Repository: incubator-sentry Updated Branches: refs/heads/master 63c134f36 -> 4247d21fa
SENTRY-137 - Validate privilege scope in sentry service (Prasad via Brock) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4247d21f Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4247d21f Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4247d21f Branch: refs/heads/master Commit: 4247d21fa036685a098baac84262aa08693d1d82 Parents: 63c134f Author: Brock Noland <[email protected]> Authored: Tue Mar 25 21:13:15 2014 -0700 Committer: Brock Noland <[email protected]> Committed: Tue Mar 25 21:13:15 2014 -0700 ---------------------------------------------------------------------- .../thrift/SentryPolicyServiceClient.java | 38 ++++++++++---------- .../thrift/SentryPolicyStoreProcessor.java | 38 +++++++++++++++++--- .../sentry/service/thrift/ServiceConstants.java | 9 +++++ 3 files changed, 63 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 464569c..7e73b2c 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -30,6 +30,7 @@ import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.ActiveRoleSet; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; import org.apache.sentry.service.thrift.Status; @@ -154,33 +155,33 @@ public class SentryPolicyServiceClient { public void grantURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String uri) throws SentryUserException { - grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, uri, - null, null, AccessConstants.ALL); + grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL); } public void grantServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server) throws SentryUserException { - grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, null, - null, null, AccessConstants.ALL); + grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL); } public void grantDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String db) throws SentryUserException { - grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server, null, - db, null, AccessConstants.ALL); + grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.DATABASE, server, null, db, null, AccessConstants.ALL); } public void grantTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String db, String table, String action) throws SentryUserException { - grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server, null, + grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, PrivilegeScope.TABLE, server, null, db, table, action); } private void grantPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, - String roleName, String scope, String serverName, String uri, String db, String table, String action) + String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String action) throws SentryUserException { TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); @@ -188,7 +189,7 @@ public class SentryPolicyServiceClient { request.setRequestorGroupNames(requestorUserGroupNames); request.setRoleName(roleName); TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope); + privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); privilege.setURI(uri); privilege.setDbName(db); @@ -209,33 +210,34 @@ public class SentryPolicyServiceClient { public void revokeURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String uri) throws SentryUserException { - revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, uri, - null, null, AccessConstants.ALL); + revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL); } public void revokeServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server) throws SentryUserException { - revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, null, - null, null, AccessConstants.ALL); + revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL); } public void revokeDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String db) throws SentryUserException { - revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server, null, - db, null, AccessConstants.ALL); + revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.DATABASE, server, null, db, null, AccessConstants.ALL); } public void revokeTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames, String roleName, String server, String db, String table, String action) throws SentryUserException { - revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server, null, + revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, + PrivilegeScope.TABLE, server, null, db, table, action); } private void revokePrivilege(String requestorUserName, Set<String> requestorUserGroupNames, - String roleName, String scope, String serverName, String uri, String db, String table, String action) + String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String action) throws SentryUserException { TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest(); request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); @@ -243,7 +245,7 @@ public class SentryPolicyServiceClient { request.setRequestorGroupNames(requestorUserGroupNames); request.setRoleName(roleName); TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope); + privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); privilege.setURI(uri); privilege.setDbName(db); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 9562783..9793ab4 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -23,6 +23,7 @@ import java.util.HashSet; import java.util.List; import java.util.Set; +import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.sentry.provider.db.SentryAccessDeniedException; import org.apache.sentry.provider.db.SentryAlreadyExistsException; @@ -31,6 +32,7 @@ import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.service.persistent.CommitContext; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig; +import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; import org.apache.sentry.service.thrift.Status; import org.apache.sentry.service.thrift.TSentryResponseStatus; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; @@ -106,7 +108,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { return handlers; } - //TODO:Validate privilege scope? @VisibleForTesting public static String constructPrivilegeName(TSentryPrivilege privilege) throws SentryInvalidInputException { StringBuilder privilegeName = new StringBuilder(); @@ -115,6 +116,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { String tableName = privilege.getTableName(); String uri = privilege.getURI(); String action = privilege.getAction(); + PrivilegeScope scope; if (serverName == null) { throw new SentryInvalidInputException("Server name is null"); @@ -126,10 +128,38 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } } - if (dbName == null || dbName.equals("")) { - if (tableName != null && !tableName.equals("")) { - throw new SentryInvalidInputException("Db name can't be null"); + // Validate privilege scope + try { + scope = Enum.valueOf(PrivilegeScope.class, privilege.getPrivilegeScope()); + } catch (IllegalArgumentException e) { + throw new SentryInvalidInputException("Invalid Privilege scope: " + + privilege.getPrivilegeScope()); + } + if (PrivilegeScope.SERVER.equals(scope)) { + if (StringUtils.isNotEmpty(dbName) || StringUtils.isNotEmpty(tableName)) { + throw new SentryInvalidInputException("DB and TABLE names should not be " + + "set for SERVER scope"); + } + } else if (PrivilegeScope.DATABASE.equals(scope)) { + if (StringUtils.isEmpty(dbName)) { + throw new SentryInvalidInputException("DB name not set for DB scope"); + } + if (StringUtils.isNotEmpty(tableName)) { + StringUtils.isNotEmpty("TABLE names should not be set for DB scope"); } + } else if (PrivilegeScope.TABLE.equals(scope)) { + if (StringUtils.isEmpty(dbName) || StringUtils.isEmpty(tableName)) { + throw new SentryInvalidInputException("TABLE or DB name not set for TABLE scope"); + } + } else if (PrivilegeScope.URI.equals(scope)){ + if (StringUtils.isEmpty(uri)) { + throw new SentryInvalidInputException("URI path not set for URI scope"); + } + if (StringUtils.isNotEmpty(tableName)) { + throw new SentryInvalidInputException("TABLE should not be set for URI scope"); + } + } else { + throw new SentryInvalidInputException("Unsupported operation scope: " + scope); } if (uri == null || uri.equals("")) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index 1b36690..6258471 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java @@ -122,4 +122,13 @@ public class ServiceConstants { public static class ThriftConstants extends org.apache.sentry.service.thrift.sentry_common_serviceConstants { public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V1; } + + /* Privilege operation scope */ + public static enum PrivilegeScope { + SERVER, + URI, + DATABASE, + TABLE, + COLUMN + } }
