPONENT);
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for create role, failed
+ try {
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for add role to group, success
+ client.grantRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for add role to group, failed
+ try {
+ client.grantRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ 
fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE invalidRole TO GROUP "
+ + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for grant privilege, success
+ TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT, service, Lists.newArrayList(
+ new TAuthorizable("resourceType1", "resourceName1"), new TAuthorizable("resourceType2",
+ "resourceName2")), action);
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT ALL ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ TSentryPrivilege invalidPrivilege = new TSentryPrivilege(COMPONENT, service,
+ Lists.newArrayList(new TAuthorizable("resourceType1", "resourceName1")),
+ "invalidAction");
+ // test the audit log for grant privilege, failed
+ try {
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT INVALIDACTION ON resourceType1 resourceName1 TO ROLE " + roleName);
+ 
fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for revoke privilege, success
+ client.revokePrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ALL ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for revoke privilege, failed
+ try {
+ client.revokePrivilege(requestorUserName, "invalidRole", COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE INVALIDACTION ON resourceType1 resourceName1 FROM ROLE invalidRole");
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for delete role from group, success
+ client.revokeRoleFromGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, 
Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for delete role from group, failed
+ try {
+ client.revokeRoleFromGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ROLE invalidRole FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ // test the audit log for drop role, success
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for drop role, failed
+ try {
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> 
fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
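Review bot: TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase and re-implements connectToSentryService() and after() almost line for line from SentryGenericServiceIntegrationBase, which this same commit adds in the previous hunk; the only difference is the component name and the log level used in the catch. Extending the generic base and letting the subclass supply the component (for example a protected `component()` accessor or a protected field instead of the static COMPONENT) would leave a single copy of the Kerberos `clientUgi.doAs(...)` login and the role cleanup, so a fix there is not missed here. assertAuditLog also deserves a short comment stating its ordering assumption, since it verifies only `AuditLoggerTestAppender.getLastLogEvent()`: `// checks the most recent audit event only; issue exactly one request per call`.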
