SENTRY-380: Clean up some grantorPrincipal semantics (Sravya Tirukkovalur via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/dbcdb6d6 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/dbcdb6d6 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/dbcdb6d6 Branch: refs/heads/master Commit: dbcdb6d6430fd5cde17df1cf3bd0f805795da2d7 Parents: fd70448 Author: Prasad Mujumdar <[email protected]> Authored: Tue Sep 16 23:00:33 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Tue Sep 16 23:00:33 2014 -0700 ---------------------------------------------------------------------- .../hive/ql/exec/SentryGrantRevokeTask.java | 4 +- .../db/service/thrift/TSentryPrivilege.java | 122 +-------------- .../provider/db/service/thrift/TSentryRole.java | 105 +------------ .../provider/db/service/model/MSentryGroup.java | 16 +- .../db/service/model/MSentryPrivilege.java | 11 +- .../provider/db/service/model/MSentryRole.java | 15 +- .../provider/db/service/model/package.jdo | 11 +- .../db/service/persistent/SentryStore.java | 44 ++---- .../thrift/SentryPolicyServiceClient.java | 2 - .../thrift/SentryPolicyStoreProcessor.java | 13 +- .../src/main/resources/sentry-db2-1.5.0.sql | 9 +- .../src/main/resources/sentry-derby-1.5.0.sql | 9 +- .../src/main/resources/sentry-mysql-1.5.0.sql | 15 +- .../src/main/resources/sentry-oracle-1.5.0.sql | 13 +- .../main/resources/sentry-postgres-1.5.0.sql | 13 +- .../main/resources/sentry_policy_service.thrift | 5 +- .../db/service/persistent/TestSentryStore.java | 155 ++++++++----------- .../e2e/dbprovider/TestDatabaseProvider.java | 34 ++-- .../tests/e2e/hive/TestMovingToProduction.java | 2 +- .../sentry/tests/e2e/hive/TestPolicyImport.java | 1 - 20 files changed, 151 insertions(+), 448 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 4f34de6..4126341 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -425,7 +425,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 appendNonNull(builder, privilege.getAction());
 appendNonNull(builder, false);//isGrantOption()
 appendNonNull(builder, privilege.getCreateTime() * 1000L);
- appendNonNull(builder, privilege.getGrantorPrincipal());
+ appendNonNull(builder, "--");
 }
 LOG.info("builder.toString(): " + builder.toString());
 return builder.toString();
@@ -440,7 +440,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
 appendNonNull(builder, roleGrant.getRoleName(), true);
 appendNonNull(builder, false);//isGrantOption()
 appendNonNull(builder, null);//roleGrant.getGrantTime() * 1000L
- appendNonNull(builder, roleGrant.getGrantorPrincipal());
+ appendNonNull(builder, "--");
 }
 return builder.toString();
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java
----------------------------------------------------------------------
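Review bot: The literal `"--"` now fills the grantor column in both writers (the privilege rows in the hunk at 425 and the role-grant rows in the hunk at 440) with no constant or comment saying what it stands for. Someone reading this output during an access review will see a value that looks like data rather than "not recorded", so I would define it once, e.g. `private static final String GRANTOR_NOT_TRACKED = "--"; // grantor is no longer stored`, and pass that in both calls. Both enclosing methods start outside the hunks, so whether other columns already use a similar placeholder is not visible here.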
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java index 54b6204..dbe96ff 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java @@ -41,8 +41,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg private static final org.apache.thrift.protocol.TField URI_FIELD_DESC = new org.apache.thrift.protocol.TField("URI", org.apache.thrift.protocol.TType.STRING, (short)6); private static final org.apache.thrift.protocol.TField ACTION_FIELD_DESC = new org.apache.thrift.protocol.TField("action", org.apache.thrift.protocol.TType.STRING, (short)7); private static final org.apache.thrift.protocol.TField CREATE_TIME_FIELD_DESC = new org.apache.thrift.protocol.TField("createTime", org.apache.thrift.protocol.TType.I64, (short)8); - private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)9); - private static final org.apache.thrift.protocol.TField GRANT_OPTION_FIELD_DESC = new org.apache.thrift.protocol.TField("grantOption", org.apache.thrift.protocol.TType.I32, (short)10); + private static final org.apache.thrift.protocol.TField GRANT_OPTION_FIELD_DESC = new org.apache.thrift.protocol.TField("grantOption", org.apache.thrift.protocol.TType.I32, (short)9); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); static { 
@@ -57,7 +56,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg private String URI; // optional private String action; // required private long createTime; // optional - private String grantorPrincipal; // optional private TSentryGrantOption grantOption; // optional /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ @@ -69,12 +67,11 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg URI((short)6, "URI"), ACTION((short)7, "action"), CREATE_TIME((short)8, "createTime"), - GRANTOR_PRINCIPAL((short)9, "grantorPrincipal"), /** * * @see TSentryGrantOption */ - GRANT_OPTION((short)10, "grantOption"); + GRANT_OPTION((short)9, "grantOption"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); @@ -103,9 +100,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return ACTION; case 8: // CREATE_TIME return CREATE_TIME; - case 9: // GRANTOR_PRINCIPAL - return GRANTOR_PRINCIPAL; - case 10: // GRANT_OPTION + case 9: // GRANT_OPTION return GRANT_OPTION; default: return null; @@ -149,7 +144,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg // isset id assignments private static final int __CREATETIME_ISSET_ID = 0; private byte __isset_bitfield = 0; - private _Fields optionals[] = {_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANTOR_PRINCIPAL,_Fields.GRANT_OPTION}; + private _Fields optionals[] = {_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANT_OPTION}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); 
@@ -167,8 +162,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.CREATE_TIME, new org.apache.thrift.meta_data.FieldMetaData("createTime", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.I64))); - tmpMap.put(_Fields.GRANTOR_PRINCIPAL, new org.apache.thrift.meta_data.FieldMetaData("grantorPrincipal", org.apache.thrift.TFieldRequirementType.OPTIONAL, - new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.GRANT_OPTION, new org.apache.thrift.meta_data.FieldMetaData("grantOption", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.EnumMetaData(org.apache.thrift.protocol.TType.ENUM, TSentryGrantOption.class))); metaDataMap = Collections.unmodifiableMap(tmpMap); @@ -223,9 +216,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg this.action = other.action; } this.createTime = other.createTime; - if (other.isSetGrantorPrincipal()) { - this.grantorPrincipal = other.grantorPrincipal; - } if (other.isSetGrantOption()) { this.grantOption = other.grantOption; } @@ -249,7 +239,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg setCreateTimeIsSet(false); this.createTime = 0; - this.grantorPrincipal = null; this.grantOption = org.apache.sentry.provider.db.service.thrift.TSentryGrantOption.FALSE; } 
@@ -414,29 +403,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg __isset_bitfield = EncodingUtils.setBit(__isset_bitfield, __CREATETIME_ISSET_ID, value); } - public String getGrantorPrincipal() { - return this.grantorPrincipal; - } - - public void setGrantorPrincipal(String grantorPrincipal) { - this.grantorPrincipal = grantorPrincipal; - } - - public void unsetGrantorPrincipal() { - this.grantorPrincipal = null; - } - - /** Returns true if field grantorPrincipal is set (has been assigned a value) and false otherwise */ - public boolean isSetGrantorPrincipal() { - return this.grantorPrincipal != null; - } - - public void setGrantorPrincipalIsSet(boolean value) { - if (!value) { - this.grantorPrincipal = null; - } - } - /** * * @see TSentryGrantOption @@ -526,14 +492,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg } break; - case GRANTOR_PRINCIPAL: - if (value == null) { - unsetGrantorPrincipal(); - } else { - setGrantorPrincipal((String)value); - } - break; - case GRANT_OPTION: if (value == null) { unsetGrantOption(); @@ -568,9 +526,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg case CREATE_TIME: return Long.valueOf(getCreateTime()); - case GRANTOR_PRINCIPAL: - return getGrantorPrincipal(); - case GRANT_OPTION: return getGrantOption(); @@ -599,8 +554,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return isSetAction(); case CREATE_TIME: return isSetCreateTime(); - case GRANTOR_PRINCIPAL: - return isSetGrantorPrincipal(); case GRANT_OPTION: return isSetGrantOption(); } 
@@ -683,15 +636,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return false; } - boolean this_present_grantorPrincipal = true && this.isSetGrantorPrincipal(); - boolean that_present_grantorPrincipal = true && that.isSetGrantorPrincipal(); - if (this_present_grantorPrincipal || that_present_grantorPrincipal) { - if (!(this_present_grantorPrincipal && that_present_grantorPrincipal)) - return false; - if (!this.grantorPrincipal.equals(that.grantorPrincipal)) - return false; - } - boolean this_present_grantOption = true && this.isSetGrantOption(); boolean that_present_grantOption = true && that.isSetGrantOption(); if (this_present_grantOption || that_present_grantOption) { @@ -743,11 +687,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg if (present_createTime) builder.append(createTime); - boolean present_grantorPrincipal = true && (isSetGrantorPrincipal()); - builder.append(present_grantorPrincipal); - if (present_grantorPrincipal) - builder.append(grantorPrincipal); - boolean present_grantOption = true && (isSetGrantOption()); builder.append(present_grantOption); if (present_grantOption) @@ -834,16 +773,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg return lastComparison; } } - lastComparison = Boolean.valueOf(isSetGrantorPrincipal()).compareTo(typedOther.isSetGrantorPrincipal()); - if (lastComparison != 0) { - return lastComparison; - } - if (isSetGrantorPrincipal()) { - lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.grantorPrincipal, typedOther.grantorPrincipal); - if (lastComparison != 0) { - return lastComparison; - } - } lastComparison = Boolean.valueOf(isSetGrantOption()).compareTo(typedOther.isSetGrantOption()); if (lastComparison != 0) { return lastComparison; 
@@ -933,16 +862,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg sb.append(this.createTime); first = false; } - if (isSetGrantorPrincipal()) { - if (!first) sb.append(", "); - sb.append("grantorPrincipal:"); - if (this.grantorPrincipal == null) { - sb.append("null"); - } else { - sb.append(this.grantorPrincipal); - } - first = false; - } if (isSetGrantOption()) { if (!first) sb.append(", "); sb.append("grantOption:"); @@ -1066,15 +985,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 9: // GRANTOR_PRINCIPAL - if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { - struct.grantorPrincipal = iprot.readString(); - struct.setGrantorPrincipalIsSet(true); - } else { - org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); - } - break; - case 10: // GRANT_OPTION + case 9: // GRANT_OPTION if (schemeField.type == org.apache.thrift.protocol.TType.I32) { struct.grantOption = TSentryGrantOption.findByValue(iprot.readI32()); struct.setGrantOptionIsSet(true); @@ -1136,13 +1047,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg oprot.writeI64(struct.createTime); oprot.writeFieldEnd(); } - if (struct.grantorPrincipal != null) { - if (struct.isSetGrantorPrincipal()) { - oprot.writeFieldBegin(GRANTOR_PRINCIPAL_FIELD_DESC); - oprot.writeString(struct.grantorPrincipal); - oprot.writeFieldEnd(); - } - } if (struct.grantOption != null) { if (struct.isSetGrantOption()) { oprot.writeFieldBegin(GRANT_OPTION_FIELD_DESC); 
@@ -1183,13 +1087,10 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg if (struct.isSetCreateTime()) { optionals.set(3); } - if (struct.isSetGrantorPrincipal()) { - optionals.set(4); - } if (struct.isSetGrantOption()) { - optionals.set(5); + optionals.set(4); } - oprot.writeBitSet(optionals, 6); + oprot.writeBitSet(optionals, 5); if (struct.isSetDbName()) { oprot.writeString(struct.dbName); } @@ -1202,9 +1103,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg if (struct.isSetCreateTime()) { oprot.writeI64(struct.createTime); } - if (struct.isSetGrantorPrincipal()) { - oprot.writeString(struct.grantorPrincipal); - } if (struct.isSetGrantOption()) { oprot.writeI32(struct.grantOption.getValue()); } @@ -1219,7 +1117,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg struct.setServerNameIsSet(true); struct.action = iprot.readString(); struct.setActionIsSet(true); - BitSet incoming = iprot.readBitSet(6); + BitSet incoming = iprot.readBitSet(5); if (incoming.get(0)) { struct.dbName = iprot.readString(); struct.setDbNameIsSet(true); @@ -1237,10 +1135,6 @@ public class TSentryPrivilege implements org.apache.thrift.TBase<TSentryPrivileg struct.setCreateTimeIsSet(true); } if (incoming.get(4)) { - struct.grantorPrincipal = iprot.readString(); - struct.setGrantorPrincipalIsSet(true); - } - if (incoming.get(5)) { struct.grantOption = TSentryGrantOption.findByValue(iprot.readI32()); struct.setGrantOptionIsSet(true); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java index f43a6d5..cc7973f 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java @@ -36,7 +36,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)1); private static final org.apache.thrift.protocol.TField GROUPS_FIELD_DESC = new org.apache.thrift.protocol.TField("groups", org.apache.thrift.protocol.TType.SET, (short)2); - private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)3); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); static { @@ -46,13 +45,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry private String roleName; // required private Set<TSentryGroup> groups; // required - private String grantorPrincipal; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { ROLE_NAME((short)1, "roleName"), - GROUPS((short)2, "groups"), - GRANTOR_PRINCIPAL((short)3, "grantorPrincipal"); + GROUPS((short)2, "groups"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); 
@@ -71,8 +68,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return ROLE_NAME; case 2: // GROUPS return GROUPS; - case 3: // GRANTOR_PRINCIPAL - return GRANTOR_PRINCIPAL; default: return null; } @@ -121,8 +116,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry tmpMap.put(_Fields.GROUPS, new org.apache.thrift.meta_data.FieldMetaData("groups", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryGroup.class)))); - tmpMap.put(_Fields.GRANTOR_PRINCIPAL, new org.apache.thrift.meta_data.FieldMetaData("grantorPrincipal", org.apache.thrift.TFieldRequirementType.REQUIRED, - new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TSentryRole.class, metaDataMap); } @@ -132,13 +125,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry public TSentryRole( String roleName, - Set<TSentryGroup> groups, - String grantorPrincipal) + Set<TSentryGroup> groups) { this(); this.roleName = roleName; this.groups = groups; - this.grantorPrincipal = grantorPrincipal; } /** @@ -155,9 +146,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } this.groups = __this__groups; } - if (other.isSetGrantorPrincipal()) { - this.grantorPrincipal = other.grantorPrincipal; - } } public TSentryRole deepCopy() { @@ -168,7 +156,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry public void clear() { this.roleName = null; this.groups = null; - this.grantorPrincipal = null; } public String getRoleName() { 
@@ -232,29 +219,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } } - public String getGrantorPrincipal() { - return this.grantorPrincipal; - } - - public void setGrantorPrincipal(String grantorPrincipal) { - this.grantorPrincipal = grantorPrincipal; - } - - public void unsetGrantorPrincipal() { - this.grantorPrincipal = null; - } - - /** Returns true if field grantorPrincipal is set (has been assigned a value) and false otherwise */ - public boolean isSetGrantorPrincipal() { - return this.grantorPrincipal != null; - } - - public void setGrantorPrincipalIsSet(boolean value) { - if (!value) { - this.grantorPrincipal = null; - } - } - public void setFieldValue(_Fields field, Object value) { switch (field) { case ROLE_NAME: @@ -273,14 +237,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } break; - case GRANTOR_PRINCIPAL: - if (value == null) { - unsetGrantorPrincipal(); - } else { - setGrantorPrincipal((String)value); - } - break; - } } @@ -292,9 +248,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry case GROUPS: return getGroups(); - case GRANTOR_PRINCIPAL: - return getGrantorPrincipal(); - } throw new IllegalStateException(); } @@ -310,8 +263,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return isSetRoleName(); case GROUPS: return isSetGroups(); - case GRANTOR_PRINCIPAL: - return isSetGrantorPrincipal(); } throw new IllegalStateException(); } 
@@ -347,15 +298,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return false; } - boolean this_present_grantorPrincipal = true && this.isSetGrantorPrincipal(); - boolean that_present_grantorPrincipal = true && that.isSetGrantorPrincipal(); - if (this_present_grantorPrincipal || that_present_grantorPrincipal) { - if (!(this_present_grantorPrincipal && that_present_grantorPrincipal)) - return false; - if (!this.grantorPrincipal.equals(that.grantorPrincipal)) - return false; - } - return true; } @@ -373,11 +315,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry if (present_groups) builder.append(groups); - boolean present_grantorPrincipal = true && (isSetGrantorPrincipal()); - builder.append(present_grantorPrincipal); - if (present_grantorPrincipal) - builder.append(grantorPrincipal); - return builder.toHashCode(); } @@ -409,16 +346,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry return lastComparison; } } - lastComparison = Boolean.valueOf(isSetGrantorPrincipal()).compareTo(typedOther.isSetGrantorPrincipal()); - if (lastComparison != 0) { - return lastComparison; - } - if (isSetGrantorPrincipal()) { - lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.grantorPrincipal, typedOther.grantorPrincipal); - if (lastComparison != 0) { - return lastComparison; - } - } return 0; } @@ -454,14 +381,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry sb.append(this.groups); } first = false; - if (!first) sb.append(", "); - sb.append("grantorPrincipal:"); - if (this.grantorPrincipal == null) { - sb.append("null"); - } else { - sb.append(this.grantorPrincipal); - } - first = false; sb.append(")"); return sb.toString(); } 
@@ -476,10 +395,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry throw new org.apache.thrift.protocol.TProtocolException("Required field 'groups' is unset! Struct:" + toString()); } - if (!isSetGrantorPrincipal()) { - throw new org.apache.thrift.protocol.TProtocolException("Required field 'grantorPrincipal' is unset! Struct:" + toString()); - } - // check for sub-struct validity } @@ -544,14 +459,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 3: // GRANTOR_PRINCIPAL - if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { - struct.grantorPrincipal = iprot.readString(); - struct.setGrantorPrincipalIsSet(true); - } else { - org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); - } - break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -582,11 +489,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } oprot.writeFieldEnd(); } - if (struct.grantorPrincipal != null) { - oprot.writeFieldBegin(GRANTOR_PRINCIPAL_FIELD_DESC); - oprot.writeString(struct.grantorPrincipal); - oprot.writeFieldEnd(); - } oprot.writeFieldStop(); oprot.writeStructEnd(); } @@ -612,7 +514,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry _iter20.write(oprot); } } - oprot.writeString(struct.grantorPrincipal); } @Override @@ -632,8 +533,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry } } struct.setGroupsIsSet(true); - struct.grantorPrincipal = iprot.readString(); - struct.setGrantorPrincipalIsSet(true); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
index 3f68f0d..32dbafc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
@@ -36,13 +36,10 @@ public class MSentryGroup {
 // set of roles granted to this group
 private Set<MSentryRole> roles;
 private long createTime;
- private String grantorPrincipal;
- public MSentryGroup(String groupName, long createTime, String grantorPrincipal,
- Set<MSentryRole> roles) {
+ public MSentryGroup(String groupName, long createTime, Set<MSentryRole> roles) {
 this.setGroupName(groupName);
 this.createTime = createTime;
- this.grantorPrincipal = grantorPrincipal;
 this.roles = roles;
 }
@@ -54,14 +51,6 @@ public class MSentryGroup {
 this.createTime = createTime;
 }
- public String getGrantorPrincipal() {
- return grantorPrincipal;
- }
-
- public void setGrantorPrincipal(String grantorPrincipal) {
- this.grantorPrincipal = grantorPrincipal;
- }
-
 public Set<MSentryRole> getRoles() {
 return roles;
 }
@@ -89,8 +78,7 @@ public class MSentryGroup {
 @Override
 public String toString() {
 return "MSentryGroup [groupName=" + groupName + ", roles=[...]"
- + ", createTime=" + createTime + ", grantorPrincipal="
- + grantorPrincipal + "]";
+ + ", createTime=" + createTime + "]";
 }
 @Override
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java index 5328fff..0667cb5 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java @@ -46,7 +46,6 @@ public class MSentryPrivilege { // roles this privilege is a part of private Set<MSentryRole> roles; private long createTime; - private String grantorPrincipal; public MSentryPrivilege() { this.roles = new HashSet<MSentryRole>(); @@ -134,14 +133,6 @@ public class MSentryPrivilege { this.createTime = createTime; } - public String getGrantorPrincipal() { - return grantorPrincipal; - } - - public void setGrantorPrincipal(String grantorPrincipal) { - this.grantorPrincipal = grantorPrincipal; - } - public String getPrivilegeScope() { return privilegeScope; } @@ -177,7 +168,7 @@ public class MSentryPrivilege { + ", serverName=" + serverName + ", dbName=" + dbName + ", tableName=" + tableName + ", URI=" + URI + ", action=" + action + ", roles=[...]" + ", createTime=" - + createTime + ", grantorPrincipal=" + grantorPrincipal + + createTime + ", grantOption=" + grantOption +"]"; } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java index 912ed95..bca9fb9 100644 
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
@@ -39,12 +39,10 @@ public class MSentryRole {
 // set of groups this role belongs to
 private Set<MSentryGroup> groups;
 private long createTime;
- private String grantorPrincipal;
- public MSentryRole(String roleName, long createTime, String grantorPrincipal) {
+ public MSentryRole(String roleName, long createTime) {
 this.roleName = roleName;
 this.createTime = createTime;
- this.grantorPrincipal = grantorPrincipal;
 privileges = new HashSet<MSentryPrivilege>();
 groups = new HashSet<MSentryGroup>();
 }
@@ -57,14 +55,6 @@ public class MSentryRole {
 this.createTime = createTime;
 }
- public String getGrantorPrincipal() {
- return grantorPrincipal;
- }
-
- public void setGrantorPrincipal(String grantorPrincipal) {
- this.grantorPrincipal = grantorPrincipal;
- }
-
 public String getRoleName() {
 return roleName;
 }
@@ -132,8 +122,7 @@ public class MSentryRole {
 @Override
 public String toString() {
 return "MSentryRole [roleName=" + roleName + ", privileges=[..]"
- + ", groups=[...]" + ", createTime=" + createTime
- + ", grantorPrincipal=" + grantorPrincipal + "]";
+ + ", groups=[...]" + ", createTime=" + createTime + "]";
 }
 @Override
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
index b39cb18..9abaab8 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
@@ -38,10 +38,7 @@
 <field name = "createTime">
 <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
 </field>
- <field name="grantorPrincipal">
- <column name="GRANTOR_PRINCIPAL" length="4000" jdbc-type="VARCHAR"/>
- </field>
-
+
 <field name="roles" mapped-by="groups">
 <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
 </field>
@@ -59,9 +56,6 @@
 <field name = "createTime">
 <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
 </field>
- <field name="grantorPrincipal">
- <column name="GRANTOR_PRINCIPAL" length="4000" jdbc-type="VARCHAR"/>
- </field>
 <field name = "privileges" table="SENTRY_ROLE_DB_PRIVILEGE_MAP" default-fetch-group="true">
 <collection element-type="org.apache.sentry.provider.db.service.model.MSentryPrivilege"/>
 <join>
@@ -116,9 +110,6 @@
 <field name = "createTime">
 <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
 </field>
- <field name="grantorPrincipal">
- <column name="GRANTOR_PRINCIPAL" length="4000" jdbc-type="VARCHAR"/>
- </field>
 <field name="grantOption">
 <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
 </field>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 718306d..869b8e3 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -243,11 +243,10 @@ public class SentryStore { /** * Create a sentry role and persist it. * @param roleName: Name of the role being persisted - * @param grantorPrincipal: TODO: Currently not used * @returns commit context used for notification handlers * @throws SentryAlreadyExistsException */ - public CommitContext createSentryRole(String roleName, String grantorPrincipal) + public CommitContext createSentryRole(String roleName) throws SentryAlreadyExistsException { roleName = trimAndLower(roleName); boolean rollbackTransaction = true; @@ -256,7 +255,7 @@ public class SentryStore { pm = openTransaction(); MSentryRole mSentryRole = getMSentryRole(pm, roleName); if (mSentryRole == null) { - MSentryRole mRole = new MSentryRole(roleName, System.currentTimeMillis(), grantorPrincipal); + MSentryRole mRole = new MSentryRole(roleName, System.currentTimeMillis()); pm.makePersistent(mRole); CommitContext commit = commitUpdateTransaction(pm); rollbackTransaction = false; @@ -271,7 +270,8 @@ public class SentryStore { } } - public CommitContext alterSentryRoleGrantPrivilege(String roleName, TSentryPrivilege privilege) + public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, + String roleName, TSentryPrivilege privilege) throws SentryUserException { boolean rollbackTransaction = true; PersistenceManager pm = null; @@ -279,7 +279,7 @@ public class SentryStore { try { pm = openTransaction(); // first do grant check - grantOptionCheck(pm, privilege); + grantOptionCheck(pm, grantorPrincipal, privilege); alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege); CommitContext commit = commitUpdateTransaction(pm); @@ -340,7 +340,7 @@ public class SentryStore { return; } - public CommitContext alterSentryRoleRevokePrivilege(String roleName, + public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, String roleName, TSentryPrivilege tPrivilege) throws SentryUserException { boolean rollbackTransaction = true; PersistenceManager pm = null; 
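Review bot: `alterSentryRoleGrantPrivilege` in the `@@ -271` hunk now receives the principal that the grant-option check runs against, but the public method has no Javadoc and its first two parameters are both `String`, so a caller that swaps `grantorPrincipal` and `roleName` still compiles. A short Javadoc would help: `@param grantorPrincipal user issuing the request; checked by grantOptionCheck` and `@param roleName role receiving the privilege`. The same applies to `alterSentryRoleRevokePrivilege` in the `@@ -340` hunk, where the parameter named `grantorPrincipal` is the principal performing the revoke and the Javadoc should say so. Both method bodies continue outside their hunks.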
@@ -348,7 +348,7 @@ public class SentryStore { try { pm = openTransaction(); // first do revoke check - grantOptionCheck(pm, tPrivilege); + grantOptionCheck(pm, grantorPrincipal, tPrivilege); alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege); @@ -497,7 +497,7 @@ public class SentryStore { query.setFilter(filters.toString()); query - .setResult("privilegeScope, serverName, dbName, tableName, URI, action, grantorPrincipal, grantOption"); + .setResult("privilegeScope, serverName, dbName, tableName, URI, action, grantOption"); Set<MSentryPrivilege> privileges = new HashSet<MSentryPrivilege>(); for (Object[] privObj : (List<Object[]>) query.execute()) { MSentryPrivilege priv = new MSentryPrivilege(); @@ -507,8 +507,7 @@ public class SentryStore { priv.setTableName((String) privObj[3]); priv.setURI((String) privObj[4]); priv.setAction((String) privObj[5]); - priv.setGrantorPrincipal((String) privObj[6]); - priv.setGrantOption((Boolean) privObj[7]); + priv.setGrantOption((Boolean) privObj[6]); privileges.add(priv); } rollbackTransaction = false; @@ -573,8 +572,8 @@ public class SentryStore { } } - public CommitContext alterSentryRoleAddGroups(String grantorPrincipal, - String roleName, Set<TSentryGroup> groupNames) + public CommitContext alterSentryRoleAddGroups( String grantorPrincipal, String roleName, + Set<TSentryGroup> groupNames) throws SentryNoSuchObjectException { boolean rollbackTransaction = true; PersistenceManager pm = null; @@ -599,7 +598,7 @@ public class SentryStore { MSentryGroup group = (MSentryGroup) query.execute(groupName); if (group == null) { group = new MSentryGroup(groupName, System.currentTimeMillis(), - grantorPrincipal, Sets.newHashSet(role)); + Sets.newHashSet(role)); } group.appendRole(role); groups.add(group); 
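Review bot: The `@@ -599` hunk removes the only visible use of `grantorPrincipal` inside `alterSentryRoleAddGroups`, while the `@@ -573` hunk keeps the parameter in the signature. If nothing else in the body reads it (part of the body is outside these hunks), the method accepts a principal that it neither checks nor stores, which can read as if group assignment were attributed or authorized when it is not. Either drop the parameter or document it, e.g. `// grantorPrincipal is accepted for API symmetry; it is not persisted or checked here`. The reflowed signature also has a stray space after the opening parenthesis, `alterSentryRoleAddGroups( String grantorPrincipal, ...`.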
@@ -1000,7 +999,6 @@ public class SentryStore { private TSentryRole convertToTSentryRole(MSentryRole mSentryRole) { TSentryRole role = new TSentryRole(); role.setRoleName(mSentryRole.getRoleName()); - role.setGrantorPrincipal(mSentryRole.getGrantorPrincipal()); Set<TSentryGroup> sentryGroups = new HashSet<TSentryGroup>(); for(MSentryGroup mSentryGroup:mSentryRole.getGroups()) { TSentryGroup group = convertToTSentryGroup(mSentryGroup); @@ -1026,7 +1024,6 @@ public class SentryStore { privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName())); privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName())); privilege.setURI(fromNULLCol(mSentryPrivilege.getURI())); - privilege.setGrantorPrincipal(mSentryPrivilege.getGrantorPrincipal()); if (mSentryPrivilege.getGrantOption() != null) { privilege.setGrantOption(TSentryGrantOption.valueOf(mSentryPrivilege.getGrantOption().toString().toUpperCase())); } else { @@ -1049,7 +1046,6 @@ public class SentryStore { mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope())); mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction()))); mSentryPrivilege.setCreateTime(System.currentTimeMillis()); - mSentryPrivilege.setGrantorPrincipal(safeTrim(privilege.getGrantorPrincipal())); mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI()))); if ( !privilege.getGrantOption().equals(TSentryGrantOption.UNSET) ) { mSentryPrivilege.setGrantOption(Boolean.valueOf(privilege.getGrantOption().toString())); 
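Review bot: `convertToTSentryRole` no longer calls `role.setGrantorPrincipal(...)`, yet the Thrift definition changed in this same commit keeps `3: required string grantorPrincipal` on `TSentryRole`, only tagged `#Deprecated`. Generated Java code normally validates required fields when a struct is written, so if the regenerated `TSentryRole` still contains the field, listing roles may fail with a missing-required-field error. This needs checking against the generated class, which is not in view here. Setting a fixed placeholder in this method, or relaxing the field in the IDL with the compatibility impact on older readers in mind, would keep the two sides consistent. The method body continues outside the hunk.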
@@ -1183,14 +1179,14 @@ public class SentryStore { * @throws SentryInvalidInputException */ public void renamePrivilege(TSentryAuthorizable tAuthorizable, - TSentryAuthorizable newTAuthorizable, String grantorPrincipal) + TSentryAuthorizable newTAuthorizable) throws SentryNoSuchObjectException, SentryInvalidInputException { PersistenceManager pm = null; boolean rollbackTransaction = true; TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable); - TSentryPrivilege newPrivilege = toSentryPrivilege(newTAuthorizable, - grantorPrincipal); + TSentryPrivilege newPrivilege = toSentryPrivilege(newTAuthorizable); + try { pm = openTransaction(); // In case of tables or DBs, check all actions @@ -1266,20 +1262,13 @@ public class SentryStore { } } - // convert TSentryAuthorizable to TSentryPrivilege private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable) throws SentryInvalidInputException { - return toSentryPrivilege(tAuthorizable, null); - } - - private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable, - String grantorPrincipal) throws SentryInvalidInputException { TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb())); tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer())); tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable())); tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri())); - tSentryPrivilege.setGrantorPrincipal(grantorPrincipal); PrivilegeScope scope; if (!isNULL(tSentryPrivilege.getTableName())) { scope = PrivilegeScope.TABLE; 
@@ -1313,10 +1302,9 @@ public class SentryStore { * @param privilege * @throws SentryUserException */ - private void grantOptionCheck(PersistenceManager pm, TSentryPrivilege privilege) + private void grantOptionCheck(PersistenceManager pm, String grantorPrincipal, TSentryPrivilege privilege) throws SentryUserException { MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege); - String grantorPrincipal = mPrivilege.getGrantorPrincipal(); if (grantorPrincipal == null) { throw new SentryInvalidInputException("grantorPrincipal should not be null"); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 6358289..5d97dc1 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java @@ -376,7 +376,6 @@ public class SentryPolicyServiceClient { privilege.setDbName(db); privilege.setTableName(table); privilege.setAction(action); - privilege.setGrantorPrincipal(requestorUserName); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); request.setPrivilege(privilege); 
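Review bot: The new `grantorPrincipal` parameter of `grantOptionCheck` is rejected only when it is `null`, so an empty or whitespace-only name passes this guard and reaches the checks below the hunk. The old path read the value from the converted privilege, where `convertToMSentryPrivilege` applied `safeTrim` to it; the new path uses it as received. The guard could become `if (grantorPrincipal == null || grantorPrincipal.trim().isEmpty())` and move above the `convertToMSentryPrivilege(privilege)` call, so invalid input is refused before any conversion. The Javadoc above the method lists `pm` and `privilege` but not the new parameter; add `@param grantorPrincipal user issuing the grant or revoke`. The rest of the method is outside the hunk.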
@@ -466,7 +465,6 @@ public class SentryPolicyServiceClient { privilege.setDbName(db); privilege.setTableName(table); privilege.setAction(action); - privilege.setGrantorPrincipal(requestorUserName); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); request.setPrivilege(privilege); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index ad66838..5b829a8 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -149,8 +149,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { try { authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); - CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName(), - request.getRequestorUserName()); + CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName()); response.setStatus(Status.OK()); notificationHandlerInvoker.create_sentry_role(commitContext, request, response); 
@@ -178,8 +177,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse(); try { - CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivilege(request.getRoleName(), - request.getPrivilege()); + CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivilege(request.getRequestorUserName(), + request.getRoleName(), request.getPrivilege()); response.setStatus(Status.OK()); notificationHandlerInvoker.alter_sentry_role_grant_privilege(commitContext, request, response); @@ -210,8 +209,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { (TAlterSentryRoleRevokePrivilegeRequest request) throws TException { TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse(); try { - CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivilege(request.getRoleName(), - request.getPrivilege()); + CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivilege(request.getRequestorUserName(), + request.getRoleName(), request.getPrivilege()); response.setStatus(Status.OK()); notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext, request, response); @@ -513,7 +512,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { try { authorize(request.getRequestorUserName(), adminGroups); sentryStore.renamePrivilege(request.getOldAuthorizable(), - request.getNewAuthorizable(), request.getRequestorUserName()); + request.getNewAuthorizable()); response.setStatus(Status.OK()); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql ---------------------------------------------------------------------- 
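Review bot: In the grant and revoke handlers (`@@ -178` and `@@ -210`) the principal handed to the store is `request.getRequestorUserName()`, a field of the request, and no `authorize(...)` call is visible between `try {` and the store call, unlike the create-role handler in the `@@ -149` hunk. The grant-option check in `SentryStore` is therefore the only access decision visible on these paths, and it is only as trustworthy as that field. Please confirm that the requestor name is bound to the authenticated transport identity before it reaches these handlers, and record that in a comment such as `// requestorUserName must match the authenticated caller; grantOptionCheck relies on it`. Both handler bodies continue outside their hunks.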
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql index 785c885..4c5ae39 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql @@ -21,7 +21,6 @@ CREATE TABLE SENTRY_DB_PRIVILEGE "ACTION" VARCHAR(40), CREATE_TIME BIGINT NOT NULL, DB_NAME VARCHAR(4000), - GRANTOR_PRINCIPAL VARCHAR(4000), PRIVILEGE_SCOPE VARCHAR(40), "SERVER_NAME" VARCHAR(4000), "TABLE_NAME" VARCHAR(4000), @@ -35,7 +34,6 @@ CREATE TABLE SENTRY_ROLE ( ROLE_ID BIGINT NOT NULL generated always as identity (start with 1), CREATE_TIME BIGINT NOT NULL, - GRANTOR_PRINCIPAL VARCHAR(4000), ROLE_NAME VARCHAR(128) ); @@ -46,7 +44,6 @@ CREATE TABLE SENTRY_GROUP ( GROUP_ID BIGINT NOT NULL generated always as identity (start with 1), CREATE_TIME BIGINT NOT NULL, - GRANTOR_PRINCIPAL VARCHAR(4000), GROUP_NAME VARCHAR(128) ); @@ -56,7 +53,8 @@ ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID); CREATE TABLE SENTRY_ROLE_GROUP_MAP ( GROUP_ID BIGINT NOT NULL, - ROLE_ID BIGINT NOT NULL + ROLE_ID BIGINT NOT NULL, + GRANTOR_PRINCIPAL VARCHAR(128) ); ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID); @@ -65,7 +63,8 @@ ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMAR CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ( ROLE_ID BIGINT NOT NULL, - DB_PRIVILEGE_ID BIGINT NOT NULL + DB_PRIVILEGE_ID BIGINT NOT NULL, + GRANTOR_PRINCIPAL VARCHAR(128) ); ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql index 785c885..4c5ae39 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql @@ -21,7 +21,6 @@ CREATE TABLE SENTRY_DB_PRIVILEGE "ACTION" VARCHAR(40), CREATE_TIME BIGINT NOT NULL, DB_NAME VARCHAR(4000), - GRANTOR_PRINCIPAL VARCHAR(4000), PRIVILEGE_SCOPE VARCHAR(40), "SERVER_NAME" VARCHAR(4000), "TABLE_NAME" VARCHAR(4000), @@ -35,7 +34,6 @@ CREATE TABLE SENTRY_ROLE ( ROLE_ID BIGINT NOT NULL generated always as identity (start with 1), CREATE_TIME BIGINT NOT NULL, - GRANTOR_PRINCIPAL VARCHAR(4000), ROLE_NAME VARCHAR(128) ); @@ -46,7 +44,6 @@ CREATE TABLE SENTRY_GROUP ( GROUP_ID BIGINT NOT NULL generated always as identity (start with 1), CREATE_TIME BIGINT NOT NULL, - GRANTOR_PRINCIPAL VARCHAR(4000), GROUP_NAME VARCHAR(128) ); @@ -56,7 +53,8 @@ ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID); CREATE TABLE SENTRY_ROLE_GROUP_MAP ( GROUP_ID BIGINT NOT NULL, - ROLE_ID BIGINT NOT NULL + ROLE_ID BIGINT NOT NULL, + GRANTOR_PRINCIPAL VARCHAR(128) ); ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID); @@ -65,7 +63,8 @@ ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMAR CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ( ROLE_ID BIGINT NOT NULL, - DB_PRIVILEGE_ID BIGINT NOT NULL + DB_PRIVILEGE_ID BIGINT NOT NULL, + GRANTOR_PRINCIPAL VARCHAR(128) ); ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
index f94f6bd..803b6a8 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
@@ -33,33 +33,32 @@ CREATE TABLE `SENTRY_DB_PRIVILEGE` ( `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, - `CREATE_TIME` BIGINT NOT NULL, - `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, + `CREATE_TIME` BIGINT NOT NULL `WITH_GRANT_OPTION` CHAR(1) NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `SENTRY_ROLE` ( `ROLE_ID` BIGINT NOT NULL, `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, - `CREATE_TIME` BIGINT NOT NULL, - `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL + `CREATE_TIME` BIGINT NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `SENTRY_GROUP` ( `GROUP_ID` BIGINT NOT NULL, `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, - `CREATE_TIME` BIGINT NOT NULL, - `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL + `CREATE_TIME` BIGINT NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ( `ROLE_ID` BIGINT NOT NULL, - `DB_PRIVILEGE_ID` BIGINT NOT NULL + `DB_PRIVILEGE_ID` BIGINT NOT NULL, + `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `SENTRY_ROLE_GROUP_MAP` ( `ROLE_ID` BIGINT NOT NULL, - `GROUP_ID` BIGINT NOT NULL + `GROUP_ID` BIGINT NOT NULL, + `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` ( http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql ---------------------------------------------------------------------- 
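Review bot: The added `CREATE_TIME` line in `SENTRY_DB_PRIVILEGE` has lost its trailing comma, but the next column, `WITH_GRANT_OPTION CHAR(1) NOT NULL`, is still present, so this `CREATE TABLE` statement no longer parses. The line should end with a comma: ``  `CREATE_TIME` BIGINT NOT NULL,``. The Oracle and Postgres scripts in this commit keep the comma at the same position. Running each script against an empty schema as part of the build would catch this kind of slip.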
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql index 35dbc5b..5d8336c 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql @@ -22,32 +22,31 @@ CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "URI" VARCHAR2(4000) NULL, "ACTION" VARCHAR2(128) NOT NULL, "CREATE_TIME" NUMBER NOT NULL, - "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL, "WITH_GRANT_OPTION" CHAR(1) NOT NULL ); CREATE TABLE "SENTRY_ROLE" ( "ROLE_ID" NUMBER NOT NULL, "ROLE_NAME" VARCHAR2(128) NOT NULL, - "CREATE_TIME" NUMBER NOT NULL, - "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL + "CREATE_TIME" NUMBER NOT NULL ); CREATE TABLE "SENTRY_GROUP" ( "GROUP_ID" NUMBER NOT NULL, "GROUP_NAME" VARCHAR2(128) NOT NULL, - "CREATE_TIME" NUMBER NOT NULL, - "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL + "CREATE_TIME" NUMBER NOT NULL ); CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ( "ROLE_ID" NUMBER NOT NULL, - "DB_PRIVILEGE_ID" NUMBER NOT NULL + "DB_PRIVILEGE_ID" NUMBER NOT NULL, + "GRANTOR_PRINCIPAL" VARCHAR2(128) ); CREATE TABLE "SENTRY_ROLE_GROUP_MAP" ( "ROLE_ID" NUMBER NOT NULL, - "GROUP_ID" NUMBER NOT NULL + "GROUP_ID" NUMBER NOT NULL, + "GRANTOR_PRINCIPAL" VARCHAR2(128) ); CREATE TABLE "SENTRY_VERSION" ( http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql index 1d6036f..24cac98 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql 
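Review bot: This script is edited in place under the same `1.5.0` file name: `GRANTOR_PRINCIPAL ... NOT NULL` disappears from `SENTRY_DB_PRIVILEGE`, `SENTRY_ROLE` and `SENTRY_GROUP`, and a nullable `GRANTOR_PRINCIPAL` appears on the two map tables. A database already created from the earlier revision keeps the `NOT NULL` columns, and since the JDO mapping in this commit stops writing them, inserts of roles, groups and privileges would presumably fail there. If any environment may already hold the old layout, an upgrade script with the matching `ALTER TABLE` statements is needed; if none can, a header comment stating that the 1.5.0 schema was unreleased at this point would settle it. The same applies to the MySQL and Postgres scripts.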
@@ -34,32 +34,31 @@ CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "URI" character varying(4000) DEFAULT NULL::character varying, "ACTION" character varying(128) NOT NULL, "CREATE_TIME" BIGINT NOT NULL, - "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL, "WITH_GRANT_OPTION" CHAR(1) NOT NULL ); CREATE TABLE "SENTRY_ROLE" ( "ROLE_ID" BIGINT NOT NULL, "ROLE_NAME" character varying(128) NOT NULL, - "CREATE_TIME" BIGINT NOT NULL, - "GRANTOR_PRINCIPAL" character varying(128) NOT NULL + "CREATE_TIME" BIGINT NOT NULL ); CREATE TABLE "SENTRY_GROUP" ( "GROUP_ID" BIGINT NOT NULL, "GROUP_NAME" character varying(128) NOT NULL, - "CREATE_TIME" BIGINT NOT NULL, - "GRANTOR_PRINCIPAL" character varying(128) NOT NULL + "CREATE_TIME" BIGINT NOT NULL ); CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ( "ROLE_ID" BIGINT NOT NULL, - "DB_PRIVILEGE_ID" BIGINT NOT NULL + "DB_PRIVILEGE_ID" BIGINT NOT NULL, + "GRANTOR_PRINCIPAL" character varying(128) ); CREATE TABLE "SENTRY_ROLE_GROUP_MAP" ( "ROLE_ID" BIGINT NOT NULL, - "GROUP_ID" BIGINT NOT NULL + "GROUP_ID" BIGINT NOT NULL, + "GRANTOR_PRINCIPAL" character varying(128) ); CREATE TABLE "SENTRY_VERSION" ( http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index b14616b..d215ffe 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 
@@ -48,8 +48,7 @@ struct TSentryPrivilege { 6: optional string URI = "", 7: required string action = "", 8: optional i64 createTime, # Set on server side -9: optional string grantorPrincipal, # Set on server side -10: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE +9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE } # TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest @@ -132,7 +131,7 @@ struct TListSentryRolesRequest { struct TSentryRole { 1: required string roleName, 2: required set<TSentryGroup> groups, -3: required string grantorPrincipal +3: required string grantorPrincipal #Deprecated } struct TListSentryRolesResponse { 1: required sentry_common_service.TSentryResponseStatus status http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/dbcdb6d6/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index 985a73d..befecf4 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 
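Review bot: Field id 9 of `TSentryPrivilege` is reassigned from `grantorPrincipal` (string) to `grantOption` (enum), which previously had id 10. Thrift identifies fields by id on the wire, so a peer built from the old IDL will normally not see the other side's `grantOption`: the field is skipped as unknown or type-mismatched and the reader keeps the default `FALSE`. In a mixed-version deployment, grants and revokes would then be evaluated with a different grant option than the caller asked for. Keep the old number and retire 9 instead: `# 9: grantorPrincipal (removed, do not reuse)` followed by `10: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE`.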
@@ -105,25 +105,23 @@ public class TestSentryStore { privilege.setDbName("default"); privilege.setTableName("table1"); privilege.setAction(AccessConstants.ALL); - privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups).getSequenceId()); assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups).getSequenceId()); - assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege).getSequenceId()); - assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege).getSequenceId()); + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege).getSequenceId()); + assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege).getSequenceId()); } @Test public void testURI() throws Exception { String roleName = "test-dup-role"; String grantor = "g1"; String uri = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat"; - sentryStore.createSentryRole(roleName, grantor); + sentryStore.createSentryRole(roleName); TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL"); tSentryPrivilege.setURI(uri); - tSentryPrivilege.setGrantorPrincipal(grantor); - sentryStore.alterSentryRoleGrantPrivilege(roleName, tSentryPrivilege); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege); TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); tSentryAuthorizable.setUri(uri); 
@@ -151,9 +149,9 @@ public class TestSentryStore { public void testCreateDuplicateRole() throws Exception { String roleName = "test-dup-role"; String grantor = "g1"; - sentryStore.createSentryRole(roleName, grantor); + sentryStore.createSentryRole(roleName); try { - sentryStore.createSentryRole(roleName, grantor); + sentryStore.createSentryRole(roleName); fail("Expected SentryAlreadyExistsException"); } catch(SentryAlreadyExistsException e) { // expected @@ -163,17 +161,16 @@ public class TestSentryStore { public void testCaseSensitiveScope() throws Exception { String roleName = "role1"; String grantor = "g1"; - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all"); sentryPrivilege.setDbName("db1"); - sentryPrivilege.setGrantorPrincipal(grantor); - assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(roleName, sentryPrivilege).getSequenceId()); + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, sentryPrivilege).getSequenceId()); } @Test public void testCreateDropRole() throws Exception { String roleName = "test-drop-role"; String grantor = "g1"; - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); assertEquals(seqId + 1, sentryStore.dropSentryRole(roleName).getSequenceId()); } @@ -190,7 +187,7 @@ public class TestSentryStore { public void testAddDeleteGroups() throws Exception { String roleName = "test-groups"; String grantor = "g1"; - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); Set<TSentryGroup> groups = Sets.newHashSet(); TSentryGroup group = new TSentryGroup(); group.setGroupName("test-groups-g1"); 
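Review bot: `String grantor = "g1";` is left behind in `testCreateDuplicateRole` and `testCreateDropRole`, where the two-argument `createSentryRole` call was its only use in the visible lines, so both locals are now dead and can be removed. The new first argument of `alterSentryRoleGrantPrivilege` also has a rejection path that none of the updated tests in view exercises: `grantOptionCheck` throws `SentryInvalidInputException` when `grantorPrincipal` is `null`. A small test that passes `null` as the grantor and expects that exception would pin the behaviour. `testCreateDuplicateRole` continues past the end of its hunk.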
@@ -213,22 +210,21 @@ public class TestSentryStore { String server = "server1"; String db = "db1"; String table = "tbl1"; - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope("TABLE"); privilege.setServerName(server); privilege.setDbName(db); privilege.setTableName(table); privilege.setAction(AccessConstants.ALL); - privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); - assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege) + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) .getSequenceId()); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); privilege.setAction(AccessConstants.SELECT); - assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege) + assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) .getSequenceId()); // after having ALL and revoking SELECT, we should have INSERT role = sentryStore.getMSentryRoleByName(roleName); 
@@ -250,47 +246,45 @@ public class TestSentryStore { String db = "db1"; String table = "tbl1"; TSentryGrantOption grantOption = TSentryGrantOption.TRUE; - long seqId = sentryStore.createSentryRole(roleName, grantor).getSequenceId(); + long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope("TABLE"); privilege.setServerName(server); privilege.setDbName(db); privilege.setTableName(table); privilege.setAction(AccessConstants.ALL); - privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(grantOption); - assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege) + assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege) .getSequenceId()); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); assertEquals(Boolean.valueOf(privilege.getGrantOption().toString()), Iterables.get(privileges, 0).getGrantOption()); - assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege) + assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege) .getSequenceId()); role = sentryStore.getMSentryRoleByName(roleName); privileges = role.getPrivileges(); assertEquals(0, privileges.size()); roleName = "test-grantOption-db"; - sentryStore.createSentryRole(roleName, grantor); + sentryStore.createSentryRole(roleName); privilege = new TSentryPrivilege(); privilege.setPrivilegeScope("DATABASE"); privilege.setServerName(server); privilege.setDbName(db); privilege.setAction(AccessConstants.ALL); - privilege.setGrantorPrincipal(grantor); privilege.setGrantOption(TSentryGrantOption.TRUE); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(grantOption); - 
sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); role = sentryStore.getMSentryRoleByName(roleName); privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); privilege.setAction(AccessConstants.SELECT); privilege.setGrantOption(TSentryGrantOption.UNSET); - sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege); // after having ALL and revoking SELECT, we should have INSERT role = sentryStore.getMSentryRoleByName(roleName); privileges = role.getPrivileges(); @@ -315,7 +309,7 @@ public class TestSentryStore { String[] groups = {"group0","group1","group2","group3","group4"}; for (int i = 0; i < users.length; i++) { addGroupsToUser(users[i], groups[i]); - sentryStore.createSentryRole(roles[i], grantor); + sentryStore.createSentryRole(roles[i]); Set<TSentryGroup> tGroups = Sets.newHashSet(); TSentryGroup tGroup = new TSentryGroup(groups[i]); tGroups.add(tGroup); @@ -334,10 +328,9 @@ public class TestSentryStore { privilege1.setServerName(server); privilege1.setDbName(db); privilege1.setAction(AccessConstants.ALL); - privilege1.setGrantorPrincipal(grantor); privilege1.setCreateTime(System.currentTimeMillis()); privilege1.setGrantOption(TSentryGrantOption.TRUE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); 
@@ -350,10 +343,9 @@ public class TestSentryStore { privilege2.setServerName(server); privilege2.setDbName(db); privilege2.setAction(AccessConstants.SELECT); - privilege2.setGrantorPrincipal(grantor); privilege2.setCreateTime(System.currentTimeMillis()); privilege2.setGrantOption(TSentryGrantOption.TRUE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); // 4. user0 grant all on table tb1 to role2, no grant option roleName = roles[2]; @@ -364,10 +356,9 @@ public class TestSentryStore { privilege3.setDbName(db); privilege3.setTableName(table); privilege3.setAction(AccessConstants.ALL); - privilege3.setGrantorPrincipal(grantor); privilege3.setCreateTime(System.currentTimeMillis()); privilege3.setGrantOption(TSentryGrantOption.FALSE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege3); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3); // 5. user1 has role1, no insert privilege, // grant insert to role3, will throw no grant exception @@ -378,12 +369,11 @@ public class TestSentryStore { privilege4.setServerName(server); privilege4.setDbName(db); privilege4.setAction(AccessConstants.INSERT); - privilege4.setGrantorPrincipal(grantor); privilege4.setCreateTime(System.currentTimeMillis()); privilege4.setGrantOption(TSentryGrantOption.FALSE); boolean isGrantOptionException = false; try { - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege4); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege4); } catch (SentryGrantDeniedException e) { isGrantOptionException = true; System.err.println(e.getMessage()); 
@@ -400,12 +390,11 @@ public class TestSentryStore { privilege5.setDbName(db); privilege5.setTableName(table); privilege5.setAction(AccessConstants.INSERT); - privilege5.setGrantorPrincipal(grantor); privilege5.setCreateTime(System.currentTimeMillis()); privilege5.setGrantOption(TSentryGrantOption.FALSE); isGrantOptionException = false; try { - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege5); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege5); } catch (SentryGrantDeniedException e) { isGrantOptionException = true; System.err.println(e.getMessage()); @@ -425,7 +414,7 @@ public class TestSentryStore { String[] groups = {"group0","group1","group2"}; for (int i = 0; i < users.length; i++) { addGroupsToUser(users[i], groups[i]); - sentryStore.createSentryRole(roles[i], grantor); + sentryStore.createSentryRole(roles[i]); Set<TSentryGroup> tGroups = Sets.newHashSet(); TSentryGroup tGroup = new TSentryGroup(groups[i]); tGroups.add(tGroup); @@ -444,10 +433,9 @@ public class TestSentryStore { privilege1.setServerName(server); privilege1.setDbName(db); privilege1.setAction(AccessConstants.SELECT); - privilege1.setGrantorPrincipal(grantor); privilege1.setCreateTime(System.currentTimeMillis()); privilege1.setGrantOption(TSentryGrantOption.TRUE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 1, privileges.size()); 
@@ -461,10 +449,9 @@ public class TestSentryStore { privilege2.setDbName(db); privilege2.setTableName(table); privilege2.setAction(AccessConstants.ALL); - privilege2.setGrantorPrincipal(grantor); privilege2.setCreateTime(System.currentTimeMillis()); privilege2.setGrantOption(TSentryGrantOption.FALSE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2); // 4. g1 grant select on table tb1 to role2, no grant option roleName = roles[2]; @@ -475,19 +462,17 @@ public class TestSentryStore { privilege3.setDbName(db); privilege3.setTableName(table); privilege3.setAction(AccessConstants.SELECT); - privilege3.setGrantorPrincipal(grantor); privilege3.setCreateTime(System.currentTimeMillis()); privilege3.setGrantOption(TSentryGrantOption.FALSE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege3); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3); // 5. user1 has role1, no grant option, // revoke from role2 will throw no grant exception roleName = roles[2]; grantor = users[1]; - privilege3.setGrantorPrincipal(grantor); boolean isGrantOptionException = false; try { - sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege3); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3); } catch (SentryGrantDeniedException e) { isGrantOptionException = true; System.err.println(e.getMessage()); @@ -498,9 +483,8 @@ public class TestSentryStore { // revoke all from role1 will throw no grant exception roleName = roles[1]; grantor = users[0]; - privilege2.setGrantorPrincipal(grantor); try { - sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege2); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2); } catch (SentryGrantDeniedException e) { isGrantOptionException = true; System.err.println(e.getMessage()); 
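Review bot: In the hunk at -498 (revoke ALL from role1 as `users[0]`), the catch block sets `isGrantOptionException = true`, but no reset to false is visible between `grantor = users[0];` and `try {`. The flag is expected to be true already after the preceding denial check in the hunk at -475. Unless the few lines between the two hunks reset it, the assertion that follows passes even if this revoke is wrongly allowed, so the test would miss a regression in the grant-option check on revoke. Adding `isGrantOptionException = false;` immediately before the second `try {`, as the grant test does at -400, closes that gap. The try/catch and its assertion continue outside both hunks.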
@@ -511,8 +495,7 @@ public class TestSentryStore { // revoke select from role2 roleName = roles[2]; grantor = users[0]; - privilege3.setGrantorPrincipal(grantor); - sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege3); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3); role = sentryStore.getMSentryRoleByName(roleName); privileges = role.getPrivileges(); assertEquals(0, privileges.size()); @@ -528,7 +511,7 @@ public class TestSentryStore { String[] groups = {"group0"}; for (int i = 0; i < users.length; i++) { addGroupsToUser(users[i], groups[i]); - sentryStore.createSentryRole(roles[i], grantor); + sentryStore.createSentryRole(roles[i]); Set<TSentryGroup> tGroups = Sets.newHashSet(); TSentryGroup tGroup = new TSentryGroup(groups[i]); tGroups.add(tGroup); @@ -548,22 +531,21 @@ public class TestSentryStore { privilege.setDbName(db); privilege.setTableName(table); privilege.setAction(AccessConstants.SELECT); - privilege.setGrantorPrincipal(grantor); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(TSentryGrantOption.TRUE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); // 3. g1 grant select on table tb1 to role0, no grant option roleName = roles[0]; grantor = "g1"; privilege.setGrantOption(TSentryGrantOption.FALSE); - sentryStore.alterSentryRoleGrantPrivilege(roleName, privilege); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege); // 4. g1 revoke all privilege from role0 roleName = roles[0]; grantor = "g1"; privilege.setGrantOption(TSentryGrantOption.UNSET); - sentryStore.alterSentryRoleRevokePrivilege(roleName, privilege); + sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege); MSentryRole role = sentryStore.getMSentryRoleByName(roleName); Set<MSentryPrivilege> privileges = role.getPrivileges(); assertEquals(privileges.toString(), 0, privileges.size()); 
@@ -574,26 +556,24 @@ public class TestSentryStore { String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2"; String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2"; String grantor = "g1"; - long seqId = sentryStore.createSentryRole(roleName1, grantor).getSequenceId(); - assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2, grantor).getSequenceId()); + long seqId = sentryStore.createSentryRole(roleName1).getSequenceId(); + assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2).getSequenceId()); TSentryPrivilege privilege1 = new TSentryPrivilege(); privilege1.setPrivilegeScope("TABLE"); privilege1.setServerName("server1"); privilege1.setDbName("db1"); privilege1.setTableName("tbl1"); privilege1.setAction("SELECT"); - privilege1.setGrantorPrincipal(grantor); privilege1.setCreateTime(System.currentTimeMillis()); - assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1) + assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1) .getSequenceId()); - assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege1) + assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege1) .getSequenceId()); TSentryPrivilege privilege2 = new TSentryPrivilege(); privilege2.setPrivilegeScope("SERVER"); privilege2.setServerName("server1"); - privilege2.setGrantorPrincipal(grantor); privilege2.setCreateTime(System.currentTimeMillis()); - assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2) + assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2) .getSequenceId()); Set<TSentryGroup> groups = Sets.newHashSet(); TSentryGroup group = new TSentryGroup(); 
@@ -681,9 +661,9 @@ public class TestSentryStore { String group1 = "group1", group2 = "group2"; String grantor = "g1"; - sentryStore.createSentryRole(roleName1, grantor); - sentryStore.createSentryRole(roleName2, grantor); - sentryStore.createSentryRole(roleName3, grantor); + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + sentryStore.createSentryRole(roleName3); sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1))); sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2))); @@ -707,16 +687,15 @@ public class TestSentryStore { public void testDropDbObject() throws Exception { String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3"; String grantor = "g1"; - sentryStore.createSentryRole(roleName1, grantor); - sentryStore.createSentryRole(roleName2, grantor); - sentryStore.createSentryRole(roleName3, grantor); + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + sentryStore.createSentryRole(roleName3); TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); privilege_tbl1.setPrivilegeScope("TABLE"); privilege_tbl1.setServerName("server1"); privilege_tbl1.setDbName("db1"); privilege_tbl1.setTableName("tbl1"); - privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1); @@ -730,7 +709,6 @@ public class TestSentryStore { TSentryPrivilege privilege_server = new TSentryPrivilege(); privilege_server.setPrivilegeScope("SERVER"); privilege_server.setServerName("server1"); - privilege_server.setGrantorPrincipal(grantor); privilege_server.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilege_tbl2 = new TSentryPrivilege(); 
@@ -738,7 +716,6 @@ public class TestSentryStore { privilege_tbl2.setServerName("server1"); privilege_tbl2.setDbName("db1"); privilege_tbl2.setTableName("tbl2"); - privilege_tbl2.setGrantorPrincipal(grantor); privilege_tbl2.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2); @@ -747,14 +724,14 @@ public class TestSentryStore { TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2); privilege3_2.setAction("INSERT"); - sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1); - sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2_1); - sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege_server); - sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege2_3); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_server); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_3); - sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege3_1); - sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege3_2); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_1); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_2); sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1)); assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1) 
@@ -777,14 +754,13 @@ public class TestSentryStore { public void testDropOverlappedPrivileges() throws Exception { String roleName1 = "list-privs-r1"; String grantor = "g1"; - sentryStore.createSentryRole(roleName1, grantor); + sentryStore.createSentryRole(roleName1); TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); privilege_tbl1.setPrivilegeScope("TABLE"); privilege_tbl1.setServerName("server1"); privilege_tbl1.setDbName("db1"); privilege_tbl1.setTableName("tbl1"); - privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( @@ -794,8 +770,8 @@ public class TestSentryStore { TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); privilege_tbl1_all.setAction("*"); - sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); - sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_all); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_all); sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1)); assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1) 
@@ -823,16 +799,15 @@ public class TestSentryStore { String grantor = "g1"; String table1 = "tbl1", table2 = "tbl2"; - sentryStore.createSentryRole(roleName1, grantor); - sentryStore.createSentryRole(roleName2, grantor); - sentryStore.createSentryRole(roleName3, grantor); + sentryStore.createSentryRole(roleName1); + sentryStore.createSentryRole(roleName2); + sentryStore.createSentryRole(roleName3); TSentryPrivilege privilege_tbl1 = new TSentryPrivilege(); privilege_tbl1.setPrivilegeScope("TABLE"); privilege_tbl1.setServerName("server1"); privilege_tbl1.setDbName("db1"); privilege_tbl1.setTableName(table1); - privilege_tbl1.setGrantorPrincipal(grantor); privilege_tbl1.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege( @@ -846,14 +821,14 @@ public class TestSentryStore { TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1); privilege_tbl1_all.setAction(AccessConstants.ALL); - sentryStore.alterSentryRoleGrantPrivilege(roleName1, privilege_tbl1_insert); - sentryStore.alterSentryRoleGrantPrivilege(roleName2, privilege_tbl1_select); - sentryStore.alterSentryRoleGrantPrivilege(roleName3, privilege_tbl1_all); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_select); + sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege_tbl1_all); TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1); TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1); newTable.setTable(table2); - sentryStore.renamePrivilege(oldTable, newTable, System.getProperty("user.name")); + sentryStore.renamePrivilege(oldTable, newTable); for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) { Set<TSentryPrivilege> privilegeSet = sentryStore 
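Review bot: After `sentryStore.renamePrivilege(oldTable, newTable)` the verification loop, which starts at the end of this hunk and continues in the next one, checks only the privilege count and the table name for each role. The three roles are granted `privilege_tbl1_insert`, `privilege_tbl1_select` and `privilege_tbl1_all`, so a rename that altered or widened the stored action would still pass. With the grantor assertion removed by this commit, consider pairing each role with its expected action and comparing it against `privilege.getAction()` inside the loop. How the store normalises the ALL action string is not visible here, so the expected value for role3 should be confirmed first.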
@@ -861,8 +836,6 @@ public class TestSentryStore {
 assertEquals(1, privilegeSet.size());
 for (TSentryPrivilege privilege : privilegeSet) {
 assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
- assertEquals(System.getProperty("user.name"),
- privilege.getGrantorPrincipal());
 }
 }
 }
