Repository: incubator-sentry Updated Branches: refs/heads/master 5c5b87ce1 -> d6b1eb6e8
SENTRY-339: Remove PrivilegeName column and constructPrivilegeName() function (Arun Suresh via Sravya Tirukkovalur) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d6b1eb6e Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d6b1eb6e Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d6b1eb6e Branch: refs/heads/master Commit: d6b1eb6e8f74b95e3a1098c1a0e6e17b049fb102 Parents: 5c5b87c Author: Sravya Tirukkovalur <[email protected]> Authored: Mon Jul 28 15:00:46 2014 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Mon Jul 28 15:00:46 2014 -0700 ---------------------------------------------------------------------- .../db/service/thrift/TSentryPrivilege.java | 150 +++----------- .../db/service/model/MSentryPrivilege.java | 120 ++++++----- .../provider/db/service/model/package.jdo | 11 +- .../db/service/persistent/SentryStore.java | 197 ++++++------------- .../thrift/SentryPolicyStoreProcessor.java | 6 +- .../src/main/resources/sentry-db2-1.4.0.sql | 3 +- .../src/main/resources/sentry-derby-1.4.0.sql | 3 +- .../src/main/resources/sentry-mysql-1.4.0.sql | 3 +- .../src/main/resources/sentry-oracle-1.4.0.sql | 3 +- .../main/resources/sentry-postgres-1.4.0.sql | 3 +- .../main/resources/sentry_policy_service.thrift | 9 +- .../db/service/persistent/TestSentryStore.java | 30 +-- .../thrift/TestSentryServerWithoutKerberos.java | 4 +- .../thrift/TestSentryServiceIntegration.java | 4 - .../sentry/tests/e2e/hive/TestPolicyImport.java | 1 - 15 files changed, 184 insertions(+), 363 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java index 9e8ac4c..c48e8cc 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java @@ -35,7 +35,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TSentryPrivilege"); private static final org.apache.thrift.protocol.TField PRIVILEGE_SCOPE_FIELD_DESC = new org.apache.thrift.protocol.TField("privilegeScope", org.apache.thrift.protocol.TType.STRING, (short)1); - private static final org.apache.thrift.protocol.TField PRIVILEGE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("privilegeName", org.apache.thrift.protocol.TType.STRING, (short)2); private static final org.apache.thrift.protocol.TField SERVER_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("serverName", org.apache.thrift.protocol.TType.STRING, (short)3); private static final org.apache.thrift.protocol.TField DB_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("dbName", org.apache.thrift.protocol.TType.STRING, (short)4); private static final org.apache.thrift.protocol.TField TABLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("tableName", org.apache.thrift.protocol.TType.STRING, (short)5); 
@@ -51,7 +50,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg } private String privilegeScope; // required - private String privilegeName; // optional private String serverName; // required private String dbName; // optional private String tableName; // optional @@ -63,7 +61,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { PRIVILEGE_SCOPE((short)1, "privilegeScope"), - PRIVILEGE_NAME((short)2, "privilegeName"), SERVER_NAME((short)3, "serverName"), DB_NAME((short)4, "dbName"), TABLE_NAME((short)5, "tableName"), @@ -87,8 +84,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg switch(fieldId) { case 1: // PRIVILEGE_SCOPE return PRIVILEGE_SCOPE; - case 2: // PRIVILEGE_NAME - return PRIVILEGE_NAME; case 3: // SERVER_NAME return SERVER_NAME; case 4: // DB_NAME 
@@ -145,14 +140,12 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg // isset id assignments private static final int __CREATETIME_ISSET_ID = 0; private byte __isset_bitfield = 0; - private _Fields optionals[] = {_Fields.PRIVILEGE_NAME,_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANTOR_PRINCIPAL}; + private _Fields optionals[] = {_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANTOR_PRINCIPAL}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); tmpMap.put(_Fields.PRIVILEGE_SCOPE, new org.apache.thrift.meta_data.FieldMetaData("privilegeScope", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); - tmpMap.put(_Fields.PRIVILEGE_NAME, new org.apache.thrift.meta_data.FieldMetaData("privilegeName", org.apache.thrift.TFieldRequirementType.OPTIONAL, - new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.SERVER_NAME, new org.apache.thrift.meta_data.FieldMetaData("serverName", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.DB_NAME, new org.apache.thrift.meta_data.FieldMetaData("dbName", org.apache.thrift.TFieldRequirementType.OPTIONAL, @@ -172,6 +165,14 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg } public TSentryPrivilege() { + this.dbName = ""; + + this.tableName = ""; + + this.URI = ""; + + this.action = ""; + } public TSentryPrivilege( 
@@ -193,9 +194,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg if (other.isSetPrivilegeScope()) { this.privilegeScope = other.privilegeScope; } - if (other.isSetPrivilegeName()) { - this.privilegeName = other.privilegeName; - } if (other.isSetServerName()) { this.serverName = other.serverName; } @@ -224,12 +222,15 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg @Override public void clear() { this.privilegeScope = null; - this.privilegeName = null; this.serverName = null; - this.dbName = null; - this.tableName = null; - this.URI = null; - this.action = null; + this.dbName = ""; + + this.tableName = ""; + + this.URI = ""; + + this.action = ""; + setCreateTimeIsSet(false); this.createTime = 0; this.grantorPrincipal = null; @@ -258,29 +259,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg } } - public String getPrivilegeName() { - return this.privilegeName; - } - - public void setPrivilegeName(String privilegeName) { - this.privilegeName = privilegeName; - } - - public void unsetPrivilegeName() { - this.privilegeName = null; - } - - /** Returns true if field privilegeName is set (has been assigned a value) and false otherwise */ - public boolean isSetPrivilegeName() { - return this.privilegeName != null; - } - - public void setPrivilegeNameIsSet(boolean value) { - if (!value) { - this.privilegeName = null; - } - } - public String getServerName() { return this.serverName; } @@ -451,14 +429,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg } break; - case PRIVILEGE_NAME: - if (value == null) { - unsetPrivilegeName(); - } else { - setPrivilegeName((String)value); - } - break; - case SERVER_NAME: if (value == null) { unsetServerName(); 
@@ -523,9 +493,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg case PRIVILEGE_SCOPE: return getPrivilegeScope(); - case PRIVILEGE_NAME: - return getPrivilegeName(); - case SERVER_NAME: return getServerName(); @@ -560,8 +527,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg switch (field) { case PRIVILEGE_SCOPE: return isSetPrivilegeScope(); - case PRIVILEGE_NAME: - return isSetPrivilegeName(); case SERVER_NAME: return isSetServerName(); case DB_NAME: @@ -602,15 +567,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return false; } - boolean this_present_privilegeName = true && this.isSetPrivilegeName(); - boolean that_present_privilegeName = true && that.isSetPrivilegeName(); - if (this_present_privilegeName || that_present_privilegeName) { - if (!(this_present_privilegeName && that_present_privilegeName)) - return false; - if (!this.privilegeName.equals(that.privilegeName)) - return false; - } - boolean this_present_serverName = true && this.isSetServerName(); boolean that_present_serverName = true && that.isSetServerName(); if (this_present_serverName || that_present_serverName) { @@ -686,11 +642,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg if (present_privilegeScope) builder.append(privilegeScope); - boolean present_privilegeName = true && (isSetPrivilegeName()); - builder.append(present_privilegeName); - if (present_privilegeName) - builder.append(privilegeName); - boolean present_serverName = true && (isSetServerName()); builder.append(present_serverName); if (present_serverName) 
@@ -747,16 +698,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return lastComparison; } } - lastComparison = Boolean.valueOf(isSetPrivilegeName()).compareTo(typedOther.isSetPrivilegeName()); - if (lastComparison != 0) { - return lastComparison; - } - if (isSetPrivilegeName()) { - lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privilegeName, typedOther.privilegeName); - if (lastComparison != 0) { - return lastComparison; - } - } lastComparison = Boolean.valueOf(isSetServerName()).compareTo(typedOther.isSetServerName()); if (lastComparison != 0) { return lastComparison; @@ -854,16 +795,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg sb.append(this.privilegeScope); } first = false; - if (isSetPrivilegeName()) { - if (!first) sb.append(", "); - sb.append("privilegeName:"); - if (this.privilegeName == null) { - sb.append("null"); - } else { - sb.append(this.privilegeName); - } - first = false; - } if (!first) sb.append(", "); sb.append("serverName:"); if (this.serverName == null) { @@ -991,14 +922,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 2: // PRIVILEGE_NAME - if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { - struct.privilegeName = iprot.readString(); - struct.setPrivilegeNameIsSet(true); - } else { - org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); - } - break; case 3: // SERVER_NAME if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { struct.serverName = iprot.readString(); 
@@ -1073,13 +996,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg oprot.writeString(struct.privilegeScope); oprot.writeFieldEnd(); } - if (struct.privilegeName != null) { - if (struct.isSetPrivilegeName()) { - oprot.writeFieldBegin(PRIVILEGE_NAME_FIELD_DESC); - oprot.writeString(struct.privilegeName); - oprot.writeFieldEnd(); - } - } if (struct.serverName != null) { oprot.writeFieldBegin(SERVER_NAME_FIELD_DESC); oprot.writeString(struct.serverName); @@ -1144,28 +1060,22 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg oprot.writeString(struct.serverName); oprot.writeString(struct.action); BitSet optionals = new BitSet(); - if (struct.isSetPrivilegeName()) { - optionals.set(0); - } if (struct.isSetDbName()) { - optionals.set(1); + optionals.set(0); } if (struct.isSetTableName()) { - optionals.set(2); + optionals.set(1); } if (struct.isSetURI()) { - optionals.set(3); + optionals.set(2); } if (struct.isSetCreateTime()) { - optionals.set(4); + optionals.set(3); } if (struct.isSetGrantorPrincipal()) { - optionals.set(5); - } - oprot.writeBitSet(optionals, 6); - if (struct.isSetPrivilegeName()) { - oprot.writeString(struct.privilegeName); + optionals.set(4); } + oprot.writeBitSet(optionals, 5); if (struct.isSetDbName()) { oprot.writeString(struct.dbName); } 
@@ -1192,28 +1102,24 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg struct.setServerNameIsSet(true); struct.action = iprot.readString(); struct.setActionIsSet(true); - BitSet incoming = iprot.readBitSet(6); + BitSet incoming = iprot.readBitSet(5); if (incoming.get(0)) { - struct.privilegeName = iprot.readString(); - struct.setPrivilegeNameIsSet(true); - } - if (incoming.get(1)) { struct.dbName = iprot.readString(); struct.setDbNameIsSet(true); } - if (incoming.get(2)) { + if (incoming.get(1)) { struct.tableName = iprot.readString(); struct.setTableNameIsSet(true); } - if (incoming.get(3)) { + if (incoming.get(2)) { struct.URI = iprot.readString(); struct.setURIIsSet(true); } - if (incoming.get(4)) { + if (incoming.get(3)) { struct.createTime = iprot.readI64(); struct.setCreateTimeIsSet(true); } - if (incoming.get(5)) { + if (incoming.get(4)) { struct.grantorPrincipal = iprot.readString(); struct.setGrantorPrincipalIsSet(true); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java index f8491db..d359abc 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 
@@ -23,6 +23,10 @@ import java.util.Set; import javax.jdo.annotations.PersistenceCapable; +import org.apache.sentry.provider.db.service.persistent.SentryStore; + +import com.google.common.base.Strings; + /** * Database backed Sentry Privilege. Any changes to this object * require re-running the maven build so DN an re-enhance. @@ -34,12 +38,11 @@ public class MSentryPrivilege { /** * Privilege name is unique */ - private String privilegeName; - private String serverName; - private String dbName; - private String tableName; - private String URI; - private String action; + private String serverName = ""; + private String dbName = ""; + private String tableName = ""; + private String URI = ""; + private String action = ""; // roles this privilege is a part of private Set<MSentryRole> roles; private long createTime; @@ -52,13 +55,12 @@ public class MSentryPrivilege { public MSentryPrivilege(String privilegeName, String privilegeScope, String serverName, String dbName, String tableName, String URI, String action) { - this.privilegeName = privilegeName; this.privilegeScope = privilegeScope; this.serverName = serverName; - this.dbName = dbName; - this.tableName = tableName; - this.URI = URI; - this.action = action; + this.dbName = SentryStore.toNULLCol(dbName); + this.tableName = SentryStore.toNULLCol(tableName); + this.URI = SentryStore.toNULLCol(URI); + this.action = SentryStore.toNULLCol(action); this.roles = new HashSet<MSentryRole>(); } @@ -67,7 +69,7 @@ public class MSentryPrivilege { } public void setServerName(String serverName) { - this.serverName = serverName; + this.serverName = (serverName == null) ? "" : serverName; } public String getDbName() { @@ -75,7 +77,7 @@ public class MSentryPrivilege { } public void setDbName(String dbName) { - this.dbName = dbName; + this.dbName = (dbName == null) ? "" : dbName; } public String getTableName() { 
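Review bot: The constructor in the `@@ -52,13 +55,12` hunk stores absent fields through `SentryStore.toNULLCol(...)`, while the field initialisers and the setters in the neighbouring hunks store `""`, so one class ends up with two encodings of "not set" that `equals`/`hashCode` will treat as different privileges. `toNULLCol` is not visible here, so this assumes it maps null or empty to `"__NULL__"`; if it does, the setters should use the same helper, e.g. `this.dbName = SentryStore.toNULLCol(dbName);`. Filters elsewhere in this commit compare only against `"__NULL__"`, so a row holding `""` would not be treated as absent. The constructor also still accepts `privilegeName` without using it, the `Privilege name is unique` comment now sits above `serverName`, and the added `com.google.common.base.Strings` import appears unused in the visible hunks.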
@@ -83,7 +85,7 @@ public class MSentryPrivilege { } public void setTableName(String tableName) { - this.tableName = tableName; + this.tableName = (tableName == null) ? "" : tableName; } public String getURI() { @@ -91,7 +93,7 @@ public class MSentryPrivilege { } public void setURI(String uRI) { - URI = uRI; + URI = (uRI == null) ? "" : uRI; } public String getAction() { @@ -99,7 +101,7 @@ public class MSentryPrivilege { } public void setAction(String action) { - this.action = action; + this.action = (action == null) ? "" : action; } public long getCreateTime() { @@ -126,14 +128,6 @@ public class MSentryPrivilege { this.privilegeScope = privilegeScope; } - public String getPrivilegeName() { - return privilegeName; - } - - public void setPrivilegeName(String privilegeName) { - this.privilegeName = privilegeName; - } - public void appendRole(MSentryRole role) { roles.add(role); } 
@@ -150,35 +144,61 @@ public class MSentryPrivilege { @Override public String toString() { return "MSentryPrivilege [privilegeScope=" + privilegeScope - + ", privilegeName=" + privilegeName + ", serverName=" + serverName - + ", dbName=" + dbName + ", tableName=" + tableName + ", URI=" + URI + + ", serverName=" + serverName + ", dbName=" + dbName + + ", tableName=" + tableName + ", URI=" + URI + ", action=" + action + ", roles=[...]" + ", createTime=" + createTime + ", grantorPrincipal=" + grantorPrincipal + "]"; } - @Override - public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result - + ((privilegeName == null) ? 0 : privilegeName.hashCode()); - return result; - } +@Override +public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((URI == null) ? 0 : URI.hashCode()); + result = prime * result + ((action == null) ? 0 : action.hashCode()); + result = prime * result + ((dbName == null) ? 0 : dbName.hashCode()); + result = prime * result + + ((serverName == null) ? 0 : serverName.hashCode()); + result = prime * result + ((tableName == null) ? 
0 : tableName.hashCode()); + return result; +} + +@Override +public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + MSentryPrivilege other = (MSentryPrivilege) obj; + if (URI == null) { + if (other.URI != null) + return false; + } else if (!URI.equals(other.URI)) + return false; + if (action == null) { + if (other.action != null) + return false; + } else if (!action.equals(other.action)) + return false; + if (dbName == null) { + if (other.dbName != null) + return false; + } else if (!dbName.equals(other.dbName)) + return false; + if (serverName == null) { + if (other.serverName != null) + return false; + } else if (!serverName.equals(other.serverName)) + return false; + if (tableName == null) { + if (other.tableName != null) + return false; + } else if (!tableName.equals(other.tableName)) + return false; + return true; +} + - @Override - public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - MSentryPrivilege other = (MSentryPrivilege) obj; - if (privilegeName == null) { - if (other.privilegeName != null) - return false; - } else if (!privilegeName.equals(other.privilegeName)) - return false; - return true; - } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo index 945227e..e3f1372 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo 
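Review bot: `hashCode()` and `equals()` now depend on `URI`, `action`, `dbName`, `serverName` and `tableName`, all of which have public setters, so changing one of them on an instance that is already in a hash-based set leaves it unreachable by `contains` and `remove`. `revokePartial` in SentryStore calls `currentPrivilege.setAction(...)` on an existing object and then relies on `mRole.getPrivileges().contains(persistedPriv)`; whether that instance sits in a `HashSet` at that point is not visible here, so please confirm. A comment above `hashCode()` would record the constraint, for example `// identity is (serverName, dbName, tableName, URI, action); do not mutate these while the object is in a hash-based collection`. Both methods are also added at column 0 while the rest of the class is indented.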
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo @@ -87,10 +87,13 @@ <datastore-identity> <column name="DB_PRIVILEGE_ID"/> </datastore-identity> - <field name="privilegeName"> - <column name="PRIVILEGE_NAME" length="4000" jdbc-type="VARCHAR"/> - <index name="SentryPrivilegeName" unique="true"/> - </field> + <index name="PRIVILEGE_INDEX" unique="true"> + <field name="serverName"/> + <field name="dbName"/> + <field name="tableName"/> + <field name="URI"/> + <field name="action"/> + </index> <field name="privilegeScope"> <column name="PRIVILEGE_SCOPE" length="40" jdbc-type="VARCHAR"/> </field> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index ff8acdc..a9fe01e 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -77,6 +77,8 @@ import com.google.common.collect.Sets; */ public class SentryStore { private static final UUID SERVER_UUID = UUID.randomUUID(); + + public static String NULL_COL = "__NULL__"; static final String DEFAULT_DATA_DIR = "sentry_policy_db"; /** * Commit order sequence id. This is used by notification handlers 
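Review bot: `NULL_COL` in the SentryStore hunk is declared `public static String`, so any class can reassign the sentinel that the privilege lookups in this store compare against; it should be a constant, `public static final String NULL_COL = "__NULL__";`. Later hunks in this file write the literal `\"__NULL__\"` inside filter strings instead of referencing the field, so the two can drift apart. Because the sentinel is an ordinary string, a database, table or URI actually named `__NULL__` would be indistinguishable from an absent value. A comment on the field should state that, and request validation should reject the value; where that validation lives is not visible in this hunk.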
@@ -289,17 +291,15 @@ public class SentryStore { throw new SentryNoSuchObjectException("Role: " + roleName); } else { - if ((privilege.getTableName() != null) || (privilege.getDbName() != null)) { + if ((!isNULL(privilege.getTableName())) || (!isNULL(privilege.getDbName()))) { // If Grant is for ALL and Either INSERT/SELECT already exists.. // need to remove it and GRANT ALL.. if (privilege.getAction().equalsIgnoreCase("*")) { TSentryPrivilege tNotAll = new TSentryPrivilege(privilege); tNotAll.setAction(AccessConstants.SELECT); - MSentryPrivilege mSelect = getMSentryPrivilege( - constructPrivilegeName(tNotAll), pm); + MSentryPrivilege mSelect = getMSentryPrivilege(tNotAll, pm); tNotAll.setAction(AccessConstants.INSERT); - MSentryPrivilege mInsert = getMSentryPrivilege( - constructPrivilegeName(tNotAll), pm); + MSentryPrivilege mInsert = getMSentryPrivilege(tNotAll, pm); if ((mSelect != null) && (mRole.getPrivileges().contains(mSelect))) { mSelect.removeRole(mRole); pm.makePersistent(mSelect); @@ -313,16 +313,14 @@ public class SentryStore { // do nothing.. TSentryPrivilege tAll = new TSentryPrivilege(privilege); tAll.setAction(AccessConstants.ALL); - MSentryPrivilege mAll = getMSentryPrivilege( - constructPrivilegeName(tAll), pm); + MSentryPrivilege mAll = getMSentryPrivilege(tAll, pm); if ((mAll != null) && (mRole.getPrivileges().contains(mAll))) { return; } } } - MSentryPrivilege mPrivilege = getMSentryPrivilege( - constructPrivilegeName(privilege), pm); + MSentryPrivilege mPrivilege = getMSentryPrivilege(privilege, pm); if (mPrivilege == null) { mPrivilege = convertToMSentryPrivilege(privilege); } 
@@ -364,8 +362,7 @@ public class SentryStore { throw new SentryNoSuchObjectException("Role: " + roleName); } else { query = pm.newQuery(MSentryPrivilege.class); - MSentryPrivilege mPrivilege = getMSentryPrivilege( - constructPrivilegeName(tPrivilege), pm); + MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm); if (mPrivilege == null) { mPrivilege = convertToMSentryPrivilege(tPrivilege); } else { @@ -390,7 +387,7 @@ public class SentryStore { private void revokePartial(PersistenceManager pm, TSentryPrivilege requestedPrivToRevoke, MSentryRole mRole, MSentryPrivilege currentPrivilege) throws SentryInvalidInputException { - MSentryPrivilege persistedPriv = getMSentryPrivilege(constructPrivilegeName(convertToTSentryPrivilege(currentPrivilege)), pm); + MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if (persistedPriv == null) { persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege)); } @@ -415,13 +412,13 @@ public class SentryStore { pm.makePersistent(persistedPriv); currentPrivilege.setAction(AccessConstants.ALL); - persistedPriv = getMSentryPrivilege(constructPrivilegeName(convertToTSentryPrivilege(currentPrivilege)), pm); + persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if ((persistedPriv != null)&&(mRole.getPrivileges().contains(persistedPriv))) { persistedPriv.removeRole(mRole); pm.makePersistent(persistedPriv); currentPrivilege.setAction(addAction); - persistedPriv = getMSentryPrivilege(constructPrivilegeName(convertToTSentryPrivilege(currentPrivilege)), pm); + persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if (persistedPriv == null) { persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege)); mRole.appendPrivilege(persistedPriv); 
@@ -438,12 +435,12 @@ public class SentryStore { */ private void populateChildren(Set<String> roleNames, MSentryPrivilege priv, Set<MSentryPrivilege> children) throws SentryInvalidInputException { - if ((priv.getServerName() != null) || (priv.getDbName() != null)) { + if ((!isNULL(priv.getServerName())) || (!isNULL(priv.getDbName()))) { // Get all DBLevel Privs Set<MSentryPrivilege> childPrivs = getChildPrivileges(roleNames, priv); for (MSentryPrivilege childPriv : childPrivs) { // Only recurse for db level privs.. - if ((childPriv.getDbName() != null) && (childPriv.getTableName() == null)) { + if ((!isNULL(childPriv.getDbName())) && (!isNULL(childPriv.getTableName()))) { populateChildren(roleNames, childPriv, children); } children.add(childPriv); @@ -454,7 +451,7 @@ public class SentryStore { private Set<MSentryPrivilege> getChildPrivileges(Set<String> roleNames, MSentryPrivilege parent) throws SentryInvalidInputException { // Table and URI do not have children - if ((parent.getTableName() != null)||(parent.getURI() != null)) return new HashSet<MSentryPrivilege>(); + if ((!isNULL(parent.getTableName()))||(!isNULL(parent.getURI()))) return new HashSet<MSentryPrivilege>(); boolean rollbackTransaction = true; PersistenceManager pm = null; try { @@ -469,11 +466,11 @@ public class SentryStore { StringBuilder filters = new StringBuilder("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")"); filters.append(" && serverName == \"" + parent.getServerName() + "\""); - if (parent.getDbName() != null) { + if (!isNULL(parent.getDbName())) { filters.append(" && dbName == \"" + parent.getDbName() + "\""); - filters.append(" && tableName != null"); + filters.append(" && tableName != \"__NULL__\""); } else { - filters.append(" && (dbName != null || URI != null)"); + filters.append(" && (dbName != \"__NULL__\" || URI != \"__NULL__\")"); } query.setFilter(filters.toString()); query 
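Review bot: In `populateChildren` the recursion guard changed meaning: the old test was `getDbName() != null && getTableName() == null`, but the new line is `(!isNULL(childPriv.getDbName())) && (!isNULL(childPriv.getTableName()))`, which recurses only for privileges that do have a table. That contradicts the `// Only recurse for db level privs..` comment directly above it, and because `getChildPrivileges` returns an empty set for any parent with a table name, the recursion can no longer collect grandchildren. The second operand should be `isNULL(childPriv.getTableName())`. The callers are outside this hunk; if any of them use the collected children to revoke, table-level privileges under a database could be missed.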
@@ -488,7 +485,6 @@ public class SentryStore { priv.setURI((String) privObj[4]); priv.setAction((String) privObj[5]); priv.setGrantorPrincipal((String) privObj[6]); - priv.setPrivilegeName(constructPrivilegeName(convertToTSentryPrivilege(priv))); privileges.add(priv); } rollbackTransaction = false; 
@@ -501,97 +497,20 @@ public class SentryStore { } } - private MSentryPrivilege getMSentryPrivilege(String privilegeName, PersistenceManager pm) { - Query query = pm.newQuery(MSentryPrivilege.class); - query.setFilter("this.privilegeName == t"); - query.declareParameters("java.lang.String t"); + private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) { + Query query = pm.newQuery(MSentryPrivilege.class); + query.setFilter("this.serverName == \"" + toNULLCol(tPriv.getServerName()) + "\" " + + "&& this.dbName == \"" + toNULLCol(tPriv.getDbName()) + "\" " + + "&& this.tableName == \"" + toNULLCol(tPriv.getTableName()) + "\" " + + "&& this.URI == \"" + toNULLCol(tPriv.getURI()) + "\" " + + "&& this.action == \"" + toNULLCol(tPriv.getAction().toLowerCase()) + "\""); query.setUnique(true); - Object obj = query.execute(privilegeName); + Object obj = query.execute(); if (obj != null) return (MSentryPrivilege) obj; return null; } - //TODO:Validate privilege scope? 
- @VisibleForTesting - public static String constructPrivilegeName(TSentryPrivilege privilege) throws SentryInvalidInputException { - StringBuilder privilegeName = new StringBuilder(); - String serverName = safeTrimLower(privilege.getServerName()); - String dbName = safeTrimLower(privilege.getDbName()); - String tableName = safeTrimLower(privilege.getTableName()); - String uri = privilege.getURI(); - String action = safeTrimLower(privilege.getAction()); - PrivilegeScope scope; - - if (serverName == null) { - throw new SentryInvalidInputException("Server name is null"); - } - - if (AccessConstants.SELECT.equalsIgnoreCase(action) || - AccessConstants.INSERT.equalsIgnoreCase(action)) { - if (Strings.nullToEmpty(tableName).trim().isEmpty() - &&Strings.nullToEmpty(dbName).trim().isEmpty()) { - throw new SentryInvalidInputException("Either Table name or Db name must be NON-NULL for SELECT/INSERT privilege"); - } - } - if (action == null) { - action = AccessConstants.ALL; - } - - // Validate privilege scope - try { - scope = Enum.valueOf(PrivilegeScope.class, privilege.getPrivilegeScope().toUpperCase()); - } catch (IllegalArgumentException e) { - throw new SentryInvalidInputException("Invalid Privilege scope: " + - privilege.getPrivilegeScope()); - } - if (PrivilegeScope.SERVER.equals(scope)) { - if (StringUtils.isNotEmpty(dbName) || StringUtils.isNotEmpty(tableName)) { - throw new SentryInvalidInputException("DB and TABLE names should not be " - + "set for SERVER scope"); - } - } else if (PrivilegeScope.DATABASE.equals(scope)) { - if (StringUtils.isEmpty(dbName)) { - throw new SentryInvalidInputException("DB name not set for DB scope"); - } - if (StringUtils.isNotEmpty(tableName)) { - StringUtils.isNotEmpty("TABLE names should not be set for DB scope"); - } - } else if (PrivilegeScope.TABLE.equals(scope)) { - if (StringUtils.isEmpty(dbName) || StringUtils.isEmpty(tableName)) { - throw new SentryInvalidInputException("TABLE or DB name not set for TABLE scope"); - } - } 
else if (PrivilegeScope.URI.equals(scope)){ - if (StringUtils.isEmpty(uri)) { - throw new SentryInvalidInputException("URI path not set for URI scope"); - } - if (StringUtils.isNotEmpty(tableName)) { - throw new SentryInvalidInputException("TABLE should not be set for URI scope"); - } - } else { - throw new SentryInvalidInputException("Unsupported operation scope: " + scope); - } - - if (uri == null || uri.equals("")) { - privilegeName.append(serverName); - privilegeName.append("+"); - privilegeName.append(dbName); - - if (tableName != null && !tableName.equals("")) { - privilegeName.append("+"); - privilegeName.append(tableName); - } - privilegeName.append("+"); - privilegeName.append(action); - } else { - privilegeName.append(serverName); - privilegeName.append("+"); - privilegeName.append(uri); - } - return privilegeName.toString(); - } - - public CommitContext dropSentryRole(String roleName) throws SentryNoSuchObjectException { boolean rollbackTransaction = true; 
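Review bot: The rewritten `getMSentryPrivilege` replaces a parameterised query (`declareParameters` plus `execute(privilegeName)`) with a JDOQL filter built by concatenating `serverName`, `dbName`, `tableName`, `URI` and `action` from the `TSentryPrivilege`, so a quote character in any of those request-supplied values changes the filter of a privilege lookup. Bind the five values as declared parameters instead, as in the fence below; the same applies to the concatenated filters in `getChildPrivileges` and in the `authHierarchy` hunk at `@@ -781,15 +700,15`. `tPriv.getAction().toLowerCase()` is also called before `toNULLCol`, so a null action throws instead of being normalised, and the server, database and table names are no longer lower-cased as `safeTrimLower` did in the removed `constructPrivilegeName`. That removed method also held the scope and SELECT/INSERT input validation; nothing in the visible hunks replaces it, so confirm it moved rather than disappeared.

```java
private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
  Query query = pm.newQuery(MSentryPrivilege.class);
  // Values are bound as parameters, never spliced into the filter text.
  query.setFilter("this.serverName == pServer && this.dbName == pDb "
      + "&& this.tableName == pTable && this.URI == pUri && this.action == pAction");
  query.declareParameters("java.lang.String pServer, java.lang.String pDb, "
      + "java.lang.String pTable, java.lang.String pUri, java.lang.String pAction");
  query.setUnique(true);
  // Normalise a missing action before lower-casing it.
  String action = tPriv.getAction();
  Object obj = query.executeWithArray(
      toNULLCol(tPriv.getServerName()),
      toNULLCol(tPriv.getDbName()),
      toNULLCol(tPriv.getTableName()),
      toNULLCol(tPriv.getURI()),
      toNULLCol(action == null ? null : action.toLowerCase()));
  // … unchanged: null check and cast of obj …
}
```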
@@ -781,15 +700,15 @@ public class SentryStore { if ((authHierarchy != null) && (authHierarchy.getServer() != null)) { filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\""); if (authHierarchy.getDb() != null) { - filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == null)) && (URI == null)"); + filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == \"__NULL__\")) && (URI == \"__NULL__\")"); if ((authHierarchy.getTable() != null) && !AccessConstants.ALL .equalsIgnoreCase(authHierarchy.getTable())) { - filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == null)) && (URI == null)"); + filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == \"__NULL__\")) && (URI == \"__NULL__\")"); } } if (authHierarchy.getUri() != null) { - filters.append(" && ((\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == null)) && (dbName == null)"); + filters.append(" && ((URI != \"__NULL__\") && (\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == \"__NULL__\")) && (dbName == \"__NULL__\")"); } } query.setFilter(filters.toString()); @@ -1008,11 +927,11 @@ public class SentryStore { List<String> authorizable = new ArrayList<String>(4); authorizable.add(KV_JOINER.join(AuthorizableType.Server.name().toLowerCase(), privilege.getServerName())); - if (Strings.nullToEmpty(privilege.getURI()).isEmpty()) { - if (!Strings.nullToEmpty(privilege.getDbName()).isEmpty()) { + if (isNULL(privilege.getURI())) { + if (!isNULL(privilege.getDbName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Db.name().toLowerCase(), privilege.getDbName())); - if (!Strings.nullToEmpty(privilege.getTableName()).isEmpty()) { + if (!isNULL(privilege.getTableName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(), privilege.getTableName())); } 
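Review bot: The rewritten `filters.append(...)` lines still concatenate `authHierarchy.getDb()`, `getTable()` and `getUri()` directly into the JDOQL filter text, so a double quote inside any of those values changes the shape of the query that selects which privileges are returned. Since these lines are being edited anyway, bind the values as parameters instead, for example `filters.append(" && ((dbName == :db) || (dbName == \"" + NULL_COL + "\")) && (URI == \"" + NULL_COL + "\")");`, and pass the values when the query is executed. The execute call and the rest of the method are outside this hunk, so the exact form depends on code not shown here. Using `NULL_COL` rather than the repeated `"__NULL__"` literal also keeps the filter in step with `toNULLCol`.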
@@ -1021,7 +940,7 @@ public class SentryStore { authorizable.add(KV_JOINER.join(AuthorizableType.URI.name().toLowerCase(), privilege.getURI())); } - if (!Strings.nullToEmpty(privilege.getAction()).isEmpty() + if (!isNULL(privilege.getAction()) && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) { authorizable .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(), @@ -1087,13 +1006,12 @@ public class SentryStore { private TSentryPrivilege convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege) { TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setCreateTime(mSentryPrivilege.getCreateTime()); - privilege.setPrivilegeName(mSentryPrivilege.getPrivilegeName()); - privilege.setAction(mSentryPrivilege.getAction()); + privilege.setAction(fromNULLCol(mSentryPrivilege.getAction())); privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope()); - privilege.setServerName(mSentryPrivilege.getServerName()); - privilege.setDbName(mSentryPrivilege.getDbName()); - privilege.setTableName(mSentryPrivilege.getTableName()); - privilege.setURI(mSentryPrivilege.getURI()); + privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName())); + privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName())); + privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName())); + privilege.setURI(fromNULLCol(mSentryPrivilege.getURI())); privilege.setGrantorPrincipal(mSentryPrivilege.getGrantorPrincipal()); return privilege; } 
@@ -1106,15 +1024,14 @@ public class SentryStore { private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege) throws SentryInvalidInputException { MSentryPrivilege mSentryPrivilege = new MSentryPrivilege(); - mSentryPrivilege.setServerName(safeTrimLower(privilege.getServerName())); - mSentryPrivilege.setDbName(safeTrimLower(privilege.getDbName())); - mSentryPrivilege.setTableName(safeTrimLower(privilege.getTableName())); + mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName()))); + mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName()))); + mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName()))); mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope())); - mSentryPrivilege.setAction(safeTrim(privilege.getAction())); + mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction()))); mSentryPrivilege.setCreateTime(System.currentTimeMillis()); mSentryPrivilege.setGrantorPrincipal(safeTrim(privilege.getGrantorPrincipal())); - mSentryPrivilege.setURI(safeTrim(privilege.getURI())); - mSentryPrivilege.setPrivilegeName(constructPrivilegeName(privilege)); + mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI()))); return mSentryPrivilege; } private static String safeTrim(String s) { @@ -1312,10 +1229,8 @@ public class SentryStore { TSentryPrivilege newTPrivilege) throws SentryNoSuchObjectException, SentryInvalidInputException { HashSet<MSentryRole> roleSet = Sets.newHashSet(); - tPrivilege.setPrivilegeName(constructPrivilegeName(tPrivilege)); - MSentryPrivilege mPrivilege = getMSentryPrivilege( - tPrivilege.getPrivilegeName(), pm); + MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm); if (mPrivilege != null) { roleSet.addAll(ImmutableSet.copyOf((mPrivilege.getRoles()))); } 
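Review bot: With `mSentryPrivilege.setPrivilegeName(constructPrivilegeName(privilege))` removed, `convertToMSentryPrivilege` no longer runs any of the checks the deleted function performed, although it still declares `throws SentryInvalidInputException`. Those checks covered a null server name, an unknown privilege scope, and consistency between the scope and the db, table and URI fields. As written, a null server name is stored as the sentinel through `toNULLCol(safeTrimLower(privilege.getServerName()))` instead of being rejected, and `privilegeScope` is stored after only `safeTrim`. Unless a caller outside this diff validates the request first, keep the validation half of the old function as a private helper and call it at the top of this method, for example `validatePrivilege(privilege);`. The same helper would also cover the `getMSentryPrivilege(tPrivilege, pm)` lookup in the next hunk, which lost its `constructPrivilegeName` call too.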
@@ -1336,17 +1251,17 @@ public class SentryStore { private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable, String grantorPrincipal) throws SentryInvalidInputException { TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); - tSentryPrivilege.setDbName(tAuthorizable.getDb()); - tSentryPrivilege.setServerName(tAuthorizable.getServer()); - tSentryPrivilege.setTableName(tAuthorizable.getTable()); - tSentryPrivilege.setURI(tAuthorizable.getUri()); + tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb())); + tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer())); + tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable())); + tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri())); tSentryPrivilege.setGrantorPrincipal(grantorPrincipal); PrivilegeScope scope; - if (tSentryPrivilege.getTableName() != null) { + if (!isNULL(tSentryPrivilege.getTableName())) { scope = PrivilegeScope.TABLE; - } else if (tSentryPrivilege.getDbName() != null) { + } else if (!isNULL(tSentryPrivilege.getDbName())) { scope = PrivilegeScope.DATABASE; - } else if (tSentryPrivilege.getURI() != null) { + } else if (!isNULL(tSentryPrivilege.getURI())) { scope = PrivilegeScope.URI; } else { scope = PrivilegeScope.SERVER; @@ -1355,4 +1270,16 @@ public class SentryStore { tSentryPrivilege.setAction(AccessConstants.ALL); return tSentryPrivilege; } + + public static String toNULLCol(String s) { + return Strings.isNullOrEmpty(s) ? NULL_COL : s; + } + + public static String fromNULLCol(String s) { + return isNULL(s) ? "" : s; + } + + public static boolean isNULL(String s) { + return Strings.isNullOrEmpty(s) || s.equals(NULL_COL); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- 
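Review bot: `isNULL` treats any string equal to `NULL_COL` as absent, so a client-supplied field that contains the sentinel text is silently handled as "not set". The preceding hunk already runs raw `tAuthorizable` values through `fromNULLCol` before any normalisation. Inbound values equal to `NULL_COL` should be rejected at the Thrift boundary with `SentryInvalidInputException`, so that only `toNULLCol` can introduce the sentinel. The three new `public static` methods also have no Javadoc. Each needs a one-line summary, such as `/** Maps null or empty to the NULL_COL sentinel stored in the unique-key columns. */` on `toNULLCol`, and a pointer to where `NULL_COL` is defined, which is outside this hunk.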
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 3bb7285..1b05db3 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -207,7 +207,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext, request, response); } catch (SentryNoSuchObjectException e) { - String msg = "Privilege: " + request.getPrivilege().getPrivilegeName() + " doesn't exist."; + String msg = "Privilege: [server=" + request.getPrivilege().getServerName() + + ",db=" + request.getPrivilege().getDbName() + + ",table=" + request.getPrivilege().getTableName() + + ",URI=" + request.getPrivilege().getURI() + + ",action=" + request.getPrivilege().getAction() + "] doesn't exist."; LOGGER.error(msg, e); response.setStatus(Status.NoSuchObject(msg, e)); } catch (SentryInvalidInputException e) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql index f2a62d2..3886d29 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql 
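Review bot: The new `msg` copies the client-supplied server, db, table, URI and action values unescaped into both `LOGGER.error(msg, e)` and the `Status.NoSuchObject(msg, e)` response, and calls `request.getPrivilege()` five times to do so. Take the privilege into a local first, `TSentryPrivilege p = request.getPrivilege();`, and strip CR/LF from the fields before building the message so that a name containing line breaks cannot forge extra log entries. The surrounding try/catch begins outside this hunk.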
@@ -22,7 +22,6 @@ CREATE TABLE SENTRY_DB_PRIVILEGE CREATE_TIME BIGINT NOT NULL, DB_NAME VARCHAR(4000), GRANTOR_PRINCIPAL VARCHAR(4000), - PRIVILEGE_NAME VARCHAR(4000), PRIVILEGE_SCOPE VARCHAR(40), "SERVER_NAME" VARCHAR(4000), "TABLE_NAME" VARCHAR(4000) @@ -79,7 +78,7 @@ CREATE TABLE "SENTRY_VERSION" ( ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID); -- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege] -CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME); +CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION"); -- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole] http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql index f2a62d2..3886d29 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql @@ -22,7 +22,6 @@ CREATE TABLE SENTRY_DB_PRIVILEGE CREATE_TIME BIGINT NOT NULL, DB_NAME VARCHAR(4000), GRANTOR_PRINCIPAL VARCHAR(4000), - PRIVILEGE_NAME VARCHAR(4000), PRIVILEGE_SCOPE VARCHAR(40), "SERVER_NAME" VARCHAR(4000), "TABLE_NAME" VARCHAR(4000) 
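Review bot: The new unique index on `("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION")` only blocks duplicate privileges while none of those columns holds SQL NULL, and the table definition in the hunk above still leaves `DB_NAME VARCHAR(4000)` and its siblings nullable. Several engines, PostgreSQL and MySQL among them, treat NULLs as distinct in a unique index. Uniqueness therefore depends entirely on the Java side always writing the sentinel. Declaring the key columns `NOT NULL` with the sentinel as default, for example `DB_NAME VARCHAR(4000) NOT NULL DEFAULT '__NULL__'`, would enforce this in the schema. The same applies to the derby, mysql, oracle and postgres hunks below. No upgrade step that converts existing NULL values is visible in this diff, so rows created under the old schema presumably need one.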
@@ -79,7 +78,7 @@ CREATE TABLE "SENTRY_VERSION" ( ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID); -- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege] -CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME); +CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION"); -- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole] http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql index 70f4dbb..fee5028 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql @@ -27,7 +27,6 @@ CREATE TABLE `SENTRY_DB_PRIVILEGE` ( `DB_PRIVILEGE_ID` BIGINT NOT NULL, - `PRIVILEGE_NAME` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, 
@@ -81,7 +80,7 @@ ALTER TABLE `SENTRY_VERSION` ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`); ALTER TABLE `SENTRY_DB_PRIVILEGE` - ADD INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`PRIVILEGE_NAME`(250)); + ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`URI`(250),`ACTION`); ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql index 363590e..cbdd337 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql @@ -15,7 +15,6 @@ CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "DB_PRIVILEGE_ID" NUMBER NOT NULL, - "PRIVILEGE_NAME" VARCHAR2(4000) NOT NULL, "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL, "SERVER_NAME" VARCHAR2(128) NOT NULL, "DB_NAME" VARCHAR2(128) NULL, @@ -68,7 +67,7 @@ ALTER TABLE "SENTRY_GROUP" ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); ALTER TABLE "SENTRY_DB_PRIVILEGE" - ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME"); + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI","ACTION"); CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME"); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql ---------------------------------------------------------------------- 
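Review bot: In the new `ADD UNIQUE ... (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`URI`(250),`ACTION`)`, the prefix length on `URI` makes MySQL enforce uniqueness on the first 250 characters only. Two URI privileges on the same server and action whose paths share a 250-character prefix will therefore collide, and the second grant will fail with a duplicate-key error. The prefix was harmless on the old non-unique `ADD INDEX`, but it changes behaviour now that the index is `UNIQUE`. Either cap the `URI` column at a length that can be indexed in full, or enforce uniqueness over a fixed-length digest column of the URI and keep the prefix index for lookups only. The `URI` column definition is outside this hunk, so its current length needs checking.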
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql index 5dfae03..5a30aa7 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql @@ -27,7 +27,6 @@ SET default_with_oids = false; CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "DB_PRIVILEGE_ID" BIGINT NOT NULL, - "PRIVILEGE_NAME" character varying(4000) NOT NULL, "PRIVILEGE_SCOPE" character varying(32) NOT NULL, "SERVER_NAME" character varying(128) NOT NULL, "DB_NAME" character varying(128) DEFAULT NULL::character varying, @@ -81,7 +80,7 @@ ALTER TABLE ONLY "SENTRY_GROUP" ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE" - ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME"); + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI", "ACTION"); CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME"); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index fdc7b9c..eb3e73e 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 
@@ -33,12 +33,11 @@ namespace cpp Apache.Sentry.Provider.Db.Service.Thrift # Represents a Privilege in transport from the client to the server struct TSentryPrivilege { 1: required string privilegeScope, # Valid values are SERVER, DATABASE, TABLE -2: optional string privilegeName, # Generated on server side 3: required string serverName, -4: optional string dbName, -5: optional string tableName, -6: optional string URI, -7: required string action, +4: optional string dbName = "", +5: optional string tableName = "", +6: optional string URI = "", +7: required string action = "", 8: optional i64 createTime, # Set on server side 9: optional string grantorPrincipal # Set on server side } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 7637376..7e1ae58 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -89,7 +89,6 @@ public class TestSentryStore { privilege.setAction(AccessConstants.ALL); privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); - privilege.setPrivilegeName(SentryStore.constructPrivilegeName(privilege)); long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups).getSequenceId()); 
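Review bot: Field id 2 is removed from `TSentryPrivilege` without a marker, so a later change could reuse it with a different meaning while older clients still send `privilegeName` under that id. Leave a comment in the struct, for example `# 2: privilegeName -- removed in SENTRY-339, do not reuse this id`. The comment on field 1 also lists only SERVER, DATABASE and TABLE as valid scopes, although the Java side of this commit handles a URI scope. Giving `7: required string action` a default of `""` means an unset action now arrives as an empty string and is mapped to the sentinel by `toNULLCol`. Whether that is meant to stand for ALL should be stated in the field comment.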
@@ -105,7 +104,6 @@ public class TestSentryStore { sentryStore.createSentryRole(roleName, grantor); TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL"); tSentryPrivilege.setURI(uri); - tSentryPrivilege.setPrivilegeName(SentryStore.constructPrivilegeName(tSentryPrivilege)); sentryStore.alterSentryRoleGrantPrivilege(roleName, tSentryPrivilege); TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); @@ -128,7 +126,7 @@ public class TestSentryStore { sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("group1")), thriftRoleSet, tSentryAuthorizable); assertTrue(privs.size()==1); - assertTrue(privs.contains("server=server1->uri=" + uri + "->action=ALL")); + assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all")); } @Test @@ -205,13 +203,11 @@ public class TestSentryStore { privilege.setAction(AccessConstants.ALL); privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); - privilege.setPrivilegeName(SentryStore.constructPrivilegeName(privilege)); assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege) .getSequenceId()); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); - assertEquals(privilege.getPrivilegeName(), Iterables.get(privileges, 0).getPrivilegeName()); privilege.setAction(AccessConstants.SELECT); assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege) .getSequenceId()); 
@@ -241,7 +237,6 @@ public class TestSentryStore { privilege1.setAction("SELECT"); privilege1.setGrantorPrincipal(grantor); privilege1.setCreateTime(System.currentTimeMillis()); - privilege1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege1)); assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1) .getSequenceId()); assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege1) @@ -251,7 +246,6 @@ public class TestSentryStore { privilege2.setServerName("server1"); privilege2.setGrantorPrincipal(grantor); privilege2.setCreateTime(System.currentTimeMillis()); - privilege2.setPrivilegeName(SentryStore.constructPrivilegeName(privilege2)); assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2) .getSequenceId()); Set<TSentryGroup> groups = Sets.newHashSet(); 
@@ -377,25 +371,20 @@ public class TestSentryStore { privilege_tbl1.setTableName("tbl1"); privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); - privilege_tbl1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege_tbl1)); TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1); privilege1.setAction("SELECT"); - privilege1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege1)); TSentryPrivilege privilege2_1 = new TSentryPrivilege(privilege_tbl1); privilege2_1.setAction("INSERT"); - privilege2_1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege2_1)); TSentryPrivilege privilege3_1 = new TSentryPrivilege(privilege_tbl1); privilege3_1.setAction("*"); - privilege3_1.setPrivilegeName(SentryStore.constructPrivilegeName(privilege3_1)); TSentryPrivilege privilege_server = new TSentryPrivilege(); privilege_server.setPrivilegeScope("SERVER"); privilege_server.setServerName("server1"); privilege_server.setGrantorPrincipal(grantor); privilege_server.setCreateTime(System.currentTimeMillis()); - privilege_server.setPrivilegeName(SentryStore.constructPrivilegeName(privilege_server)); TSentryPrivilege privilege_tbl2 = new TSentryPrivilege(); privilege_tbl2.setPrivilegeScope("TABLE"); @@ -407,12 +396,9 @@ public class TestSentryStore { TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2); privilege2_3.setAction("SELECT"); - privilege2_3.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege2_3)); TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2); privilege3_2.setAction("INSERT"); - privilege2_3.setPrivilegeName(SentryStore.constructPrivilegeName(privilege2_3)); sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1); 
@@ -453,19 +439,13 @@ public class TestSentryStore { privilege_tbl1.setTableName("tbl1"); privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); - privilege_tbl1.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1)); TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( privilege_tbl1); privilege_tbl1_insert.setAction("INSERT"); - privilege_tbl1_insert.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1_insert)); TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); privilege_tbl1_all.setAction("*"); - privilege_tbl1_all.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1_all)); sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_all); 
@@ -507,25 +487,17 @@ public class TestSentryStore { privilege_tbl1.setTableName(table1); privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); - privilege_tbl1.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1)); TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( privilege_tbl1); privilege_tbl1_insert.setAction(AccessConstants.INSERT); - privilege_tbl1_insert.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1_insert)); TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege( privilege_tbl1); privilege_tbl1_select.setAction(AccessConstants.SELECT); - privilege_tbl1_select.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1_select)); TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); privilege_tbl1_all.setAction(AccessConstants.ALL); - privilege_tbl1_all.setPrivilegeName(SentryStore - .constructPrivilegeName(privilege_tbl1_all)); sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege_tbl1_select); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java index 79579c6..e5238a6 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 
@@ -103,11 +103,11 @@ public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBas Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db2")); Assert.assertEquals("Privilege not correctly assigned to roles !!", - Sets.newHashSet("server=server->db=db2->table=table4->action=ALL", "server=server->db=db2->table=table3->action=ALL"), + Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db3")); - Assert.assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=ALL"), listPrivilegesForProvider); + Assert.assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); Assert.assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index a4ae291..e2f0a8d 100644 
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java @@ -186,10 +186,6 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName); assertTrue(privileges.size() == 1); - for (TSentryPrivilege privilege:privileges) { - assertTrue(privilege.getPrivilegeName(), - privilege.getPrivilegeName().equalsIgnoreCase(SentryStore.constructPrivilegeName(privilege))); - } client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL); client.dropRole(requestorUserName, roleName); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d6b1eb6e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java index 948b0c4..c238361 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPolicyImport.java @@ -127,7 +127,6 @@ public class TestPolicyImport extends AbstractTestWithStaticConfiguration { for (TSentryPrivilege privilege : actualPrivileges) { privilege.unsetCreateTime(); privilege.unsetGrantorPrincipal(); - privilege.unsetPrivilegeName(); } assertEquals("Expected privileges don't match.", expectedPrivileges, actualPrivileges);
