KUDU-428: Sentry integration scaffolding In preparation for KUDU-428 (Sentry integration), this commit introduces some basic module and build-system scaffolding, including a new 'sentry' module, as well as the Sentry service thrift definition files. This is heavily based on the HMS integration equivalents.
Change-Id: I51e68299b97f74f6844bfa9f8aba4c0bd4246c11 Reviewed-on: http://gerrit.cloudera.org:8080/11292 Reviewed-by: Adar Dembo <a...@cloudera.com> Tested-by: Kudu Jenkins Project: http://git-wip-us.apache.org/repos/asf/kudu/repo Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/846eb7f9 Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/846eb7f9 Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/846eb7f9 Branch: refs/heads/master Commit: 846eb7f9705812515fadffe1eacb69bf60ad5a9b Parents: 81ab99b Author: Dan Burkert <danburk...@apache.org> Authored: Fri Aug 17 12:05:53 2018 -0700 Committer: Dan Burkert <danburk...@apache.org> Committed: Tue Aug 28 23:34:17 2018 +0000 ---------------------------------------------------------------------- CMakeLists.txt | 3 +- cmake_modules/FindThrift.cmake | 14 +- src/kudu/hms/CMakeLists.txt | 16 +- src/kudu/mini-cluster/CMakeLists.txt | 2 +- src/kudu/sentry/CMakeLists.txt | 67 ++++ src/kudu/sentry/mini_sentry.cc | 23 ++ src/kudu/sentry/mini_sentry.h | 28 ++ src/kudu/sentry/sentry_client-test.cc | 39 +++ src/kudu/sentry/sentry_client.cc | 23 ++ src/kudu/sentry/sentry_client.h | 28 ++ src/kudu/sentry/sentry_common_service.thrift | 50 +++ src/kudu/sentry/sentry_policy_service.thrift | 370 ++++++++++++++++++++++ src/kudu/sentry/thrift_operators.cc | 62 ++++ 13 files changed, 717 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/CMakeLists.txt ---------------------------------------------------------------------- diff --git a/CMakeLists.txt b/CMakeLists.txt index 7029a4a..0cd6bc1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -1374,7 +1374,7 @@ endif (UNIX) ############################################################ if (UNIX) add_custom_target(iwyu-generated-headers - DEPENDS pb-gen krpc-gen hms_thrift) + DEPENDS pb-gen krpc-gen hms_thrift sentry_thrift) add_custom_target(iwyu ${BUILD_SUPPORT_DIR}/iwyu.py --from-git DEPENDS iwyu-generated-headers) add_custom_target(iwyu-fix ${BUILD_SUPPORT_DIR}/iwyu.py --fix --from-git @@ -1474,6 +1474,7 @@ add_subdirectory(src/kudu/master) add_subdirectory(src/kudu/mini-cluster) add_subdirectory(src/kudu/rpc) add_subdirectory(src/kudu/security) +add_subdirectory(src/kudu/sentry) add_subdirectory(src/kudu/server) add_subdirectory(src/kudu/tablet) add_subdirectory(src/kudu/tools) http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/cmake_modules/FindThrift.cmake ---------------------------------------------------------------------- diff --git a/cmake_modules/FindThrift.cmake b/cmake_modules/FindThrift.cmake index 834bbfd..3b9b217 100644 --- a/cmake_modules/FindThrift.cmake +++ b/cmake_modules/FindThrift.cmake @@ -51,6 +51,8 @@ # custom targets; if SRCS/HDRS need to be used in multiple # libraries, those libraries should depend on these targets # in order to "serialize" the thrift invocations +# FB303 = Option which determines if the Thrift definitions depend on the +# FB303 support library. # ==================================================================== function(THRIFT_GENERATE_CPP SRCS HDRS TGTS) @@ -59,7 +61,7 @@ function(THRIFT_GENERATE_CPP SRCS HDRS TGTS) return() endif(NOT ARGN) - set(options) + set(options FB303) set(one_value_args SOURCE_ROOT BINARY_ROOT) set(multi_value_args EXTRA_THRIFT_PATHS THRIFT_FILES) cmake_parse_arguments(ARG "${options}" "${one_value_args}" "${multi_value_args}" ${ARGN}) 
@@ -102,9 +104,13 @@ function(THRIFT_GENERATE_CPP SRCS HDRS TGTS) list(APPEND THRIFT_CC_OUT "${ARG_BINARY_ROOT}/${SERVICE}.cpp") endforeach() - # TODO(dan): Add the fb303 files manually. This is a complete hack. - list(APPEND ${SRCS} "${THRIFT_CC_OUT}" "fb303_types.cpp" "fb303_constants.cpp" "FacebookService.cpp") - list(APPEND ${HDRS} "${THRIFT_H_OUT}" "fb303_types.h" "fb303_constants.h" "FacebookService.h") + list(APPEND ${SRCS} "${THRIFT_CC_OUT}") + list(APPEND ${HDRS} "${THRIFT_H_OUT}") + + if(ARG_FB303) + list(APPEND ${SRCS} fb303_types.cpp fb303_constants.cpp FacebookService.cpp) + list(APPEND ${HDRS} fb303_types.h fb303_constants.h FacebookService.h) + endif() add_custom_command( OUTPUT ${THRIFT_CC_OUT} ${THRIFT_H_OUT} http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/hms/CMakeLists.txt ---------------------------------------------------------------------- diff --git a/src/kudu/hms/CMakeLists.txt b/src/kudu/hms/CMakeLists.txt index 432a2c7..90794a6 100644 --- a/src/kudu/hms/CMakeLists.txt +++ b/src/kudu/hms/CMakeLists.txt @@ -15,14 +15,23 @@ # specific language governing permissions and limitations # under the License. +############################## +# hms_thrift +############################## + THRIFT_GENERATE_CPP( HMS_THRIFT_SRCS HMS_THRIFT_HDRS HMS_THRIFT_TGTS - THRIFT_FILES hive_metastore.thrift) + THRIFT_FILES hive_metastore.thrift + FB303) add_library(hms_thrift ${HMS_THRIFT_SRCS}) target_link_libraries(hms_thrift thrift) add_dependencies(hms_thrift ${HMS_THRIFT_TGTS}) +############################## +# kudu_hms +############################## + set(HMS_SRCS hms_catalog.cc hms_client.cc 
@@ -72,7 +81,10 @@ target_link_libraries(mini_hms kudu_util) add_dependencies(mini_hms hms-plugin) -# Tests +############################## +# hms tests +############################## + if (NOT NO_TESTS) SET_KUDU_TEST_LINK_LIBS( kudu_hms http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/mini-cluster/CMakeLists.txt ---------------------------------------------------------------------- diff --git a/src/kudu/mini-cluster/CMakeLists.txt b/src/kudu/mini-cluster/CMakeLists.txt index 78cee7c..d5cc44a 100644 --- a/src/kudu/mini-cluster/CMakeLists.txt +++ b/src/kudu/mini-cluster/CMakeLists.txt @@ -48,5 +48,5 @@ add_dependencies(mini_cluster kudu-master) # Tests -SET_KUDU_TEST_LINK_LIBS(mini_cluster kudu_hms) +SET_KUDU_TEST_LINK_LIBS(mini_cluster kudu_hms kudu_sentry) ADD_KUDU_TEST(external_mini_cluster-test PROCESSORS 3) http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/CMakeLists.txt ---------------------------------------------------------------------- diff --git a/src/kudu/sentry/CMakeLists.txt b/src/kudu/sentry/CMakeLists.txt new file mode 100644 index 0000000..8c75614 --- /dev/null +++ b/src/kudu/sentry/CMakeLists.txt 
@@ -0,0 +1,67 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +############################## +# sentry_thrift +############################## + +THRIFT_GENERATE_CPP( + SENTRY_THRIFT_SRCS SENTRY_THRIFT_HDRS SENTRY_THRIFT_TGTS + THRIFT_FILES sentry_common_service.thrift sentry_policy_service.thrift) + +add_library(sentry_thrift ${SENTRY_THRIFT_SRCS} thrift_operators.cc) +target_link_libraries(sentry_thrift thrift) +add_dependencies(sentry_thrift ${SENTRY_THRIFT_TGTS}) + +############################## +# kudu_sentry +############################## + +set(SENTRY_SRCS + sentry_client.cc) +set(SENTRY_DEPS + kudu_common + kudu_util + sentry_thrift) + +add_library(kudu_sentry ${SENTRY_SRCS}) +target_link_libraries(kudu_sentry ${SENTRY_DEPS}) + +############################## +# mini_sentry +############################## + +set(MINI_SENTRY_SRCS + mini_sentry.cc) + +add_library(mini_sentry ${MINI_SENTRY_SRCS}) +target_link_libraries(mini_sentry + gutil + kudu_test_util + kudu_util) + +############################## +# sentry tests +############################## + +if (NOT NO_TESTS) + SET_KUDU_TEST_LINK_LIBS( + kudu_sentry + mini_sentry) + + ADD_KUDU_TEST(sentry_client-test) +endif() 
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/mini_sentry.cc
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/mini_sentry.cc b/src/kudu/sentry/mini_sentry.cc
new file mode 100644
index 0000000..1b00099
--- /dev/null
+++ b/src/kudu/sentry/mini_sentry.cc
@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/sentry/mini_sentry.h"
+
+namespace kudu {
+namespace sentry {
+} // namespace sentry
+} // namespace kudu
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/mini_sentry.h
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/mini_sentry.h b/src/kudu/sentry/mini_sentry.h
new file mode 100644
index 0000000..adc081d
--- /dev/null
+++ b/src/kudu/sentry/mini_sentry.h
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+namespace kudu {
+namespace sentry {
+
+class MiniSentry {
+ public:
+};
+
+} // namespace sentry
+} // namespace kudu
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/sentry_client-test.cc
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_client-test.cc b/src/kudu/sentry/sentry_client-test.cc
new file mode 100644
index 0000000..6293ac1
--- /dev/null
+++ b/src/kudu/sentry/sentry_client-test.cc
@@ -0,0 +1,39 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/sentry/sentry_client.h"
+
+#include <utility>
+
+#include <gtest/gtest.h>
+
+#include "kudu/util/test_util.h"
+
+namespace kudu {
+namespace sentry {
+
+class SentryClientTest : public KuduTest {
+ public:
+};
+
+TEST_F(SentryClientTest, ItWorks) {
+ SentryClient client;
+ std::move(client);
+}
+
+} // namespace sentry
+} // namespace kudu
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/sentry_client.cc
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_client.cc b/src/kudu/sentry/sentry_client.cc
new file mode 100644
index 0000000..53d7928
--- /dev/null
+++ b/src/kudu/sentry/sentry_client.cc
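Review bot: `std::move(client);` in ItWorks is a discarded expression with no effect — std::move is only a cast to an rvalue, so nothing is moved and the test checks nothing beyond default construction. If the intent is to assert that SentryClient is movable, bind the result, `SentryClient moved = std::move(client);`, or pin it at compile time with `static_assert(std::is_move_constructible<SentryClient>::value, "SentryClient must be movable");` (needs `<type_traits>`). Some toolchains may also warn about the unused result of the bare call.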
@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/sentry/sentry_client.h"
+
+namespace kudu {
+namespace sentry {
+} // namespace sentry
+} // namespace kudu
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/sentry_client.h
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_client.h b/src/kudu/sentry/sentry_client.h
new file mode 100644
index 0000000..09d7916
--- /dev/null
+++ b/src/kudu/sentry/sentry_client.h
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+namespace kudu {
+namespace sentry {
+
+class SentryClient {
+ public:
+};
+
+} // namespace sentry
+} // namespace kudu
http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/sentry_common_service.thrift
----------------------------------------------------------------------
diff --git a/src/kudu/sentry/sentry_common_service.thrift b/src/kudu/sentry/sentry_common_service.thrift
new file mode 100644
index 0000000..e37f4f6
--- /dev/null
+++ b/src/kudu/sentry/sentry_common_service.thrift
@@ -0,0 +1,50 @@ +#!/usr/local/bin/thrift -java + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# DO NOT MODIFY! Copied from +# https://raw.githubusercontent.com/apache/sentry/release-2.0.1/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift +# +# With edits: +# - Change cpp namespace to 'sentry' to match the Kudu codebase style. + +namespace java org.apache.sentry.service.thrift +namespace php sentry.service.thrift +namespace cpp sentry + +const i32 TSENTRY_SERVICE_V1 = 1; +// Made a backward incompatible change when adding column level privileges. 
+// We also added generalized model in this version +const i32 TSENTRY_SERVICE_V2 = 2; + +const i32 TSENTRY_STATUS_OK = 0; +const i32 TSENTRY_STATUS_ALREADY_EXISTS = 1; +const i32 TSENTRY_STATUS_NO_SUCH_OBJECT = 2; +const i32 TSENTRY_STATUS_RUNTIME_ERROR = 3; +const i32 TSENTRY_STATUS_INVALID_INPUT = 4; +const i32 TSENTRY_STATUS_ACCESS_DENIED = 5; +const i32 TSENTRY_STATUS_THRIFT_VERSION_MISMATCH = 6; + +struct TSentryResponseStatus { +1: required i32 value, +// message will be set to empty string when status is OK +2: required string message +3: optional string stack +} + http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/src/kudu/sentry/sentry_policy_service.thrift b/src/kudu/sentry/sentry_policy_service.thrift new file mode 100644 index 0000000..a11872b --- /dev/null +++ b/src/kudu/sentry/sentry_policy_service.thrift 
@@ -0,0 +1,370 @@ +#!/usr/local/bin/thrift -java + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# DO NOT MODIFY! Copied from +# https://raw.githubusercontent.com/apache/sentry/release-2.0.1/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +# +# With edits: +# - Change cpp namespace to 'sentry' to match the Kudu codebase style. + +# +# Thrift Service that the MetaStore is built on +# + +include "sentry_common_service.thrift" + +namespace java org.apache.sentry.provider.db.service.thrift +namespace php sentry.provider.db.service.thrift +namespace cpp sentry + +enum TSentryGrantOption { + TRUE = 1, + FALSE = 0, + # UNSET is used for revoke privilege, the component like 'hive' + # didn't support getting grant option, so use UNSET is stand + # for revoke both privileges with grant option and without grant + # option. 
+ UNSET = -1 +} + +# Represents a Privilege in transport from the client to the server +struct TSentryPrivilege { +1: required string privilegeScope, # Valid values are SERVER, DATABASE, TABLE, COLUMN, URI +3: required string serverName, +4: optional string dbName = "", +5: optional string tableName = "", +6: optional string URI = "", +7: required string action = "", +8: optional i64 createTime, # Set on server side +9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE +10: optional string columnName = "", +} + +# TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest +struct TSentryGroup { +1: required string groupName +} + +# CREATE ROLE r1 +struct TCreateSentryRoleRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, # TSentryRole is not required for this request +} +struct TCreateSentryRoleResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# DROP ROLE r1 +struct TDropSentryRoleRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName # role to drop +} +struct TDropSentryRoleResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# GRANT ROLE r1 TO GROUP g1 +struct TAlterSentryRoleAddGroupsRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +5: required set<TSentryGroup> groups +} + +struct TAlterSentryRoleAddGroupsResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# GRANT ROLE r1 TO USER u1 +struct TAlterSentryRoleAddUsersRequest { +1: required i32 protocol_version = 
sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +4: required set<string> users +} + +struct TAlterSentryRoleAddUsersResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# REVOKE ROLE r1 FROM GROUP g1 +struct TAlterSentryRoleDeleteGroupsRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +5: required set<TSentryGroup> groups +} +struct TAlterSentryRoleDeleteGroupsResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# REVOKE ROLE r1 FROM USER u1 +struct TAlterSentryRoleDeleteUsersRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +4: required set<string> users +} +struct TAlterSentryRoleDeleteUsersResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# GRANT ... ON ... TO ROLE ... +struct TAlterSentryRoleGrantPrivilegeRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +5: optional TSentryPrivilege privilege, +6: optional set<TSentryPrivilege> privileges +} +struct TAlterSentryRoleGrantPrivilegeResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: optional TSentryPrivilege privilege +3: optional set<TSentryPrivilege> privileges +} + +# REVOKE ... ON ... FROM ROLE ... 
+struct TAlterSentryRoleRevokePrivilegeRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string roleName, +5: optional TSentryPrivilege privilege, +6: optional set<TSentryPrivilege> privileges +} +struct TAlterSentryRoleRevokePrivilegeResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# SHOW ROLE GRANT +struct TListSentryRolesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: optional string groupName # for this group, or all roles for all groups if null +} + +struct TListSentryRolesForUserRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required string userName +} + +# used only for TListSentryRolesResponse +struct TSentryRole { +1: required string roleName, +2: required set<TSentryGroup> groups, +3: required string grantorPrincipal #Deprecated +} +struct TListSentryRolesResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: optional set<TSentryRole> roles +} + +struct TSentryAuthorizable { +1: required string server, +2: optional string uri, +3: optional string db, +4: optional string table, +5: optional string column, +} + +# SHOW GRANT +struct TListSentryPrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +4: required string roleName, # get privileges assigned for this role +5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role +} +struct TListSentryPrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: optional 
set<TSentryPrivilege> privileges +} + +# Drop privilege +struct TDropPrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required TSentryAuthorizable authorizable +} + +struct TDropPrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +struct TRenamePrivilegesRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required TSentryAuthorizable oldAuthorizable +4: required TSentryAuthorizable newAuthorizable +} + +struct TRenamePrivilegesResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +# This API was created specifically for ProviderBackend.getPrivileges +# and is not mean for general purpose privilege retrieval. +# This request/response pair are created specifically so we can +# efficiently obtain the specific privilges for a user query +struct TSentryActiveRoleSet { +1: required bool all, +2: required set<string> roles, +} +struct TListSentryPrivilegesForProviderRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required set<string> groups, +3: required TSentryActiveRoleSet roleSet, +4: optional TSentryAuthorizable authorizableHierarchy, +5: optional set<string> users +} +struct TListSentryPrivilegesForProviderResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: required set<string> privileges +} + +# List role:set<privileges> for the given authorizable +# Optionally use the set of groups to filter the roles +struct TSentryPrivilegeMap { +1: required map<string, set<TSentryPrivilege>> privilegeMap +} +struct TListSentryPrivilegesByAuthRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string requestorUserName, # user on whose behalf 
the request is issued +3: required set<TSentryAuthorizable> authorizableSet, +4: optional set<string> groups, +5: optional TSentryActiveRoleSet roleSet +} +struct TListSentryPrivilegesByAuthResponse { +1: required sentry_common_service.TSentryResponseStatus status, +2: optional map<TSentryAuthorizable, TSentryPrivilegeMap> privilegesMapByAuth # will not be set in case of an error +} + +# Obtain a config value from the Sentry service +struct TSentryConfigValueRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required string propertyName, # Config attribute to obtain +3: optional string defaultValue # Value if propertyName not found +} +struct TSentryConfigValueResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: optional string value +} + +# struct for the mapping data like group to role, role to privilege +struct TSentryMappingData { +1: optional map<string, set<string>> groupRolesMap, # for the groupName -> role mapping +2: optional map<string, set<TSentryPrivilege>> rolePrivilegesMap, # for the roleName -> privilege mapping +3: optional map<string, set<string>> userRolesMap # for the userName -> role mapping +} + +struct TSentryExportMappingDataRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: optional string objectPath # for specific auth object +} + +struct TSentryExportMappingDataResponse { +1: required sentry_common_service.TSentryResponseStatus status, +2: required TSentryMappingData mappingData +} + +struct TSentryImportMappingDataRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, +2: required string requestorUserName, # user on whose behalf the request is issued +3: required bool overwriteRole = false, # if overwrite the exist role with the imported privileges, default is false +4: required TSentryMappingData mappingData +} + 
+struct TSentryImportMappingDataResponse { +1: required sentry_common_service.TSentryResponseStatus status +} + +/* + * API for synchronizing between HMS notification events and Sentry. + * + * When Sentry gets updates from HMS using HMS Notifications, HMS should + * should wait after each notification event is generated until the notification + * is handled by Sentry This preserves the synchronous semantics of DDL statements. + * + * The notification synchronization API is private between HMS and Sentry and should + * not be used by anything else. + * + * The API should be used in the following way: + * + * 1) HMS creates a notification and stores its ID in the persistent storage + * 2) HMS sends ID to Sentry + * 3) Sentry blocks the response until the specified ID is processed by Sentry + * 4) Sentry responds with the most recent processed ID. + * + * Note that the important part is blocking in Sentry until the specified ID + * is processed. The returned most recent processed ID is intended for debugging + * purposes only, but may be used in HMS for performance optimizations. 
+ */ + +struct TSentrySyncIDRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, +2: required i64 id // Requested ID +} + +struct TSentrySyncIDResponse { +1: required sentry_common_service.TSentryResponseStatus status +2: required i64 id // Most recent processed ID +} + +service SentryPolicyService +{ + TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request) + TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request) + + TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request) + TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request) + + TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request) + TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request) + + TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(1:TAlterSentryRoleAddUsersRequest request) + TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(1:TAlterSentryRoleDeleteUsersRequest request) + + TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request) + TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request) + + TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request) + + # For use with ProviderBackend.getPrivileges only + TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) + + TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request); + + TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request); + + TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request); + + 
TSentryConfigValueResponse get_sentry_config_value(1:TSentryConfigValueRequest request); + + # export the mapping data in sentry + TSentryExportMappingDataResponse export_sentry_mapping_data(1:TSentryExportMappingDataRequest request); + + # import the mapping data in sentry + TSentryImportMappingDataResponse import_sentry_mapping_data(1:TSentryImportMappingDataRequest request); + + # Synchronize between HMS notifications and Sentry + TSentrySyncIDResponse sentry_sync_notifications(1:TSentrySyncIDRequest request); +} http://git-wip-us.apache.org/repos/asf/kudu/blob/846eb7f9/src/kudu/sentry/thrift_operators.cc ---------------------------------------------------------------------- diff --git a/src/kudu/sentry/thrift_operators.cc b/src/kudu/sentry/thrift_operators.cc new file mode 100644 index 0000000..83122b7 --- /dev/null +++ b/src/kudu/sentry/thrift_operators.cc 
@@ -0,0 +1,62 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include <set>
+#include <string>
+
+#include "kudu/sentry/sentry_policy_service_types.h"
+
+// Thrift does not automatically generate operator< definitions for generated
+// classes, however it will happily translate a Thrift set in to a C++ set,
+// which requires the key type to implement operator<. Since Sentry uses Thrift
+// types as map keys and set items, we must provide our own definition. See
+// http://mail-archives.apache.org/mod_mbox/thrift-user/201311.mbox/%3cbay407-eas7268c0adcda8f02d874f8eb1...@phx.gbl%3e
+// for more discussion.
+
+namespace sentry {
+
+bool TSentryRole::operator<(const TSentryRole& other) const {
+ return this->roleName < other.roleName
+ && this->groups < other.groups
+ && this->grantorPrincipal < other.grantorPrincipal;
+}
+
+bool TSentryGroup::operator<(const TSentryGroup& other) const {
+ return this->groupName < other.groupName;
+}
+
+bool TSentryPrivilege::operator<(const TSentryPrivilege& other) const {
+ return this->privilegeScope < other.privilegeScope
+ && this->serverName < other.serverName
+ && this->dbName < other.dbName
+ && this->tableName < other.tableName
+ && this->URI < other.URI
+ && this->action < other.action
+ && this->createTime < other.createTime
+ && this->grantOption < other.grantOption
+ && this->columnName < other.columnName;
+}
+
+bool TSentryAuthorizable::operator<(const TSentryAuthorizable& other) const {
+ return this->server < other.server
+ && this->uri < other.uri
+ && this->db < other.db
+ && this->table < other.table
+ && this->column < other.column;
+}
+
+} // namespace sentry
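Review bot: The operator< bodies for TSentryRole, TSentryPrivilege and TSentryAuthorizable are not strict weak orderings: chaining the per-field comparisons with `&&` means two values that differ in opposite directions on two fields (say a greater roleName but a smaller groups set) are neither less than the other, so std::set and std::map treat them as equivalent — distinct privileges or authorizables placed in the Thrift-generated sets would silently collapse to one entry and keyed lookups could match the wrong element. Because these types carry authorization state, that deserves fixing before the client is built on top of them; compare lexicographically instead, e.g. via std::tie over the same members (requires adding `#include <tuple>` next to the existing includes). TSentryGroup::operator< is a single-field comparison and is already correct. Neither version consults the generated `__isset` flags for optional fields, so an unset field compares by its default value; that is presumably intended, but worth a comment stating so.
```cpp
// … unchanged: license header, includes (plus `#include <tuple>`), explanatory comment …

bool TSentryRole::operator<(const TSentryRole& other) const {
  return std::tie(roleName, groups, grantorPrincipal)
       < std::tie(other.roleName, other.groups, other.grantorPrincipal);
}

// … unchanged: TSentryGroup::operator< …

bool TSentryPrivilege::operator<(const TSentryPrivilege& other) const {
  return std::tie(privilegeScope, serverName, dbName, tableName, URI, action,
                  createTime, grantOption, columnName)
       < std::tie(other.privilegeScope, other.serverName, other.dbName, other.tableName,
                  other.URI, other.action, other.createTime, other.grantOption,
                  other.columnName);
}

bool TSentryAuthorizable::operator<(const TSentryAuthorizable& other) const {
  return std::tie(server, uri, db, table, column)
       < std::tie(other.server, other.uri, other.db, other.table, other.column);
}
```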