Repository: incubator-sentry Updated Branches: refs/heads/master 8f1ef00be -> 0fea11ab3
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java index dbddcad..0e004f6 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java @@ -35,7 +35,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TSentryRole"); private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)1); - private static final org.apache.thrift.protocol.TField PRIVILEGES_FIELD_DESC = new org.apache.thrift.protocol.TField("privileges", org.apache.thrift.protocol.TType.SET, (short)2); + private static final org.apache.thrift.protocol.TField GROUPS_FIELD_DESC = new org.apache.thrift.protocol.TField("groups", org.apache.thrift.protocol.TType.SET, (short)2); private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)3); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); @@ -45,13 +45,13 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } private String roleName; // required - private Set<TSentryPrivilege> privileges; // required + private Set<TSentryGroup> groups; // required private String grantorPrincipal; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { ROLE_NAME((short)1, "roleName"), - PRIVILEGES((short)2, "privileges"), + GROUPS((short)2, "groups"), GRANTOR_PRINCIPAL((short)3, "grantorPrincipal"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); @@ -69,8 +69,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry switch(fieldId) { case 1: // ROLE_NAME return ROLE_NAME; - case 2: // PRIVILEGES - return PRIVILEGES; + case 2: // GROUPS + return GROUPS; case 3: // GRANTOR_PRINCIPAL return GRANTOR_PRINCIPAL; default: @@ -118,9 +118,9 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); tmpMap.put(_Fields.ROLE_NAME, new org.apache.thrift.meta_data.FieldMetaData("roleName", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); - tmpMap.put(_Fields.PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("privileges", org.apache.thrift.TFieldRequirementType.REQUIRED, + tmpMap.put(_Fields.GROUPS, new org.apache.thrift.meta_data.FieldMetaData("groups", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, - new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class)))); + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryGroup.class)))); tmpMap.put(_Fields.GRANTOR_PRINCIPAL, new org.apache.thrift.meta_data.FieldMetaData("grantorPrincipal", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); metaDataMap = Collections.unmodifiableMap(tmpMap); @@ -132,12 +132,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry public TSentryRole( String roleName, - Set<TSentryPrivilege> privileges, + Set<TSentryGroup> groups, String grantorPrincipal) { this(); this.roleName = roleName; - this.privileges = privileges; + this.groups = groups; this.grantorPrincipal = grantorPrincipal; } @@ -148,12 +148,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry if (other.isSetRoleName()) { this.roleName = other.roleName; } - if (other.isSetPrivileges()) { - Set<TSentryPrivilege> __this__privileges = new HashSet<TSentryPrivilege>(); - for (TSentryPrivilege other_element : other.privileges) { - __this__privileges.add(new TSentryPrivilege(other_element)); + if (other.isSetGroups()) { + Set<TSentryGroup> __this__groups = new HashSet<TSentryGroup>(); + for (TSentryGroup other_element : other.groups) { + __this__groups.add(new TSentryGroup(other_element)); } - this.privileges = __this__privileges; + this.groups = __this__groups; } if (other.isSetGrantorPrincipal()) { this.grantorPrincipal = other.grantorPrincipal; @@ -167,7 +167,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry @Override public void clear() { this.roleName = null; - this.privileges = null; + this.groups = null; this.grantorPrincipal = null; } @@ -194,41 +194,41 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } } - public int getPrivilegesSize() { - return (this.privileges == null) ? 0 : this.privileges.size(); + public int getGroupsSize() { + return (this.groups == null) ? 0 : this.groups.size(); } - public java.util.Iterator<TSentryPrivilege> getPrivilegesIterator() { - return (this.privileges == null) ? null : this.privileges.iterator(); + public java.util.Iterator<TSentryGroup> getGroupsIterator() { + return (this.groups == null) ? null : this.groups.iterator(); } - public void addToPrivileges(TSentryPrivilege elem) { - if (this.privileges == null) { - this.privileges = new HashSet<TSentryPrivilege>(); + public void addToGroups(TSentryGroup elem) { + if (this.groups == null) { + this.groups = new HashSet<TSentryGroup>(); } - this.privileges.add(elem); + this.groups.add(elem); } - public Set<TSentryPrivilege> getPrivileges() { - return this.privileges; + public Set<TSentryGroup> getGroups() { + return this.groups; } - public void setPrivileges(Set<TSentryPrivilege> privileges) { - this.privileges = privileges; + public void setGroups(Set<TSentryGroup> groups) { + this.groups = groups; } - public void unsetPrivileges() { - this.privileges = null; + public void unsetGroups() { + this.groups = null; } - /** Returns true if field privileges is set (has been assigned a value) and false otherwise */ - public boolean isSetPrivileges() { - return this.privileges != null; + /** Returns true if field groups is set (has been assigned a value) and false otherwise */ + public boolean isSetGroups() { + return this.groups != null; } - public void setPrivilegesIsSet(boolean value) { + public void setGroupsIsSet(boolean value) { if (!value) { - this.privileges = null; + this.groups = null; } } @@ -265,11 +265,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } break; - case PRIVILEGES: + case GROUPS: if (value == null) { - unsetPrivileges(); + unsetGroups(); } else { - setPrivileges((Set<TSentryPrivilege>)value); + setGroups((Set<TSentryGroup>)value); } break; @@ -289,8 +289,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry case ROLE_NAME: return getRoleName(); - case PRIVILEGES: - return getPrivileges(); + case GROUPS: + return getGroups(); case GRANTOR_PRINCIPAL: return getGrantorPrincipal(); @@ -308,8 +308,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry switch (field) { case ROLE_NAME: return isSetRoleName(); - case PRIVILEGES: - return isSetPrivileges(); + case GROUPS: + return isSetGroups(); case GRANTOR_PRINCIPAL: return isSetGrantorPrincipal(); } @@ -338,12 +338,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return false; } - boolean this_present_privileges = true && this.isSetPrivileges(); - boolean that_present_privileges = true && that.isSetPrivileges(); - if (this_present_privileges || that_present_privileges) { - if (!(this_present_privileges && that_present_privileges)) + boolean this_present_groups = true && this.isSetGroups(); + boolean that_present_groups = true && that.isSetGroups(); + if (this_present_groups || that_present_groups) { + if (!(this_present_groups && that_present_groups)) return false; - if (!this.privileges.equals(that.privileges)) + if (!this.groups.equals(that.groups)) return false; } @@ -368,10 +368,10 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry if (present_roleName) builder.append(roleName); - boolean present_privileges = true && (isSetPrivileges()); - builder.append(present_privileges); - if (present_privileges) - builder.append(privileges); + boolean present_groups = true && (isSetGroups()); + builder.append(present_groups); + if (present_groups) + builder.append(groups); boolean present_grantorPrincipal = true && (isSetGrantorPrincipal()); builder.append(present_grantorPrincipal); @@ -399,12 +399,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return lastComparison; } } - lastComparison = Boolean.valueOf(isSetPrivileges()).compareTo(typedOther.isSetPrivileges()); + lastComparison = Boolean.valueOf(isSetGroups()).compareTo(typedOther.isSetGroups()); if (lastComparison != 0) { return lastComparison; } - if (isSetPrivileges()) { - lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privileges, typedOther.privileges); + if (isSetGroups()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.groups, typedOther.groups); if (lastComparison != 0) { return lastComparison; } @@ -447,11 +447,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } first = false; if (!first) sb.append(", "); - sb.append("privileges:"); - if (this.privileges == null) { + sb.append("groups:"); + if (this.groups == null) { sb.append("null"); } else { - sb.append(this.privileges); + sb.append(this.groups); } first = false; if (!first) sb.append(", "); @@ -472,8 +472,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry throw new org.apache.thrift.protocol.TProtocolException("Required field 'roleName' is unset! Struct:" + toString()); } - if (!isSetPrivileges()) { - throw new org.apache.thrift.protocol.TProtocolException("Required field 'privileges' is unset! Struct:" + toString()); + if (!isSetGroups()) { + throw new org.apache.thrift.protocol.TProtocolException("Required field 'groups' is unset! Struct:" + toString()); } if (!isSetGrantorPrincipal()) { @@ -525,21 +525,21 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 2: // PRIVILEGES + case 2: // GROUPS if (schemeField.type == org.apache.thrift.protocol.TType.SET) { { - org.apache.thrift.protocol.TSet _set16 = iprot.readSetBegin(); - struct.privileges = new HashSet<TSentryPrivilege>(2*_set16.size); - for (int _i17 = 0; _i17 < _set16.size; ++_i17) + org.apache.thrift.protocol.TSet _set72 = iprot.readSetBegin(); + struct.groups = new HashSet<TSentryGroup>(2*_set72.size); + for (int _i73 = 0; _i73 < _set72.size; ++_i73) { - TSentryPrivilege _elem18; // required - _elem18 = new TSentryPrivilege(); - _elem18.read(iprot); - struct.privileges.add(_elem18); + TSentryGroup _elem74; // required + _elem74 = new TSentryGroup(); + _elem74.read(iprot); + struct.groups.add(_elem74); } iprot.readSetEnd(); } - struct.setPrivilegesIsSet(true); + struct.setGroupsIsSet(true); } else { org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -570,13 +570,13 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry oprot.writeString(struct.roleName); oprot.writeFieldEnd(); } - if (struct.privileges != null) { - oprot.writeFieldBegin(PRIVILEGES_FIELD_DESC); + if (struct.groups != null) { + oprot.writeFieldBegin(GROUPS_FIELD_DESC); { - oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.privileges.size())); - for (TSentryPrivilege _iter19 : struct.privileges) + oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.groups.size())); + for (TSentryGroup _iter75 : struct.groups) { - _iter19.write(oprot); + _iter75.write(oprot); } oprot.writeSetEnd(); } @@ -606,10 +606,10 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry TTupleProtocol oprot = (TTupleProtocol) prot; oprot.writeString(struct.roleName); { - oprot.writeI32(struct.privileges.size()); - for (TSentryPrivilege _iter20 : struct.privileges) + oprot.writeI32(struct.groups.size()); + for (TSentryGroup _iter76 : struct.groups) { - _iter20.write(oprot); + _iter76.write(oprot); } } oprot.writeString(struct.grantorPrincipal); @@ -621,17 +621,17 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry struct.roleName = iprot.readString(); struct.setRoleNameIsSet(true); { - org.apache.thrift.protocol.TSet _set21 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); - struct.privileges = new HashSet<TSentryPrivilege>(2*_set21.size); - for (int _i22 = 0; _i22 < _set21.size; ++_i22) + org.apache.thrift.protocol.TSet _set77 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + struct.groups = new HashSet<TSentryGroup>(2*_set77.size); + for (int _i78 = 0; _i78 < _set77.size; ++_i78) { - TSentryPrivilege _elem23; // required - _elem23 = new TSentryPrivilege(); - _elem23.read(iprot); - struct.privileges.add(_elem23); + TSentryGroup _elem79; // required + _elem79 = new TSentryGroup(); + _elem79.read(iprot); + struct.groups.add(_elem79); } } - struct.setPrivilegesIsSet(true); + struct.setGroupsIsSet(true); struct.grantorPrincipal = iprot.readString(); struct.setGrantorPrincipalIsSet(true); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java index dd4a977..13af593 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java @@ -77,7 +77,7 @@ public class SimpleDBProviderBackend implements ProviderBackend { throw new IllegalStateException("Backend has not been properly initialized"); } try { - return ImmutableSet.copyOf(policyServiceClient.listPrivileges(groups, roleSet)); + return ImmutableSet.copyOf(policyServiceClient.listPrivilegesForProvider(groups, roleSet)); } catch (SentryUserException e) { String msg = "Unable to obtain privileges from server: " + e.getMessage(); LOGGER.error(msg, e); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java index 1dfc0cf..e375a4c 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java @@ -18,14 +18,13 @@ package org.apache.sentry.provider.db.service.model; -import java.util.HashSet; -import java.util.Set; - -import javax.jdo.annotations.PersistenceCapable; - import com.google.common.base.Preconditions; import com.google.common.collect.ImmutableSet; +import javax.jdo.annotations.PersistenceCapable; +import java.util.HashSet; +import java.util.Set; + /** * Database backed Sentry Role. Any changes to this object * require re-running the maven build so DN an re-enhance. @@ -41,17 +40,12 @@ public class MSentryRole { private long createTime; private String grantorPrincipal; - public MSentryRole() { - privileges = new HashSet<MSentryPrivilege>(); - } - - MSentryRole(String roleName, long createTime, String grantorPrincipal, - Set<MSentryPrivilege> privileges, Set<MSentryGroup> groups) { + public MSentryRole(String roleName, long createTime, String grantorPrincipal) { this.roleName = roleName; this.createTime = createTime; this.grantorPrincipal = grantorPrincipal; - this.privileges = privileges; - this.groups = groups; + privileges = new HashSet<MSentryPrivilege>(); + groups = new HashSet<MSentryGroup>(); } public long getCreateTime() { @@ -166,4 +160,4 @@ public class MSentryRole { return false; return true; } -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 33c8d1a..7301a1a 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -169,21 +169,42 @@ public class SentryStore { } } } + /** + Get the MSentry object from roleName + Note: Should be called inside a transaction + */ + private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) { + Query query = pm.newQuery(MSentryRole.class); + query.setFilter("this.roleName == t"); + query.declareParameters("java.lang.String t"); + query.setUnique(true); + MSentryRole sentryRole = (MSentryRole) query.execute(roleName); + return sentryRole; + } + /** + * Normalize the string values + */ + private String trimAndLower(String input) { + return input.trim().toLowerCase(); + } + /** + * Create a sentry role and persist it. + * @param roleName: Name of the role being persisted + * @param grantorPrincipal: TODO: Currently not used + * @returns commit context used for notification handlers + * @throws SentryAlreadyExistsException + */ public CommitContext createSentryRole(String roleName, String grantorPrincipal) throws SentryAlreadyExistsException { + roleName = trimAndLower(roleName); boolean rollbackTransaction = true; PersistenceManager pm = null; - roleName = roleName.trim().toLowerCase(); try { pm = openTransaction(); - Query query = pm.newQuery(MSentryRole.class); - query.setFilter("this.roleName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryRole sentryRole = (MSentryRole) query.execute(roleName); - if (sentryRole == null) { - MSentryRole mRole = convertToMSentryRole(roleName, grantorPrincipal); + MSentryRole mSentryRole = getMSentryRole(pm, roleName); + if (mSentryRole == null) { + MSentryRole mRole = new MSentryRole(roleName, System.currentTimeMillis(), grantorPrincipal); pm.makePersistent(mRole); CommitContext commit = commitUpdateTransaction(pm); rollbackTransaction = false; @@ -199,23 +220,19 @@ public class SentryStore { } //TODO: handle case where a) privilege already exists, b) role to privilege mapping already exists - public CommitContext alterSentryRoleGrantPrivilege(String roleName, - TSentryPrivilege privilege) throws SentryNoSuchObjectException, SentryInvalidInputException { + public CommitContext alterSentryRoleGrantPrivilege(String roleName, TSentryPrivilege privilege) + throws SentryNoSuchObjectException, SentryInvalidInputException { boolean rollbackTransaction = true; PersistenceManager pm = null; - roleName = roleName.trim().toLowerCase(); + roleName = trimAndLower(roleName); try { pm = openTransaction(); - Query query = pm.newQuery(MSentryRole.class); - query.setFilter("this.roleName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryRole mRole = (MSentryRole) query.execute(roleName); + MSentryRole mRole = getMSentryRole(pm, roleName); if (mRole == null) { throw new SentryNoSuchObjectException("Role: " + roleName); } else { MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege); - // add privilege and role objects to each other. needed by datanucleus to model + // Add privilege and role objects to each other. needed by datanucleus to model // m:n relationships correctly through a join table. mPrivilege.appendRole(mRole); mRole.appendPrivilege(mPrivilege); @@ -530,9 +547,73 @@ public class SentryStore { } } - public TSentryRole getSentryRoleByName(String roleName) - throws SentryNoSuchObjectException { - return convertToSentryRole(getMSentryRoleByName(roleName)); + private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName) + throws SentryNoSuchObjectException { + MSentryRole mSentryRole = getMSentryRoleByName(roleName); + return mSentryRole.getPrivileges(); + } + + /** + * Gets sentry privilege objects for a given roleName from the persistence layer + * @param roleName : roleName to look up + * @return : Set of thrift sentry privilege objects + * @throws SentryNoSuchObjectException + */ + + public Set<TSentryPrivilege> getTSentryPrivilegesByRoleName(String roleName) + throws SentryNoSuchObjectException { + return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName)); + } + + private Set<MSentryRole> getMSentryRolesByGroupName(String groupName) + throws SentryNoSuchObjectException { + boolean rollbackTransaction = true; + PersistenceManager pm = null; + try { + Set<MSentryRole> roles; + pm = openTransaction(); + + //If no group name was specified, return all roles + if (groupName == null) { + Query query = pm.newQuery(MSentryRole.class); + roles = new HashSet<MSentryRole>((List<MSentryRole>)query.execute()); + } else { + Query query = pm.newQuery(MSentryGroup.class); + MSentryGroup sentryGroup; + groupName = groupName.trim().toLowerCase(); + query.setFilter("this.groupName == t"); + query.declareParameters("java.lang.String t"); + query.setUnique(true); + sentryGroup = (MSentryGroup) query.execute(groupName); + if (sentryGroup == null) { + throw new SentryNoSuchObjectException("Group " + groupName); + } else { + pm.retrieve(sentryGroup); + } + roles = sentryGroup.getRoles(); + } + for ( MSentryRole role: roles) { + pm.retrieve(role); + } + commitTransaction(pm); + rollbackTransaction = false; + return roles; + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } + } + } + + /** + * Gets sentry role objects for a given groupName from the persistence layer + * @param groupName : groupName to look up ( if null returns all roles for all groups) + * @return : Set of thrift sentry role objects + * @throws SentryNoSuchObjectException + */ + public Set<TSentryRole> getTSentryRolesByGroupName(String groupName) + throws SentryNoSuchObjectException { + return convertToTSentryRoles(getMSentryRolesByGroupName(groupName)); } private SetMultimap<String, String> getRoleToPrivilegeMap(Set<String> groups) { @@ -613,35 +694,52 @@ public class SentryStore { return result; } + /** - * Converts thrift object to model object. Additionally does normalization + * Converts model object(s) to thrift object(s). + * Additionally does normalization * such as trimming whitespace and setting appropriate case. Also sets the create * time. */ - private MSentryRole convertToMSentryRole(String roleName, String grantorPrincipal) { - MSentryRole mRole = new MSentryRole(); - mRole.setCreateTime(System.currentTimeMillis()); - mRole.setRoleName(roleName.trim().toLowerCase()); - mRole.setGrantorPrincipal(grantorPrincipal.trim()); - return mRole; + + private Set<TSentryPrivilege> convertToTSentryPrivileges(Set<MSentryPrivilege> mSentryPrivileges) { + Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>(); + for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) { + privileges.add(convertToTSentryPrivilege(mSentryPrivilege)); + } + return privileges; + } + + private Set<TSentryRole> convertToTSentryRoles(Set<MSentryRole> mSentryRoles) { + Set<TSentryRole> roles = new HashSet<TSentryRole>(); + for(MSentryRole mSentryRole:mSentryRoles) { + roles.add(convertToTSentryRole(mSentryRole)); + } + return roles; } - private TSentryRole convertToSentryRole(MSentryRole mSentryRole) { + private TSentryRole convertToTSentryRole(MSentryRole mSentryRole) { TSentryRole role = new TSentryRole(); role.setRoleName(mSentryRole.getRoleName()); role.setGrantorPrincipal(mSentryRole.getGrantorPrincipal()); - Set<TSentryPrivilege> sentryPrivileges = new HashSet<TSentryPrivilege>(); - for(MSentryPrivilege mSentryPrivilege:mSentryRole.getPrivileges()) { - TSentryPrivilege privilege = convertToSentryPrivilege(mSentryPrivilege); - sentryPrivileges.add(privilege); + Set<TSentryGroup> sentryGroups = new HashSet<TSentryGroup>(); + for(MSentryGroup mSentryGroup:mSentryRole.getGroups()) { + TSentryGroup group = convertToTSentryGroup(mSentryGroup); + sentryGroups.add(group); } - role.setPrivileges(sentryPrivileges); + role.setGroups(sentryGroups); return role; } - private TSentryPrivilege convertToSentryPrivilege(MSentryPrivilege mSentryPrivilege) { + private TSentryGroup convertToTSentryGroup(MSentryGroup mSentryGroup) { + TSentryGroup group = new TSentryGroup(); + group.setGroupName(mSentryGroup.getGroupName()); + return group; + } + + private TSentryPrivilege convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege) { TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setCreateTime(mSentryPrivilege.getCreateTime()); privilege.setPrivilegeName(mSentryPrivilege.getPrivilegeName()); @@ -680,4 +778,4 @@ public class SentryStore { } return s.trim(); } -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 7e73b2c..33b8735 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -18,10 +18,8 @@ package org.apache.sentry.provider.db.service.thrift; -import java.io.IOException; -import java.net.InetSocketAddress; -import java.util.Set; - +import com.google.common.base.Preconditions; +import com.google.common.collect.Sets; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.SaslRpcServer; @@ -44,8 +42,10 @@ import org.apache.thrift.transport.TTransportException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.base.Preconditions; -import com.google.common.collect.Sets; +import java.io.IOException; +import java.net.InetSocketAddress; +import java.util.HashSet; +import java.util.Set; public class SentryPolicyServiceClient { @@ -58,6 +58,7 @@ public class SentryPolicyServiceClient { private int connectionTimeout; private static final Logger LOGGER = LoggerFactory .getLogger(SentryPolicyServiceClient.class); + private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured "; public SentryPolicyServiceClient(Configuration conf) throws IOException { this.conf = conf; @@ -109,8 +110,7 @@ public class SentryPolicyServiceClient { TCreateSentryRoleResponse response = client.create_sentry_role(request); Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } @@ -142,14 +142,66 @@ public class SentryPolicyServiceClient { } Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + + /** + * Gets sentry role objects for a given groupName using the Sentry service + * @param requestorUserName : user on whose behalf the request is issued + * @param requestorUserGroupNames :groups the requesting user belongs to + * @param groupName : groupName to look up ( if null returns all roles for all groups) + * @return Set of thrift sentry role objects + * @throws SentryUserException + */ + public Set<TSentryRole> listRolesByGroupName(String requestorUserName, + Set<String> requestorUserGroupNames, String groupName) + throws SentryUserException { + TListSentryRolesRequest request = new TListSentryRolesRequest(); + request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + request.setRequestorUserName(requestorUserName); + request.setRequestorGroupNames(requestorUserGroupNames); + request.setGroupName(groupName); + TListSentryRolesResponse response; + Set<String> roles = new HashSet<String>(); + try { + response = client.list_sentry_roles_by_group(request); + Status.throwIfNotOk(response.getStatus()); + return response.getRoles(); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + + /** + * Gets sentry privilege objects for a given roleName using the Sentry service + * @param requestorUserName : user on whose behalf the request is issued + * @param requestorUserGroupNames :groups the requesting user belongs to + * @param roleName : roleName to look up + * @return Set of thrift sentry privilege objects + * @throws SentryUserException + */ + public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, + Set<String> requestorUserGroupNames, String roleName) + throws SentryUserException { + TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest(); + request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + request.setRequestorUserName(requestorUserName); + request.setRequestorGroupNames(requestorUserGroupNames); + request.setRoleName(roleName); + TListSentryPrivilegesResponse response; + try { + response = client.list_sentry_privileges_by_role(request); + Status.throwIfNotOk(response.getStatus()); + return response.getPrivileges(); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } - public TListSentryRolesResponse listRoleByName(TListSentryRolesRequest req) - throws TException { - return client.list_sentry_roles_by_role_name(req); + public Set<TSentryRole> listRoles(String requestorUserName, Set<String> requestorUserGroupNames) + throws SentryUserException { + return listRolesByGroupName(requestorUserName, requestorUserGroupNames, null); } public void grantURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames, @@ -202,8 +254,7 @@ public class SentryPolicyServiceClient { TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } @@ -257,12 +308,11 @@ public class SentryPolicyServiceClient { TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request); Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } - public Set<String> listPrivileges(Set<String> groups, ActiveRoleSet roleSet) + public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = @@ -273,8 +323,7 @@ public class SentryPolicyServiceClient { Status.throwIfNotOk(response.getStatus()); return response.getPrivileges(); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } @@ -288,8 +337,7 @@ public class SentryPolicyServiceClient { TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request); Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } @@ -303,8 +351,7 @@ public class SentryPolicyServiceClient { TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request); Status.throwIfNotOk(response.getStatus()); } catch (TException e) { - String msg = "Thrift exception occured: " + e.getMessage(); - throw new SentryUserException(msg, e); + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 6c52fa4..3b3bdc3 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -18,12 +18,12 @@ package org.apache.sentry.provider.db.service.thrift; -import java.lang.reflect.Constructor; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import org.apache.commons.lang.StringUtils; +import com.google.common.annotations.VisibleForTesting; +import com.google.common.base.Preconditions; +import com.google.common.base.Splitter; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; import org.apache.hadoop.conf.Configuration; import org.apache.sentry.provider.db.SentryAccessDeniedException; import org.apache.sentry.provider.db.SentryAlreadyExistsException; @@ -32,19 +32,17 @@ import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.service.persistent.CommitContext; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.apache.sentry.service.thrift.Status; import org.apache.sentry.service.thrift.TSentryResponseStatus; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.apache.thrift.TException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Preconditions; -import com.google.common.base.Splitter; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; -import com.google.common.collect.Sets; +import java.lang.reflect.Constructor; +import java.util.HashSet; +import java.util.List; +import java.util.Set; @SuppressWarnings("unused") public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { @@ -298,12 +296,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TListSentryRolesRequest request) throws TException { TListSentryRolesResponse response = new TListSentryRolesResponse(); TSentryResponseStatus status; - TSentryRole role = null; Set<TSentryRole> roleSet = new HashSet<TSentryRole>(); try { - // TODO implement - role = sentryStore.getSentryRoleByName(request.getRoleName()); - roleSet.add(role); + //TODO: Handle authorization for metadata queries + authorize(request.getRequestorUserName(), request.getRequestorGroupNames()); + roleSet = sentryStore.getTSentryRolesByGroupName(request.getGroupName()); response.setRoles(roleSet); response.setStatus(Status.OK()); } catch (SentryNoSuchObjectException e) { @@ -320,19 +317,22 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } @Override - public TListSentryRolesResponse list_sentry_roles_by_role_name( - TListSentryRolesRequest request) throws TException { - TListSentryRolesResponse response = new TListSentryRolesResponse(); - TSentryRole role = null; - Set<TSentryRole> roleSet = new HashSet<TSentryRole>(); + public TListSentryPrivilegesResponse list_sentry_privileges_by_role( + TListSentryPrivilegesRequest request) throws TException { + TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse(); + TSentryResponseStatus status; + Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>(); try { - role = sentryStore.getSentryRoleByName(request.getRoleName()); - roleSet.add(role); - response.setRoles(roleSet); + //TODO: Handle authorization for metadata queries + // Shall we allow only admin users to list privileges + // or allow all users as long as user is granted this role? + authorize(request.getRequestorUserName(), request.getRequestorGroupNames()); + privilegeSet = sentryStore.getTSentryPrivilegesByRoleName(request.getRoleName()); + response.setPrivileges(privilegeSet); response.setStatus(Status.OK()); } catch (SentryNoSuchObjectException e) { - response.setRoles(roleSet); - String msg = "Role: " + request + " couldn't be retrieved."; + response.setPrivileges(privilegeSet); + String msg = "Privilege: " + request + " couldn't be retrieved."; LOGGER.error(msg, e); response.setStatus(Status.NoSuchObject(msg, e)); } catch (Exception e) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index 677047f..a8b511d 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift @@ -70,25 +70,6 @@ struct TDropSentryRoleResponse { 1: required sentry_common_service.TSentryResponseStatus status } -# TODO what is this implementing SHOW GRANT/SHOW ROLE GRANT? -# We should have seperate requests for those commands -struct TListSentryRolesRequest { -1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, -2: required string requestorUserName, # user on whose behalf the request is issued -3: optional string rolerequestorGroupNames, # list roles for this group -4: required string roleName # role get prirvilges for -} -# used only for TListSentryRolesResponse -struct TSentryRole { -1: required string roleName, -2: required set<TSentryPrivilege> privileges, -3: required string grantorPrincipal -} -struct TListSentryRolesResponse { -1: required sentry_common_service.TSentryResponseStatus status -2: required set<TSentryRole> roles -} - # GRANT ROLE r1 TO GROUP g1 struct TAlterSentryRoleAddGroupsRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, @@ -138,6 +119,36 @@ struct TAlterSentryRoleRevokePrivilegeResponse { 1: required sentry_common_service.TSentryResponseStatus status } +# SHOW ROLE GRANT +struct TListSentryRolesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required set<string> requestorGroupNames,# groups the requesting user belongs to +4: optional string groupName # for this group, or all roles for all groups if null +} +# used only for TListSentryRolesResponse +struct TSentryRole { +1: required string roleName, +2: required set<TSentryGroup> groups, +3: required string grantorPrincipal +} +struct TListSentryRolesResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: required set<TSentryRole> roles +} + +# SHOW GRANT +struct TListSentryPrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required set<string> requestorGroupNames,# groups the requesting user belongs to +4: required string roleName # get privileges assigned for this role +} +struct TListSentryPrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: required set<TSentryPrivilege> privileges +} + # This API was created specifically for ProviderBackend.getPrivileges # and is not mean for general purpose privilege retrieval. # This request/response pair are created specifically so we can @@ -168,8 +179,9 @@ service SentryPolicyService TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request) TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request) - TListSentryRolesResponse list_sentry_roles_by_role_name(1:TListSentryRolesRequest request) + + TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request) # For use with ProviderBackend.getPrivileges only TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) -} +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index dcaa246..e211079 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -17,25 +17,22 @@ */ package org.apache.sentry.provider.db.service.thrift; -import static junit.framework.Assert.assertEquals; - -import java.util.HashSet; -import java.util.Set; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.provider.common.ProviderBackendContext; -import org.apache.sentry.provider.db.SimpleDBProviderBackend; +import com.google.common.collect.Sets; +import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; -import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; import org.junit.Test; -import com.google.common.collect.Sets; +import java.util.Set; + +import static junit.framework.Assert.assertEquals; +import static org.junit.Assert.assertTrue; public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { @Test - public void testCreateRole() throws Exception { + public void testCreateDropShowRole() throws Exception { String requestorUserName = ADMIN_USER; Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); String roleName = "admin_r"; @@ -44,56 +41,68 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.createRole(requestorUserName, requestorUserGroupNames, roleName); - TListSentryRolesRequest listReq = new TListSentryRolesRequest(); - listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - listReq.setRoleName(roleName); - listReq.setRequestorUserName(requestorUserName); - TListSentryRolesResponse listResp = client.listRoleByName(listReq); - Set<TSentryRole> roles = listResp.getRoles(); - assertEquals("Incorrect number of roles:" + roles, 1, roles.size()); + Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames); + assertEquals("Incorrect number of roles", 1, roles.size()); + for (TSentryRole role:roles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + } client.dropRole(requestorUserName, requestorUserGroupNames, roleName); } @Test - public void testGrantRevokePrivilege() throws Exception { - String server = "server1"; + public void testShowRoleGrant() throws Exception { String requestorUserName = ADMIN_USER; Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); String roleName = "admin_testdb"; + String groupName = "group1"; + + client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName); + client.createRole(requestorUserName, requestorUserGroupNames, roleName); + + Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames); + assertEquals("Incorrect number of roles", 1, roles.size()); + + client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName); + Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, + requestorUserGroupNames, groupName); + assertTrue(groupRoles.size() == 1); + for (TSentryRole role:groupRoles) { + assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName)); + assertTrue(role.getGroups().size() == 1); + for (TSentryGroup group :role.getGroups()) { + assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName)); + } + } + + client.dropRole(requestorUserName, requestorUserGroupNames, roleName); + } + + @Test + public void testShowGrant() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName = "admin_testdb"; + String server = "server1"; String db = "testDB"; - String group = "group1"; client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName); client.createRole(requestorUserName, requestorUserGroupNames, roleName); - TListSentryRolesRequest listReq = new TListSentryRolesRequest(); - listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - listReq.setRoleName("admin_testdb"); - listReq.setRequestorUserName(requestorUserName); - TListSentryRolesResponse listResp = client.listRoleByName(listReq); - Set<TSentryRole> roles = listResp.getRoles(); - assertEquals("Incorrect number of roles:" + roles, 1, roles.size()); + Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames); + assertEquals("Incorrect number of roles", 1, roles.size()); client.grantDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db); - - // verify we can get the privileges from the backend - SimpleDBProviderBackend dbBackend = new SimpleDBProviderBackend(client); - dbBackend.initialize(new ProviderBackendContext()); - assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group), - new ActiveRoleSet(true))); - client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, group, roleName); - assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group), - new ActiveRoleSet(new HashSet<String>()))); - assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"), - dbBackend.getPrivileges(Sets.newHashSet("group1"), - new ActiveRoleSet(true))); - assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"), - dbBackend.getPrivileges(Sets.newHashSet(group), - new ActiveRoleSet(Sets.newHashSet(roleName)))); + Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, + requestorUserGroupNames, roleName); + assertTrue(privileges.size() == 1); + for (TSentryPrivilege privilege:privileges) { + assertTrue(privilege.getPrivilegeName(), + privilege.getPrivilegeName().equalsIgnoreCase(SentryStore.constructPrivilegeName(privilege))); + } client.revokeDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db); client.dropRole(requestorUserName, requestorUserGroupNames, roleName); } -} +} \ No newline at end of file
