http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java new file mode 100644 index 0000000..befe6c3 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java @@ -0,0 +1,240 @@ +package org.apache.sentry.api.service.thrift; + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import com.codahale.metrics.servlets.AdminServlet; +import com.google.common.base.Preconditions; + +import java.io.IOException; +import java.net.URL; +import java.util.EnumSet; +import java.util.EventListener; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import com.google.common.base.Splitter; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; +import javax.servlet.DispatcherType; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authentication.server.AuthenticationFilter; +import org.apache.sentry.service.common.ServiceConstants.ServerConfig; +import org.eclipse.jetty.security.ConstraintMapping; +import org.eclipse.jetty.security.ConstraintSecurityHandler; +import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.Handler; +import org.eclipse.jetty.server.HttpConfiguration; +import org.eclipse.jetty.server.HttpConnectionFactory; +import org.eclipse.jetty.server.SecureRequestCustomizer; +import org.eclipse.jetty.server.ServerConnector; +import org.eclipse.jetty.server.SslConnectionFactory; +import org.eclipse.jetty.server.handler.ContextHandler; +import org.eclipse.jetty.server.handler.ContextHandlerCollection; +import org.eclipse.jetty.server.handler.ResourceHandler; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.servlet.FilterHolder; +import org.eclipse.jetty.servlet.ServletContextHandler; +import org.eclipse.jetty.servlet.ServletHolder; +import org.eclipse.jetty.util.resource.Resource; +import org.eclipse.jetty.util.security.Constraint; +import org.eclipse.jetty.util.ssl.SslContextFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class SentryWebServer { + + private static final Logger LOGGER = LoggerFactory.getLogger(SentryWebServer.class); + private static final String RESOURCE_DIR = "/webapp"; + private static final String WELCOME_PAGE = "SentryService.html"; + + private Server server; + + public SentryWebServer(List<EventListener> listeners, int port, Configuration conf) { + server = new Server(); + + // Create a channel connector for "http/https" requests + ServerConnector connector; + if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) { + SslContextFactory sslContextFactory = new SslContextFactory(); + sslContextFactory.setKeyStorePath(conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, "")); + sslContextFactory.setKeyStorePassword( + conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "")); + // Exclude SSL blacklist protocols + sslContextFactory.setExcludeProtocols(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT); + Set<String> moreExcludedSSLProtocols = + Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings() + .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST)))); + sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray( + new String[moreExcludedSSLProtocols.size()])); + + HttpConfiguration httpConfiguration = new HttpConfiguration(); + httpConfiguration.setSecurePort(port); + httpConfiguration.setSecureScheme("https"); + httpConfiguration.addCustomizer(new SecureRequestCustomizer()); + + connector = new ServerConnector( + server, + new SslConnectionFactory(sslContextFactory, "http/1.1"), + new HttpConnectionFactory(httpConfiguration)); + + LOGGER.info("Now using SSL mode."); + } else { + connector = new ServerConnector(server, new HttpConnectionFactory()); + } + + connector.setPort(port); + server.setConnectors(new Connector[] { connector }); + + ServletContextHandler servletContextHandler = new ServletContextHandler(); + ServletHolder servletHolder = new ServletHolder(AdminServlet.class); + servletContextHandler.addServlet(servletHolder, "/*"); + + for(EventListener listener:listeners) { + servletContextHandler.addEventListener(listener); + } + + servletContextHandler.addServlet(new ServletHolder(ConfServlet.class), "/conf"); + + if (conf.getBoolean(ServerConfig.SENTRY_WEB_ADMIN_SERVLET_ENABLED, + ServerConfig.SENTRY_WEB_ADMIN_SERVLET_ENABLED_DEFAULT)) { + servletContextHandler.addServlet( + new ServletHolder(SentryAdminServlet.class), "/admin/*"); + } + servletContextHandler.getServletContext() + .setAttribute(ConfServlet.CONF_CONTEXT_ATTRIBUTE, conf); + + servletContextHandler.addServlet(new ServletHolder(LogLevelServlet.class), "/admin/logLevel"); + + if (conf.getBoolean(ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED, + ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED_DEFAULT)) { + servletContextHandler.addServlet(new ServletHolder(PubSubServlet.class), "/admin/publishMessage"); + } + + ResourceHandler resourceHandler = new ResourceHandler(); + resourceHandler.setDirectoriesListed(true); + URL url = this.getClass().getResource(RESOURCE_DIR); + try { + resourceHandler.setBaseResource(Resource.newResource(url.toString())); + } catch (IOException e) { + LOGGER.error("Got exception while setBaseResource for Sentry Service web UI", e); + } + resourceHandler.setWelcomeFiles(new String[]{WELCOME_PAGE}); + ContextHandler contextHandler= new ContextHandler(); + contextHandler.setHandler(resourceHandler); + + ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection(); + contextHandlerCollection.setHandlers(new Handler[]{contextHandler, servletContextHandler}); + + String authMethod = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE); + if (!ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE.equalsIgnoreCase(authMethod)) { + /** + * SentryAuthFilter is a subclass of AuthenticationFilter and + * AuthenticationFilter tagged as private and unstable interface: + * While there are not guarantees that this interface will not change, + * it is fairly stable and used by other projects (ie - Oozie) + */ + FilterHolder filterHolder = servletContextHandler.addFilter(SentryAuthFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST)); + filterHolder.setInitParameters(loadWebAuthenticationConf(conf)); + } + + server.setHandler(disableTraceMethod(contextHandlerCollection)); + } + + /** + * Disables the HTTP TRACE method request which leads to Cross-Site Tracking (XST) problems. + * + * To disable it, we need to wrap the Handler (which has the HTTP TRACE enabled) with + * a constraint that denies access to the HTTP TRACE method. + * + * @param handler The Handler which has the HTTP TRACE enabled. + * @return A new Handler wrapped with the HTTP TRACE constraint and the Handler passed as parameter. + */ + private Handler disableTraceMethod(Handler handler) { + Constraint disableTraceConstraint = new Constraint(); + disableTraceConstraint.setName("Disable TRACE"); + disableTraceConstraint.setAuthenticate(true); + + ConstraintMapping mapping = new ConstraintMapping(); + mapping.setConstraint(disableTraceConstraint); + mapping.setMethod("TRACE"); + mapping.setPathSpec("/"); + + ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler(); + constraintSecurityHandler.addConstraintMapping(mapping); + constraintSecurityHandler.setHandler(handler); + + return constraintSecurityHandler; + } + + public void start() throws Exception{ + server.start(); + } + public void stop() throws Exception{ + server.stop(); + } + public boolean isAlive() { + return server != null && server.isStarted(); + } + private static Map<String, String> loadWebAuthenticationConf(Configuration conf) { + Map<String,String> prop = new HashMap<String, String>(); + prop.put(AuthenticationFilter.CONFIG_PREFIX, ServerConfig.SENTRY_WEB_SECURITY_PREFIX); + String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS); + if (allowUsers == null || allowUsers.equals("")) { + allowUsers = conf.get(ServerConfig.ALLOW_CONNECT); + conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowUsers); + } + validateConf(conf); + for (Map.Entry<String, String> entry : conf) { + String name = entry.getKey(); + if (name.startsWith(ServerConfig.SENTRY_WEB_SECURITY_PREFIX)) { + String value = conf.get(name); + prop.put(name, value); + } + } + return prop; + } + + private static void validateConf(Configuration conf) { + String authHandlerName = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE); + Preconditions.checkNotNull(authHandlerName, "Web authHandler should not be null."); + String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS); + Preconditions.checkNotNull(allowUsers, "Allow connect user(s) should not be null."); + if (ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS.equalsIgnoreCase(authHandlerName)) { + String principal = conf.get(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL); + Preconditions.checkNotNull(principal, "Kerberos principal should not be null."); + Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right."); + String keytabFile = conf.get(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB); + Preconditions.checkNotNull(keytabFile, "Keytab File should not be null."); + Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right."); + try { + UserGroupInformation.setConfiguration(conf); + String hostPrincipal = SecurityUtil.getServerPrincipal(principal, ServerConfig.RPC_ADDRESS_DEFAULT); + UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytabFile); + } catch (IOException ex) { + throw new IllegalArgumentException("Can't use Kerberos authentication, principal [" + + principal + "] keytab [" + keytabFile + "]", ex); + } + LOGGER.info("Using Kerberos authentication, principal [{}] keytab [{}]", principal, keytabFile); + } + } +}
http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java index 2286c87..52f25dc 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java @@ -22,14 +22,14 @@ import org.apache.hadoop.conf.Configuration; import org.apache.sentry.core.common.exception.SentryInvalidInputException; import org.apache.sentry.core.common.exception.SentryUserException; import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; -import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; -import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest; -import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest; -import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest; -import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; +import org.apache.sentry.api.service.thrift.TAlterSentryRoleAddGroupsRequest; +import org.apache.sentry.api.service.thrift.TAlterSentryRoleDeleteGroupsRequest; +import org.apache.sentry.api.service.thrift.TAlterSentryRoleGrantPrivilegeRequest; +import org.apache.sentry.api.service.thrift.TAlterSentryRoleRevokePrivilegeRequest; +import org.apache.sentry.api.service.thrift.TDropPrivilegesRequest; +import org.apache.sentry.api.service.thrift.TDropSentryRoleRequest; +import org.apache.sentry.api.service.thrift.TRenamePrivilegesRequest; +import org.apache.sentry.api.service.thrift.TSentryPrivilege; import java.util.Map; import java.util.Set; http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java index 480991d..277f6b3 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java @@ -24,9 +24,9 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.common.exception.SentryConfigurationException; import org.apache.sentry.provider.common.ProviderBackend; import org.apache.sentry.provider.common.ProviderBackendContext; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient; import org.apache.sentry.service.thrift.SentryServiceClientFactory; -import org.apache.sentry.service.thrift.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -48,8 +48,8 @@ public class SimpleDBProviderBackend implements ProviderBackend { public SimpleDBProviderBackend(Configuration conf) throws Exception { this.conf = conf; - this.retryCount = conf.getInt(ServiceConstants.ClientConfig.RETRY_COUNT_CONF, ServiceConstants.ClientConfig.RETRY_COUNT_DEFAULT); - this.retryIntervalSec = conf.getInt(ServiceConstants.ClientConfig.RETRY_INTERVAL_SEC_CONF, ServiceConstants.ClientConfig.RETRY_INTERVAL_SEC_DEFAULT); + this.retryCount = conf.getInt(ApiConstants.ClientConfig.RETRY_COUNT_CONF, ApiConstants.ClientConfig.RETRY_COUNT_DEFAULT); + this.retryIntervalSec = conf.getInt(ApiConstants.ClientConfig.RETRY_INTERVAL_SEC_CONF, ApiConstants.ClientConfig.RETRY_INTERVAL_SEC_DEFAULT); } /** * {@inheritDoc} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java index fe0eb07..f8dc211 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java @@ -32,11 +32,11 @@ import org.apache.sentry.core.common.exception.SentryConfigurationException; import org.apache.sentry.provider.common.CacheProvider; import org.apache.sentry.provider.common.ProviderBackend; import org.apache.sentry.provider.common.ProviderBackendContext; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; -import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter; -import org.apache.sentry.service.thrift.ServiceConstants; +import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient; +import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory; +import org.apache.sentry.api.generic.thrift.TSentryRole; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.tools.TSentryPrivilegeConverter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -60,10 +60,10 @@ public class SentryGenericProviderBackend extends CacheProvider implements Provi public SentryGenericProviderBackend(Configuration conf, String resource) //NOPMD throws Exception { this.conf = conf; - this.enableCaching = conf.getBoolean(ServiceConstants.ClientConfig.ENABLE_CACHING, ServiceConstants.ClientConfig.ENABLE_CACHING_DEFAULT); - this.privilegeConverter = conf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER); - this.setServiceName(conf.get(ServiceConstants.ClientConfig.SERVICE_NAME)); - this.setComponentType(conf.get(ServiceConstants.ClientConfig.COMPONENT_TYPE)); + this.enableCaching = conf.getBoolean(ApiConstants.ClientConfig.ENABLE_CACHING, ApiConstants.ClientConfig.ENABLE_CACHING_DEFAULT); + this.privilegeConverter = conf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER); + this.setServiceName(conf.get(ApiConstants.ClientConfig.SERVICE_NAME)); + this.setComponentType(conf.get(ApiConstants.ClientConfig.COMPONENT_TYPE)); } @Override @@ -72,12 +72,12 @@ public class SentryGenericProviderBackend extends CacheProvider implements Provi throw new IllegalStateException("SentryGenericProviderBackend has already been initialized, cannot be initialized twice"); } - Preconditions.checkNotNull(serviceName, "Service name is not defined. Use configuration parameter: " + conf.get(ServiceConstants.ClientConfig.SERVICE_NAME)); - Preconditions.checkNotNull(componentType, "Component type is not defined. Use configuration parameter: " + conf.get(ServiceConstants.ClientConfig.COMPONENT_TYPE)); + Preconditions.checkNotNull(serviceName, "Service name is not defined. Use configuration parameter: " + conf.get(ApiConstants.ClientConfig.SERVICE_NAME)); + Preconditions.checkNotNull(componentType, "Component type is not defined. Use configuration parameter: " + conf.get(ApiConstants.ClientConfig.COMPONENT_TYPE)); if (enableCaching) { if (privilegeConverter == null) { - throw new SentryConfigurationException(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER + " not configured."); + throw new SentryConfigurationException(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER + " not configured."); } Constructor<?> privilegeConverterConstructor; http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java index 31fcfc7..0dd7b4a 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java @@ -17,9 +17,9 @@ import com.google.common.collect.HashBasedTable; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; import org.apache.sentry.provider.common.TableCache; -import org.apache.sentry.provider.db.generic.service.thrift.*; -import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter; -import org.apache.sentry.service.thrift.ServiceConstants; +import org.apache.sentry.api.generic.thrift.*; +import org.apache.sentry.api.common.ApiConstants; +import org.apache.sentry.api.tools.TSentryPrivilegeConverter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -81,8 +81,8 @@ public final class UpdatableCache implements TableCache, AutoCloseable { this.tSentryPrivilegeConverter = tSentryPrivilegeConverter; // check caching configuration - this.cacheTtlNs = TimeUnit.MILLISECONDS.toNanos(conf.getLong(ServiceConstants.ClientConfig.CACHE_TTL_MS, ServiceConstants.ClientConfig.CACHING_TTL_MS_DEFAULT)); - this.allowedUpdateFailuresCount = conf.getInt(ServiceConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE, ServiceConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT); + this.cacheTtlNs = TimeUnit.MILLISECONDS.toNanos(conf.getLong(ApiConstants.ClientConfig.CACHE_TTL_MS, ApiConstants.ClientConfig.CACHING_TTL_MS_DEFAULT)); + this.allowedUpdateFailuresCount = conf.getInt(ApiConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE, ApiConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT); } @Override http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java index bc01c12..3026a62 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java @@ -33,10 +33,10 @@ import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; import org.apache.sentry.provider.db.service.model.MSentryGroup; import org.apache.sentry.provider.db.service.model.MSentryRole; import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor; -import org.apache.sentry.provider.db.service.thrift.TSentryGroup; -import org.apache.sentry.provider.db.service.thrift.TSentryRole; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor; +import org.apache.sentry.api.service.thrift.TSentryGroup; +import org.apache.sentry.api.service.thrift.TSentryRole; +import org.apache.sentry.service.common.ServiceConstants.ServerConfig; import javax.jdo.PersistenceManager; import java.util.Arrays; http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java index 9dcfc03..876ee14 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java @@ -47,7 +47,7 @@ import com.google.common.collect.Maps; import com.google.common.collect.Sets; import org.apache.sentry.provider.db.service.persistent.QueryParamBuilder; import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.service.thrift.ServiceConstants; +import org.apache.sentry.service.common.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java deleted file mode 100644 index 23731bd..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java +++ /dev/null @@ -1,45 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.thrift; - -public interface NotificationHandler { - - void create_sentry_role(TCreateSentryRoleRequest request, - TCreateSentryRoleResponse response); - - void drop_sentry_role(TDropSentryRoleRequest request, - TDropSentryRoleResponse response); - - void alter_sentry_role_grant_privilege(TAlterSentryRoleGrantPrivilegeRequest request, - TAlterSentryRoleGrantPrivilegeResponse response); - - void alter_sentry_role_revoke_privilege(TAlterSentryRoleRevokePrivilegeRequest request, - TAlterSentryRoleRevokePrivilegeResponse response); - - void alter_sentry_role_add_groups(TAlterSentryRoleAddGroupsRequest request, - TAlterSentryRoleAddGroupsResponse response); - - void alter_sentry_role_delete_groups(TAlterSentryRoleDeleteGroupsRequest request, - TAlterSentryRoleDeleteGroupsResponse response); - - void drop_sentry_privilege(TDropPrivilegesRequest request, - TDropPrivilegesResponse response); - - void rename_sentry_privilege(TRenamePrivilegesRequest request, - TRenamePrivilegesResponse response); -} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java deleted file mode 100644 index 6a8e7f3..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java +++ /dev/null @@ -1,163 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.thrift; - -import java.util.List; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.collect.Lists; - -/** - * Invokes configured instances of NotificationHandler. Importantly - * NotificationHandler's each receive a copy of the request and - * response thrift objects from each successful request. - */ -public class NotificationHandlerInvoker implements NotificationHandler { - private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class); - private List<? extends NotificationHandler> handlers = Lists.newArrayList(); - - public NotificationHandlerInvoker(List<? extends NotificationHandler> handlers) { - this.handlers = handlers; - } - @Override - public void create_sentry_role(TCreateSentryRoleRequest request, - TCreateSentryRoleResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.create_sentry_role(new TCreateSentryRoleRequest(request), - new TCreateSentryRoleResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - - @Override - public void drop_sentry_role(TDropSentryRoleRequest request, - TDropSentryRoleResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.drop_sentry_role(new TDropSentryRoleRequest(request), - new TDropSentryRoleResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - - @Override - public void alter_sentry_role_grant_privilege( - TAlterSentryRoleGrantPrivilegeRequest request, - TAlterSentryRoleGrantPrivilegeResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.alter_sentry_role_grant_privilege( - new TAlterSentryRoleGrantPrivilegeRequest(request), - new TAlterSentryRoleGrantPrivilegeResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - - @Override - public void alter_sentry_role_revoke_privilege( - TAlterSentryRoleRevokePrivilegeRequest request, - TAlterSentryRoleRevokePrivilegeResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.alter_sentry_role_revoke_privilege( - new TAlterSentryRoleRevokePrivilegeRequest(request), - new TAlterSentryRoleRevokePrivilegeResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - - @Override - public void alter_sentry_role_add_groups( - TAlterSentryRoleAddGroupsRequest request, - TAlterSentryRoleAddGroupsResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.alter_sentry_role_add_groups(new TAlterSentryRoleAddGroupsRequest(request), - new TAlterSentryRoleAddGroupsResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - - @Override - public void alter_sentry_role_delete_groups( - TAlterSentryRoleDeleteGroupsRequest request, - TAlterSentryRoleDeleteGroupsResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.alter_sentry_role_delete_groups(new TAlterSentryRoleDeleteGroupsRequest(request), - new TAlterSentryRoleDeleteGroupsResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - @Override - public void drop_sentry_privilege( - TDropPrivilegesRequest request, TDropPrivilegesResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.drop_sentry_privilege(new TDropPrivilegesRequest(request), - new TDropPrivilegesResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - @Override - public void rename_sentry_privilege(TRenamePrivilegesRequest request, - TRenamePrivilegesResponse response) { - for (NotificationHandler handler : handlers) { - try { - LOGGER.debug("Calling " + handler); - handler.rename_sentry_privilege(new TRenamePrivilegesRequest(request), - new TRenamePrivilegesResponse(response)); - } catch (Exception ex) { - LOGGER.error("Unexpected error in " + handler + ". Request: " - + request + ", Response: " + response, ex); - } - } - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java deleted file mode 100644 index 5a36433..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java +++ /dev/null @@ -1,831 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.thrift; - -import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER; -import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER; - -import java.lang.reflect.Constructor; -import java.util.Collections; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.common.utils.SentryConstants; -import org.apache.sentry.core.common.exception.SentrySiteConfigurationException; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.core.common.utils.KeyValue; -import org.apache.sentry.provider.common.AuthorizationComponent; -import org.apache.sentry.core.common.exception.SentryAccessDeniedException; -import org.apache.sentry.core.common.exception.SentryAlreadyExistsException; -import org.apache.sentry.core.common.exception.SentryInvalidInputException; -import org.apache.sentry.core.common.exception.SentryNoSuchObjectException; -import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException; -import org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore; -import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject; -import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder; -import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer; -import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory; -import org.apache.sentry.provider.db.log.util.Constants; -import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; -import org.apache.sentry.provider.db.service.model.MSentryRole; -import org.apache.sentry.core.common.utils.PolicyStoreConstants; -import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; -import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; -import org.apache.sentry.service.thrift.ServiceConstants; -import org.apache.sentry.service.thrift.Status; -import org.apache.sentry.service.thrift.TSentryResponseStatus; -import org.apache.thrift.TException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Splitter; -import com.google.common.base.Strings; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; -import com.google.common.collect.Maps; -import com.google.common.collect.Sets; - -public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface { - private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericPolicyProcessor.class); - private static final Logger AUDIT_LOGGER = LoggerFactory - .getLogger(Constants.AUDIT_LOGGER_NAME_GENERIC); - private final Configuration conf; - private final ImmutableSet<String> adminGroups; - private final SentryStoreLayer store; - private final NotificationHandlerInvoker handerInvoker; - - public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService"; - private static final String ACCESS_DENIAL_MESSAGE = "Access denied to "; - - SentryGenericPolicyProcessor(Configuration conf) throws Exception { - this.store = new DelegateSentryStore(conf); - this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf)); - this.conf = conf; - adminGroups = ImmutableSet.copyOf((Sets.newHashSet(conf.getStrings( - ServerConfig.ADMIN_GROUPS, new String[]{})))); - } - - @VisibleForTesting - SentryGenericPolicyProcessor(Configuration conf, SentryStoreLayer store) throws Exception { - this.store = store; - this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf)); - this.conf = conf; - adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings( - ServerConfig.ADMIN_GROUPS, new String[]{})))); - } - - private void authorize(String requestorUser, Set<String> requestorGroups) - throws SentryAccessDeniedException { - if (!inAdminGroups(requestorGroups)) { - String msg = "User: " + requestorUser + " is part of " + requestorGroups + - " which does not, intersect admin groups " + adminGroups; - LOGGER.warn(msg); - throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUser); - } - } - - private Set<String> toTrimmedLower(Set<String> s) { - if (s == null) { - return Collections.emptySet(); - } - Set<String> result = new HashSet<>(s.size()); - for (String v : s) { - result.add(v.trim().toLowerCase()); - } - return result; - } - - private Set<String> toTrimmed(Set<String> s) { - if (s == null) { - return Collections.emptySet(); - } - Set<String> result = new HashSet<>(s.size()); - for (String v : s) { - result.add(v.trim()); - } - return result; - } - - private String toTrimmedLower(String s) { - if (Strings.isNullOrEmpty(s)){ - return ""; - } - return s.trim().toLowerCase(); - } - - private static Set<String> getRequestorGroups(Configuration conf, String userName) throws SentryUserException { - return SentryPolicyStoreProcessor.getGroupsFromUserName(conf, userName); - } - - private boolean inAdminGroups(Set<String> requestorGroups) { - return !Sets.intersection(adminGroups, requestorGroups).isEmpty(); - } - - static List<NotificationHandler> createHandlers(Configuration conf) throws SentrySiteConfigurationException { - - List<NotificationHandler> handlers = Lists.newArrayList(); - Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults() - .omitEmptyStrings().split(conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION, "")); - try { - for (String notificationHandler : notificationHandlers) { - handlers.add(createInstance(notificationHandler, conf, NotificationHandler.class)); - } - } catch (Exception e) { - throw new SentrySiteConfigurationException("Create notificationHandlers error: " + e.getMessage(), e); - } - return handlers; - } - - @SuppressWarnings("unchecked") - private static <T> T createInstance(String className, Configuration conf, Class<T> iface) throws Exception { - T result; - try { - Class<?> clazz = Class.forName(className); - if (!iface.isAssignableFrom(clazz)) { - throw new IllegalArgumentException("Class " + clazz + " is not a " + - iface.getName()); - } - Constructor<T> meth = (Constructor<T>)clazz.getDeclaredConstructor(Configuration.class); - meth.setAccessible(true); - result = meth.newInstance(new Object[]{conf}); - } catch (Exception e) { - throw new RuntimeException(e); - } - return result; - } - - private <T> Response<T> requestHandle(RequestHandler<T> handler) { - Response<T> response = new Response<T>(); - try { - response = handler.handle(); - } catch (SentryAccessDeniedException e) { - String msg = "Sentry access denied: " + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.AccessDenied(e.getMessage(), e); - } catch (SentryAlreadyExistsException e) { - String msg = "Sentry object already exists: " + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.AlreadyExists(e.getMessage(), e); - } catch (SentryNoSuchObjectException e) { - String msg = "Sentry object doesn't exist: " + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.NoSuchObject(e.getMessage(), e); - } catch (SentryInvalidInputException e) { - String msg = "Invalid input privilege object: " + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.InvalidInput(msg, e); - } catch (SentryThriftAPIMismatchException e) { - String msg = "Sentry thrift API mismatch error: " + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e); - } catch (Exception e) { - String msg = "Unknown error:" + e.getMessage(); - LOGGER.error(msg, e); - response.status = Status.RuntimeError(msg, e); - } - return response; - } - - private PrivilegeObject toPrivilegeObject(TSentryPrivilege tSentryPrivilege) { - Boolean grantOption; - if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE)) { - grantOption = true; - } else if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.FALSE)) { - grantOption = false; - } else { - grantOption = null; - } - return new Builder().setComponent(tSentryPrivilege.getComponent()) - .setService(tSentryPrivilege.getServiceName()) - .setAuthorizables(toAuthorizables(tSentryPrivilege.getAuthorizables())) - .setAction(tSentryPrivilege.getAction()) - .withGrantOption(grantOption) - .build(); - } - - private TSentryPrivilege fromPrivilegeObject(PrivilegeObject privilege) { - - TSentryPrivilege tPrivilege = new TSentryPrivilege(privilege.getComponent(), privilege.getService(), - fromAuthorizable(privilege.getAuthorizables()), - privilege.getAction()); - if (privilege.getGrantOption() == null) { - tPrivilege.setGrantOption(TSentryGrantOption.UNSET); - } else if (privilege.getGrantOption()) { - tPrivilege.setGrantOption(TSentryGrantOption.TRUE); - } else { - tPrivilege.setGrantOption(TSentryGrantOption.FALSE); - } - return tPrivilege; - } - - private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) { - List<TAuthorizable> tAuthorizables = Lists.newArrayList(); - for (Authorizable authorizable : authorizables) { - tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName())); - } - return tAuthorizables; - } - - private String fromAuthorizableToStr(List<? extends Authorizable> authorizables) { - if (authorizables != null && !authorizables.isEmpty()) { - List<String> privileges = Lists.newArrayList(); - - for (Authorizable authorizable : authorizables) { - - privileges.add(SentryConstants.KV_JOINER.join(authorizable.getTypeName(), - authorizable.getName())); - } - - return SentryConstants.AUTHORIZABLE_JOINER.join(privileges); - } else { - return ""; - } - } - - private List<? extends Authorizable> toAuthorizables(List<TAuthorizable> tAuthorizables) { - List<Authorizable> authorizables = Lists.newArrayList(); - if (tAuthorizables == null) { - return authorizables; - } - for (final TAuthorizable tAuthorizable : tAuthorizables) { - authorizables.add(new Authorizable() { - @Override - public String getTypeName() { - return tAuthorizable.getType(); - } - @Override - public String getName() { - return tAuthorizable.getName(); - } - }); - } - return authorizables; - } - - private List<? extends Authorizable> toAuthorizables(String privilegeStr) { - List<Authorizable> authorizables = Lists.newArrayList(); - if (privilegeStr == null) { - return authorizables; - } - - for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { - KeyValue tempKV = new KeyValue(authorizable); - final String key = tempKV.getKey(); - final String value = tempKV.getValue(); - - authorizables.add(new Authorizable() { - @Override - public String getTypeName() { - return key; - } - - @Override - public String getName() { - return value; - } - }); - } - - return authorizables; - } - - // Construct the role to set of privileges mapping based on the - // MSentryGMPrivilege information. - private TSentryPrivilegeMap toTSentryPrivilegeMap(Set<MSentryGMPrivilege> mPrivileges) { - - // Mapping of <Role, Set<Privilege>>. - Map<String, Set<TSentryPrivilege>> tPrivilegeMap = Maps.newTreeMap(); - - for (MSentryGMPrivilege mPrivilege : mPrivileges) { - for (MSentryRole role : mPrivilege.getRoles()) { - - TSentryPrivilege tPrivilege = toTSentryPrivilege(mPrivilege); - - if (tPrivilegeMap.containsKey(role.getRoleName())) { - tPrivilegeMap.get(role.getRoleName()).add(tPrivilege); - } else { - Set<TSentryPrivilege> tPrivilegeSet = Sets.newTreeSet(); - tPrivilegeSet.add(tPrivilege); - tPrivilegeMap.put(role.getRoleName(), tPrivilegeSet); - } - } - } - - return new TSentryPrivilegeMap(tPrivilegeMap); - } - - // Construct TSentryPrivilege based on MSentryGMPrivilege information. - private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) { - - TSentryPrivilege tPrivilege = new TSentryPrivilege(mPrivilege.getComponentName(), - mPrivilege.getServiceName(), fromAuthorizable(mPrivilege.getAuthorizables()), mPrivilege.getAction()); - - if (mPrivilege.getGrantOption() == null) { - tPrivilege.setGrantOption(TSentryGrantOption.UNSET); - } else if (mPrivilege.getGrantOption()) { - tPrivilege.setGrantOption(TSentryGrantOption.TRUE); - } else { - tPrivilege.setGrantOption(TSentryGrantOption.FALSE); - } - - return tPrivilege; - } - - private Set<String> buildPermissions(Set<PrivilegeObject> privileges) { - Set<String> permissions = Sets.newHashSet(); - for (PrivilegeObject privilege : privileges) { - List<String> hierarchy = Lists.newArrayList(); - if (hasComponentServerPrivilege(privilege.getComponent())) { - hierarchy.add(KV_JOINER.join("server", privilege.getService())); - } - for (Authorizable authorizable : privilege.getAuthorizables()) { - hierarchy.add(KV_JOINER.join(authorizable.getTypeName(),authorizable.getName())); - } - hierarchy.add(KV_JOINER.join("action", privilege.getAction())); - permissions.add(AUTHORIZABLE_JOINER.join(hierarchy)); - } - return permissions; - } - - private boolean hasComponentServerPrivilege(String component) { - //judge the component whether has the server privilege, for example: sqoop has the privilege on the server - return AuthorizationComponent.SQOOP.equalsIgnoreCase(component); - } - - @Override - public TCreateSentryRoleResponse create_sentry_role( - final TCreateSentryRoleRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.createRole(request.getComponent(), request.getRoleName(), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TCreateSentryRoleResponse tResponse = new TCreateSentryRoleResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.create_sentry_role(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for create role: " + e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TDropSentryRoleResponse drop_sentry_role(final TDropSentryRoleRequest request) - throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.dropRole(request.getComponent(), request.getRoleName(), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TDropSentryRoleResponse tResponse = new TDropSentryRoleResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.drop_sentry_role(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for drop role: " + e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege( - final TAlterSentryRoleGrantPrivilegeRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - store.alterRoleGrantPrivilege(request.getComponent(), - request.getRoleName(), - toPrivilegeObject(request.getPrivilege()), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TAlterSentryRoleGrantPrivilegeResponse tResponse = new TAlterSentryRoleGrantPrivilegeResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.alter_sentry_role_grant_privilege(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for grant privilege to role: " + e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege( - final TAlterSentryRoleRevokePrivilegeRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - store.alterRoleRevokePrivilege(request.getComponent(), - request.getRoleName(), - toPrivilegeObject(request.getPrivilege()), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TAlterSentryRoleRevokePrivilegeResponse tResponse = - new TAlterSentryRoleRevokePrivilegeResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.alter_sentry_role_revoke_privilege(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for revoke privilege from role: " + e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups( - final TAlterSentryRoleAddGroupsRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.alterRoleAddGroups(request.getComponent(), - request.getRoleName(), - request.getGroups(), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TAlterSentryRoleAddGroupsResponse tResponse = - new TAlterSentryRoleAddGroupsResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.alter_sentry_role_add_groups(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for add role to group: " + e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups( - final TAlterSentryRoleDeleteGroupsRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.alterRoleDeleteGroups(request.getComponent(), - request.getRoleName(), - request.getGroups(), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TAlterSentryRoleDeleteGroupsResponse tResponse = - new TAlterSentryRoleDeleteGroupsResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.alter_sentry_role_delete_groups(request, tResponse); - } - - try { - AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog()); - } catch (Exception e) { - // if any exception, log the exception. - String msg = "Error in creating audit log for delete role from group: " + - e.getMessage(); - LOGGER.error(msg, e); - } - return tResponse; - } - - @Override - public TListSentryRolesResponse list_sentry_roles_by_group( - final TListSentryRolesRequest request) throws TException { - Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() { - @Override - public Response<Set<TSentryRole>> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName()); - if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) { - boolean admin = inAdminGroups(groups); - //Only admin users can list all roles in the system ( groupname = null) - //Non admin users are only allowed to list only groups which they belong to - if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) { - throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName()); - } - groups.clear(); - groups.add(request.getGroupName()); - } - - Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups); - Set<TSentryRole> tSentryRoles = Sets.newHashSet(); - for (String roleName : roleNames) { - Set<String> groupsForRoleName = store.getGroupsByRoles(request.getComponent(), Sets.newHashSet(roleName)); - tSentryRoles.add(new TSentryRole(roleName, groupsForRoleName)); - } - return new Response<Set<TSentryRole>>(Status.OK(), tSentryRoles); - } - }); - TListSentryRolesResponse tResponse = new TListSentryRolesResponse(); - tResponse.setStatus(respose.status); - tResponse.setRoles(respose.content); - return tResponse; - } - - @Override - public TListSentryPrivilegesResponse list_sentry_privileges_by_role( - final TListSentryPrivilegesRequest request) throws TException { - Response<Set<TSentryPrivilege>> respose = requestHandle(new RequestHandler<Set<TSentryPrivilege>>() { - @Override - public Response<Set<TSentryPrivilege>> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName()); - if (!inAdminGroups(groups)) { - Set<String> roleNamesForGroups = toTrimmedLower(store.getRolesByGroups(request.getComponent(), groups)); - if (!roleNamesForGroups.contains(toTrimmedLower(request.getRoleName()))) { - throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName()); - } - } - Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(), - request.getServiceName(), - Sets.newHashSet(request.getRoleName()), - null, toAuthorizables(request.getAuthorizables())); - Set<TSentryPrivilege> tSentryPrivileges = Sets.newHashSet(); - for (PrivilegeObject privilege : privileges) { - tSentryPrivileges.add(fromPrivilegeObject(privilege)); - } - return new Response<Set<TSentryPrivilege>>(Status.OK(), tSentryPrivileges); - } - }); - TListSentryPrivilegesResponse tResponse = new TListSentryPrivilegesResponse(); - tResponse.setStatus(respose.status); - tResponse.setPrivileges(respose.content); - return tResponse; - } - - @Override - public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider( - final TListSentryPrivilegesForProviderRequest request) throws TException { - Response<Set<String>> respose = requestHandle(new RequestHandler<Set<String>>() { - @Override - public Response<Set<String>> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - Set<String> activeRoleNames = toTrimmedLower(request.getRoleSet().getRoles()); - Set<String> roleNamesForGroups = store.getRolesByGroups(request.getComponent(), request.getGroups()); - Set<String> rolesToQuery = request.getRoleSet().isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups); - Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(), - request.getServiceName(), - rolesToQuery, null, - toAuthorizables(request.getAuthorizables())); - return new Response<Set<String>>(Status.OK(), buildPermissions(privileges)); - } - }); - TListSentryPrivilegesForProviderResponse tResponse = new TListSentryPrivilegesForProviderResponse(); - tResponse.setStatus(respose.status); - tResponse.setPrivileges(respose.content); - return tResponse; - } - - @Override - public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request) throws TException { - - TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse(); - Map<String, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap(); - - // Group names are case sensitive. - Set<String> requestedGroups = request.getGroups(); - String subject = request.getRequestorUserName(); - TSentryActiveRoleSet activeRoleSet = request.getRoleSet(); - Set<String> validActiveRoles = Sets.newHashSet(); - - try { - validateClientVersion(request.getProtocol_version()); - Set<String> memberGroups = getRequestorGroups(conf, subject); - - // Disallow non-admin users to lookup groups that - // they are not part of. - if(!inAdminGroups(memberGroups)) { - - if (requestedGroups != null && !requestedGroups.isEmpty()) { - for (String requestedGroup : requestedGroups) { - - // If user doesn't belong to one of the requested groups, - // then raise security exception. - if (!memberGroups.contains(requestedGroup)) { - throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + subject); - } - } - } else { - // Non-admin's search is limited to its own groups. - requestedGroups = memberGroups; - } - - Set<String> grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); - - // If activeRoleSet is not null, disallow non-admin to lookup roles that they are not part of. - if (activeRoleSet != null && !activeRoleSet.isAll()) { - - Set<String> activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); - for (String activeRole : activeRoleNames) { - if (!grantedRoles.contains(activeRole)) { - throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE - + subject); - } - } - - // For non-admin, valid active roles are intersection of active roles and granted roles. - validActiveRoles.addAll(activeRoleSet.isAll() ? grantedRoles : Sets.intersection(activeRoleNames, grantedRoles)); - } else { - // For non-admin, if activeRoleSet is null, valid active roles would be the granted roles. - validActiveRoles.addAll(grantedRoles); - } - } else { - // For admin, if requestedGroups are empty, requested roles will be all roles. - Set<String> requestedRoles = toTrimmedLower(store.getAllRoleNames()); - if (requestedGroups != null && !requestedGroups.isEmpty()) { - requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); - } - - // If activeRoleSet (which is optional) is not null, valid active role will be intersection - // of active roles and requested roles. Otherwise, valid active roles are the requested roles. - if (activeRoleSet != null && !activeRoleSet.isAll()) { - validActiveRoles.addAll(Sets.intersection(toTrimmedLower(activeRoleSet.getRoles()), requestedRoles)); - } else { - validActiveRoles.addAll(requestedRoles); - } - } - - // If user is not part of any group.. return empty response - if (request.getAuthorizablesSet() != null) { - for (String authorizablesStr : request.getAuthorizablesSet()) { - - List<? extends Authorizable> authorizables = toAuthorizables(authorizablesStr); - Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables); - authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges)); - } - } - - response.setPrivilegesMapByAuth(authRoleMap); - response.setStatus(Status.OK()); - } catch (SentryAccessDeniedException e) { - LOGGER.error(e.getMessage(), e); - response.setStatus(Status.AccessDenied(e.getMessage(), e)); - } catch (SentryThriftAPIMismatchException e) { - LOGGER.error(e.getMessage(), e); - response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); - } catch (Exception e) { - String msg = "Unknown error for request: " + request + ", message: " - + e.getMessage(); - LOGGER.error(msg, e); - response.setStatus(Status.RuntimeError(msg, e)); - } - - return response; - } - - @Override - public TDropPrivilegesResponse drop_sentry_privilege( - final TDropPrivilegesRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.dropPrivilege(request.getComponent(), - toPrivilegeObject(request.getPrivilege()), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TDropPrivilegesResponse tResponse = new TDropPrivilegesResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.drop_sentry_privilege(request, tResponse); - } - return tResponse; - } - - @Override - public TRenamePrivilegesResponse rename_sentry_privilege( - final TRenamePrivilegesRequest request) throws TException { - Response<Void> respose = requestHandle(new RequestHandler<Void>() { - @Override - public Response<Void> handle() throws Exception { - validateClientVersion(request.getProtocol_version()); - authorize(request.getRequestorUserName(), - getRequestorGroups(conf, request.getRequestorUserName())); - store.renamePrivilege(request.getComponent(), request.getServiceName(), - toAuthorizables(request.getOldAuthorizables()), - toAuthorizables(request.getNewAuthorizables()), - request.getRequestorUserName()); - return new Response<Void>(Status.OK()); - } - }); - - TRenamePrivilegesResponse tResponse = new TRenamePrivilegesResponse(respose.status); - if (Status.OK.getCode() == respose.status.getValue()) { - handerInvoker.rename_sentry_privilege(request, tResponse); - } - return tResponse; - } - - private static class Response<T> { - private TSentryResponseStatus status; - private T content; - - Response() { - } - - Response(TSentryResponseStatus status) { - this(status, null); - } - - Response(TSentryResponseStatus status, T content) { - this.status = status; - this.content = content; - } - } - private interface RequestHandler <T>{ - Response<T> handle() throws Exception ; - } - - private static void validateClientVersion(int protocolVersion) throws SentryThriftAPIMismatchException { - if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocolVersion) { - String msg = "Sentry thrift API protocol version mismatch: Client thrift version " + - "is: " + protocolVersion + " , server thrift version " + - "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT; - throw new SentryThriftAPIMismatchException(msg); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java deleted file mode 100644 index 9fb1de6..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java +++ /dev/null @@ -1,43 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.thrift; - -import org.apache.hadoop.conf.Configuration; -import org.apache.sentry.provider.db.service.persistent.SentryStore; -import org.apache.sentry.service.thrift.ProcessorFactory; -import org.apache.thrift.TMultiplexedProcessor; -import org.apache.thrift.TProcessor; - -public class SentryGenericPolicyProcessorFactory extends ProcessorFactory { - - public SentryGenericPolicyProcessorFactory(Configuration conf) { - super(conf); - } - - @Override - public boolean register(TMultiplexedProcessor multiplexedProcessor, - SentryStore _) throws Exception { - SentryGenericPolicyProcessor processHandler = new SentryGenericPolicyProcessor(conf); - TProcessor processor = new SentryGenericPolicyProcessorWrapper<SentryGenericPolicyService.Iface>( - processHandler); - multiplexedProcessor.registerProcessor( - SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME, processor); - return true; - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java deleted file mode 100644 index a0fc2cc..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java +++ /dev/null @@ -1,39 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.generic.service.thrift; - -import org.apache.sentry.core.common.utils.ThriftUtil; -import org.apache.thrift.TException; -import org.apache.thrift.protocol.TProtocol; - -public class SentryGenericPolicyProcessorWrapper<I extends SentryGenericPolicyService.Iface> - extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface> { - - public SentryGenericPolicyProcessorWrapper(I iface) { - super(iface); - } - - @Override - public boolean process(TProtocol in, TProtocol out) throws TException { - // set the ip and impersonator for audit log - ThriftUtil.setIpAddress(in); - ThriftUtil.setImpersonator(in); - return super.process(in, out); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java deleted file mode 100644 index dd49952..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java +++ /dev/null @@ -1,194 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.service.thrift; - -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; - -public interface SentryGenericServiceClient extends AutoCloseable { - - /** - * Create a sentry role - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @throws SentryUserException - */ - void createRole(String requestorUserName, String roleName, - String component) throws SentryUserException; - - void createRoleIfNotExist(String requestorUserName, - String roleName, String component) throws SentryUserException; - - /** - * Drop a sentry role - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @throws SentryUserException - */ - void dropRole(String requestorUserName, String roleName, - String component) throws SentryUserException; - - void dropRoleIfExists(String requestorUserName, String roleName, - String component) throws SentryUserException; - - /** - * Grant a sentry role to groups. - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @param groups: The name of groups - * @throws SentryUserException - */ - void grantRoleToGroups(String requestorUserName, String roleName, - String component, Set<String> groups) throws SentryUserException; - - /** - * revoke a sentry role from groups. - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @param groups: The name of groups - * @throws SentryUserException - */ - void revokeRoleFromGroups(String requestorUserName, String roleName, - String component, Set<String> groups) throws SentryUserException; - - /** - * grant privilege - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @param privilege - * @throws SentryUserException - */ - void grantPrivilege(String requestorUserName, String roleName, - String component, TSentryPrivilege privilege) throws SentryUserException; - - /** - * revoke privilege - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: Name of the role - * @param component: The request is issued to which component - * @param privilege - * @throws SentryUserException - */ - void revokePrivilege(String requestorUserName, String roleName, - String component, TSentryPrivilege privilege) throws SentryUserException; - - /** - * drop privilege - * @param requestorUserName: user on whose behalf the request is issued - * @param component: The request is issued to which component - * @param privilege - * @throws SentryUserException - */ - void dropPrivilege(String requestorUserName, String component, - TSentryPrivilege privilege) throws SentryUserException; - - /** - * rename privilege - * @param requestorUserName: user on whose behalf the request is issued - * @param component: The request is issued to which component - * @param serviceName: The Authorizable belongs to which service - * @param oldAuthorizables - * @param newAuthorizables - * @throws SentryUserException - */ - void renamePrivilege(String requestorUserName, String component, - String serviceName, List<? extends Authorizable> oldAuthorizables, - List<? extends Authorizable> newAuthorizables) throws SentryUserException; - - /** - * Gets sentry role objects for a given groupName using the Sentry service - * @param requestorUserName : user on whose behalf the request is issued - * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName) - * @param component: The request is issued to which component - * @return Set of thrift sentry role objects - * @throws SentryUserException - */ - Set<TSentryRole> listRolesByGroupName( - String requestorUserName, - String groupName, - String component) - throws SentryUserException; - - Set<TSentryRole> listUserRoles(String requestorUserName, String component) - throws SentryUserException; - - Set<TSentryRole> listAllRoles(String requestorUserName, String component) - throws SentryUserException; - - /** - * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service - * @param requestorUserName: user on whose behalf the request is issued - * @param roleName: - * @param component: The request is issued to which component - * @param serviceName - * @param authorizables - * @return - * @throws SentryUserException - */ - Set<TSentryPrivilege> listPrivilegesByRoleName( - String requestorUserName, String roleName, String component, - String serviceName, List<? extends Authorizable> authorizables) - throws SentryUserException; - - Set<TSentryPrivilege> listAllPrivilegesByRoleName( - String requestorUserName, String roleName, String component, - String serviceName) throws SentryUserException; - - /** - * get sentry permissions from provider as followings: - * @param: component: The request is issued to which component - * @param: serviceName: The privilege belongs to which service - * @param: roleSet - * @param: groupNames - * @param: the authorizables - * @returns the set of permissions - * @throws SentryUserException - */ - Set<String> listPrivilegesForProvider(String component, - String serviceName, ActiveRoleSet roleSet, Set<String> groups, - List<? extends Authorizable> authorizables) throws SentryUserException; - - /** - * Get sentry privileges based on valid active roles and the authorize objects. Note that - * it is client responsibility to ensure the requestor username, etc. is not impersonated. - * - * @param component: The request respond to which component. - * @param serviceName: The name of service. - * @param requestorUserName: The requestor user name. - * @param authorizablesSet: The set of authorize objects. One authorize object is represented - * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. - * @param groups: The requested groups. - * @param roleSet: The active roles set. - * - * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>). - * @throws SentryUserException - */ - Map<String, TSentryPrivilegeMap> listPrivilegesbyAuthorizable(String component, - String serviceName, String requestorUserName, Set<String> authorizablesSet, - Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException; -}
