Repository: sentry Updated Branches: refs/heads/master f099f0abd -> 2c5723e15
SENTRY-2355: Merge the DB owner privileges configurations into one enum configuration (Sergio Pena, reviewed by Na Li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/2c5723e1 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/2c5723e1 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/2c5723e1 Branch: refs/heads/master Commit: 2c5723e15cdee96ea3a60a1757e27828c84abe8b Parents: f099f0a Author: Sergio Pena <[email protected]> Authored: Mon Aug 20 15:18:00 2018 -0500 Committer: Sergio Pena <[email protected]> Committed: Mon Aug 20 15:29:37 2018 -0500 ---------------------------------------------------------------------- .../common/SentryOwnerPrivilegeType.java | 52 ++++++++++++++++++++ .../sentry/service/common/ServiceConstants.java | 14 +----- .../thrift/SentryPolicyStoreProcessor.java | 11 ++--- .../db/service/persistent/SentryStore.java | 5 +- .../thrift/TestSentryPolicyStoreProcessor.java | 14 +++--- .../tests/e2e/hdfs/TestHDFSIntegrationBase.java | 14 ++++-- 6 files changed, 80 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java new file mode 100644 index 0000000..69309b9 --- /dev/null +++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java 
@@ -0,0 +1,52 @@
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ * @generated
+ */
+package org.apache.sentry.service.common;
+
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE;
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT;
+
+import org.apache.hadoop.conf.Configuration;
+
+/**
+ * Controls the owner privileges feature for DB policies.
+ */
+public enum SentryOwnerPrivilegeType {
+ NONE, // New DB objects do not get owner privileges
+ ALL, // New DB objects will get owner privileges as 'all'
+ ALL_WITH_GRANT; // New DB objects will get owner privileges as 'all with grant'
+
+ /**
+ * Checks if the Configuration object has the owner privilege type configuration set.
+ *
+ * @param conf The Configuration object where to check if the config is set.
+ * @return True if it is set; False otherwise.
+ */
+ public boolean isConfSet(Configuration conf) {
+ return (this == get(conf));
+ }
+
+ /**
+ * Returns the owner privilege type from the Configuration object.
+ *
+ * @param conf The Configuration object where to search for the owner privilege type.
+ * @return The SentryOwnerPrivilegeType object.
+ */
+ public static SentryOwnerPrivilegeType get(Configuration conf) {
+ return SentryOwnerPrivilegeType.valueOf(getConfigValue(conf).toUpperCase());
+ }
+
+ /**
+ * Returns the owner privilege string type from the Configuration object.
+ *
+ * @param conf The Configuration object where to search for the owner privilege type.
+ * @return The string value of the owner privilege type.
+ */
+ private static String getConfigValue(Configuration conf) {
+ return conf.get(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE,
+ SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT.toString());
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java ----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
index 9a2091a..adc1947 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
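Review bot: `SentryOwnerPrivilegeType.get` upper-cases the configured string with the default locale and without trimming, so a valid value such as `all_with_grant` fails `valueOf` under a Turkish default locale (the `i` maps to a dotted capital) and a value with stray whitespace fails too; `SentryOwnerPrivilegeType.valueOf(getConfigValue(conf).trim().toUpperCase(Locale.ROOT))`, with `java.util.Locale` imported, avoids both. Any unrecognised value surfaces as a bare `IllegalArgumentException` that does not name `sentry.db.policy.store.owner.as.privilege`, so rethrowing it with the key and the accepted values would make a misconfigured authorization setting easier to diagnose. Separately, the file header says "Autogenerated by Thrift Compiler (0.9.3)" although this enum looks hand-written; it presumably should carry the project's license header instead.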
@@ -248,18 +248,8 @@ public class ServiceConstants { public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count"; public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100; - /** - * Controls the owner privileges feature. - */ - public static final String SENTRY_ENABLE_OWNER_PRIVILEGES = "sentry.enable.owner.privileges"; - public static final Boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false; - - /** - * This value is used to decide if a owner privilege created by sentry server - * should have grant option. - */ - public static final String SENTRY_OWNER_PRIVILEGE_WITH_GRANT = "sentry.grant.owner.privileges.with.grant"; - public static final Boolean SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT = false; + public static final String SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE = "sentry.db.policy.store.owner.as.privilege"; + public static final SentryOwnerPrivilegeType SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT = SentryOwnerPrivilegeType.NONE; } public static final String SENTRY_ZK_JAAS_NAME = "Sentry"; http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java index 0ac19a7..36b635a 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java 
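Review bot: The new `SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE` constant is added without the Javadoc that the two removed constants had; a comment such as `/** Owner privilege granted on new DB objects: none, all or all_with_grant (see SentryOwnerPrivilegeType). */` would keep the accepted values discoverable from `ServerConfig`. The old keys `sentry.enable.owner.privileges` and `sentry.grant.owner.privileges.with.grant` are dropped with no fallback visible in this diff, so a site that still sets them would apparently end up with the `NONE` default after upgrade. That fails closed, but a startup warning when either old key is present would make the change in granted privileges visible to operators.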
@@ -58,6 +58,7 @@ import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServe import org.apache.sentry.api.service.thrift.validator.GrantPrivilegeRequestValidator; import org.apache.sentry.api.service.thrift.validator.RevokePrivilegeRequestValidator; import org.apache.sentry.api.common.SentryServiceUtil; +import org.apache.sentry.service.common.SentryOwnerPrivilegeType; import org.apache.sentry.service.common.ServiceConstants.ConfUtilties; import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType; import org.apache.sentry.service.common.ServiceConstants.ServerConfig; @@ -1586,17 +1587,15 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { * @return null if owner privilege can not be constructed, else instance of {@Link TSentryPrivilege} */ TSentryPrivilege constructOwnerPrivilege(TSentryAuthorizable authorizable) { - Boolean isOwnerPrivEnabled = conf.getBoolean(ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, - ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT); - if(!isOwnerPrivEnabled) { + SentryOwnerPrivilegeType ownerPrivilegeType = SentryOwnerPrivilegeType.get(conf); + if(ownerPrivilegeType == SentryOwnerPrivilegeType.NONE) { return null; } + if(Strings.isNullOrEmpty(authorizable.getDb())) { LOGGER.error("Received authorizable with out DB Name"); return null; } - Boolean privilegeWithGrantOption = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT, - ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT); TSentryPrivilege ownerPrivilege = new TSentryPrivilege(); ownerPrivilege.setServerName(authorizable.getServer()); 
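Review bot: `constructOwnerPrivilege` now calls `SentryOwnerPrivilegeType.get(conf)` on every invocation, so an invalid `sentry.db.policy.store.owner.as.privilege` value is only discovered when the first owner privilege is built, and it surfaces as an `IllegalArgumentException` rather than the `null` the method's Javadoc describes for the cannot-construct case. Resolving the type once at construction time (the constructor is not shown here) into a `private final SentryOwnerPrivilegeType ownerPrivilegeType` field would reject a bad value at startup, and would match how `SentryStore` appears to cache `ownerPrivilegeWithGrant` in its own hunk, so the two classes cannot disagree about the setting. The method body continues past this hunk; the follow-up hunk at `@@ -1607,7 +1606,7 @@` reads the same local.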
@@ -1607,7 +1606,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } else { ownerPrivilege.setPrivilegeScope("DATABASE"); } - if(privilegeWithGrantOption) { + if(ownerPrivilegeType == SentryOwnerPrivilegeType.ALL_WITH_GRANT) { ownerPrivilege.setGrantOption(TSentryGrantOption.TRUE); } ownerPrivilege.setAction(AccessConstants.OWNER); http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 6455597..0ef6a20 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -92,6 +92,7 @@ import org.apache.sentry.api.service.thrift.TSentryMappingData; import org.apache.sentry.api.service.thrift.TSentryPrivilege; import org.apache.sentry.api.service.thrift.TSentryPrivilegeMap; import org.apache.sentry.api.service.thrift.TSentryRole; +import org.apache.sentry.service.common.SentryOwnerPrivilegeType; import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType; import org.apache.sentry.service.common.ServiceConstants.ServerConfig; import org.datanucleus.store.rdbms.exceptions.MissingTableException; 
@@ -273,8 +274,8 @@ public class SentryStore implements SentryStoreInterface { long notificationTimeout = conf.getInt(ServerConfig.SENTRY_NOTIFICATION_SYNC_TIMEOUT_MS, ServerConfig.SENTRY_NOTIFICATION_SYNC_TIMEOUT_DEFAULT); counterWait = new CounterWait(notificationTimeout, TimeUnit.MILLISECONDS); - ownerPrivilegeWithGrant = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT, - ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT); + + ownerPrivilegeWithGrant = SentryOwnerPrivilegeType.ALL_WITH_GRANT.isConfSet(conf); } public void setPersistUpdateDeltas(boolean persistUpdateDeltas) { http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java index 94dbd70..2de6253 100644 --- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java @@ -17,6 +17,7 @@ */ package org.apache.sentry.api.service.thrift; +import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; 
@@ -34,7 +35,7 @@ import org.apache.sentry.core.common.exception.SentryInvalidInputException; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.db.service.persistent.CounterWait; -import org.apache.sentry.service.common.ServiceConstants; +import org.apache.sentry.service.common.SentryOwnerPrivilegeType; import org.apache.sentry.core.common.exception.SentrySiteConfigurationException; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType; @@ -81,7 +82,7 @@ public class TestSentryPolicyStoreProcessor { public void setup() throws Exception{ conf = new Configuration(true); //Check behaviour when DB name is not set - conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true); + conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString()); conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP); conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, MockGroupMapping.class.getName()); @@ -195,7 +196,7 @@ public class TestSentryPolicyStoreProcessor { @Test public void testConstructOwnerPrivilege() throws Exception { - conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, false); + conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.NONE.toString()); SentryPolicyStoreProcessor sentryServiceHandler = new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, conf, sentryStore); 
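Review bot: The updated tests set the new key only through `SentryOwnerPrivilegeType.X.toString()`, so nothing in `testConstructOwnerPrivilege` covers what an operator would actually type: a lower-case value such as `all_with_grant`, an unset key falling back to `NONE`, or an unrecognised value. Adding a case like `conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, "all_with_grant");` plus an expected-failure case for a bogus string would pin the parsing behaviour of `SentryOwnerPrivilegeType.get`. The test method continues in the following hunks.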
@@ -209,7 +210,7 @@ public class TestSentryPolicyStoreProcessor { //Check behaviour when DB name is not set - conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true); + conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString()); sentryServiceHandler = new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, conf, sentryStore); @@ -237,8 +238,7 @@ public class TestSentryPolicyStoreProcessor { Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable)); //Check the behavior when grant option is configured. - conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT, - true); + conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL_WITH_GRANT.toString()); sentryServiceHandler = new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, conf, sentryStore); @@ -421,7 +421,7 @@ public class TestSentryPolicyStoreProcessor { @Test public void testAlterTableEventProcessing() throws Exception { - conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true); + conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString()); SentryPolicyStoreProcessor sentryServiceHandler = new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME, http://git-wip-us.apache.org/repos/asf/sentry/blob/2c5723e1/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java index becdc52..f0cf960 100644 
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java @@ -73,6 +73,7 @@ import org.apache.sentry.hdfs.SentryINodeAttributesProvider; import org.apache.sentry.core.common.exception.SentryAlreadyExistsException; import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider; import org.apache.sentry.provider.file.PolicyFile; +import org.apache.sentry.service.common.SentryOwnerPrivilegeType; import org.apache.sentry.service.thrift.SentryServiceClientFactory; import org.apache.sentry.tests.e2e.hive.StaticUserGroup; import org.apache.sentry.tests.e2e.hive.fs.MiniDFS; @@ -97,6 +98,7 @@ import com.google.common.io.Files; import com.google.common.io.Resources; import static org.apache.sentry.hdfs.ServiceConstants.ServerConfig.SENTRY_HDFS_INTEGRATION_PATH_PREFIXES; +import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE; import static org.junit.Assert.assertFalse; /** 
@@ -882,12 +884,18 @@ public abstract class TestHDFSIntegrationBase { "org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessorFactory,org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory"); sentryProperties.put("sentry.policy.store.plugins", "org.apache.sentry.hdfs.SentryPlugin"); } - if(ownerPrivilegeEnabled) { - sentryProperties.put("sentry.enable.owner.privileges", "true"); + if (ownerPrivilegeEnabled) { if(ownerPrivilegeGrantEnabled) { - sentryProperties.put("sentry.grant.owner.privileges.with.grant", "true"); + sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, + SentryOwnerPrivilegeType.ALL_WITH_GRANT.toString()); + } else { + sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, + SentryOwnerPrivilegeType.ALL.toString()); } + } else { + sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, + SentryOwnerPrivilegeType.NONE.toString()); } for (Map.Entry<String, String> entry : sentryProperties.entrySet()) {
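Review bot: The three `put` calls on the same key in the nested `if`/`else` could be a single one by choosing the enum first: `SentryOwnerPrivilegeType type = !ownerPrivilegeEnabled ? SentryOwnerPrivilegeType.NONE : ownerPrivilegeGrantEnabled ? SentryOwnerPrivilegeType.ALL_WITH_GRANT : SentryOwnerPrivilegeType.ALL;` followed by `sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, type.name());`. Using `name()` rather than `toString()` keeps the written value aligned with the `valueOf` lookup on the reading side. The hunk also mixes `if (` and `if(` spacing; the enclosing method starts and ends outside the hunk.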
