Repository: sentry Updated Branches: refs/heads/master 7db84b2fe -> e6703a580
SENTRY-2246: Construct owner privilege (TSentryPrivilege) (Kalyan Kumar kalvagadda, reviewed-by Na Li, Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e6703a58 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e6703a58 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e6703a58 Branch: refs/heads/master Commit: e6703a5802962689ef60dd8f952cb09b988dbced Parents: 7db84b2 Author: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Authored: Thu May 31 11:20:38 2018 -0500 Committer: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Committed: Thu May 31 11:20:38 2018 -0500 ---------------------------------------------------------------------- .../sentry/service/common/ServiceConstants.java | 13 +++ .../thrift/SentryPolicyStoreProcessor.java | 34 ++++++ .../thrift/TestSentryPolicyStoreProcessor.java | 112 ++++++++++++++++++- 3 files changed, 158 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java index 53daae8..777c262 100644 --- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java 
@@ -244,6 +244,19 @@ public class ServiceConstants {
 */
 public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count";
 public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100;
+
+ /**
+ * Controls the owner privileges feature.
+ */
+ public static final String SENTRY_ENABLE_OWNER_PRIVILEGES = "sentry.enable.owner.privileges";
+ public static final Boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false;
+
+ /**
+ * This value is used to decide if a owner privilege created by sentry server
+ * should have grant option.
+ */
+ public static final String SENTRY_OWNER_PRIVILEGE_WITH_GRANT = "sentry.grant.owner.privileges.with.grant";
+ public static final Boolean SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT = false;
 }
 public static final String SENTRY_ZK_JAAS_NAME = "Sentry";
http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index c23683f..6886f10 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -72,6 +72,8 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
+import com.google.common.base.Strings;
+
 import static org.apache.sentry.hdfs.Updateable.Update;
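Review bot: The Javadoc on `SENTRY_OWNER_PRIVILEGE_WITH_GRANT` says the flag decides whether an owner privilege gets the grant option but not what that permits, which is the one thing an operator needs before flipping a default-off security switch. I would replace it with: `When true, owner privileges created by the Sentry server carry the grant option, which presumably lets an object's owner pass privileges on that object to other roles; leave false unless owner delegation is intended.` (the delegation effect is not visible in this hunk and should be confirmed against the grant checks). The same comment has "a owner", which should read "an owner". Minor style point: both defaults are declared as boxed `Boolean` although `conf.getBoolean(...)` in the processor takes a primitive default, so `public static final boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false;` (and likewise for the grant flag) avoids the unboxing.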
@@ -1236,4 +1238,36 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 }
 return response;
 }
+
+ /**
+ * This API constructs (@Link TSentryPrivilege} for authorizable provided
+ * based on the configurations.
+ *
+ * @param authorizable for which owner privilege should be constructed.
+ * @return null if owner privilege can not be constructed, else instance of {@Link TSentryPrivilege}
+ */
+ TSentryPrivilege constructOwnerPrivilege(TSentryAuthorizable authorizable) {
+ Boolean isOwnerPrivEnabled = conf.getBoolean(ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES,
+ ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT);
+ if(isOwnerPrivEnabled == false) {
+ return null;
+ }
+ if(Strings.isNullOrEmpty(authorizable.getDb())) {
+ LOGGER.error("Received authorizable with out DB Name");
+ return null;
+ }
+ Boolean privilegeWithGrantOption = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
+ ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT);
+
+ TSentryPrivilege ownerPrivilege = new TSentryPrivilege();
+ ownerPrivilege.setDbName(authorizable.getDb());
+ if(!Strings.isNullOrEmpty(authorizable.getTable())) {
+ ownerPrivilege.setTableName(authorizable.getTable());
+ }
+ if(privilegeWithGrantOption) {
+ ownerPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+ }
+ ownerPrivilege.setAction(AccessConstants.OWNER);
+ return ownerPrivilege;
+ }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index efacf19..b028303 100644
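Review bot: `constructOwnerPrivilege` copies the authorizable's db and table into the new `TSentryPrivilege` but never its server: nothing calls `authorizable.getServer()` or `ownerPrivilege.setServerName(...)`, and no privilege scope is set either. If privileges in the store are matched by server name (the test builds its authorizables with `new TSentryAuthorizable("")`, which suggests server is the authorizable's required field), an owner privilege without one is incomplete or could match across servers; `ownerPrivilege.setServerName(authorizable.getServer());` right after the constructor looks like the missing line, to be confirmed against how the other privileges in this class are built. The method also dereferences `authorizable` before any null check, so a null argument ends in an NPE instead of the documented null return. Smaller points: `if(isOwnerPrivEnabled == false)` compares a boxed `Boolean` and reads better as a primitive `boolean` with `if (!isOwnerPrivEnabled)`, the Javadoc's `(@Link TSentryPrivilege}` should be `{@link TSentryPrivilege}` in both places, and the log message should say "without".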
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -17,8 +17,13 @@
 */
 package org.apache.sentry.api.service.thrift;
+import com.codahale.metrics.Gauge;
+import org.apache.sentry.api.common.ApiConstants;
 import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.service.common.ServiceConstants;
 import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.junit.Assert;
 import org.apache.hadoop.conf.Configuration;
@@ -26,14 +31,66 @@ import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
 import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.Mockito;
 public class TestSentryPolicyStoreProcessor {
 private Configuration conf;
-
+ private static final SentryStore sentryStore = Mockito.mock(SentryStore.class);
 @Before
 public void setup() {
 conf = new Configuration(false);
+
+ Mockito.when(sentryStore.getRoleCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPrivilegeCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getGroupCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getHMSWaitersCountGauge()).thenReturn(new Gauge<Integer>() {
+ @Override
+ public Integer getValue() {
+ return 0;
+ }
+ });
+ Mockito.when(sentryStore.getLastNotificationIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ }); Mockito.when(sentryStore.getLastPathsSnapshotIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPermChangeIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPathChangeIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+
+
+
 }
 @Test(expected=SentrySiteConfigurationException.class)
 public void testConfigNotNotificationHandler() throws Exception {
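Review bot: The eight `Mockito.when(...).thenReturn(new Gauge<...>() {...})` stubs added to `setup()` differ only in the getter stubbed and the constant returned, and as rendered here the `getLastPathsSnapshotIdGauge()` stub starts on the same line as the previous `});`, which is easy to misread. A small generic helper returning a constant gauge would cut the block to one line per stub and remove the odd line break; the three blank added lines before the closing brace of `setup()` can go as well. The `Gauge<Integer>` type for `getHMSWaitersCountGauge()` and `Gauge<Long>` for the rest are taken from the stubs themselves.
```java
  /** A gauge that always reports {@code value}; keeps the SentryStore stubs to one line each. */
  private static <T> Gauge<T> constantGauge(final T value) {
    return new Gauge<T>() {
      @Override
      public T getValue() {
        return value;
      }
    };
  }
  // … in setup(), after conf = new Configuration(false); one line per stub …
  Mockito.when(sentryStore.getRoleCountGauge()).thenReturn(constantGauge(0L));
  Mockito.when(sentryStore.getHMSWaitersCountGauge()).thenReturn(constantGauge(0));
  // … unchanged: the remaining Long gauges are stubbed the same way …
```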
@@ -78,4 +135,57 @@ public class TestSentryPolicyStoreProcessor {
 public void testSentryThriftAPIMatchVersion() throws Exception {
 SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
 }
+
+ @Test
+ public void testConstructOwnerPrivilege() throws Exception {
+ SentryPolicyStoreProcessor sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ TSentryAuthorizable authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+
+ //Check the behaviour when owner privileges feature is not configured.
+ Assert.assertNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+
+ //Check behaviour when DB name is not set
+ conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true);
+ sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setTable("tb1");
+ Assert.assertNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //Check the behavior when DB name is set and table name is not set.
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ privilege.setDbName("db1");
+ privilege.setAction(AccessConstants.OWNER);
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //check the behaviour when both DB name and table name are set
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+ privilege.setTableName("tb1");
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //Check the behavior when grant option is configured.
+ conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
+ true);
+ sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+ privilege.setGrantOption(TSentryGrantOption.TRUE);
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ }
 }
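Review bot: Every authorizable in `testConstructOwnerPrivilege` is built as `new TSentryAuthorizable("")` and the expected `privilege` never gets a server name, so the `assertEquals` checks pass whether or not `constructOwnerPrivilege` carries the server over, which is the one field of the authorizable the production method does not copy. If owner privileges are meant to be server-scoped, construct with `new TSentryAuthorizable("server1")` and add `privilege.setServerName("server1");` next to `privilege.setDbName("db1");` so a dropped server fails the test. Re-creating `sentryServiceHandler` after each `conf.setBoolean` appears unnecessary, since the method reads `conf.getBoolean` on every call, unless the constructor copies the configuration; and each scenario calls `constructOwnerPrivilege` twice where assigning the result to a local once and asserting on that would be clearer. The mixed "behaviour"/"behavior" spellings in the scenario comments are cosmetic.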