SENTRY-530: Add thrift protocol version check ( Dapeng Sun, Reviewed by: Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0dc5aa49 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0dc5aa49 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0dc5aa49 Branch: refs/heads/hive_plugin_v2 Commit: 0dc5aa49fa769aebe64e18ce5cef7fbabb3fe7a4 Parents: 58a8358 Author: Sravya Tirukkovalur <[email protected]> Authored: Tue Jul 21 13:56:58 2015 -0700 Committer: Sravya Tirukkovalur <[email protected]> Committed: Tue Jul 21 13:56:58 2015 -0700 ---------------------------------------------------------------------- .../TAlterSentryRoleAddGroupsRequest.java | 4 +- .../TAlterSentryRoleDeleteGroupsRequest.java | 4 +- .../TAlterSentryRoleGrantPrivilegeRequest.java | 4 +- .../TAlterSentryRoleRevokePrivilegeRequest.java | 4 +- .../thrift/TCreateSentryRoleRequest.java | 4 +- .../service/thrift/TDropPrivilegesRequest.java | 4 +- .../service/thrift/TDropSentryRoleRequest.java | 4 +- ...TListSentryPrivilegesForProviderRequest.java | 4 +- .../thrift/TListSentryPrivilegesRequest.java | 4 +- .../service/thrift/TListSentryRolesRequest.java | 4 +- .../thrift/TRenamePrivilegesRequest.java | 4 +- .../thrift/sentry_common_serviceConstants.java | 4 +- .../db/SentryThriftAPIMismatchException.java | 30 ++++++++ .../thrift/SentryPolicyStoreProcessor.java | 80 +++++++++++++++++--- .../sentry/service/thrift/ServiceConstants.java | 2 +- .../apache/sentry/service/thrift/Status.java | 7 ++ .../main/resources/sentry_common_service.thrift | 3 +- .../thrift/TestSentryPolicyStoreProcessor.java | 11 ++- 18 files changed, 143 insertions(+), 38 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleAddGroupsRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleAddGroupsRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleAddGroupsRequest.java index a0c30fe..330d37c 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleAddGroupsRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleAddGroupsRequest.java @@ -144,7 +144,7 @@ public class TAlterSentryRoleAddGroupsRequest implements org.apache.thrift.TBase } public TAlterSentryRoleAddGroupsRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -194,7 +194,7 @@ public class TAlterSentryRoleAddGroupsRequest implements org.apache.thrift.TBase @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleDeleteGroupsRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleDeleteGroupsRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleDeleteGroupsRequest.java index 156688c..e7b65cd 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleDeleteGroupsRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleDeleteGroupsRequest.java @@ -144,7 +144,7 @@ public class TAlterSentryRoleDeleteGroupsRequest implements org.apache.thrift.TB } public TAlterSentryRoleDeleteGroupsRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -194,7 +194,7 @@ public class TAlterSentryRoleDeleteGroupsRequest implements org.apache.thrift.TB @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java index 51e1017..4e245a3 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleGrantPrivilegeRequest.java @@ -143,7 +143,7 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. } public TAlterSentryRoleGrantPrivilegeRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -189,7 +189,7 @@ public class TAlterSentryRoleGrantPrivilegeRequest implements org.apache.thrift. @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleRevokePrivilegeRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleRevokePrivilegeRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleRevokePrivilegeRequest.java index 07b155f..e9e06ac 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleRevokePrivilegeRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TAlterSentryRoleRevokePrivilegeRequest.java @@ -143,7 +143,7 @@ public class TAlterSentryRoleRevokePrivilegeRequest implements org.apache.thrift } public TAlterSentryRoleRevokePrivilegeRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -189,7 +189,7 @@ public class TAlterSentryRoleRevokePrivilegeRequest implements org.apache.thrift @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TCreateSentryRoleRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TCreateSentryRoleRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TCreateSentryRoleRequest.java index 07f0eca..824361d 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TCreateSentryRoleRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TCreateSentryRoleRequest.java @@ -136,7 +136,7 @@ public class TCreateSentryRoleRequest implements org.apache.thrift.TBase<TCreate } public TCreateSentryRoleRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -177,7 +177,7 @@ public class TCreateSentryRoleRequest implements org.apache.thrift.TBase<TCreate @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropPrivilegesRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropPrivilegesRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropPrivilegesRequest.java index 26b136a..667be2e 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropPrivilegesRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropPrivilegesRequest.java @@ -136,7 +136,7 @@ public class TDropPrivilegesRequest implements org.apache.thrift.TBase<TDropPriv } public TDropPrivilegesRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -177,7 +177,7 @@ public class TDropPrivilegesRequest implements org.apache.thrift.TBase<TDropPriv @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.privilege = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropSentryRoleRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropSentryRoleRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropSentryRoleRequest.java index 6958542..1e0c997 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropSentryRoleRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TDropSentryRoleRequest.java @@ -136,7 +136,7 @@ public class TDropSentryRoleRequest implements org.apache.thrift.TBase<TDropSent } public TDropSentryRoleRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -177,7 +177,7 @@ public class TDropSentryRoleRequest implements org.apache.thrift.TBase<TDropSent @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesForProviderRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesForProviderRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesForProviderRequest.java index d1dd6a1..5e443b4 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesForProviderRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesForProviderRequest.java @@ -153,7 +153,7 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif } public TListSentryPrivilegesForProviderRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -210,7 +210,7 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.component = null; this.serviceName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesRequest.java index 505c548..d6afe5a 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesRequest.java @@ -152,7 +152,7 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi } public TListSentryPrivilegesRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -205,7 +205,7 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.roleName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryRolesRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryRolesRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryRolesRequest.java index 078cb6b..08a4e36 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryRolesRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryRolesRequest.java @@ -137,7 +137,7 @@ public class TListSentryRolesRequest implements org.apache.thrift.TBase<TListSen } public TListSentryRolesRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -176,7 +176,7 @@ public class TListSentryRolesRequest implements org.apache.thrift.TBase<TListSen @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.groupName = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TRenamePrivilegesRequest.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TRenamePrivilegesRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TRenamePrivilegesRequest.java index 22d9b4c..6b2ec0a 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TRenamePrivilegesRequest.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TRenamePrivilegesRequest.java @@ -152,7 +152,7 @@ public class TRenamePrivilegesRequest implements org.apache.thrift.TBase<TRename } public TRenamePrivilegesRequest() { - this.protocol_version = 1; + this.protocol_version = 2; } @@ -211,7 +211,7 @@ public class TRenamePrivilegesRequest implements org.apache.thrift.TBase<TRename @Override public void clear() { - this.protocol_version = 1; + this.protocol_version = 2; this.requestorUserName = null; this.component = null; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/service/thrift/sentry_common_serviceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/service/thrift/sentry_common_serviceConstants.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/service/thrift/sentry_common_serviceConstants.java index 6c3d171..ff2ddb7 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/service/thrift/sentry_common_serviceConstants.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/service/thrift/sentry_common_serviceConstants.java @@ -35,7 +35,7 @@ public class sentry_common_serviceConstants { public static final int TSENTRY_SERVICE_V1 = 1; - public static final int TSENTRY_SERVICE_V2 = 1; + public static final int TSENTRY_SERVICE_V2 = 2; public static final int TSENTRY_STATUS_OK = 0; @@ -49,4 +49,6 @@ public class sentry_common_serviceConstants { public static final int TSENTRY_STATUS_ACCESS_DENIED = 5; + public static final int TSENTRY_STATUS_THRIFT_VERSION_MISMATCH = 6; + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryThriftAPIMismatchException.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryThriftAPIMismatchException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryThriftAPIMismatchException.java new file mode 100644 index 0000000..1046160 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryThriftAPIMismatchException.java @@ -0,0 +1,30 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.sentry.provider.db; + +import org.apache.sentry.SentryUserException; + +public class SentryThriftAPIMismatchException extends SentryUserException { + private static final long serialVersionUID = 7535410604425511738L; + public SentryThriftAPIMismatchException(String msg) { + super(msg); + } + public SentryThriftAPIMismatchException(String msg, String reason) { + super(msg, reason); + } +} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 30792f3..406daa0 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -18,26 +18,16 @@ package org.apache.sentry.provider.db.service.thrift; -import java.io.IOException; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; -import java.util.HashMap; import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; import java.util.regex.Pattern; -import java.util.concurrent.atomic.AtomicLong; -import java.util.concurrent.locks.ReentrantReadWriteLock; -import com.codahale.metrics.Timer; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; -import org.apache.hadoop.hive.metastore.api.Database; -import org.apache.hadoop.hive.metastore.api.Partition; -import org.apache.hadoop.hive.metastore.api.Table; import org.apache.sentry.SentryUserException; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.common.GroupMappingService; @@ -47,6 +37,7 @@ import org.apache.sentry.provider.db.SentryInvalidInputException; import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.SentryPolicyStorePlugin; import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException; +import org.apache.sentry.provider.db.SentryThriftAPIMismatchException; import org.apache.sentry.provider.db.log.entity.JsonLogEntity; import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory; import org.apache.sentry.provider.db.log.util.Constants; @@ -55,10 +46,9 @@ import org.apache.sentry.provider.db.service.persistent.HAContext; import org.apache.sentry.provider.db.service.persistent.SentryStore; import org.apache.sentry.provider.db.service.persistent.ServiceRegister; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig; +import org.apache.sentry.service.thrift.ServiceConstants; import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; -import org.apache.sentry.service.thrift.ProcessorFactory; import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; import org.apache.sentry.service.thrift.Status; import org.apache.sentry.service.thrift.TSentryResponseStatus; @@ -66,6 +56,7 @@ import org.apache.thrift.TException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.codahale.metrics.Timer; import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Preconditions; import com.google.common.base.Splitter; @@ -233,6 +224,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.createRoleTimer.time(); TCreateSentryRoleResponse response = new TCreateSentryRoleResponse(); try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName()); @@ -246,6 +238,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -266,6 +261,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse(); try { + validateClientVersion(request.getProtocol_version()); // There should only one field be set if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) { throw new SentryUserException("SENTRY API version is not right!"); @@ -298,6 +294,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -320,6 +319,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.revokeTimer.time(); TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse(); try { + validateClientVersion(request.getProtocol_version()); // There should only one field be set if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) { throw new SentryUserException("SENTRY API version is not right!"); @@ -363,6 +363,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -386,6 +389,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TDropSentryRoleResponse response = new TDropSentryRoleResponse(); TSentryResponseStatus status; try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.dropSentryRole(request.getRoleName()); @@ -402,6 +406,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -421,6 +428,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time(); TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse(); try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.alterSentryRoleAddGroups(request.getRequestorUserName(), @@ -438,6 +446,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -457,6 +468,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.revokeRoleTimer.time(); TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse(); try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(), @@ -474,6 +486,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error adding groups to role: " + request; LOGGER.error(msg, e); @@ -497,6 +512,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { String subject = request.getRequestorUserName(); boolean checkAllGroups = false; try { + validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(subject); // Don't check admin permissions for listing requestor's own roles if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) { @@ -523,6 +539,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -542,6 +561,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>(); String subject = request.getRequestorUserName(); try { + validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(subject); Boolean admin = inAdminGroups(groups); if(!admin) { @@ -566,6 +586,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -587,6 +610,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse(); response.setPrivileges(new HashSet<String>()); try { + validateClientVersion(request.getProtocol_version()); Set<String> privilegesForProvider = sentryStore.listSentryPrivilegesForProvider( request.getGroups(), request.getRoleSet(), request.getAuthorizableHierarchy()); response.setPrivileges(privilegesForProvider); @@ -605,6 +629,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } } response.setStatus(Status.OK()); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); @@ -660,6 +687,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.dropPrivilegeTimer.time(); TDropPrivilegesResponse response = new TDropPrivilegesResponse(); try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), adminGroups); sentryStore.dropPrivilege(request.getAuthorizable()); for (SentryPolicyStorePlugin plugin : sentryPlugins) { @@ -669,6 +697,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); @@ -686,6 +717,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { final Timer.Context timerContext = sentryMetrics.renamePrivilegeTimer.time(); TRenamePrivilegesResponse response = new TRenamePrivilegesResponse(); try { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), adminGroups); sentryStore.renamePrivilege(request.getOldAuthorizable(), request.getNewAuthorizable()); @@ -696,6 +728,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); @@ -717,6 +752,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { Set<String> requestedGroups = request.getGroups(); TSentryActiveRoleSet requestedRoleSet = request.getRoleSet(); try { + validateClientVersion(request.getProtocol_version()); Set<String> memberGroups = getRequestorGroups(subject); if(!inAdminGroups(memberGroups)) { // disallow non-admin to lookup groups that they are not part of @@ -757,6 +793,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); @@ -786,6 +825,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { TSentryConfigValueResponse response = new TSentryConfigValueResponse(); String attr = request.getPropertyName(); + try { + validateClientVersion(request.getProtocol_version()); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); + } // Only allow config parameters like... if (!Pattern.matches(requirePattern, attr) || Pattern.matches(excludePattern, attr)) { @@ -801,4 +846,15 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { response.setStatus(Status.OK()); return response; } + + @VisibleForTesting + static void validateClientVersion(int protocol_version) throws SentryThriftAPIMismatchException { + if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocol_version) { + String msg = "Sentry thrift API protocol version mismatch: Client thrift version " + + "is: " + protocol_version + " , server thrift verion " + + "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT; + throw new SentryThriftAPIMismatchException(msg); + } + } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java index 835c3d0..bc35742 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java @@ -206,7 +206,7 @@ public class ServiceConstants { * Thrift generates terrible constant class names */ public static class ThriftConstants extends org.apache.sentry.service.thrift.sentry_common_serviceConstants { - public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V1; + public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V2; } /* Privilege operation scope */ http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java index c93dad5..ed541d0 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java @@ -27,6 +27,7 @@ import org.apache.sentry.provider.db.SentryAccessDeniedException; import org.apache.sentry.provider.db.SentryAlreadyExistsException; import org.apache.sentry.provider.db.SentryInvalidInputException; import org.apache.sentry.provider.db.SentryNoSuchObjectException; +import org.apache.sentry.provider.db.SentryThriftAPIMismatchException; import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; /** @@ -39,6 +40,7 @@ public enum Status { RUNTIME_ERROR(ThriftConstants.TSENTRY_STATUS_RUNTIME_ERROR), INVALID_INPUT(ThriftConstants.TSENTRY_STATUS_INVALID_INPUT), ACCESS_DENIED(ThriftConstants.TSENTRY_STATUS_ACCESS_DENIED), + THRIFT_VERSION_MISMATCH(ThriftConstants.TSENTRY_STATUS_THRIFT_VERSION_MISMATCH), UNKNOWN(-1) ; private int code; @@ -77,6 +79,9 @@ public enum Status { public static TSentryResponseStatus InvalidInput(String message, Throwable t) { return Create(Status.INVALID_INPUT, message, t); } + public static TSentryResponseStatus THRIFT_VERSION_MISMATCH(String message, Throwable t) { + return Create(Status.THRIFT_VERSION_MISMATCH, message, t); + } public static TSentryResponseStatus Create(Status value, String message, @Nullable Throwable t) { TSentryResponseStatus status = new TSentryResponseStatus(); status.setValue(value.getCode()); @@ -106,6 +111,8 @@ public enum Status { throw new SentryInvalidInputException(serverErrorToString(thriftStatus), thriftStatus.getMessage()); case ACCESS_DENIED: throw new SentryAccessDeniedException(serverErrorToString(thriftStatus), thriftStatus.getMessage()); + case THRIFT_VERSION_MISMATCH: + throw new SentryThriftAPIMismatchException(serverErrorToString(thriftStatus), thriftStatus.getMessage()); case UNKNOWN: throw new AssertionError(serverErrorToString(thriftStatus)); default: http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift index 956dabe..9d35faf 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift @@ -25,7 +25,7 @@ namespace php sentry.service.thrift namespace cpp Apache.Sentry.Service.Thrift const i32 TSENTRY_SERVICE_V1 = 1; -const i32 TSENTRY_SERVICE_V2 = 1; +const i32 TSENTRY_SERVICE_V2 = 2; const i32 TSENTRY_STATUS_OK = 0; const i32 TSENTRY_STATUS_ALREADY_EXISTS = 1; @@ -33,6 +33,7 @@ const i32 TSENTRY_STATUS_NO_SUCH_OBJECT = 2; const i32 TSENTRY_STATUS_RUNTIME_ERROR = 3; const i32 TSENTRY_STATUS_INVALID_INPUT = 4; const i32 TSENTRY_STATUS_ACCESS_DENIED = 5; +const i32 TSENTRY_STATUS_THRIFT_VERSION_MISMATCH = 6; struct TSentryResponseStatus { 1: required i32 value, http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0dc5aa49/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java index ea4e967..9ae6cb0 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java @@ -20,8 +20,9 @@ package org.apache.sentry.provider.db.service.thrift; import junit.framework.Assert; import org.apache.hadoop.conf.Configuration; +import org.apache.sentry.provider.db.SentryThriftAPIMismatchException; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.apache.sentry.service.thrift.ServiceConstants; import org.junit.Before; import org.junit.Test; @@ -68,4 +69,12 @@ public class TestSentryPolicyStoreProcessor { super(config); } } + @Test(expected=SentryThriftAPIMismatchException.class) + public void testSentryThriftAPIMismatch() throws Exception { + SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1); + } + @Test + public void testSentryThriftAPIMatchVersion() throws Exception { + SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + } }
