Repository: incubator-sentry Updated Branches: refs/heads/master 7c71b0c88 -> a27f633d2
SENTRY-214: Sentry Service does not allow the same Privilege to be associated to multiple Roles(Arun Suresh via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a27f633d Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a27f633d Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a27f633d Branch: refs/heads/master Commit: a27f633d225fe1f56528a36f3d8e91cddb33c1bc Parents: 7c71b0c Author: Sravya Tirukkovalur <[email protected]> Authored: Mon May 19 15:19:51 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Mon May 19 15:19:51 2014 -0700 ---------------------------------------------------------------------- .../db/service/persistent/SentryStore.java | 34 +++++++++++++------- .../thrift/TestSentryServiceIntegration.java | 33 ++++++++++++++++--- 2 files changed, 50 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a27f633d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 325dedf..604dd64 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 
@@ -110,6 +110,7 @@ public class SentryStore { } } + boolean checkSchemaVersion = conf.get( ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase( @@ -269,7 +270,10 @@ public class SentryStore { if (mRole == null) { throw new SentryNoSuchObjectException("Role: " + roleName); } else { - MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege); + MSentryPrivilege mPrivilege = getMSentryPrivilege(constructPrivilegeName(privilege), pm); + if (mPrivilege == null) { + mPrivilege = convertToMSentryPrivilege(privilege); + } // Add privilege and role objects to each other. needed by datanucleus to model // m:n relationships correctly through a join table. mPrivilege.appendRole(mRole); @@ -287,6 +291,7 @@ public class SentryStore { } } + public CommitContext alterSentryRoleRevokePrivilege(String roleName, TSentryPrivilege tPrivilege) throws SentryNoSuchObjectException, SentryInvalidInputException { boolean rollbackTransaction = true; @@ -303,11 +308,7 @@ public class SentryStore { throw new SentryNoSuchObjectException("Role: " + roleName); } else { query = pm.newQuery(MSentryPrivilege.class); - query.setFilter("this.privilegeName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - String privilegeName = constructPrivilegeName(tPrivilege); - MSentryPrivilege mPrivilege = (MSentryPrivilege) query.execute(privilegeName); + MSentryPrivilege mPrivilege = getMSentryPrivilege(constructPrivilegeName(tPrivilege), pm); if (mPrivilege == null) { revokePartialPrivilege(pm, mRole, tPrivilege); CommitContext commit = commitUpdateTransaction(pm); @@ -317,6 +318,7 @@ public class SentryStore { // remove privilege and role objects from each other's set. needed by // datanucleus to model m:n relationships correctly through a join table. mRole.removePrivilege(mPrivilege); + mPrivilege.removeRole(mRole); CommitContext commit = commitUpdateTransaction(pm); rollbackTransaction = false; return commit; 
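Review bot: The lookup-then-create in the @@ -269 hunk, `MSentryPrivilege mPrivilege = getMSentryPrivilege(constructPrivilegeName(privilege), pm);` followed by `if (mPrivilege == null)`, is not serialized anywhere visible, so two concurrent grants of a not-yet-existing privilege can both observe null and both persist a row with the same privilegeName; whether the schema rejects the second row cannot be seen from the hunk. If it does not, every later lookup through the helper's `setUnique(true)` query would fail for that name, breaking both grant and revoke of that privilege. The invariant the code now relies on deserves a comment at the lookup, e.g. `// Privilege rows are shared across roles and keyed by privilegeName; never create a second row for an existing name.` The enclosing method starts and ends outside the hunk.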
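Review bot: In the @@ -303 hunk the context line `query = pm.newQuery(MSentryPrivilege.class);` directly above the new `getMSentryPrivilege(...)` call now builds a query that is never executed, because the filter, parameter declaration and execute moved into the helper. Drop that line, and the `query` local as well if nothing else in alterSentryRoleRevokePrivilege still uses it (its declaration is outside the hunk).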
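Review bot: After the added `mPrivilege.removeRole(mRole);` in the @@ -317 hunk, a privilege whose last role was just detached remains persisted with an empty role set, and nothing in the hunk deletes it; unless later code reclaims it, revokes leave orphaned privilege rows that still match by name in getMSentryPrivilege and will be re-attached by the next grant of that name. If keeping the row is intended, say so in the existing comment, e.g. `// The privilege row may be shared by other roles and is kept after the last role is detached; a later grant re-uses it.` The method body continues outside the hunk.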
@@ -349,11 +351,7 @@ public class SentryStore { TSentryPrivilege tPrivilegeAll = new TSentryPrivilege(tPrivilege); tPrivilegeAll.setAction(AccessConstants.ALL); String allPrivilegeName = constructPrivilegeName(tPrivilegeAll); - Query query = pm.newQuery(MSentryPrivilege.class); - query.setFilter("this.privilegeName == t"); - query.declareParameters("java.lang.String t"); - query.setUnique(true); - MSentryPrivilege allPrivilege = (MSentryPrivilege) query.execute(allPrivilegeName); + MSentryPrivilege allPrivilege = getMSentryPrivilege(allPrivilegeName, pm); if (allPrivilege == null) { throw new SentryNoSuchObjectException("Unknown privilege: " + tPrivilege); } @@ -368,6 +366,17 @@ public class SentryStore { role.appendPrivilege(convertToMSentryPrivilege(tPrivilege)); } + private MSentryPrivilege getMSentryPrivilege(String privilegeName, PersistenceManager pm) { + Query query = pm.newQuery(MSentryPrivilege.class); + query.setFilter("this.privilegeName == t"); + query.declareParameters("java.lang.String t"); + query.setUnique(true); + Object obj = query.execute(privilegeName); + if (obj != null) + return (MSentryPrivilege) obj; + return null; + } + //TODO:Validate privilege scope? @VisibleForTesting public static String constructPrivilegeName(TSentryPrivilege privilege) throws SentryInvalidInputException { @@ -888,4 +897,5 @@ public class SentryStore { } } -} \ No newline at end of file +} + http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a27f633d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 1e4ed17..a2e877a 100644 
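Review bot: In the @@ -349 hunk, `allPrivilege` is now the row shared by every role holding ALL on that object, since grants re-use an existing row by name. The rest of the enclosing method (presumably revokePartialPrivilege, reached from the revoke path) is outside the hunk; if it mutates or deletes `allPrivilege` rather than only detaching `mRole` from it, a partial revoke on one role would silently change what every other role is granted. Please confirm the body touches only the role/privilege association and record that at the lookup, e.g. `// allPrivilege may be shared with other roles: detach mRole from it, never modify or delete the row.`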
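Review bot: In the new getMSentryPrivilege (@@ -368 hunk) the tail `if (obj != null) return (MSentryPrivilege) obj; return null;` is a redundant null check behind an unbraced if; casting a null result is fine, so `return (MSentryPrivilege) query.execute(privilegeName);` says the same thing in one line. The helper also needs a Javadoc stating that it returns null when no row has the given privilegeName and that `setUnique(true)` makes the query throw if more than one row matches, since callers in the grant and revoke paths now depend on both behaviours.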
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -49,7 +49,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { } client.dropRole(requestorUserName, requestorUserGroupNames, roleName); } - + @Test public void testGranRevokePrivilegeOnTableForRole() throws Exception { String requestorUserName = ADMIN_USER; 
@@ -58,15 +58,38 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName); client.createRole(requestorUserName, requestorUserGroupNames, roleName); - - client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName, "server", "db", "table", "ALL"); + + client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName, "server", "db", "table", "ALL"); Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName); assertTrue("Privilege not assigned to role !!", listPrivilegesByRoleName.size() == 1); - + client.revokeTablePrivilege(requestorUserName, requestorUserGroupNames, roleName, "server", "db", "table", "ALL"); listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName); assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0); - } + } + + @Test + public void testMultipleRolesSamePrivilege() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + String roleName1 = "admin_r1"; + String roleName2 = "admin_r2"; + + client.dropRoleIfExists(requestorUserName, requestorUserGroupNames,roleName1); + client.createRole(requestorUserName, requestorUserGroupNames, roleName1); + + client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName2); + client.createRole(requestorUserName, requestorUserGroupNames, roleName2); + + client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName1, "server", "db", "table", "ALL"); + Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName1); + assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1); + + 
client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName2, "server", "db", "table", "ALL"); + listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName2); + assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1); + } + @Test public void testShowRoleGrant() throws Exception {
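Review bot: testMultipleRolesSamePrivilege only checks that both roles list the shared privilege after the two grants; it never exercises the revoke side, where SentryStore now detaches a single role from a shared privilege row, so a regression that removes the privilege from every role on one revoke would still pass. Extend the test to revoke from roleName1 and assert roleName2 keeps the privilege, and drop both roles at the end as the preceding test does with dropRole. A suggested tail for the method follows.
```java
    // … unchanged: role creation, the two grants and their assertions …
    client.revokeTablePrivilege(requestorUserName, requestorUserGroupNames, roleName1, "server", "db", "table", "ALL");
    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName1);
    assertTrue("Privilege not revoked from role1 !!", listPrivilegesByRoleName.size() == 0);
    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames, roleName2);
    assertTrue("Revoke on role1 must not affect role2 !!", listPrivilegesByRoleName.size() == 1);
    client.dropRole(requestorUserName, requestorUserGroupNames, roleName1);
    client.dropRole(requestorUserName, requestorUserGroupNames, roleName2);
  }
```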
