Repository: incubator-sentry Updated Branches: refs/heads/master 642037105 -> af221d152
SENTRY-488: Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases. (Arun Suresh via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/561b3c8a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/561b3c8a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/561b3c8a
Branch: refs/heads/master
Commit: 561b3c8a9620aa070030440ebdce045c9c23fd33
Parents: 6420371
Author: Prasad Mujumdar <[email protected]>
Authored: Sat Oct 4 01:38:02 2014 -0700
Committer: Prasad Mujumdar <[email protected]>
Committed: Sat Oct 4 01:38:02 2014 -0700
----------------------------------------------------------------------
.../db/service/persistent/SentryStore.java | 33 ++++++++++++--------
.../thrift/SentryPolicyStoreProcessor.java | 3 +-
.../thrift/TestSentryServiceIntegration.java | 16 ++++++++++
3 files changed, 38 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 350eb32..85a4947 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -820,7 +820,7 @@ public class SentryStore {
 public TSentryPrivilegeMap listSentryPrivilegesByAuthorizable(
 Set<String> groups, TSentryActiveRoleSet activeRoles,
- TSentryAuthorizable authHierarchy)
+ TSentryAuthorizable authHierarchy, boolean isAdmin)
 throws SentryInvalidInputException {
 Map<String, Set<TSentryPrivilege>> resultPrivilegeMap = Maps.newTreeMap();
 Set<String> roles = Sets.newHashSet();
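Review bot: The new `isAdmin` parameter changes what an empty role set means to this method, but the signature gets no Javadoc for it, and the method's body continues past this hunk. I would add a `@param isAdmin` line along the lines of `@param isAdmin whether the caller is in an admin group; when true an empty role set is treated as "all roles", otherwise an empty role set yields an empty result`. That contract is only stated in a comment deep in the body, so spelling it out at the signature is what keeps a future caller from passing `true` for a non-admin request.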
@@ -828,20 +828,27 @@ public class SentryStore {
 roles = getRolesToQuery(groups, new TSentryActiveRoleSet(true, null));
 }
 if (activeRoles != null && !activeRoles.isAll()) {
- roles.addAll(activeRoles.getRoles());
+ // need to check/convert to lowercase here since this is from user input
+ for (String aRole : activeRoles.getRoles()) {
+ roles.add(aRole.toLowerCase());
+ }
 }
- List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
- authHierarchy);
- for (MSentryPrivilege priv : mSentryPrivileges) {
- for (MSentryRole role : priv.getRoles()) {
- TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
- if (resultPrivilegeMap.containsKey(role.getRoleName())) {
- resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
- } else {
- Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
- tPrivSet.add(tPriv);
- resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
+ // An empty 'roles' is a treated as a wildcard (in case of admin role)..
+ // so if not admin, don't return anything if 'roles' is empty..
+ if (isAdmin || !roles.isEmpty()) {
+ List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
+ authHierarchy);
+ for (MSentryPrivilege priv : mSentryPrivileges) {
+ for (MSentryRole role : priv.getRoles()) {
+ TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
+ if (resultPrivilegeMap.containsKey(role.getRoleName())) {
+ resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
+ } else {
+ Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
+ tPrivSet.add(tPriv);
+ resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
+ }
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
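Review bot: The role names taken from `activeRoles.getRoles()` are lower-cased and added to `roles` without being intersected with the roles the caller's groups actually grant, so for a non-admin the new `isAdmin || !roles.isEmpty()` guard only closes the no-group case; whether a caller naming a role it does not hold is rejected earlier or inside `getMSentryPrivilegesByAuth` is not visible in this hunk and should be confirmed, since that is the same class of leak the commit title describes. Separately, `aRole.toLowerCase()` folds case in the JVM's default locale, which is not guaranteed to match how role names were normalized when they were stored; use `roles.add(aRole.toLowerCase(Locale.ROOT));` (importing `java.util.Locale`) or whatever helper the store applies on the write path. The comment `// An empty 'roles' is a treated as a wildcard` has a stray "a" and would read better as `// An empty 'roles' is treated as a wildcard (admin only)`. The method begins in the previous hunk and its return lies outside this one.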
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 67dc1f8..b54e12e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -569,10 +569,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 }
 }
+ // If user is not part of any group.. return empty response
 for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
 authRoleMap.put(authorizable, sentryStore
 .listSentryPrivilegesByAuthorizable(requestedGroups,
- request.getRoleSet(), authorizable));
+ request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
 }
 response.setPrivilegesMapByAuth(authRoleMap);
 response.setStatus(Status.OK());
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 95c908f..ff6cff4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
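Review bot: The comment added above the loop, `// If user is not part of any group.. return empty response`, describes behaviour that is implemented in `SentryStore` (its empty-roles guard), not in the lines that follow, so a reader of this file will look for a check that is not here; reword it to `// admin status is derived from the caller's real groups, not the requested ones; the store returns an empty map for a non-admin with no roles`. `inAdminGroups(memberGroups)` is also re-evaluated on every iteration over `request.getAuthorizableSet()` although its inputs do not change; hoist it as `boolean isAdmin = inAdminGroups(memberGroups);` before the loop and pass `isAdmin`. Taking the admin decision from `memberGroups` rather than the caller-supplied `requestedGroups` is the right choice and deserves that one-line comment so nobody "simplifies" it later. The enclosing method starts and ends outside this hunk.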
@@ -22,6 +22,7 @@ import static junit.framework.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -317,6 +318,11 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 String db2 = "testDB2";
 String tab = "testTab";
 setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ String group1user = "group1user";
+ setLocalGroupMapping(group1user, Sets.newHashSet(group1));
+ String group2user = "group2user";
+ setLocalGroupMapping(group2user, Sets.newHashSet(group2));
+ setLocalGroupMapping("random", Sets.newHashSet("foo"));
 writePolicyFile();
 client.dropRoleIfExists(requestorUserName, roleName1);
@@ -389,6 +395,16 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName,
 authorizableSet, testGroupSet, ActiveRoleSet.ALL);
 assertEquals(expectedResults, authPrivMap);
+
+ // verify users not belonging to any group are not shown anything
+ authPrivMap = client
+ .listPrivilegsbyAuthorizable("random", authorizableSet,
+ new HashSet<String>(), ActiveRoleSet.ALL);
+ expectedResults.clear();
+ expectedResults.put(
+ SentryPolicyServiceClient.setupSentryAuthorizable(db1Authrizable),
+ new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
+ assertEquals(expectedResults, authPrivMap);
 }
 @Test
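Review bot: `group1user` and `group2user` are mapped to `group1` and `group2` in this hunk, but neither name appears in any other hunk of the commit; if the rest of the test method does not use them, the four added lines are dead setup, and if they were meant to drive a non-admin user through the new `isAdmin` path, the assertions that would use them are missing. Either drop them or add the call that exercises them. The enclosing test method starts and ends outside this hunk.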
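Review bot: The new assertion covers only a user with no groups, while the other behavioural change in `SentryStore` (lower-casing role names taken from the active role set) has no test here; a second call passing an active role set with a mixed-case role name, expected to return the same privileges as the lower-case name, would pin that down. The expected value is built by reusing `expectedResults` after `expectedResults.clear()`, which couples this check to the previous case's map instance and makes the two assertions order-dependent; a fresh local map for the empty expectation is clearer. The expected map also lists only the `db1Authrizable` key, which is correct only if `authorizableSet` holds exactly that one authorizable — if it also contains the db2/table authorizables set up earlier in the method, the expectation is incomplete, so that assumption is worth a one-line comment. The enclosing test method begins before this hunk and closes inside it.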
