Repository: incubator-sentry Updated Branches: refs/heads/master f0714a244 -> 3d53d254a
SENTRY-841: Revoke on SERVER scope breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun, Reviewed by Colin Ma) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/3d53d254 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/3d53d254 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/3d53d254 Branch: refs/heads/master Commit: 3d53d254ac1c569e339515db4e8a04491bc27309 Parents: f0714a2 Author: Sun Dapeng <s...@apache.org> Authored: Sun Sep 6 09:15:49 2015 +0800 Committer: Sun Dapeng <s...@apache.org> Committed: Sun Sep 6 09:16:42 2015 +0800 ---------------------------------------------------------------------- .../thrift/SentryPolicyServiceClient.java | 3 +++ .../SentryPolicyServiceClientDefaultImpl.java | 7 +++++ .../thrift/TestSentryServiceIntegration.java | 28 ++++++++++++++++++++ 3 files changed, 38 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3d53d254/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java index 3c2c7c6..cbc0aaf 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java 
@@ -113,6 +113,9 @@ public interface SentryPolicyServiceClient { public void revokeServerPrivilege(String requestorUserName, String roleName, String server, String action, Boolean grantOption) throws SentryUserException; + public void revokeServerPrivilege(String requestorUserName, String roleName, String server, + boolean grantOption) throws SentryUserException; + public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3d53d254/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java index 4afe1b4..fe2fef7 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java 
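Review bot: The four-argument `revokeServerPrivilege` added to SentryPolicyServiceClient has no Javadoc, so a caller cannot tell from the interface that it revokes every action on the server rather than a named one. I would put `/** Revokes the ALL privilege on {@code server} from {@code roleName}; prefer this overload to passing an action string. */` above it. The five-argument overload taking `String action` stays in the interface with no deprecation marker. If the new form is meant to supersede it, `@Deprecated` plus a pointer to the replacement would steer callers away from the free-form parameter. The new overload also takes primitive `boolean grantOption` where its sibling takes `Boolean`, which deserves a word in the comment if the difference is deliberate.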
@@ -497,6 +497,13 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption); } + public void revokeServerPrivilege(String requestorUserName, + String roleName, String server, boolean grantOption) + throws SentryUserException { + revokePrivilege(requestorUserName, roleName, + PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption); + } + public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3d53d254/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java index 02c7535..0d35b7d 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 
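Review bot: The five-argument `revokeServerPrivilege` whose tail is visible just above the added method still forwards `action` to `revokePrivilege` unchecked, so the "any string" path named in the commit title stays reachable; this commit only adds a second entry point that pins `AccessConstants.ALL`. If an unrecognised action fails to match the stored privilege, the revoke would presumably return without removing the grant, and an authorization client should fail loudly rather than appear to succeed. Unless the server rejects unknown actions (not visible here), the older overload should validate `action` against the accepted constants and throw `SentryUserException` before sending the request. The added method can also carry `@Override`, since it implements the interface method introduced in the same commit. The older overload's signature lies outside this hunk.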
@@ -820,4 +820,32 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase { }}); } + + /* SENTRY-841 */ + @Test + public void testGranRevokePrivilegeOnServerForRole() throws Exception { + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String requestorUserName = ADMIN_USER; + Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorUserName, requestorUserGroupNames); + writePolicyFile(); + + String roleName1 = "admin_r1"; + + client.dropRoleIfExists(requestorUserName, roleName1); + client.createRole(requestorUserName, roleName1); + + client.grantServerPrivilege(requestorUserName, roleName1, "server", false); + + Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*")); + + client.revokeServerPrivilege(requestorUserName, roleName1, "server", false); + listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); + assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0); + + }}); + } }
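Review bot: The test in TestSentryServiceIntegration only drives the new four-argument revoke on the happy path, so nothing pins what happens when the older overload is called with an arbitrary action string, which is the behaviour SENTRY-841 reports. A second case should make that call and assert either a `SentryUserException` or an unchanged privilege list, whichever the project intends. Separately, `listPrivs.iterator().next()` runs before the set is checked, so a failed grant surfaces as NoSuchElementException rather than the assertion message; add `assertEquals(1, listPrivs.size());` before it and use `assertEquals(0, listPrivs.size());` for the final check (assuming `assertEquals` is imported alongside `assertTrue`). The method name has a typo and should read `testGrantRevokePrivilegeOnServerForRole`.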