Repository: sentry Updated Branches: refs/heads/master 6e78a486f -> 912b1dbe8
SENTRY-2170: Update the Sentry-HDFS thrift for user level privileges. (Kalyan Kumar kalvagadda, reviewed-by Na Li and Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/912b1dbe Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/912b1dbe Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/912b1dbe Branch: refs/heads/master Commit: 912b1dbe85fba5bbe7f7fa5c8eb9befc7a081c44 Parents: 6e78a48 Author: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Authored: Fri May 4 15:15:57 2018 -0500 Committer: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Committed: Fri May 4 15:15:57 2018 -0500 ---------------------------------------------------------------------- .../hdfs/service/thrift/TPrivilegeChanges.java | 110 ++-- .../hdfs/service/thrift/TPrivilegeEntity.java | 502 +++++++++++++++++++ .../service/thrift/TPrivilegeEntityType.java | 48 ++ .../apache/sentry/hdfs/PermissionsUpdate.java | 3 +- .../main/resources/sentry_hdfs_service.thrift | 19 +- .../sentry/hdfs/TestPermissionUpdate.java | 6 +- .../sentry/hdfs/UpdateableAuthzPermissions.java | 39 +- .../apache/sentry/hdfs/PermImageRetriever.java | 11 +- .../org/apache/sentry/hdfs/SentryPlugin.java | 19 +- .../hdfs/TestSentryHDFSServiceProcessor.java | 5 +- .../persistent/NotificationProcessor.java | 9 +- .../db/service/persistent/PermissionsImage.java | 12 +- .../db/service/persistent/SentryStore.java | 16 +- .../db/service/persistent/TestSentryStore.java | 19 +- 14 files changed, 723 insertions(+), 95 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeChanges.java ---------------------------------------------------------------------- 
diff --git a/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeChanges.java b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeChanges.java index dea21fa..abcf3ca 100644 --- a/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeChanges.java +++ b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeChanges.java @@ -49,8 +49,8 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan } private String authzObj; // required - private Map<String,String> addPrivileges; // required - private Map<String,String> delPrivileges; // required + private Map<TPrivilegeEntity,String> addPrivileges; // required + private Map<TPrivilegeEntity,String> delPrivileges; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { 
@@ -124,11 +124,11 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.ADD_PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("addPrivileges", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, - new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING), + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TPrivilegeEntity.class), new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)))); tmpMap.put(_Fields.DEL_PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("delPrivileges", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, - new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING), + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TPrivilegeEntity.class), new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TPrivilegeChanges.class, metaDataMap); @@ -139,8 +139,8 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan public TPrivilegeChanges( String authzObj, - Map<String,String> addPrivileges, - Map<String,String> delPrivileges) + Map<TPrivilegeEntity,String> addPrivileges, + Map<TPrivilegeEntity,String> delPrivileges) { this(); this.authzObj = authzObj; 
@@ -156,11 +156,33 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan this.authzObj = other.authzObj; } if (other.isSetAddPrivileges()) { - Map<String,String> __this__addPrivileges = new HashMap<String,String>(other.addPrivileges); + Map<TPrivilegeEntity,String> __this__addPrivileges = new HashMap<TPrivilegeEntity,String>(other.addPrivileges.size()); + for (Map.Entry<TPrivilegeEntity, String> other_element : other.addPrivileges.entrySet()) { + + TPrivilegeEntity other_element_key = other_element.getKey(); + String other_element_value = other_element.getValue(); + + TPrivilegeEntity __this__addPrivileges_copy_key = new TPrivilegeEntity(other_element_key); + + String __this__addPrivileges_copy_value = other_element_value; + + __this__addPrivileges.put(__this__addPrivileges_copy_key, __this__addPrivileges_copy_value); + } this.addPrivileges = __this__addPrivileges; } if (other.isSetDelPrivileges()) { - Map<String,String> __this__delPrivileges = new HashMap<String,String>(other.delPrivileges); + Map<TPrivilegeEntity,String> __this__delPrivileges = new HashMap<TPrivilegeEntity,String>(other.delPrivileges.size()); + for (Map.Entry<TPrivilegeEntity, String> other_element : other.delPrivileges.entrySet()) { + + TPrivilegeEntity other_element_key = other_element.getKey(); + String other_element_value = other_element.getValue(); + + TPrivilegeEntity __this__delPrivileges_copy_key = new TPrivilegeEntity(other_element_key); + + String __this__delPrivileges_copy_value = other_element_value; + + __this__delPrivileges.put(__this__delPrivileges_copy_key, __this__delPrivileges_copy_value); + } this.delPrivileges = __this__delPrivileges; } } 
@@ -203,18 +225,18 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan return (this.addPrivileges == null) ? 0 : this.addPrivileges.size(); } - public void putToAddPrivileges(String key, String val) { + public void putToAddPrivileges(TPrivilegeEntity key, String val) { if (this.addPrivileges == null) { - this.addPrivileges = new HashMap<String,String>(); + this.addPrivileges = new HashMap<TPrivilegeEntity,String>(); } this.addPrivileges.put(key, val); } - public Map<String,String> getAddPrivileges() { + public Map<TPrivilegeEntity,String> getAddPrivileges() { return this.addPrivileges; } - public void setAddPrivileges(Map<String,String> addPrivileges) { + public void setAddPrivileges(Map<TPrivilegeEntity,String> addPrivileges) { this.addPrivileges = addPrivileges; } @@ -237,18 +259,18 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan return (this.delPrivileges == null) ? 0 : this.delPrivileges.size(); } - public void putToDelPrivileges(String key, String val) { + public void putToDelPrivileges(TPrivilegeEntity key, String val) { if (this.delPrivileges == null) { - this.delPrivileges = new HashMap<String,String>(); + this.delPrivileges = new HashMap<TPrivilegeEntity,String>(); } this.delPrivileges.put(key, val); } - public Map<String,String> getDelPrivileges() { + public Map<TPrivilegeEntity,String> getDelPrivileges() { return this.delPrivileges; } - public void setDelPrivileges(Map<String,String> delPrivileges) { + public void setDelPrivileges(Map<TPrivilegeEntity,String> delPrivileges) { this.delPrivileges = delPrivileges; } @@ -281,7 +303,7 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (value == null) { unsetAddPrivileges(); } else { - setAddPrivileges((Map<String,String>)value); + setAddPrivileges((Map<TPrivilegeEntity,String>)value); } break; 
@@ -289,7 +311,7 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (value == null) { unsetDelPrivileges(); } else { - setDelPrivileges((Map<String,String>)value); + setDelPrivileges((Map<TPrivilegeEntity,String>)value); } break; @@ -541,12 +563,13 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (schemeField.type == org.apache.thrift.protocol.TType.MAP) { { org.apache.thrift.protocol.TMap _map74 = iprot.readMapBegin(); - struct.addPrivileges = new HashMap<String,String>(2*_map74.size); - String _key75; + struct.addPrivileges = new HashMap<TPrivilegeEntity,String>(2*_map74.size); + TPrivilegeEntity _key75; String _val76; for (int _i77 = 0; _i77 < _map74.size; ++_i77) { - _key75 = iprot.readString(); + _key75 = new TPrivilegeEntity(); + _key75.read(iprot); _val76 = iprot.readString(); struct.addPrivileges.put(_key75, _val76); } @@ -561,12 +584,13 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (schemeField.type == org.apache.thrift.protocol.TType.MAP) { { org.apache.thrift.protocol.TMap _map78 = iprot.readMapBegin(); - struct.delPrivileges = new HashMap<String,String>(2*_map78.size); - String _key79; + struct.delPrivileges = new HashMap<TPrivilegeEntity,String>(2*_map78.size); + TPrivilegeEntity _key79; String _val80; for (int _i81 = 0; _i81 < _map78.size; ++_i81) { - _key79 = iprot.readString(); + _key79 = new TPrivilegeEntity(); + _key79.read(iprot); _val80 = iprot.readString(); struct.delPrivileges.put(_key79, _val80); } 
@@ -598,10 +622,10 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (struct.addPrivileges != null) { oprot.writeFieldBegin(ADD_PRIVILEGES_FIELD_DESC); { - oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRING, struct.addPrivileges.size())); - for (Map.Entry<String, String> _iter82 : struct.addPrivileges.entrySet()) + oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.STRING, struct.addPrivileges.size())); + for (Map.Entry<TPrivilegeEntity, String> _iter82 : struct.addPrivileges.entrySet()) { - oprot.writeString(_iter82.getKey()); + _iter82.getKey().write(oprot); oprot.writeString(_iter82.getValue()); } oprot.writeMapEnd(); @@ -611,10 +635,10 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan if (struct.delPrivileges != null) { oprot.writeFieldBegin(DEL_PRIVILEGES_FIELD_DESC); { - oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRING, struct.delPrivileges.size())); - for (Map.Entry<String, String> _iter83 : struct.delPrivileges.entrySet()) + oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.STRING, struct.delPrivileges.size())); + for (Map.Entry<TPrivilegeEntity, String> _iter83 : struct.delPrivileges.entrySet()) { - oprot.writeString(_iter83.getKey()); + _iter83.getKey().write(oprot); oprot.writeString(_iter83.getValue()); } oprot.writeMapEnd(); 
@@ -641,17 +665,17 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan oprot.writeString(struct.authzObj); { oprot.writeI32(struct.addPrivileges.size()); - for (Map.Entry<String, String> _iter84 : struct.addPrivileges.entrySet()) + for (Map.Entry<TPrivilegeEntity, String> _iter84 : struct.addPrivileges.entrySet()) { - oprot.writeString(_iter84.getKey()); + _iter84.getKey().write(oprot); oprot.writeString(_iter84.getValue()); } } { oprot.writeI32(struct.delPrivileges.size()); - for (Map.Entry<String, String> _iter85 : struct.delPrivileges.entrySet()) + for (Map.Entry<TPrivilegeEntity, String> _iter85 : struct.delPrivileges.entrySet()) { - oprot.writeString(_iter85.getKey()); + _iter85.getKey().write(oprot); oprot.writeString(_iter85.getValue()); } } 
@@ -663,26 +687,28 @@ public class TPrivilegeChanges implements org.apache.thrift.TBase<TPrivilegeChan struct.authzObj = iprot.readString(); struct.setAuthzObjIsSet(true); { - org.apache.thrift.protocol.TMap _map86 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRING, iprot.readI32()); - struct.addPrivileges = new HashMap<String,String>(2*_map86.size); - String _key87; + org.apache.thrift.protocol.TMap _map86 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.STRING, iprot.readI32()); + struct.addPrivileges = new HashMap<TPrivilegeEntity,String>(2*_map86.size); + TPrivilegeEntity _key87; String _val88; for (int _i89 = 0; _i89 < _map86.size; ++_i89) { - _key87 = iprot.readString(); + _key87 = new TPrivilegeEntity(); + _key87.read(iprot); _val88 = iprot.readString(); struct.addPrivileges.put(_key87, _val88); } } struct.setAddPrivilegesIsSet(true); { - org.apache.thrift.protocol.TMap _map90 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRING, iprot.readI32()); - struct.delPrivileges = new HashMap<String,String>(2*_map90.size); - String _key91; + org.apache.thrift.protocol.TMap _map90 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.STRING, iprot.readI32()); + struct.delPrivileges = new HashMap<TPrivilegeEntity,String>(2*_map90.size); + TPrivilegeEntity _key91; String _val92; for (int _i93 = 0; _i93 < _map90.size; ++_i93) { - _key91 = iprot.readString(); + _key91 = new TPrivilegeEntity(); + _key91.read(iprot); _val92 = iprot.readString(); struct.delPrivileges.put(_key91, _val92); } http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntity.java 
---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntity.java b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntity.java new file mode 100644 index 0000000..85f8147 --- /dev/null +++ b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntity.java 
@@ -0,0 +1,502 @@ +/** + * Autogenerated by Thrift Compiler (0.9.3) + * + * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING + * @generated + */ +package org.apache.sentry.hdfs.service.thrift; + +import org.apache.thrift.scheme.IScheme; +import org.apache.thrift.scheme.SchemeFactory; +import org.apache.thrift.scheme.StandardScheme; + +import org.apache.thrift.scheme.TupleScheme; +import org.apache.thrift.protocol.TTupleProtocol; +import org.apache.thrift.protocol.TProtocolException; +import org.apache.thrift.EncodingUtils; +import org.apache.thrift.TException; +import org.apache.thrift.async.AsyncMethodCallback; +import org.apache.thrift.server.AbstractNonblockingServer.*; +import java.util.List; +import java.util.ArrayList; +import java.util.Map; +import java.util.HashMap; +import java.util.EnumMap; +import java.util.Set; +import java.util.HashSet; +import java.util.EnumSet; +import java.util.Collections; +import java.util.BitSet; +import java.nio.ByteBuffer; +import java.util.Arrays; +import javax.annotation.Generated; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@SuppressWarnings({"cast", "rawtypes", "serial", "unchecked"}) +@Generated(value = "Autogenerated by Thrift Compiler (0.9.3)") +public class TPrivilegeEntity implements org.apache.thrift.TBase<TPrivilegeEntity, TPrivilegeEntity._Fields>, java.io.Serializable, Cloneable, Comparable<TPrivilegeEntity> { + private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TPrivilegeEntity"); + + private static final org.apache.thrift.protocol.TField TYPE_FIELD_DESC = new org.apache.thrift.protocol.TField("type", org.apache.thrift.protocol.TType.I32, (short)1); + private static final org.apache.thrift.protocol.TField VALUE_FIELD_DESC = new org.apache.thrift.protocol.TField("value", org.apache.thrift.protocol.TType.STRING, (short)2); + + private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? 
extends IScheme>, SchemeFactory>(); + static { + schemes.put(StandardScheme.class, new TPrivilegeEntityStandardSchemeFactory()); + schemes.put(TupleScheme.class, new TPrivilegeEntityTupleSchemeFactory()); + } + + private TPrivilegeEntityType type; // required + private String value; // required + + /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ + public enum _Fields implements org.apache.thrift.TFieldIdEnum { + /** + * + * @see TPrivilegeEntityType + */ + TYPE((short)1, "type"), + VALUE((short)2, "value"); + + private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); + + static { + for (_Fields field : EnumSet.allOf(_Fields.class)) { + byName.put(field.getFieldName(), field); + } + } + + /** + * Find the _Fields constant that matches fieldId, or null if its not found. + */ + public static _Fields findByThriftId(int fieldId) { + switch(fieldId) { + case 1: // TYPE + return TYPE; + case 2: // VALUE + return VALUE; + default: + return null; + } + } + + /** + * Find the _Fields constant that matches fieldId, throwing an exception + * if it is not found. + */ + public static _Fields findByThriftIdOrThrow(int fieldId) { + _Fields fields = findByThriftId(fieldId); + if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!"); + return fields; + } + + /** + * Find the _Fields constant that matches name, or null if its not found. 
+ */ + public static _Fields findByName(String name) { + return byName.get(name); + } + + private final short _thriftId; + private final String _fieldName; + + _Fields(short thriftId, String fieldName) { + _thriftId = thriftId; + _fieldName = fieldName; + } + + public short getThriftFieldId() { + return _thriftId; + } + + public String getFieldName() { + return _fieldName; + } + } + + // isset id assignments + public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; + static { + Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); + tmpMap.put(_Fields.TYPE, new org.apache.thrift.meta_data.FieldMetaData("type", org.apache.thrift.TFieldRequirementType.REQUIRED, + new org.apache.thrift.meta_data.EnumMetaData(org.apache.thrift.protocol.TType.ENUM, TPrivilegeEntityType.class))); + tmpMap.put(_Fields.VALUE, new org.apache.thrift.meta_data.FieldMetaData("value", org.apache.thrift.TFieldRequirementType.REQUIRED, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); + metaDataMap = Collections.unmodifiableMap(tmpMap); + org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TPrivilegeEntity.class, metaDataMap); + } + + public TPrivilegeEntity() { + } + + public TPrivilegeEntity( + TPrivilegeEntityType type, + String value) + { + this(); + this.type = type; + this.value = value; + } + + /** + * Performs a deep copy on <i>other</i>. 
+ */ + public TPrivilegeEntity(TPrivilegeEntity other) { + if (other.isSetType()) { + this.type = other.type; + } + if (other.isSetValue()) { + this.value = other.value; + } + } + + public TPrivilegeEntity deepCopy() { + return new TPrivilegeEntity(this); + } + + @Override + public void clear() { + this.type = null; + this.value = null; + } + + /** + * + * @see TPrivilegeEntityType + */ + public TPrivilegeEntityType getType() { + return this.type; + } + + /** + * + * @see TPrivilegeEntityType + */ + public void setType(TPrivilegeEntityType type) { + this.type = type; + } + + public void unsetType() { + this.type = null; + } + + /** Returns true if field type is set (has been assigned a value) and false otherwise */ + public boolean isSetType() { + return this.type != null; + } + + public void setTypeIsSet(boolean value) { + if (!value) { + this.type = null; + } + } + + public String getValue() { + return this.value; + } + + public void setValue(String value) { + this.value = value; + } + + public void unsetValue() { + this.value = null; + } + + /** Returns true if field value is set (has been assigned a value) and false otherwise */ + public boolean isSetValue() { + return this.value != null; + } + + public void setValueIsSet(boolean value) { + if (!value) { + this.value = null; + } + } + + public void setFieldValue(_Fields field, Object value) { + switch (field) { + case TYPE: + if (value == null) { + unsetType(); + } else { + setType((TPrivilegeEntityType)value); + } + break; + + case VALUE: + if (value == null) { + unsetValue(); + } else { + setValue((String)value); + } + break; + + } + } + + public Object getFieldValue(_Fields field) { + switch (field) { + case TYPE: + return getType(); + + case VALUE: + return getValue(); + + } + throw new IllegalStateException(); + } + + /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */ + public boolean isSet(_Fields field) { + if (field == null) { + throw new 
IllegalArgumentException(); + } + + switch (field) { + case TYPE: + return isSetType(); + case VALUE: + return isSetValue(); + } + throw new IllegalStateException(); + } + + @Override + public boolean equals(Object that) { + if (that == null) + return false; + if (that instanceof TPrivilegeEntity) + return this.equals((TPrivilegeEntity)that); + return false; + } + + public boolean equals(TPrivilegeEntity that) { + if (that == null) + return false; + + boolean this_present_type = true && this.isSetType(); + boolean that_present_type = true && that.isSetType(); + if (this_present_type || that_present_type) { + if (!(this_present_type && that_present_type)) + return false; + if (!this.type.equals(that.type)) + return false; + } + + boolean this_present_value = true && this.isSetValue(); + boolean that_present_value = true && that.isSetValue(); + if (this_present_value || that_present_value) { + if (!(this_present_value && that_present_value)) + return false; + if (!this.value.equals(that.value)) + return false; + } + + return true; + } + + @Override + public int hashCode() { + List<Object> list = new ArrayList<Object>(); + + boolean present_type = true && (isSetType()); + list.add(present_type); + if (present_type) + list.add(type.getValue()); + + boolean present_value = true && (isSetValue()); + list.add(present_value); + if (present_value) + list.add(value); + + return list.hashCode(); + } + + @Override + public int compareTo(TPrivilegeEntity other) { + if (!getClass().equals(other.getClass())) { + return getClass().getName().compareTo(other.getClass().getName()); + } + + int lastComparison = 0; + + lastComparison = Boolean.valueOf(isSetType()).compareTo(other.isSetType()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetType()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.type, other.type); + if (lastComparison != 0) { + return lastComparison; + } + } + lastComparison = 
Boolean.valueOf(isSetValue()).compareTo(other.isSetValue()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetValue()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.value, other.value); + if (lastComparison != 0) { + return lastComparison; + } + } + return 0; + } + + public _Fields fieldForId(int fieldId) { + return _Fields.findByThriftId(fieldId); + } + + public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException { + schemes.get(iprot.getScheme()).getScheme().read(iprot, this); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException { + schemes.get(oprot.getScheme()).getScheme().write(oprot, this); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder("TPrivilegeEntity("); + boolean first = true; + + sb.append("type:"); + if (this.type == null) { + sb.append("null"); + } else { + sb.append(this.type); + } + first = false; + if (!first) sb.append(", "); + sb.append("value:"); + if (this.value == null) { + sb.append("null"); + } else { + sb.append(this.value); + } + first = false; + sb.append(")"); + return sb.toString(); + } + + public void validate() throws org.apache.thrift.TException { + // check for required fields + if (!isSetType()) { + throw new org.apache.thrift.protocol.TProtocolException("Required field 'type' is unset! Struct:" + toString()); + } + + if (!isSetValue()) { + throw new org.apache.thrift.protocol.TProtocolException("Required field 'value' is unset! 
Struct:" + toString()); + } + + // check for sub-struct validity + } + + private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException { + try { + write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException { + try { + read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private static class TPrivilegeEntityStandardSchemeFactory implements SchemeFactory { + public TPrivilegeEntityStandardScheme getScheme() { + return new TPrivilegeEntityStandardScheme(); + } + } + + private static class TPrivilegeEntityStandardScheme extends StandardScheme<TPrivilegeEntity> { + + public void read(org.apache.thrift.protocol.TProtocol iprot, TPrivilegeEntity struct) throws org.apache.thrift.TException { + org.apache.thrift.protocol.TField schemeField; + iprot.readStructBegin(); + while (true) + { + schemeField = iprot.readFieldBegin(); + if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { + break; + } + switch (schemeField.id) { + case 1: // TYPE + if (schemeField.type == org.apache.thrift.protocol.TType.I32) { + struct.type = org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType.findByValue(iprot.readI32()); + struct.setTypeIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + case 2: // VALUE + if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { + struct.value = iprot.readString(); + struct.setValueIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + default: + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, 
schemeField.type); + } + iprot.readFieldEnd(); + } + iprot.readStructEnd(); + struct.validate(); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot, TPrivilegeEntity struct) throws org.apache.thrift.TException { + struct.validate(); + + oprot.writeStructBegin(STRUCT_DESC); + if (struct.type != null) { + oprot.writeFieldBegin(TYPE_FIELD_DESC); + oprot.writeI32(struct.type.getValue()); + oprot.writeFieldEnd(); + } + if (struct.value != null) { + oprot.writeFieldBegin(VALUE_FIELD_DESC); + oprot.writeString(struct.value); + oprot.writeFieldEnd(); + } + oprot.writeFieldStop(); + oprot.writeStructEnd(); + } + + } + + private static class TPrivilegeEntityTupleSchemeFactory implements SchemeFactory { + public TPrivilegeEntityTupleScheme getScheme() { + return new TPrivilegeEntityTupleScheme(); + } + } + + private static class TPrivilegeEntityTupleScheme extends TupleScheme<TPrivilegeEntity> { + + @Override + public void write(org.apache.thrift.protocol.TProtocol prot, TPrivilegeEntity struct) throws org.apache.thrift.TException { + TTupleProtocol oprot = (TTupleProtocol) prot; + oprot.writeI32(struct.type.getValue()); + oprot.writeString(struct.value); + } + + @Override + public void read(org.apache.thrift.protocol.TProtocol prot, TPrivilegeEntity struct) throws org.apache.thrift.TException { + TTupleProtocol iprot = (TTupleProtocol) prot; + struct.type = org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType.findByValue(iprot.readI32()); + struct.setTypeIsSet(true); + struct.value = iprot.readString(); + struct.setValueIsSet(true); + } + } + +} + http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntityType.java ---------------------------------------------------------------------- 
diff --git a/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntityType.java b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntityType.java new file mode 100644 index 0000000..ac44c1f --- /dev/null +++ b/sentry-hdfs/sentry-hdfs-common/src/gen/thrift/gen-javabean/org/apache/sentry/hdfs/service/thrift/TPrivilegeEntityType.java @@ -0,0 +1,48 @@ +/** + * Autogenerated by Thrift Compiler (0.9.3) + * + * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING + * @generated + */ +package org.apache.sentry.hdfs.service.thrift; + + +import java.util.Map; +import java.util.HashMap; +import org.apache.thrift.TEnum; + +public enum TPrivilegeEntityType implements org.apache.thrift.TEnum { + ROLE(0), + USER(1), + AUTHZ_OBJ(2); + + private final int value; + + private TPrivilegeEntityType(int value) { + this.value = value; + } + + /** + * Get the integer value of this enum value, as defined in the Thrift IDL. + */ + public int getValue() { + return value; + } + + /** + * Find a the enum type by its integer value, as defined in the Thrift IDL. + * @return null if the value is not found. + */ + public static TPrivilegeEntityType findByValue(int value) { + switch (value) { + case 0: + return ROLE; + case 1: + return USER; + case 2: + return AUTHZ_OBJ; + default: + return null; + } + } +} http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/PermissionsUpdate.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/PermissionsUpdate.java b/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/PermissionsUpdate.java index 0272396..5691933 100644 --- a/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/PermissionsUpdate.java 
+++ b/sentry-hdfs/sentry-hdfs-common/src/main/java/org/apache/sentry/hdfs/PermissionsUpdate.java @@ -22,6 +22,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; import org.apache.sentry.hdfs.service.thrift.TPermissionsUpdate; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; import org.apache.sentry.hdfs.service.thrift.TRoleChanges; @@ -82,7 +83,7 @@ public class PermissionsUpdate implements Updateable.Update { return tPermUpdate.getPrivilegeChanges().get(authzObj); } TPrivilegeChanges privUpdate = new TPrivilegeChanges(authzObj, - new HashMap<String, String>(), new HashMap<String, String>()); + new HashMap<TPrivilegeEntity, String>(), new HashMap<TPrivilegeEntity, String>()); tPermUpdate.getPrivilegeChanges().put(authzObj, privUpdate); return privUpdate; } http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/main/resources/sentry_hdfs_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/src/main/resources/sentry_hdfs_service.thrift b/sentry-hdfs/sentry-hdfs-common/src/main/resources/sentry_hdfs_service.thrift index 465b421..61582cd 100644 --- a/sentry-hdfs/sentry-hdfs-common/src/main/resources/sentry_hdfs_service.thrift +++ b/sentry-hdfs/sentry-hdfs-common/src/main/resources/sentry_hdfs_service.thrift @@ -26,6 +26,21 @@ namespace java org.apache.sentry.hdfs.service.thrift namespace php sentry.hdfs.thrift namespace cpp Apache.Sentry.HDFS.Thrift +enum TPrivilegeEntityType { + ROLE, + USER, + AUTHZ_OBJ +} + +struct TPrivilegeEntity { + +# Type of the privilege entity +1: required TPrivilegeEntityType type; + +# Value of entity +2: required string value; +} + struct TPathChanges { # The authorizable object that needs to be updated. 
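Review bot: The two maps created on the `+` line are now keyed by `TPrivilegeEntity`, a mutable generated bean whose `hashCode()` is computed from its `type` and `value` fields (see the new TPrivilegeEntity.java in this commit), so an entry whose key is changed through `setType`/`setValue` after insertion becomes unreachable in the `HashMap`; a comment on that line, `// keys are mutable thrift structs: never modify a TPrivilegeEntity once it is used as a map key`, would record the contract for whoever receives the returned TPrivilegeChanges. The enclosing method starts outside the hunk, so whether any caller currently mutates a key cannot be judged from here. In the first hunk the added `import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity;` is placed before `TPermissionsUpdate` and `TPrivilegeChanges`, breaking the alphabetical order the surrounding group follows; moving it after the `TPrivilegeChanges` import keeps the group sorted.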
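Review bot: The new `TPrivilegeEntityType` enum declares `ROLE`, `USER` and `AUTHZ_OBJ` without explicit integer values, so the wire values depend only on declaration order and any later insertion or reordering silently changes what an already-deployed peer decodes; writing them as `ROLE = 0,`, `USER = 1,`, `AUTHZ_OBJ = 2` pins the values the generated Java in this commit already hard-codes. The field comments on `TPrivilegeEntity` (`# Type of the privilege entity`, `# Value of entity`) do not say what `value` carries for each type; one line per enum member describing the expected content of `value` would make the schema usable without reading the Java callers. Worth noting next to the enum as well: the generated Java reader maps an unrecognised `type` ordinal to null and then fails required-field validation, so a receiver running an older schema rejects the whole update as soon as a new member is added on the sending side.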
@@ -79,11 +94,11 @@ struct TPrivilegeChanges { # The privileges that needs to be added to # the authorizable object. -2: required map<string, string> addPrivileges; +2: required map<TPrivilegeEntity, string> addPrivileges; # The privileges that needs to be deleted to # the authorizable object. -3: required map<string, string> delPrivileges; +3: required map<TPrivilegeEntity, string> delPrivileges; } struct TRoleChanges { http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestPermissionUpdate.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestPermissionUpdate.java b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestPermissionUpdate.java index 11d3a2a..8bd9d43 100644 --- a/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestPermissionUpdate.java +++ b/sentry-hdfs/sentry-hdfs-common/src/test/java/org/apache/sentry/hdfs/TestPermissionUpdate.java @@ -21,6 +21,8 @@ package org.apache.sentry.hdfs; import junit.framework.Assert; import org.apache.sentry.hdfs.service.thrift.TPermissionsUpdate; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; import org.apache.thrift.TException; import org.junit.Test; 
@@ -30,8 +32,8 @@ public class TestPermissionUpdate { public void testSerializeDeserializeInJSON() throws TException { PermissionsUpdate update = new PermissionsUpdate(0, false); TPrivilegeChanges privUpdate = update.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS); - privUpdate.putToAddPrivileges("newAuthz", "newAuthz"); - privUpdate.putToDelPrivileges("oldAuthz", "oldAuthz"); + privUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, "newAuthz"), "newAuthz"); + privUpdate.putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, "oldAuthz"), "oldAuthz"); // Serialize and deserialize the PermssionUpdate object should equals to the original one. TPermissionsUpdate before = update.toThrift(); http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java index 1505513..2ad7440 100644 --- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java +++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java 
@@ -29,6 +29,8 @@ import org.apache.hadoop.fs.permission.AclEntry; import org.apache.hadoop.fs.permission.FsAction; import org.apache.sentry.hdfs.SentryPermissions.PrivilegeInfo; import org.apache.sentry.hdfs.SentryPermissions.RoleInfo; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; import org.apache.sentry.hdfs.service.thrift.TRoleChanges; import org.apache.sentry.hdfs.service.thrift.sentry_hdfs_serviceConstants; @@ -122,10 +124,20 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable< } private void applyPrivilegeUpdates(PermissionsUpdate update) { + TPrivilegeEntity addPrivEntity, delPrivEntity; for (TPrivilegeChanges pUpdate : update.getPrivilegeUpdates()) { if (pUpdate.getAuthzObj().equals(PermissionsUpdate.RENAME_PRIVS)) { - String newAuthzObj = pUpdate.getAddPrivileges().keySet().iterator().next(); - String oldAuthzObj = pUpdate.getDelPrivileges().keySet().iterator().next(); + addPrivEntity = pUpdate.getAddPrivileges().keySet().iterator().next(); + delPrivEntity = pUpdate.getDelPrivileges().keySet().iterator().next(); + if(addPrivEntity.getType() != TPrivilegeEntityType.AUTHZ_OBJ || + delPrivEntity.getType() != TPrivilegeEntityType.AUTHZ_OBJ) { + LOG.warn("Invalid Permission Update, Received Rename update with wrong data, (Add) Type: {}, Value:{} " + + "(Del) Type: {}, Value:{}", addPrivEntity.getType(), addPrivEntity.getValue(), + delPrivEntity.getType(), delPrivEntity.getValue()); + continue; + } + String newAuthzObj = addPrivEntity.getValue(); + String oldAuthzObj = delPrivEntity.getValue(); PrivilegeInfo privilegeInfo = perms.getPrivilegeInfo(oldAuthzObj); // The privilegeInfo object can be null if no explicit Privileges // have been granted on the object. For eg. If grants have been applied on 
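Review bot: The new rename validation still lets `pUpdate.getAddPrivileges().keySet().iterator().next()` and the matching del call throw `NoSuchElementException` when a rename update arrives with an empty add or del map, so a malformed update of that shape aborts the whole `applyPrivilegeUpdates` pass instead of being logged and skipped like the wrong-type case the commit now handles; an `isEmpty()` guard ahead of the two `next()` calls, warning and `continue`-ing the same way, would make the validation complete (the empty case is pre-existing, but this hunk is where the payload starts being validated). `addPrivEntity` and `delPrivEntity` are declared once before the loop on the first added line even though each branch assigns them before use; declaring them at the assignment, e.g. `TPrivilegeEntity addPrivEntity = pUpdate.getAddPrivileges().keySet().iterator().next();`, keeps the scope narrow and lets them be `final`. `if(` on the type check also lacks the space the surrounding file uses. The method continues past the hunk.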
@@ -146,30 +158,30 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable< } if (pUpdate.getAuthzObj().equals(PermissionsUpdate.ALL_AUTHZ_OBJ)) { // Request to remove role from all Privileges - String roleToRemove = pUpdate.getDelPrivileges().keySet().iterator() - .next(); + delPrivEntity = pUpdate.getDelPrivileges().keySet().iterator().next(); + String roleToRemove = delPrivEntity.getValue(); for (PrivilegeInfo pInfo : perms.getAllPrivileges()) { pInfo.removePermission(roleToRemove); } } PrivilegeInfo pInfo = perms.getPrivilegeInfo(pUpdate.getAuthzObj()); - for (Map.Entry<String, String> aMap : pUpdate.getAddPrivileges().entrySet()) { + for (Map.Entry<TPrivilegeEntity, String> aMap : pUpdate.getAddPrivileges().entrySet()) { if (pInfo == null) { pInfo = new PrivilegeInfo(pUpdate.getAuthzObj()); } - FsAction fsAction = pInfo.getPermission(aMap.getKey()); + FsAction fsAction = pInfo.getPermission(aMap.getKey().getValue()); if (fsAction == null) { fsAction = getFAction(aMap.getValue()); } else { fsAction = fsAction.or(getFAction(aMap.getValue())); } - pInfo.setPermission(aMap.getKey(), fsAction); + pInfo.setPermission(aMap.getKey().getValue(), fsAction); } if (pInfo != null) { perms.addPrivilegeInfo(pInfo); perms.addParentChildMappings(pUpdate.getAuthzObj()); - for (Map.Entry<String, String> dMap : pUpdate.getDelPrivileges().entrySet()) { - if (dMap.getKey().equals(PermissionsUpdate.ALL_ROLES)) { + for (Map.Entry<TPrivilegeEntity, String> dMap : pUpdate.getDelPrivileges().entrySet()) { + if (dMap.getKey().getValue().equals(PermissionsUpdate.ALL_ROLES)) { // Remove all privileges perms.delPrivilegeInfo(pUpdate.getAuthzObj()); perms.removeParentChildMappings(pUpdate.getAuthzObj()); 
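Review bot: The entity type is dropped as soon as the update is applied: `pInfo.getPermission(aMap.getKey().getValue())`, `pInfo.setPermission(aMap.getKey().getValue(), fsAction)` and the `ALL_ROLES` comparison in the del loop all key on `getValue()` alone, and the `ALL_AUTHZ_OBJ` branch takes `roleToRemove` from `delPrivEntity.getValue()` without looking at the type. Now that the enum has a `USER` member, a user and a role that share a name would collapse into one `PrivilegeInfo` entry and one removal, so the type needs to either flow into `PrivilegeInfo` (whose API is outside this hunk) or be checked here, e.g. warn and skip entries whose type is not `ROLE` the way the rename branch does. No caller in this commit creates `USER` entities yet, so this is forward-looking, but the image retriever and plugin hunks already tag every key as `ROLE`, so the check is cheap to add now. The method starts before and continues after the hunk.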
@@ -185,13 +197,13 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable< } // recursive revoke for (PrivilegeInfo pInfo2 : parentAndChild) { - FsAction fsAction = pInfo2.getPermission(dMap.getKey()); + FsAction fsAction = pInfo2.getPermission(dMap.getKey().getValue()); if (fsAction != null) { fsAction = fsAction.and(getFAction(dMap.getValue()).not()); if (FsAction.NONE == fsAction) { - pInfo2.removePermission(dMap.getKey()); + pInfo2.removePermission(dMap.getKey().getValue()); } else { - pInfo2.setPermission(dMap.getKey(), fsAction); + pInfo2.setPermission(dMap.getKey().getValue(), fsAction); } } } @@ -233,7 +245,8 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable< for (PrivilegeInfo pInfo : perms.getAllPrivileges()) { TPrivilegeChanges pUpdate = retVal.addPrivilegeUpdate(pInfo.getAuthzObj()); for (Map.Entry<String, FsAction> ent : pInfo.getAllPermissions().entrySet()) { - pUpdate.putToAddPrivileges(ent.getKey(), ent.getValue().SYMBOL); + pUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, ent.getKey()), + ent.getValue().SYMBOL); } } for (RoleInfo rInfo : perms.getAllRoles()) { http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java index 53ce34f..10d52b4 100644 --- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java +++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java 
@@ -18,6 +18,7 @@ package org.apache.sentry.hdfs; import com.codahale.metrics.Timer.Context; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; import org.apache.sentry.hdfs.service.thrift.TPermissionsUpdate; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; import org.apache.sentry.hdfs.service.thrift.TRoleChanges; @@ -56,13 +57,13 @@ public class PermImageRetriever implements ImageRetriever<PermissionsUpdate> { // with a corresponding delta change sequence number. PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage(); long curSeqNum = permImage.getCurSeqNum(); - Map<String, Map<String, String>> privilegeImage = + Map<String, Map<TPrivilegeEntity, String>> privilegeImage = permImage.getPrivilegeImage(); Map<String, List<String>> roleImage = permImage.getRoleImage(); // Translates the complete Sentry permission snapshot into a PermissionsUpdate. - // Adds the <hiveObj, <role, privileges>> mapping and the <role, groups> mapping + // Adds permission mapping for user/roles <role, groups> mapping // to be included in the permission update. // And label it with the latest delta change sequence number for consumer // to be aware of the next delta change it should continue with. 
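Review bot: The rewritten comment `// Adds permission mapping for user/roles <role, groups> mapping` reads as garbled: it drops the `<hiveObj, <entity, privileges>>` part that the loop over `privilegeImage` below still builds, and attaches "user/roles" to the role-to-groups mapping, which is keyed by role only. Suggest `// Adds the <hiveObj, <role/user entity, privileges>> mapping and the <role, groups> mapping`. The method continues past the hunk.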
@@ -70,11 +71,11 @@ public class PermImageRetriever implements ImageRetriever<PermissionsUpdate> { new HashMap<String, TPrivilegeChanges>(), new HashMap<String, TRoleChanges>()); - for (Map.Entry<String, Map<String, String>> privEnt : privilegeImage.entrySet()) { + for (Map.Entry<String, Map<TPrivilegeEntity, String>> privEnt : privilegeImage.entrySet()) { String authzObj = privEnt.getKey(); - Map<String,String> privs = privEnt.getValue(); + Map<TPrivilegeEntity,String> privs = privEnt.getValue(); tPermUpdate.putToPrivilegeChanges(authzObj, new TPrivilegeChanges( - authzObj, privs, new HashMap<String, String>())); + authzObj, privs, new HashMap<TPrivilegeEntity, String>())); } for (Map.Entry<String, List<String>> privEnt : roleImage.entrySet()) { http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java index 8485ca3..50853c9 100644 --- a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java +++ b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/SentryPlugin.java @@ -28,6 +28,8 @@ import org.apache.sentry.core.common.utils.PubSub; import org.apache.sentry.core.common.utils.SigUtils; import org.apache.sentry.hdfs.ServiceConstants.ServerConfig; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; import org.apache.sentry.hdfs.service.thrift.TRoleChanges; import org.apache.sentry.provider.db.SentryPolicyStorePlugin; import org.apache.sentry.provider.db.service.persistent.SentryStore; 
@@ -280,8 +282,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } PermissionsUpdate update = new PermissionsUpdate(); - update.addPrivilegeUpdate(authzObj).putToAddPrivileges( - roleName, privilege.getAction().toUpperCase()); + update.addPrivilegeUpdate(authzObj).putToAddPrivileges( new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName), + privilege.getAction().toUpperCase()); LOGGER.debug(String.format("onAlterSentryRoleGrantPrivilegeCore, Authz Perm preUpdate [ %s ]", authzObj)); @@ -306,8 +308,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } PermissionsUpdate update = new PermissionsUpdate(); TPrivilegeChanges privUpdate = update.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS); - privUpdate.putToAddPrivileges(newAuthz, newAuthz); - privUpdate.putToDelPrivileges(oldAuthz, oldAuthz); + privUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ, newAuthz), newAuthz); + privUpdate.putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ,oldAuthz), oldAuthz); LOGGER.debug("onRenameSentryPrivilege, Authz Perm preUpdate [ {} ]", oldAuthz); if (LOGGER.isTraceEnabled()) { @@ -352,7 +354,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen PermissionsUpdate update = new PermissionsUpdate(); update.addPrivilegeUpdate(authzObj).putToDelPrivileges( - roleName, privilege.getAction().toUpperCase()); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE,roleName), + privilege.getAction().toUpperCase()); LOGGER.debug("onAlterSentryRoleRevokePrivilegeCore, Authz Perm preUpdate [ {} ]", authzObj); return update; 
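Review bot: Formatting of the new constructor calls is inconsistent within this file: `putToAddPrivileges( new TPrivilegeEntity(` in the first hunk has a stray space after the parenthesis, while `TPrivilegeEntityType.AUTHZ_OBJ,oldAuthz` and `TPrivilegeEntityType.ROLE,roleName` here, and `TPrivilegeEntityType.ROLE,PermissionsUpdate.ALL_ROLES` in the onDropSentryPrivilege hunk that follows, omit the space after the comma. Every site in the commit spells out `new TPrivilegeEntity(TPrivilegeEntityType.ROLE, name)`; the generated struct cannot carry a helper, but a small static factory on `PermissionsUpdate` would cut the repetition and give the entity type a single place to change.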
@@ -367,7 +370,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen } PermissionsUpdate update = new PermissionsUpdate(); update.addPrivilegeUpdate(PermissionsUpdate.ALL_AUTHZ_OBJ).putToDelPrivileges( - request.getRoleName(), PermissionsUpdate.ALL_AUTHZ_OBJ); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE, request.getRoleName()), + PermissionsUpdate.ALL_AUTHZ_OBJ); update.addRoleUpdate(request.getRoleName()).addToDelGroups(PermissionsUpdate.ALL_GROUPS); LOGGER.debug("onDropSentryRole, Authz Perm preUpdate [ {} ]", request.getRoleName()); @@ -395,7 +399,8 @@ public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListen throw new SentryPluginException(failure.getMessage(), failure); } update.addPrivilegeUpdate(authzObj).putToDelPrivileges( - PermissionsUpdate.ALL_ROLES, PermissionsUpdate.ALL_ROLES); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE,PermissionsUpdate.ALL_ROLES), + PermissionsUpdate.ALL_ROLES); LOGGER.debug("onDropSentryPrivilege, Authz Perm preUpdate [ {} ]", authzObj); if (LOGGER.isTraceEnabled()) { http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceProcessor.java b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceProcessor.java index 578757e..845c137 100644 --- a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceProcessor.java +++ b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestSentryHDFSServiceProcessor.java 
@@ -22,6 +22,7 @@ import org.apache.sentry.core.common.utils.PubSub; import org.apache.sentry.hdfs.ServiceConstants.ServerConfig; import org.apache.sentry.hdfs.service.thrift.TAuthzUpdateRequest; import org.apache.sentry.hdfs.service.thrift.TAuthzUpdateResponse; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; import org.apache.sentry.provider.db.SentryPolicyStorePlugin; import org.apache.sentry.provider.db.service.model.MSentryPathChange; import org.apache.sentry.provider.db.service.model.MSentryPermChange; @@ -64,7 +65,7 @@ public class TestSentryHDFSServiceProcessor { Mockito.when(sentryStoreMock.getLastProcessedPermChangeID()) .thenReturn(1L); Mockito.when(sentryStoreMock.retrieveFullPermssionsImage()) - .thenReturn(new PermissionsImage(new HashMap<String, List<String>>(), new HashMap<String, Map<String, String>>(), 1)); + .thenReturn(new PermissionsImage(new HashMap<String, List<String>>(), new HashMap<String, Map<TPrivilegeEntity, String>>(), 1)); TAuthzUpdateRequest updateRequest = new TAuthzUpdateRequest(1, 1, 0); TAuthzUpdateResponse sentryUpdates= serviceProcessor.get_authz_updates(updateRequest); 
@@ -91,7 +92,7 @@ public class TestSentryHDFSServiceProcessor { Mockito.when(sentryStoreMock.getLastProcessedPermChangeID()) .thenReturn(3L); Mockito.when(sentryStoreMock.retrieveFullPermssionsImage()) - .thenReturn(new PermissionsImage(new HashMap<String, List<String>>(), new HashMap<String, Map<String, String>>(), 3)); + .thenReturn(new PermissionsImage(new HashMap<String, List<String>>(), new HashMap<String, Map<TPrivilegeEntity, String>>(), 3)); TAuthzUpdateRequest updateRequest = new TAuthzUpdateRequest(2, 2, 1); TAuthzUpdateResponse sentryUpdates= serviceProcessor.get_authz_updates(updateRequest); http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java index 96fe413..6134778 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java 
@@ -45,8 +45,10 @@ import org.apache.sentry.hdfs.SentryMalformedPathException; import org.apache.sentry.hdfs.UniquePathsUpdate; import org.apache.sentry.hdfs.Updateable.Update; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; import org.apache.sentry.provider.db.service.thrift.SentryMetrics; import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; import org.apache.sentry.service.thrift.SentryServiceUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -129,7 +131,8 @@ final class NotificationProcessor { PermissionsUpdate update = new PermissionsUpdate(SentryStore.INIT_CHANGE_ID, false); String authzObj = SentryServiceUtil.getAuthzObj(authorizable); update.addPrivilegeUpdate(authzObj) - .putToDelPrivileges(PermissionsUpdate.ALL_ROLES, PermissionsUpdate.ALL_ROLES); + .putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, PermissionsUpdate.ALL_ROLES), + PermissionsUpdate.ALL_ROLES); return update; } @@ -155,8 +158,8 @@ final class NotificationProcessor { String newAuthz = SentryServiceUtil.getAuthzObj(newAuthorizable); PermissionsUpdate update = new PermissionsUpdate(SentryStore.INIT_CHANGE_ID, false); TPrivilegeChanges privUpdate = update.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS); - privUpdate.putToAddPrivileges(newAuthz, newAuthz); - privUpdate.putToDelPrivileges(oldAuthz, oldAuthz); + privUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ, newAuthz), newAuthz); + privUpdate.putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ, oldAuthz), oldAuthz); return update; } http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/PermissionsImage.java ---------------------------------------------------------------------- 
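Review bot: The added `import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity;` is placed after the `org.apache.sentry.provider.db.service.thrift` imports, three lines away from its sibling `TPrivilegeEntityType` import, so the hdfs thrift imports are no longer contiguous or sorted; the SentryStore hunk later in this commit does the same, putting `TPrivilegeEntity` between `TSentryRole` and `ServiceConstants.PrivilegeScope` while `TPrivilegeEntityType` sits in the hdfs group. Moving both next to `TPrivilegeChanges` keeps the groups sorted. The two NotificationProcessor code hunks are otherwise straightforward type swaps.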
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/PermissionsImage.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/PermissionsImage.java index 6c74e19..4a02db2 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/PermissionsImage.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/PermissionsImage.java @@ -18,13 +18,15 @@ package org.apache.sentry.provider.db.service.persistent; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; + import java.util.List; import java.util.Map; /** * A container for complete sentry permission snapshot. * <p> - * It is composed by a role to groups mapping, and hiveObj to < role, privileges > mapping. + * It is composed by a role to groups mapping, and hiveObj to < role/user, privileges > mapping. * It also has the sequence number/change ID of latest delta change that the snapshot maps to. */ public class PermissionsImage { @@ -32,12 +34,12 @@ public class PermissionsImage { // A full snapshot of sentry role to groups mapping. private final Map<String, List<String>> roleImage; - // A full snapshot of hiveObj to <role, privileges> mapping. - private final Map<String, Map<String, String>> privilegeImage; + // A full snapshot of hiveObj to <role/user, privileges> mapping. + private final Map<String, Map<TPrivilegeEntity, String>> privilegeImage; private final long curSeqNum; public PermissionsImage(Map<String, List<String>> roleImage, - Map<String, Map<String, String>> privilegeImage, long curSeqNum) { + Map<String, Map<TPrivilegeEntity, String>> privilegeImage, long curSeqNum) { this.roleImage = roleImage; this.privilegeImage = privilegeImage; this.curSeqNum = curSeqNum; 
@@ -47,7 +49,7 @@ public class PermissionsImage {
 return curSeqNum;
 }
- public Map<String, Map<String, String>> getPrivilegeImage() {
+ public Map<String, Map<TPrivilegeEntity, String>> getPrivilegeImage() {
 return privilegeImage;
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 8ac3c0d..ac5316c 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -56,6 +56,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
 import org.apache.sentry.hdfs.PathsUpdate;
 import org.apache.sentry.hdfs.UniquePathsUpdate;
 import org.apache.sentry.hdfs.UpdateableAuthzPaths;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType;
 import org.apache.sentry.provider.db.service.model.MAuthzPathsMapping;
 import org.apache.sentry.provider.db.service.model.MAuthzPathsSnapshotId;
 import org.apache.sentry.provider.db.service.model.MSentryChange;
@@ -78,6 +79,7 @@ import org.apache.sentry.provider.db.service.thrift.TSentryMappingData; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege; import org.apache.sentry.provider.db.service.thrift.TSentryPrivilegeMap; import org.apache.sentry.provider.db.service.thrift.TSentryRole; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.datanucleus.store.rdbms.exceptions.MissingTableException; @@ -2471,7 +2473,7 @@ public class SentryStore { // enable SentryPlugin(HDFS Sync feature). long curChangeID = getLastProcessedChangeIDCore(pm, MSentryPermChange.class); Map<String, List<String>> roleImage = retrieveFullRoleImageCore(pm); - Map<String, Map<String, String>> privilegeMap = retrieveFullPrivilegeImageCore(pm); + Map<String, Map<TPrivilegeEntity, String>> privilegeMap = retrieveFullPrivilegeImageCore(pm); return new PermissionsImage(roleImage, privilegeMap, curChangeID); }); @@ -2485,11 +2487,11 @@ public class SentryStore { * @return a mapping of hiveObj to < role, privileges > * @throws Exception */ - private Map<String, Map<String, String>> retrieveFullPrivilegeImageCore(PersistenceManager pm) + private Map<String, Map<TPrivilegeEntity, String>> retrieveFullPrivilegeImageCore(PersistenceManager pm) throws Exception { pm.setDetachAllOnCommit(false); // No need to detach objects - Map<String, Map<String, String>> retVal = new HashMap<>(); + Map<String, Map<TPrivilegeEntity, String>> retVal = new HashMap<>(); Query query = pm.newQuery(MSentryPrivilege.class); query.addExtension(LOAD_RESULTS_AT_COMMIT, "false"); 
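Review bot: The Javadoc kept as context in the last hunk, `@return a mapping of hiveObj to < role, privileges >`, no longer matches the signature it documents, which now returns `Map<String, Map<TPrivilegeEntity, String>>`; the PermissionsImage hunk in the same commit updated its equivalent wording to `< role/user, privileges >`, so this one should say `@return a mapping of hiveObj to < privilege entity (role/user), privileges >`. The body of retrieveFullPrivilegeImageCore continues past this hunk.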
@@ -2508,7 +2510,7 @@ public class SentryStore { if (!isNULL(mPriv.getTableName())) { authzObj = authzObj + "." + mPriv.getTableName(); } - Map<String, String> pUpdate = retVal.get(authzObj); + Map<TPrivilegeEntity, String> pUpdate = retVal.get(authzObj); if (pUpdate == null) { pUpdate = new HashMap<>(); retVal.put(authzObj, pUpdate); @@ -2516,9 +2518,11 @@ public class SentryStore { for (MSentryRole mRole : mPriv.getRoles()) { String existingPriv = pUpdate.get(mRole.getRoleName()); if (existingPriv == null) { - pUpdate.put(mRole.getRoleName(), mPriv.getAction().toUpperCase()); + pUpdate.put(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, mRole.getRoleName()), + mPriv.getAction().toUpperCase()); } else { - pUpdate.put(mRole.getRoleName(), existingPriv + "," + mPriv.getAction().toUpperCase()); + pUpdate.put(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, mRole.getRoleName()), existingPriv + "," + + mPriv.getAction().toUpperCase()); } } } http://git-wip-us.apache.org/repos/asf/sentry/blob/912b1dbe/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index b410027..f5a777d 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 
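Review bot: `String existingPriv = pUpdate.get(mRole.getRoleName());` still looks the map up with a `String` key, but `pUpdate` is now `Map<TPrivilegeEntity, String>`, so `Map.get(Object)` compiles and always returns null; the merge branch that concatenates actions becomes dead code, and when a role holds several privileges on the same authzObj (separate MSentryPrivilege rows with different actions) each later iteration overwrites the earlier one instead of producing the joined `existingPriv + "," + action` value. The full permission image handed to the NameNode plugin would then carry only the last action per role, an under-grant rather than an over-grant, but a silent divergence between the snapshot path and the delta path. Build the key once and use it for both the lookup and the puts: `TPrivilegeEntity entity = new TPrivilegeEntity(TPrivilegeEntityType.ROLE, mRole.getRoleName());` followed by `String existingPriv = pUpdate.get(entity);`, with the two `pUpdate.put(...)` calls taking `entity`. The existing TestSentryStore assertion on `privs.get("db1.tbl1").size()` counts entries rather than merged actions, so it would not catch this; a test granting two actions to one role on one table and checking the joined value would.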
@@ -56,6 +56,8 @@ import org.apache.sentry.hdfs.service.thrift.TPathEntry; import org.apache.sentry.hdfs.service.thrift.TPathsDump; import org.apache.sentry.hdfs.service.thrift.TPathsUpdate; import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; import org.apache.sentry.hdfs.service.thrift.TRoleChanges; import org.apache.sentry.provider.db.service.model.MSentryPermChange; import org.apache.sentry.provider.db.service.model.MSentryPathChange; @@ -2440,7 +2442,7 @@ public class TestSentryStore extends org.junit.Assert { sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups); PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage(); - Map<String, Map<String, String>> privs = permImage.getPrivilegeImage(); + Map<String, Map<TPrivilegeEntity, String>> privs = permImage.getPrivilegeImage(); Map<String, List<String>> roles = permImage.getRoleImage(); assertEquals(2, privs.get("db1.tbl1").size()); assertEquals(2, roles.size()); @@ -3084,7 +3086,7 @@ public class TestSentryStore extends org.junit.Assert { // Generate the permission add update authzObj "db1.tbl1" PermissionsUpdate addUpdate = new PermissionsUpdate(0, false); addUpdate.addPrivilegeUpdate(authzObj).putToAddPrivileges( - roleName, privilege.getAction().toUpperCase()); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName), privilege.getAction().toUpperCase()); // Grant the privilege to role test-privilege and verify it has been persisted. Map<TSentryPrivilege, Updateable.Update> addPrivilegesUpdateMap = Maps.newHashMap(); 
@@ -3103,7 +3105,8 @@ public class TestSentryStore extends org.junit.Assert { // Generate the permission delete update authzObj "db1.tbl1" PermissionsUpdate delUpdate = new PermissionsUpdate(0, false); delUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges( - roleName, privilege.getAction().toUpperCase()); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName), + privilege.getAction().toUpperCase()); // Revoke the same privilege and verify it has been removed. Map<TSentryPrivilege, Updateable.Update> delPrivilegesUpdateMap = Maps.newHashMap(); @@ -3184,7 +3187,8 @@ public class TestSentryStore extends org.junit.Assert { // Generate the permission del update for dropping role "test-drop-role" PermissionsUpdate delUpdate = new PermissionsUpdate(0, false); delUpdate.addPrivilegeUpdate(PermissionsUpdate.ALL_AUTHZ_OBJ).putToDelPrivileges( - roleName, PermissionsUpdate.ALL_AUTHZ_OBJ); + new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName), + PermissionsUpdate.ALL_AUTHZ_OBJ); delUpdate.addRoleUpdate(roleName).addToDelGroups(PermissionsUpdate.ALL_GROUPS); // Drop the role and verify. @@ -3217,7 +3221,8 @@ public class TestSentryStore extends org.junit.Assert { // Generate the permission drop update for dropping privilege for "db1.tbl1" PermissionsUpdate dropUpdate = new PermissionsUpdate(0, false); - dropUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges(PermissionsUpdate.ALL_ROLES, + dropUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, + PermissionsUpdate.ALL_ROLES), PermissionsUpdate.ALL_ROLES); // Drop the privilege and verify. 
@@ -3254,8 +3259,8 @@ public class TestSentryStore extends org.junit.Assert { String newAuthz = "db1.tbl2"; PermissionsUpdate renameUpdate = new PermissionsUpdate(0, false); TPrivilegeChanges privUpdate = renameUpdate.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS); - privUpdate.putToAddPrivileges(newAuthz, newAuthz); - privUpdate.putToDelPrivileges(oldAuthz, oldAuthz); + privUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ, newAuthz), newAuthz); + privUpdate.putToDelPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.AUTHZ_OBJ, oldAuthz), oldAuthz); // Rename the privilege and verify. TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);