Repository: sentry Updated Branches: refs/heads/master b65f5b2b4 -> 71b868b43
SENTRY-2218: Sentry-plug-in should have API's to handle grant/revoke privileges to users. (Kalyan Kumar kalvagadda, reviewed-by Na Li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/71b868b4 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/71b868b4 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/71b868b4 Branch: refs/heads/master Commit: 71b868b4353932348b26a2aa542ac9be99d835be Parents: b65f5b2 Author: Kalyan Kumar Kalvagadda <[email protected]> Authored: Mon May 14 12:45:46 2018 -0500 Committer: Kalyan Kumar Kalvagadda <[email protected]> Committed: Mon May 14 12:45:46 2018 -0500 ---------------------------------------------------------------------- .../org/apache/sentry/hdfs/SentryPlugin.java | 77 +++++++++++++++++--- .../provider/db/SentryPolicyStorePlugin.java | 21 ++++++ 2 files changed, 88 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/71b868b4/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java index ba7be8a..b5e01e4 100644 --- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java +++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java @@ -20,6 +20,7 @@ package org.apache.sentry.hdfs; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.concurrent.atomic.AtomicBoolean; import org.apache.hadoop.conf.Configuration; 
@@ -262,7 +263,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen for (TSentryPrivilege privilege : request.getPrivileges()) { if(!(PrivilegeScope.COLUMN.name().equalsIgnoreCase(privilege.getPrivilegeScope()))) { - PermissionsUpdate update = onAlterSentryRoleGrantPrivilegeCore(roleName, privilege); + PermissionsUpdate update = onAlterSentryGrantPrivilegeCore(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, + roleName), privilege); if (update != null && privilegesUpdateMap != null) { privilegesUpdateMap.put(privilege, update); } 
@@ -275,16 +277,43 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } } - private PermissionsUpdate onAlterSentryRoleGrantPrivilegeCore(String roleName, TSentryPrivilege privilege) - throws SentryPluginException { + @Override + public void onAlterSentryUserGrantPrivilege(String userName, Set<TSentryPrivilege> privileges, + Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException { + Preconditions.checkNotNull(userName, "User name is NULL"); + Preconditions.checkNotNull(privilegesUpdateMap, "Privilege MAP NULL"); + Preconditions.checkNotNull(privileges, "Privilege Set provided is NULL"); + + if (LOGGER.isTraceEnabled()) { + LOGGER.trace("onAlterSentryUserGrantPrivilege: {}", userName); + } + + if (privileges.size() > 0) { + for (TSentryPrivilege privilege : privileges) { + if(!(PrivilegeScope.COLUMN.name().equalsIgnoreCase(privilege.getPrivilegeScope()))) { + PermissionsUpdate update = onAlterSentryGrantPrivilegeCore(new TPrivilegeEntity(TPrivilegeEntityType.USER, + userName), privilege); + if (update != null && privilegesUpdateMap != null) { + privilegesUpdateMap.put(privilege, update); + } + } + } + } + if (LOGGER.isTraceEnabled()) { + // TSentryPrivilege.toString() and update.toString() provides all details + LOGGER.trace("onAlterSentryUserGrantPrivilege: {}", privilegesUpdateMap); + } + } + + private PermissionsUpdate onAlterSentryGrantPrivilegeCore(TPrivilegeEntity tPrivilegeEntity, TSentryPrivilege privilege) + throws SentryPluginException { String authzObj = getAuthzObj(privilege); if (authzObj == null) { return null; } PermissionsUpdate update = new PermissionsUpdate(); - update.addPrivilegeUpdate(authzObj).putToAddPrivileges( new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName), - privilege.getAction().toUpperCase()); + update.addPrivilegeUpdate(authzObj).putToAddPrivileges( tPrivilegeEntity, privilege.getAction().toUpperCase()); LOGGER.debug(String.format("onAlterSentryRoleGrantPrivilegeCore, 
Authz Perm preUpdate [ %s ]", authzObj)); @@ -333,7 +362,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen for (TSentryPrivilege privilege : request.getPrivileges()) { if(!("COLUMN".equalsIgnoreCase(privilege.getPrivilegeScope()))) { - PermissionsUpdate update = onAlterSentryRoleRevokePrivilegeCore(roleName, privilege); + PermissionsUpdate update = onAlterSentryRevokePrivilegeCore(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, + roleName), privilege); if (update != null && privilegesUpdateMap != null) { privilegesUpdateMap.put(privilege, update); } 
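Review bot: The debug line closing this hunk, `LOGGER.debug(String.format("onAlterSentryRoleGrantPrivilegeCore, Authz Perm preUpdate [ %s ]", authzObj))`, now runs for USER as well as ROLE grants but still names the removed role-only method and never says which principal received the privilege, so the log cannot tell a user grant from a role grant on the same object. Since this is the point where an HDFS ACL change originates, `LOGGER.debug("onAlterSentryGrantPrivilegeCore, Authz Perm preUpdate [ {} ] for {}", authzObj, tPrivilegeEntity);` would record the entity (assuming the Thrift-generated toString prints its type and name) and also drop the eager String.format. In onAlterSentryUserGrantPrivilege the `privilegesUpdateMap != null` test inside the loop is dead after the `Preconditions.checkNotNull(privilegesUpdateMap, ...)` at the top, and `if (privileges.size() > 0)` only duplicates what the for-loop already does on an empty set. onAlterSentryGrantPrivilegeCore continues past the end of the hunk.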
@@ -346,7 +376,36 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } } - private PermissionsUpdate onAlterSentryRoleRevokePrivilegeCore(String roleName, TSentryPrivilege privilege) + @Override + public void onAlterSentryUserRevokePrivilege(String userName, Set<TSentryPrivilege> privileges, + Map<TSentryPrivilege, Update> privilegesUpdateMap) + throws SentryPluginException { + Preconditions.checkNotNull(userName, "User name is NULL"); + Preconditions.checkNotNull(privilegesUpdateMap, "Privilege MAP NULL"); + Preconditions.checkNotNull(privileges, "Privilege Set provided is NULL"); + + if (LOGGER.isTraceEnabled()) { + LOGGER.trace("onAlterSentryUserRevokePrivilege: {}", userName); // request.toString() provides all details + } + + if (privileges.size() > 0) { + for (TSentryPrivilege privilege : privileges) { + if(!("COLUMN".equalsIgnoreCase(privilege.getPrivilegeScope()))) { + PermissionsUpdate update = onAlterSentryRevokePrivilegeCore(new TPrivilegeEntity(TPrivilegeEntityType.USER, + userName), privilege); + if (update != null && privilegesUpdateMap != null) { + privilegesUpdateMap.put(privilege, update); + } + } + } + } + if (LOGGER.isTraceEnabled()) { + // TSentryPrivilege.toString() and Update.toString() provides all details + LOGGER.trace("onAlterSentryUserRevokePrivilege: {}", privilegesUpdateMap); + } + } + + private PermissionsUpdate onAlterSentryRevokePrivilegeCore(TPrivilegeEntity tPrivilegeEntity, TSentryPrivilege privilege) throws SentryPluginException { String authzObj = getAuthzObj(privilege); if (authzObj == null) { 
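Review bot: onAlterSentryUserRevokePrivilege filters column-scope privileges with a bare `"COLUMN"` literal while its grant counterpart added in this same commit uses `PrivilegeScope.COLUMN.name()`; both compare case-insensitively so the result is the same, but the two new entry points should use one form, e.g. `if(!(PrivilegeScope.COLUMN.name().equalsIgnoreCase(privilege.getPrivilegeScope()))) {`. The trailing comment on the first trace call, `// request.toString() provides all details`, was carried over from the role variant and refers to a `request` that does not exist in this method; the call only logs `userName`, so the comment should be removed or say that. As in the grant path, the `privilegesUpdateMap != null` check inside the loop cannot fail after `Preconditions.checkNotNull` and can be dropped. onAlterSentryRevokePrivilegeCore continues past the end of the hunk.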
@@ -354,9 +413,7 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } PermissionsUpdate update = new PermissionsUpdate(); - update.addPrivilegeUpdate(authzObj).putToDelPrivileges( - new TPrivilegeEntity(TPrivilegeEntityType.ROLE,roleName), - privilege.getAction().toUpperCase()); + update.addPrivilegeUpdate(authzObj).putToDelPrivileges(tPrivilegeEntity, privilege.getAction().toUpperCase()); LOGGER.debug("onAlterSentryRoleRevokePrivilegeCore, Authz Perm preUpdate [ {} ]", authzObj); return update; http://git-wip-us.apache.org/repos/asf/sentry/blob/71b868b4/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java index 8462928..52f25dc 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java @@ -32,6 +32,7 @@ import org.apache.sentry.api.service.thrift.TRenamePrivilegesRequest; import org.apache.sentry.api.service.thrift.TSentryPrivilege; import java.util.Map; +import java.util.Set; import static org.apache.sentry.hdfs.Updateable.Update; 
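Review bot: `LOGGER.debug("onAlterSentryRoleRevokePrivilegeCore, Authz Perm preUpdate [ {} ]", authzObj)` is kept verbatim although the method is now onAlterSentryRevokePrivilegeCore and also builds revocations for USER entities, so anyone reading logs to reconstruct why an HDFS ACL entry disappeared will find the old name and no principal. Passing the entity through, `LOGGER.debug("onAlterSentryRevokePrivilegeCore, Authz Perm preUpdate [ {} ] for {}", authzObj, tPrivilegeEntity);`, keeps the message aligned with the grant path and records who lost the privilege (assuming the Thrift-generated toString includes the type and name). The start of onAlterSentryRevokePrivilegeCore lies in the previous hunk, outside this one.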
@@ -67,6 +68,26 @@ public interface SentryPolicyStorePlugin { void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest, Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException; + /** + * Used to create an update when privileges are granted to user. + * @param userName + * @param privileges + * @param privilegesUpdateMap + * @throws SentryPluginException + */ + void onAlterSentryUserGrantPrivilege(String userName, Set<TSentryPrivilege> privileges, + Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException; + + /** + * Used to create an update when privileges are revoked from user. + * @param userName + * @param privileges + * @param privilegesUpdateMap + * @throws SentryPluginException + */ + void onAlterSentryUserRevokePrivilege(String userName, Set<TSentryPrivilege> privileges, + Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException; + Update onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException; Update onRenameSentryPrivilege(TRenamePrivilegesRequest request)
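Review bot: Both new Javadoc blocks leave every `@param` tag empty; `privilegesUpdateMap` in particular is an out-parameter that the SentryPlugin implementation in this commit fills with one Update per non-column privilege, which a caller cannot learn from `@param privilegesUpdateMap` alone, so the tags should read along the lines of `@param userName name of the user the privileges are granted to`, `@param privileges privileges being granted; may be empty`, `@param privilegesUpdateMap receives the update built for each privilege, keyed by that privilege`, and `@throws SentryPluginException` should say when it is raised. Adding two abstract methods to the public SentryPolicyStorePlugin interface also breaks any existing implementation outside this tree at compile time; if the build targets Java 8 or later, `default` bodies would keep source compatibility, but a silent no-op default would let a user-level grant never reach the HDFS ACLs, so a default that throws UnsupportedOperationException is the safer choice if one is added at all.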
