SENTRY-74: Add column-level privileges for Hive/Impala (Dapeng Sun and Xiaomeng Huang via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/13e83d6e Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/13e83d6e Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/13e83d6e Branch: refs/heads/master Commit: 13e83d6e524e696ef973f251577e93f236e39cd9 Parents: aab7873 Author: Prasad Mujumdar <pras...@cloudera.com> Authored: Tue Nov 18 00:47:09 2014 -0800 Committer: Prasad Mujumdar <pras...@cloudera.com> Committed: Tue Nov 18 00:47:09 2014 -0800 ---------------------------------------------------------------------- .../apache/hadoop/hive/SentryHiveConstants.java | 1 - .../hive/ql/exec/SentryGrantRevokeTask.java | 52 +- .../ql/exec/SentryHivePrivilegeObjectDesc.java | 12 + .../binding/hive/HiveAuthzBindingHook.java | 109 +- .../SentryHiveAuthorizationTaskFactoryImpl.java | 35 +- .../binding/hive/authz/HiveAuthzBinding.java | 4 +- .../hive/authz/HiveAuthzPrivilegesMap.java | 6 +- .../binding/hive/authz/SentryConfigTool.java | 15 + .../binding/hive/TestHiveAuthzBindings.java | 18 +- .../org/apache/sentry/core/model/db/Column.java | 51 + .../core/model/db/DBModelAuthorizable.java | 1 + .../sentry/policy/db/DBModelAuthorizables.java | 3 + .../common/ResourceAuthorizationProvider.java | 5 +- .../TAlterSentryRoleGrantPrivilegeRequest.java | 217 +++- .../TAlterSentryRoleGrantPrivilegeResponse.java | 168 +++- .../TAlterSentryRoleRevokePrivilegeRequest.java | 217 +++- .../TListSentryPrivilegesByAuthRequest.java | 68 +- .../TListSentryPrivilegesByAuthResponse.java | 52 +- ...TListSentryPrivilegesForProviderRequest.java | 32 +- ...ListSentryPrivilegesForProviderResponse.java | 32 +- .../thrift/TListSentryPrivilegesResponse.java | 36 +- .../thrift/TListSentryRolesResponse.java | 36 +- .../db/service/thrift/TSentryActiveRoleSet.java | 32 +- .../db/service/thrift/TSentryAuthorizable.java | 114 ++- .../db/service/thrift/TSentryPrivilege.java | 117 ++- .../db/service/thrift/TSentryPrivilegeMap.java | 76 +- .../provider/db/service/thrift/TSentryRole.java | 36 +- .../db/log/entity/AuditMetadataLogEntity.java | 15 +- .../db/log/entity/JsonLogEntityFactory.java | 37 +- .../provider/db/log/util/CommandUtil.java | 20 +- .../sentry/provider/db/log/util/Constants.java | 1 + .../db/service/model/MSentryPrivilege.java | 151 +-- .../provider/db/service/model/package.jdo | 4 + .../db/service/persistent/SentryStore.java | 148 ++- .../thrift/SentryPolicyServiceClient.java | 230 ++++- .../thrift/SentryPolicyStoreProcessor.java | 72 +- .../src/main/resources/004-SENTRY-74.derby.sql | 4 + .../src/main/resources/004-SENTRY-74.mysql.sql | 4 + .../src/main/resources/004-SENTRY-74.oracle.sql | 4 + .../main/resources/004-SENTRY-74.postgres.sql | 4 + .../src/main/resources/sentry-db2-1.5.0.sql | 3 +- .../src/main/resources/sentry-derby-1.5.0.sql | 3 +- .../src/main/resources/sentry-mysql-1.5.0.sql | 6 +- .../src/main/resources/sentry-oracle-1.5.0.sql | 5 +- .../main/resources/sentry-postgres-1.5.0.sql | 5 +- .../sentry-upgrade-db2-1.4.0-to-1.5.0.sql | 5 + .../sentry-upgrade-derby-1.4.0-to-1.5.0.sql | 2 + .../sentry-upgrade-mysql-1.4.0-to-1.5.0.sql | 1 + .../sentry-upgrade-oracle-1.4.0-to-1.5.0.sql | 1 + .../sentry-upgrade-postgres-1.4.0-to-1.5.0.sql | 1 + .../main/resources/sentry_policy_service.thrift | 9 +- .../log/entity/TestAuditMetadataLogEntity.java | 3 +- .../db/log/entity/TestJsonLogEntityFactory.java | 58 +- .../provider/db/log/util/TestCommandUtil.java | 50 +- .../service/persistent/TestSentryPrivilege.java | 47 + .../db/service/persistent/TestSentryStore.java | 296 ++++++ .../TestSentryStoreToAuthorizable.java | 22 +- .../thrift/TestSentryServiceIntegration.java | 64 ++ .../e2e/dbprovider/TestColumnEndToEnd.java | 247 +++++ .../e2e/dbprovider/TestDatabaseProvider.java | 141 ++- .../TestDbPrivilegesAtColumnScope.java | 39 + .../AbstractTestWithStaticConfiguration.java | 10 +- .../sentry/tests/e2e/hive/TestConfigTool.java | 68 +- .../e2e/hive/TestExportImportPrivileges.java | 10 + .../sentry/tests/e2e/hive/TestPolicyImport.java | 40 +- .../e2e/hive/TestPrivilegesAtColumnScope.java | 992 +++++++++++++++++++ .../e2e/hive/hiveserver/HiveServerFactory.java | 1 + .../metastore/SentryPolicyProviderForDb.java | 9 +- 68 files changed, 3826 insertions(+), 551 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/SentryHiveConstants.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/SentryHiveConstants.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/SentryHiveConstants.java index 6f83cc6..f5b1f4d 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/SentryHiveConstants.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/SentryHiveConstants.java @@ -27,7 +27,6 @@ public class SentryHiveConstants { PrivilegeType.ALTER_METADATA, PrivilegeType.INDEX, PrivilegeType.LOCK); public static final String PRIVILEGE_NOT_SUPPORTED = "Sentry does not support privilege: "; - public static final String COLUMN_PRIVS_NOT_SUPPORTED = "Sentry users should use views to grant privileges on columns"; public static final String PARTITION_PRIVS_NOT_SUPPORTED = "Sentry does not support partition level authorization"; public static final String GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT = "Sentry does not allow grant/revoke on: "; public static final String GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL = "Sentry does not allow privileges to be granted/revoked to/from: "; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java index ac45746..5357180 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java @@ -39,6 +39,7 @@ import org.apache.hadoop.hive.ql.hooks.ReadEntity; import org.apache.hadoop.hive.ql.hooks.WriteEntity; import org.apache.hadoop.hive.ql.metadata.AuthorizationException; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.plan.DDLWork; import org.apache.hadoop.hive.ql.plan.GrantDesc; import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL; @@ -66,6 +67,7 @@ import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.common.utils.PathUtils; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; @@ -81,6 +83,8 @@ import org.slf4j.LoggerFactory; import com.google.common.base.Preconditions; import com.google.common.base.Splitter; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; import com.google.common.collect.Iterables; public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable { @@ -316,7 +320,16 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable } else { SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(hiveObjectDesc); List<Authorizable> authorizableHeirarchy = toAuthorizable(privSubjectDesc); - privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, authorizableHeirarchy); + if (privSubjectDesc.getColumns() != null && !privSubjectDesc.getColumns().isEmpty()) { + List<List<Authorizable>> ps = parseColumnToAuthorizable(authorizableHeirarchy, privSubjectDesc); + ImmutableSet.Builder<TSentryPrivilege> pbuilder = new ImmutableSet.Builder<TSentryPrivilege>(); + for (List<Authorizable> p : ps) { + pbuilder.addAll(sentryClient.listPrivilegesByRoleName(subject, principalName, p)); + } + privileges = pbuilder.build(); + } else { + privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, authorizableHeirarchy); + } } writeToFile(writeGrantInfo(privileges, principalName), desc.getResFile()); return RETURN_CODE_SUCCESS; @@ -343,7 +356,6 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable String tableName = dbTable.getTable(); authorizableHeirarchy.add(new Table(tableName)); authorizableHeirarchy.add(new Database(dbName)); - } else if (privSubjectDesc.getUri()) { String uriPath = privSubjectDesc.getObject(); String warehouseDir = conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE); @@ -359,6 +371,21 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable return authorizableHeirarchy; } + private List<List<Authorizable>> parseColumnToAuthorizable(List<Authorizable> authorizableHeirarchy, + SentryHivePrivilegeObjectDesc privSubjectDesc) { + ImmutableList.Builder<List<Authorizable>> listsBuilder = ImmutableList.builder(); + List<String> cols = privSubjectDesc.getColumns(); + if ( cols != null && !cols.isEmpty() ) { + for ( String col : cols ) { + ImmutableList.Builder<Authorizable> listBuilder = ImmutableList.builder(); + listBuilder.addAll(authorizableHeirarchy); + listBuilder.add(new Column(col)); + listsBuilder.add(listBuilder.build()); + } + } + return listsBuilder.build(); + } + private void writeToFile(String data, String file) throws IOException { Path resFile = new Path(file); FileSystem fs = resFile.getFileSystem(conf); @@ -425,7 +452,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable } appendNonNull(builder, privilege.getTableName()); appendNonNull(builder, null);//getPartValues() - appendNonNull(builder, null);//getColumnName() + appendNonNull(builder, privilege.getColumnName());//getColumnName() appendNonNull(builder, roleName);//getPrincipalName() appendNonNull(builder, "ROLE");//getPrincipalType() appendNonNull(builder, privilege.getAction()); @@ -502,6 +529,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable String dbName = null; String tableName = null; + List<String> columnNames = null; String uriPath = null; String serverName = null; try { @@ -528,12 +556,18 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable for (PrivilegeDesc privDesc : privileges) { List<String> columns = privDesc.getColumns(); if (columns != null && !columns.isEmpty()) { - throw new HiveException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED); + columnNames = columns; } if (!SentryHiveConstants.ALLOWED_PRIVS.contains(privDesc.getPrivilege().getPriv())) { String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privDesc.getPrivilege().getPriv(); throw new HiveException(msg); } + if (columnNames != null && (privDesc.getPrivilege().getPriv().equals(PrivilegeType.INSERT) + || privDesc.getPrivilege().getPriv().equals(PrivilegeType.ALL))) { + String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + + privDesc.getPrivilege().getPriv() + " on Column"; + throw new SemanticException(msg); + } } for (PrincipalDesc princ : principals) { if (princ.getType() != PrincipalType.ROLE) { @@ -550,9 +584,12 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable } else if (tableName == null) { sentryClient.grantDatabasePrivilege(subject, princ.getName(), server, dbName, toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); - } else { + } else if (columnNames == null) { sentryClient.grantTablePrivilege(subject, princ.getName(), server, dbName, tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else { + sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName, + tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } } else { if (serverName != null) { @@ -562,9 +599,12 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable } else if (tableName == null) { sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName, toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); - } else { + } else if (columnNames == null) { sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName, tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); + } else { + sentryClient.revokeColumnsPrivilege(subject, princ.getName(), server, dbName, + tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java index 1b5f557..0c59abb 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java @@ -17,11 +17,15 @@ package org.apache.hadoop.hive.ql.exec; +import java.util.ArrayList; +import java.util.List; + import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc { private boolean isUri; private boolean isServer; + private List<String> columns = new ArrayList<String>(); public SentryHivePrivilegeObjectDesc() { // reset table type which is on by default @@ -44,4 +48,12 @@ public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc { this.isServer = isServer; } + public List<String> getColumns() { + return columns; + } + + public void setColumns(List<String> columns) { + this.columns = columns; + } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 1e59671..97ef3b8 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -56,6 +56,7 @@ import org.apache.sentry.binding.hive.conf.HiveAuthzConf; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.common.utils.PathUtils; import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; import org.apache.sentry.core.model.db.DBModelAction; import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; @@ -417,24 +418,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { inputHierarchy.add(dbHierarchy); outputHierarchy.add(dbHierarchy); - for(ReadEntity readEntity:inputs) { - // skip the tables/view that are part of expanded view definition. - if (isChildTabForView(readEntity)) { - continue; - } - // If this is a UDF, then check whether its allowed to be executed - // TODO: when we support execute privileges on UDF, this can be removed. - if (isUDF(readEntity)) { - if (isBuiltinUDF(readEntity)) { - checkUDFWhiteList(readEntity.getUDF().getDisplayName()); - } - continue; - } - List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); - entityHierarchy.add(hiveAuthzBinding.getAuthServer()); - entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity)); - inputHierarchy.add(entityHierarchy); - } + getInputHierarchyFromInputs(inputHierarchy, inputs); break; case TABLE: // workaround for add partitions @@ -442,24 +426,8 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI)); } - for (ReadEntity readEntity: inputs) { - // skip the tables/view that are part of expanded view definition. - if (isChildTabForView(readEntity)) { - continue; - } - // If this is a UDF, then check whether its allowed to be executed - // TODO: when we support execute privileges on UDF, this can be removed. - if (isUDF(readEntity)) { - if (isBuiltinUDF(readEntity)) { - checkUDFWhiteList(readEntity.getUDF().getDisplayName()); - } - continue; - } - List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); - entityHierarchy.add(hiveAuthzBinding.getAuthServer()); - entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity)); - inputHierarchy.add(entityHierarchy); - } + getInputHierarchyFromInputs(inputHierarchy, inputs); + for (WriteEntity writeEntity: outputs) { if (filterWriteEntity(writeEntity)) { continue; @@ -491,6 +459,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { connectHierarchy.add(hiveAuthzBinding.getAuthServer()); // by default allow connect access to default db Table currTbl = Table.ALL; + Column currCol = Column.ALL; if ((DEFAULT_DATABASE_NAME.equalsIgnoreCase(currDB.getName()) && "false".equalsIgnoreCase(authzConf. get(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"))) @@ -502,6 +471,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { connectHierarchy.add(currDB); connectHierarchy.add(currTbl); + connectHierarchy.add(currCol); inputHierarchy.add(connectHierarchy); // check if this is a create temp function and we need to validate URI @@ -600,6 +570,67 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { return objectHierarchy; } + /** + * Add column level hierarchy to inputHierarchy + * + * @param inputHierarchy + * @param entity + * @param sentryContext + */ + private void addColumnHierarchy(List<List<DBModelAuthorizable>> inputHierarchy, + ReadEntity entity) { + List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); + entityHierarchy.add(hiveAuthzBinding.getAuthServer()); + entityHierarchy.addAll(getAuthzHierarchyFromEntity(entity)); + + switch (entity.getType()) { + case TABLE: + case PARTITION: + List<String> cols = entity.getAccessedColumns(); + for (String col : cols) { + List<DBModelAuthorizable> colHierarchy = new ArrayList<DBModelAuthorizable>(entityHierarchy); + colHierarchy.add(new Column(col)); + inputHierarchy.add(colHierarchy); + } + break; + default: + inputHierarchy.add(entityHierarchy); + } + } + + /** + * Get Authorizable from inputs and put into inputHierarchy + * + * @param inputHierarchy + * @param entity + * @param sentryContext + */ + private void getInputHierarchyFromInputs(List<List<DBModelAuthorizable>> inputHierarchy, + Set<ReadEntity> inputs) { + for (ReadEntity readEntity: inputs) { + // skip the tables/view that are part of expanded view definition. + if (isChildTabForView(readEntity)) { + continue; + } + // If this is a UDF, then check whether its allowed to be executed + // TODO: when we support execute privileges on UDF, this can be removed. + if (isUDF(readEntity)) { + if (isBuiltinUDF(readEntity)) { + checkUDFWhiteList(readEntity.getUDF().getDisplayName()); + } + continue; + } + if (readEntity.getAccessedColumns() != null && !readEntity.getAccessedColumns().isEmpty()) { + addColumnHierarchy(inputHierarchy, readEntity); + } else { + List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); + entityHierarchy.add(hiveAuthzBinding.getAuthServer()); + entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity)); + inputHierarchy.add(entityHierarchy); + } + } + } + // Check if this write entity needs to skipped private boolean filterWriteEntity(WriteEntity writeEntity) throws AuthorizationException { @@ -640,7 +671,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { List<String> filteredResult = new ArrayList<String>(); Subject subject = new Subject(userName); HiveAuthzPrivileges tableMetaDataPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). - addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)). + addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)). setOperationScope(HiveOperationScope.TABLE). setOperationType(HiveOperationType.INFO). build(); @@ -657,6 +688,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer()); externalAuthorizableHierarchy.add(database); externalAuthorizableHierarchy.add(table); + externalAuthorizableHierarchy.add(Column.ALL); inputHierarchy.add(externalAuthorizableHierarchy); try { @@ -679,7 +711,7 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook { List<String> filteredResult = new ArrayList<String>(); Subject subject = new Subject(userName); HiveAuthzPrivileges anyPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). - addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)). + addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)). addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.SELECT)). setOperationScope(HiveOperationScope.CONNECT). setOperationType(HiveOperationType.QUERY). @@ -707,6 +739,7 @@ hiveAuthzBinding.getAuthzConf().get( externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer()); externalAuthorizableHierarchy.add(database); externalAuthorizableHierarchy.add(Table.ALL); + externalAuthorizableHierarchy.add(Column.ALL); inputHierarchy.add(externalAuthorizableHierarchy); try { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index 39a22c6..9b44f15 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -48,6 +48,7 @@ import org.apache.hadoop.hive.ql.plan.RoleDDLDesc; import org.apache.hadoop.hive.ql.plan.ShowGrantDesc; import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.sentry.core.model.db.AccessConstants; import org.slf4j.Logger; @@ -140,12 +141,6 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization if (privilegeObj.getPartSpec() != null) { throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED); } - for (PrivilegeDesc privDesc : privilegeDesc) { - List<String> columns = privDesc.getColumns(); - if (columns != null && !columns.isEmpty()) { - throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED); - } - } for (PrincipalDesc princ : principalDesc) { if (princ.getType() != PrincipalType.ROLE) { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + princ.getType(); @@ -169,12 +164,6 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization if (privilegeObj.getPartSpec() != null) { throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED); } - for (PrivilegeDesc privDesc : privilegeDesc) { - List<String> columns = privDesc.getColumns(); - if (columns != null && !columns.isEmpty()) { - throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED); - } - } for (PrincipalDesc princ : principalDesc) { if (princ.getType() != PrincipalType.ROLE) { String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + princ.getType(); @@ -194,7 +183,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization @Override public Task<? extends Serializable> createShowGrantTask(ASTNode ast, Path resultFile, HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException { - PrivilegeObjectDesc privHiveObj = null; + SentryHivePrivilegeObjectDesc privHiveObj = null; ASTNode principal = (ASTNode) ast.getChild(0); PrincipalType type = PrincipalType.USER; @@ -216,18 +205,20 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization String principalName = BaseSemanticAnalyzer.unescapeIdentifier(principal.getChild(0).getText()); PrincipalDesc principalDesc = new PrincipalDesc(principalName, type); - //Column privileges and Partition privileges are not supported by Sentry + // Partition privileges are not supported by Sentry + List<String> cols = null; if (ast.getChildCount() > 1) { ASTNode child = (ASTNode) ast.getChild(1); if (child.getToken().getType() == HiveParser.TOK_PRIV_OBJECT_COL) { privHiveObj = analyzePrivilegeObject(child); + cols = privHiveObj.getColumns(); }else { throw new SemanticException("Unrecognized Token: " + child.getToken().getType()); } } ShowGrantDesc showGrant = new ShowGrantDesc(resultFile.toString(), - principalDesc, privHiveObj, null); + principalDesc, privHiveObj, cols); return createTask(new DDLWork(inputs, outputs, showGrant)); } @@ -297,8 +288,8 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization if (astChild.getToken().getType() == HiveParser.TOK_PARTSPEC) { throw new SemanticException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED); } else if (astChild.getToken().getType() == HiveParser.TOK_TABCOLNAME) { - throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED); - }else if (astChild.getToken().getType() == HiveParser.TOK_URI) { + subject.setColumns(BaseSemanticAnalyzer.getColumnNames(astChild)); + } else if (astChild.getToken().getType() == HiveParser.TOK_URI) { privilegeObject = privilegeObject.replaceAll("'", "").replaceAll("\"", ""); subject.setUri(true); } else if (astChild.getToken().getType() == HiveParser.TOK_SERVER) { @@ -359,10 +350,16 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privObj.getPriv(); throw new SemanticException(msg); } + List<String> cols = null; if (privilegeDef.getChildCount() > 1) { - throw new SemanticException(SentryHiveConstants.COLUMN_PRIVS_NOT_SUPPORTED); + cols = BaseSemanticAnalyzer.getColumnNames((ASTNode) privilegeDef.getChild(1)); + } + if (cols != null && (privObj.getPriv().equals(PrivilegeType.INSERT) + || privObj.getPriv().equals(PrivilegeType.ALL))) { + String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privObj.getPriv() + " on Column"; + throw new SemanticException(msg); } - PrivilegeDesc privilegeDesc = new PrivilegeDesc(privObj, null); + PrivilegeDesc privilegeDesc = new PrivilegeDesc(privObj, cols); ret.add(privilegeDesc); } return ret; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java index 68b93aa..b4b69e1 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java @@ -322,9 +322,11 @@ public class HiveAuthzBinding { } } } - if(!found && !(key.equals(AuthorizableType.URI)) && !(hiveOp.equals(HiveOperation.QUERY))) { + if(!found && !(key.equals(AuthorizableType.URI)) && !(hiveOp.equals(HiveOperation.QUERY)) + && !(hiveOp.equals(HiveOperation.CREATETABLE_AS_SELECT))) { //URI privileges are optional for some privileges: anyPrivilege, tableDDLAndOptionalUriPrivilege //Query can mean select/insert/analyze where all of them have different required privileges. + //CreateAsSelect can has table/columns privileges with select. //For these alone we skip if there is no equivalent input privilege //TODO: Even this case should be handled to make sure we do not skip the privilege check if we did not build //the input privileges correctly http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java index fa4efc9..b5c7aff 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java @@ -114,6 +114,7 @@ public class HiveAuthzPrivilegesMap { */ HiveAuthzPrivileges tableQueryPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)). + addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)). addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)). addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). setOperationScope(HiveOperationScope.TABLE). @@ -168,8 +169,8 @@ public class HiveAuthzPrivilegesMap { build(); HiveAuthzPrivileges anyPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). - addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT, - DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.DROP, + addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, + DBModelAction.INSERT, DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.INDEX, DBModelAction.LOCK)). addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). //TODO: make them || addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). @@ -261,6 +262,7 @@ public class HiveAuthzPrivilegesMap { hiveAuthzStmtPrivMap.put(HiveOperation.CREATETABLE_AS_SELECT, new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)). + addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)). addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)). setOperationScope(HiveOperationScope.DATABASE). setOperationType(HiveOperationType.DDL). http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java index 2b978d5..8bf1d86 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java @@ -290,6 +290,7 @@ public class SentryConfigTool { String server = null; String database = null; String table = null; + String column = null; String uri = null; String action = AccessConstants.ALL; for (String authorizable : PolicyFileConstants.AUTHORIZABLE_SPLITTER. @@ -315,6 +316,9 @@ public class SentryConfigTool { case URI: uri = a.getName(); break; + case Column: + column = a.getName(); + break; default: break; } @@ -329,6 +333,17 @@ public class SentryConfigTool { uri, roleName)); client.grantURIPrivilege(requestorUserName, roleName, server, uri); + } else if (column != null && !AccessConstants.ALL.equals(column)) { + System.out.println(String.format( + "# server=%s, database=%s", + server, database)); + System.out.println(String.format( + "GRANT %s (%s) ON TABLE %s TO ROLE %s;", + "*".equals(action) ? "ALL" : action.toUpperCase(), column, + table, roleName)); + + client.grantColumnPrivilege(requestorUserName, roleName, server, + database, table, column, action); } else if (table != null && !AccessConstants.ALL.equals(table)) { System.out.println(String.format( "# server=%s, database=%s", http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java index 84d7fba..d41f6cf 100644 --- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java +++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java @@ -37,6 +37,7 @@ import org.apache.sentry.binding.hive.conf.InvalidConfigurationException; import org.apache.sentry.core.common.Subject; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; @@ -75,6 +76,10 @@ public class TestHiveAuthzBindings { private static final String PURCHASES_TAB = "purchases"; private static final String PAYMENT_TAB = "payments"; + // Columns + private static final String AGE_COL = "age"; + private static final String NAME_COL = "name"; + // Entities private List<List<DBModelAuthorizable>> inputTabHierarcyList = new ArrayList<List<DBModelAuthorizable>>(); private List<List<DBModelAuthorizable>> outputTabHierarcyList = new ArrayList<List<DBModelAuthorizable>>(); @@ -279,7 +284,7 @@ public class TestHiveAuthzBindings { */ @Test public void testValidateCreateFunctionForAdmin() throws Exception { - inputTabHierarcyList.add(buildObjectHierarchy(SERVER1, CUSTOMER_DB, PURCHASES_TAB)); + inputTabHierarcyList.add(buildObjectHierarchy(SERVER1, CUSTOMER_DB, PURCHASES_TAB, AGE_COL)); inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] { new Server(SERVER1), new AccessURI("file:///some/path/to/a/jar") })); @@ -289,7 +294,8 @@ public class TestHiveAuthzBindings { @Test public void testValidateCreateFunctionAppropiateURI() throws Exception { inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] { - new Server(SERVER1), new Database(CUSTOMER_DB), new Table(AccessConstants.ALL) + new Server(SERVER1), new Database(CUSTOMER_DB), new Table(AccessConstants.ALL), + new Column(AccessConstants.ALL) })); inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] { new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar") @@ -397,6 +403,14 @@ public class TestHiveAuthzBindings { return authList; } + private List <DBModelAuthorizable> buildObjectHierarchy(String server, String db, String table, String column) { + List <DBModelAuthorizable> authList = buildObjectHierarchy(server, db, table); + if (server != null && db != null && table != null && column != null) { + authList.add(new Column(column)); + } + return authList; + } + /** * Turn off authentication and verify exception is raised in non-testing mode * @throws Exception http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/Column.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/Column.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/Column.java new file mode 100644 index 0000000..89aabfc --- /dev/null +++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/Column.java @@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.core.model.db; + +public class Column implements DBModelAuthorizable { + + /** + * Represents all Column + */ + public static final Column ALL = new Column(AccessConstants.ALL); + + private final String name; + + public Column(String name) { + this.name = name; + } + + @Override + public String getName() { + return name; + } + + @Override + public String toString() { + return "Column [name=" + name + "]"; + } + + @Override + public AuthorizableType getAuthzType() { + return AuthorizableType.Column; + } + + @Override + public String getTypeName() { + return getAuthzType().name(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizable.java ---------------------------------------------------------------------- diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizable.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizable.java index de35bfa..4d74356 100644 --- a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizable.java +++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/DBModelAuthorizable.java @@ -24,6 +24,7 @@ public interface DBModelAuthorizable extends Authorizable { Server, Db, Table, + Column, View, URI }; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java index 873f789..e47c733 100644 --- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java +++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java @@ -17,6 +17,7 @@ package org.apache.sentry.policy.db; import org.apache.sentry.core.model.db.AccessURI; +import org.apache.sentry.core.model.db.Column; import org.apache.sentry.core.model.db.DBModelAuthorizable; import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType; import org.apache.sentry.core.model.db.Database; @@ -55,6 +56,8 @@ public class DBModelAuthorizables { return new Table(name); case View: return new View(name); + case Column: + return new Column(name); case URI: return new AccessURI(name); default: http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java index 51d4248..6449405 100644 --- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java +++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java @@ -135,12 +135,13 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> privileges, Authorizable[] authorizables) { // Only for switch db - if ((authorizables != null)&&(authorizables.length == 3)&&(authorizables[2].getName().equals("+"))) { + if ((authorizables != null)&&(authorizables.length == 4)&&(authorizables[2].getName().equals("+"))) { if ((privileges.size() == 1) && hasOnlyServerPrivilege(privileges.asList().get(0))) { // Assuming authorizable[0] will always be the server // This Code is only reachable only when user fires a 'use default' // and the user has a privilege on atleast 1 privilized Object - String defaultPriv = "Server=" + authorizables[0].getName() + "->Db=default->Table=*->action=select"; + String defaultPriv = "Server=" + authorizables[0].getName() + + "->Db=default->Table=*->Column=*->action=select"; HashSet<String> newPrivs = Sets.newHashSet(defaultPriv); return ImmutableSet.copyOf(newPrivs); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java index 62b6b31..6b051a1 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java @@ -38,6 +38,7 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. private static final org.apache.thrift.protocol.TField REQUESTOR_USER_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("requestorUserName", org.apache.thrift.protocol.TType.STRING, (short)2); private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)3); private static final org.apache.thrift.protocol.TField PRIVILEGE_FIELD_DESC = new org.apache.thrift.protocol.TField("privilege", org.apache.thrift.protocol.TType.STRUCT, (short)5); + private static final org.apache.thrift.protocol.TField PRIVILEGES_FIELD_DESC = new org.apache.thrift.protocol.TField("privileges", org.apache.thrift.protocol.TType.SET, (short)6); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); static { @@ -48,14 +49,16 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. private int protocol_version; // required private String requestorUserName; // required private String roleName; // required - private TSentryPrivilege privilege; // required + private TSentryPrivilege privilege; // optional + private Set<TSentryPrivilege> privileges; // optional /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { PROTOCOL_VERSION((short)1, "protocol_version"), REQUESTOR_USER_NAME((short)2, "requestorUserName"), ROLE_NAME((short)3, "roleName"), - PRIVILEGE((short)5, "privilege"); + PRIVILEGE((short)5, "privilege"), + PRIVILEGES((short)6, "privileges"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); @@ -78,6 +81,8 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. return ROLE_NAME; case 5: // PRIVILEGE return PRIVILEGE; + case 6: // PRIVILEGES + return PRIVILEGES; default: return null; } @@ -120,6 +125,7 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. // isset id assignments private static final int __PROTOCOL_VERSION_ISSET_ID = 0; private byte __isset_bitfield = 0; + private _Fields optionals[] = {_Fields.PRIVILEGE,_Fields.PRIVILEGES}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); @@ -129,8 +135,11 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.ROLE_NAME, new org.apache.thrift.meta_data.FieldMetaData("roleName", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); - tmpMap.put(_Fields.PRIVILEGE, new org.apache.thrift.meta_data.FieldMetaData("privilege", org.apache.thrift.TFieldRequirementType.REQUIRED, + tmpMap.put(_Fields.PRIVILEGE, new org.apache.thrift.meta_data.FieldMetaData("privilege", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class))); + tmpMap.put(_Fields.PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("privileges", org.apache.thrift.TFieldRequirementType.OPTIONAL, + new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class)))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TAlterSentryRoleGrantPrivilegeRequest.class, metaDataMap); } @@ -143,15 +152,13 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. public TAlterSentryRoleGrantPrivilegeRequest( int protocol_version, String requestorUserName, - String roleName, - TSentryPrivilege privilege) + String roleName) { this(); this.protocol_version = protocol_version; setProtocol_versionIsSet(true); this.requestorUserName = requestorUserName; this.roleName = roleName; - this.privilege = privilege; } /** @@ -169,6 +176,13 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. if (other.isSetPrivilege()) { this.privilege = new TSentryPrivilege(other.privilege); } + if (other.isSetPrivileges()) { + Set<TSentryPrivilege> __this__privileges = new HashSet<TSentryPrivilege>(); + for (TSentryPrivilege other_element : other.privileges) { + __this__privileges.add(new TSentryPrivilege(other_element)); + } + this.privileges = __this__privileges; + } } public TAlterSentryRoleGrantPrivilegeRequest deepCopy() { @@ -182,6 +196,7 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. this.requestorUserName = null; this.roleName = null; this.privilege = null; + this.privileges = null; } public int getProtocol_version() { @@ -275,6 +290,44 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. } } + public int getPrivilegesSize() { + return (this.privileges == null) ? 0 : this.privileges.size(); + } + + public java.util.Iterator<TSentryPrivilege> getPrivilegesIterator() { + return (this.privileges == null) ? null : this.privileges.iterator(); + } + + public void addToPrivileges(TSentryPrivilege elem) { + if (this.privileges == null) { + this.privileges = new HashSet<TSentryPrivilege>(); + } + this.privileges.add(elem); + } + + public Set<TSentryPrivilege> getPrivileges() { + return this.privileges; + } + + public void setPrivileges(Set<TSentryPrivilege> privileges) { + this.privileges = privileges; + } + + public void unsetPrivileges() { + this.privileges = null; + } + + /** Returns true if field privileges is set (has been assigned a value) and false otherwise */ + public boolean isSetPrivileges() { + return this.privileges != null; + } + + public void setPrivilegesIsSet(boolean value) { + if (!value) { + this.privileges = null; + } + } + public void setFieldValue(_Fields field, Object value) { switch (field) { case PROTOCOL_VERSION: @@ -309,6 +362,14 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. } break; + case PRIVILEGES: + if (value == null) { + unsetPrivileges(); + } else { + setPrivileges((Set<TSentryPrivilege>)value); + } + break; + } } @@ -326,6 +387,9 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. case PRIVILEGE: return getPrivilege(); + case PRIVILEGES: + return getPrivileges(); + } throw new IllegalStateException(); } @@ -345,6 +409,8 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. return isSetRoleName(); case PRIVILEGE: return isSetPrivilege(); + case PRIVILEGES: + return isSetPrivileges(); } throw new IllegalStateException(); } @@ -398,6 +464,15 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. return false; } + boolean this_present_privileges = true && this.isSetPrivileges(); + boolean that_present_privileges = true && that.isSetPrivileges(); + if (this_present_privileges || that_present_privileges) { + if (!(this_present_privileges && that_present_privileges)) + return false; + if (!this.privileges.equals(that.privileges)) + return false; + } + return true; } @@ -425,6 +500,11 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. if (present_privilege) builder.append(privilege); + boolean present_privileges = true && (isSetPrivileges()); + builder.append(present_privileges); + if (present_privileges) + builder.append(privileges); + return builder.toHashCode(); } @@ -476,6 +556,16 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. return lastComparison; } } + lastComparison = Boolean.valueOf(isSetPrivileges()).compareTo(typedOther.isSetPrivileges()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetPrivileges()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privileges, typedOther.privileges); + if (lastComparison != 0) { + return lastComparison; + } + } return 0; } @@ -515,14 +605,26 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. sb.append(this.roleName); } first = false; - if (!first) sb.append(", "); - sb.append("privilege:"); - if (this.privilege == null) { - sb.append("null"); - } else { - sb.append(this.privilege); + if (isSetPrivilege()) { + if (!first) sb.append(", "); + sb.append("privilege:"); + if (this.privilege == null) { + sb.append("null"); + } else { + sb.append(this.privilege); + } + first = false; + } + if (isSetPrivileges()) { + if (!first) sb.append(", "); + sb.append("privileges:"); + if (this.privileges == null) { + sb.append("null"); + } else { + sb.append(this.privileges); + } + first = false; } - first = false; sb.append(")"); return sb.toString(); } @@ -541,10 +643,6 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. throw new org.apache.thrift.protocol.TProtocolException("Required field 'roleName' is unset! Struct:" + toString()); } - if (!isSetPrivilege()) { - throw new org.apache.thrift.protocol.TProtocolException("Required field 'privilege' is unset! Struct:" + toString()); - } - // check for sub-struct validity if (privilege != null) { privilege.validate(); @@ -620,6 +718,25 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; + case 6: // PRIVILEGES + if (schemeField.type == org.apache.thrift.protocol.TType.SET) { + { + org.apache.thrift.protocol.TSet _set16 = iprot.readSetBegin(); + struct.privileges = new HashSet<TSentryPrivilege>(2*_set16.size); + for (int _i17 = 0; _i17 < _set16.size; ++_i17) + { + TSentryPrivilege _elem18; // required + _elem18 = new TSentryPrivilege(); + _elem18.read(iprot); + struct.privileges.add(_elem18); + } + iprot.readSetEnd(); + } + struct.setPrivilegesIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -647,9 +764,25 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. oprot.writeFieldEnd(); } if (struct.privilege != null) { - oprot.writeFieldBegin(PRIVILEGE_FIELD_DESC); - struct.privilege.write(oprot); - oprot.writeFieldEnd(); + if (struct.isSetPrivilege()) { + oprot.writeFieldBegin(PRIVILEGE_FIELD_DESC); + struct.privilege.write(oprot); + oprot.writeFieldEnd(); + } + } + if (struct.privileges != null) { + if (struct.isSetPrivileges()) { + oprot.writeFieldBegin(PRIVILEGES_FIELD_DESC); + { + oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.privileges.size())); + for (TSentryPrivilege _iter19 : struct.privileges) + { + _iter19.write(oprot); + } + oprot.writeSetEnd(); + } + oprot.writeFieldEnd(); + } } oprot.writeFieldStop(); oprot.writeStructEnd(); @@ -671,7 +804,26 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. oprot.writeI32(struct.protocol_version); oprot.writeString(struct.requestorUserName); oprot.writeString(struct.roleName); - struct.privilege.write(oprot); + BitSet optionals = new BitSet(); + if (struct.isSetPrivilege()) { + optionals.set(0); + } + if (struct.isSetPrivileges()) { + optionals.set(1); + } + oprot.writeBitSet(optionals, 2); + if (struct.isSetPrivilege()) { + struct.privilege.write(oprot); + } + if (struct.isSetPrivileges()) { + { + oprot.writeI32(struct.privileges.size()); + for (TSentryPrivilege _iter20 : struct.privileges) + { + _iter20.write(oprot); + } + } + } } @Override @@ -683,9 +835,26 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. struct.setRequestorUserNameIsSet(true); struct.roleName = iprot.readString(); struct.setRoleNameIsSet(true); - struct.privilege = new TSentryPrivilege(); - struct.privilege.read(iprot); - struct.setPrivilegeIsSet(true); + BitSet incoming = iprot.readBitSet(2); + if (incoming.get(0)) { + struct.privilege = new TSentryPrivilege(); + struct.privilege.read(iprot); + struct.setPrivilegeIsSet(true); + } + if (incoming.get(1)) { + { + org.apache.thrift.protocol.TSet _set21 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + struct.privileges = new HashSet<TSentryPrivilege>(2*_set21.size); + for (int _i22 = 0; _i22 < _set21.size; ++_i22) + { + TSentryPrivilege _elem23; // required + _elem23 = new TSentryPrivilege(); + _elem23.read(iprot); + struct.privileges.add(_elem23); + } + } + struct.setPrivilegesIsSet(true); + } } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeResponse.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeResponse.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeResponse.java index 5246889..0cadf16 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeResponse.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TAlterSentryRoleGrantPrivilegeResponse.java @@ -36,6 +36,7 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift private static final org.apache.thrift.protocol.TField STATUS_FIELD_DESC = new org.apache.thrift.protocol.TField("status", org.apache.thrift.protocol.TType.STRUCT, (short)1); private static final org.apache.thrift.protocol.TField PRIVILEGE_FIELD_DESC = new org.apache.thrift.protocol.TField("privilege", org.apache.thrift.protocol.TType.STRUCT, (short)2); + private static final org.apache.thrift.protocol.TField PRIVILEGES_FIELD_DESC = new org.apache.thrift.protocol.TField("privileges", org.apache.thrift.protocol.TType.SET, (short)3); private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>(); static { @@ -45,11 +46,13 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift private org.apache.sentry.service.thrift.TSentryResponseStatus status; // required private TSentryPrivilege privilege; // optional + private Set<TSentryPrivilege> privileges; // optional /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { STATUS((short)1, "status"), - PRIVILEGE((short)2, "privilege"); + PRIVILEGE((short)2, "privilege"), + PRIVILEGES((short)3, "privileges"); private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); @@ -68,6 +71,8 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift return STATUS; case 2: // PRIVILEGE return PRIVILEGE; + case 3: // PRIVILEGES + return PRIVILEGES; default: return null; } @@ -108,7 +113,7 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift } // isset id assignments - private _Fields optionals[] = {_Fields.PRIVILEGE}; + private _Fields optionals[] = {_Fields.PRIVILEGE,_Fields.PRIVILEGES}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); @@ -116,6 +121,9 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, org.apache.sentry.service.thrift.TSentryResponseStatus.class))); tmpMap.put(_Fields.PRIVILEGE, new org.apache.thrift.meta_data.FieldMetaData("privilege", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class))); + tmpMap.put(_Fields.PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("privileges", org.apache.thrift.TFieldRequirementType.OPTIONAL, + new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class)))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TAlterSentryRoleGrantPrivilegeResponse.class, metaDataMap); } @@ -140,6 +148,13 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift if (other.isSetPrivilege()) { this.privilege = new TSentryPrivilege(other.privilege); } + if (other.isSetPrivileges()) { + Set<TSentryPrivilege> __this__privileges = new HashSet<TSentryPrivilege>(); + for (TSentryPrivilege other_element : other.privileges) { + __this__privileges.add(new TSentryPrivilege(other_element)); + } + this.privileges = __this__privileges; + } } public TAlterSentryRoleGrantPrivilegeResponse deepCopy() { @@ -150,6 +165,7 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift public void clear() { this.status = null; this.privilege = null; + this.privileges = null; } public org.apache.sentry.service.thrift.TSentryResponseStatus getStatus() { @@ -198,6 +214,44 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift } } + public int getPrivilegesSize() { + return (this.privileges == null) ? 0 : this.privileges.size(); + } + + public java.util.Iterator<TSentryPrivilege> getPrivilegesIterator() { + return (this.privileges == null) ? null : this.privileges.iterator(); + } + + public void addToPrivileges(TSentryPrivilege elem) { + if (this.privileges == null) { + this.privileges = new HashSet<TSentryPrivilege>(); + } + this.privileges.add(elem); + } + + public Set<TSentryPrivilege> getPrivileges() { + return this.privileges; + } + + public void setPrivileges(Set<TSentryPrivilege> privileges) { + this.privileges = privileges; + } + + public void unsetPrivileges() { + this.privileges = null; + } + + /** Returns true if field privileges is set (has been assigned a value) and false otherwise */ + public boolean isSetPrivileges() { + return this.privileges != null; + } + + public void setPrivilegesIsSet(boolean value) { + if (!value) { + this.privileges = null; + } + } + public void setFieldValue(_Fields field, Object value) { switch (field) { case STATUS: @@ -216,6 +270,14 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift } break; + case PRIVILEGES: + if (value == null) { + unsetPrivileges(); + } else { + setPrivileges((Set<TSentryPrivilege>)value); + } + break; + } } @@ -227,6 +289,9 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift case PRIVILEGE: return getPrivilege(); + case PRIVILEGES: + return getPrivileges(); + } throw new IllegalStateException(); } @@ -242,6 +307,8 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift return isSetStatus(); case PRIVILEGE: return isSetPrivilege(); + case PRIVILEGES: + return isSetPrivileges(); } throw new IllegalStateException(); } @@ -277,6 +344,15 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift return false; } + boolean this_present_privileges = true && this.isSetPrivileges(); + boolean that_present_privileges = true && that.isSetPrivileges(); + if (this_present_privileges || that_present_privileges) { + if (!(this_present_privileges && that_present_privileges)) + return false; + if (!this.privileges.equals(that.privileges)) + return false; + } + return true; } @@ -294,6 +370,11 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift if (present_privilege) builder.append(privilege); + boolean present_privileges = true && (isSetPrivileges()); + builder.append(present_privileges); + if (present_privileges) + builder.append(privileges); + return builder.toHashCode(); } @@ -325,6 +406,16 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift return lastComparison; } } + lastComparison = Boolean.valueOf(isSetPrivileges()).compareTo(typedOther.isSetPrivileges()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetPrivileges()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privileges, typedOther.privileges); + if (lastComparison != 0) { + return lastComparison; + } + } return 0; } @@ -362,6 +453,16 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift } first = false; } + if (isSetPrivileges()) { + if (!first) sb.append(", "); + sb.append("privileges:"); + if (this.privileges == null) { + sb.append("null"); + } else { + sb.append(this.privileges); + } + first = false; + } sb.append(")"); return sb.toString(); } @@ -433,6 +534,25 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; + case 3: // PRIVILEGES + if (schemeField.type == org.apache.thrift.protocol.TType.SET) { + { + org.apache.thrift.protocol.TSet _set24 = iprot.readSetBegin(); + struct.privileges = new HashSet<TSentryPrivilege>(2*_set24.size); + for (int _i25 = 0; _i25 < _set24.size; ++_i25) + { + TSentryPrivilege _elem26; // required + _elem26 = new TSentryPrivilege(); + _elem26.read(iprot); + struct.privileges.add(_elem26); + } + iprot.readSetEnd(); + } + struct.setPrivilegesIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -458,6 +578,20 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift oprot.writeFieldEnd(); } } + if (struct.privileges != null) { + if (struct.isSetPrivileges()) { + oprot.writeFieldBegin(PRIVILEGES_FIELD_DESC); + { + oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.privileges.size())); + for (TSentryPrivilege _iter27 : struct.privileges) + { + _iter27.write(oprot); + } + oprot.writeSetEnd(); + } + oprot.writeFieldEnd(); + } + } oprot.writeFieldStop(); oprot.writeStructEnd(); } @@ -480,10 +614,22 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift if (struct.isSetPrivilege()) { optionals.set(0); } - oprot.writeBitSet(optionals, 1); + if (struct.isSetPrivileges()) { + optionals.set(1); + } + oprot.writeBitSet(optionals, 2); if (struct.isSetPrivilege()) { struct.privilege.write(oprot); } + if (struct.isSetPrivileges()) { + { + oprot.writeI32(struct.privileges.size()); + for (TSentryPrivilege _iter28 : struct.privileges) + { + _iter28.write(oprot); + } + } + } } @Override @@ -492,12 +638,26 @@ public class TAlterSentryRoleGrantPrivilegeResponse implements org.apache.thrift struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(); struct.status.read(iprot); struct.setStatusIsSet(true); - BitSet incoming = iprot.readBitSet(1); + BitSet incoming = iprot.readBitSet(2); if (incoming.get(0)) { struct.privilege = new TSentryPrivilege(); struct.privilege.read(iprot); struct.setPrivilegeIsSet(true); } + if (incoming.get(1)) { + { + org.apache.thrift.protocol.TSet _set29 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + struct.privileges = new HashSet<TSentryPrivilege>(2*_set29.size); + for (int _i30 = 0; _i30 < _set29.size; ++_i30) + { + TSentryPrivilege _elem31; // required + _elem31 = new TSentryPrivilege(); + _elem31.read(iprot); + struct.privileges.add(_elem31); + } + } + struct.setPrivilegesIsSet(true); + } } }
