Repository: sentry Updated Branches: refs/heads/master 135f764ba -> b23146826
SENTRY-2173: Extend PrivilegeInfo to hold user privileges. (Kalyan Kumar kalvagadda, reviewed-by Na Li and Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b2314682 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b2314682 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b2314682 Branch: refs/heads/master Commit: b2314682606cc36cd54138e3a8376d69e46895cf Parents: 135f764 Author: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Authored: Wed May 9 15:13:16 2018 -0500 Committer: Kalyan Kumar Kalvagadda <kkal...@cloudera.com> Committed: Wed May 9 15:13:16 2018 -0500 ---------------------------------------------------------------------- .../apache/sentry/hdfs/SentryPermissions.java | 30 ++++++++++++-------- .../sentry/hdfs/UpdateableAuthzPermissions.java | 21 +++++++------- 2 files changed, 28 insertions(+), 23 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/b2314682/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java index 3b3a82e..a88d8e2 100644 --- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java +++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java 
@@ -23,35 +23,39 @@ import org.apache.hadoop.fs.permission.AclEntry; import org.apache.hadoop.fs.permission.AclEntryScope; import org.apache.hadoop.fs.permission.AclEntryType; import org.apache.hadoop.fs.permission.FsAction; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity; +import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType; public class SentryPermissions implements AuthzPermissions { public static class PrivilegeInfo { private final String authzObj; - private final Map<String, FsAction> roleToPermission = new HashMap<String, FsAction>(); + // It is safe to use TPrivilegeEntity as key as it implements the hashCode and equals API's. + // Equals() API would help in handling hash collisions. + private final Map<TPrivilegeEntity, FsAction> privilegeEntityFsActionMap = new HashMap<TPrivilegeEntity, FsAction>(); public PrivilegeInfo(String authzObj) { this.authzObj = authzObj; } - public PrivilegeInfo setPermission(String role, FsAction perm) { - roleToPermission.put(role, perm); + public PrivilegeInfo setPermission(TPrivilegeEntity privilegeEntity, FsAction perm) { + privilegeEntityFsActionMap.put(privilegeEntity, perm); return this; } - public PrivilegeInfo removePermission(String role) { - roleToPermission.remove(role); + public PrivilegeInfo removePermission(TPrivilegeEntity privilegeEntity) { + privilegeEntityFsActionMap.remove(privilegeEntity); return this; } - public FsAction getPermission(String role) { - return roleToPermission.get(role); + public FsAction getPermission(TPrivilegeEntity privilegeEntity) { + return privilegeEntityFsActionMap.get(privilegeEntity); } - public Map<String, FsAction> getAllPermissions() { - return roleToPermission; + public Map<TPrivilegeEntity, FsAction> getAllPermissions() { + return privilegeEntityFsActionMap; } public String getAuthzObj() { return authzObj; } @Override public String toString() { - return "PrivilegeInfo(" + authzObj + " --> " + roleToPermission + ")"; + return "PrivilegeInfo(" + 
authzObj + " --> " + privilegeEntityFsActionMap + ")"; } } @@ -134,9 +138,11 @@ public class SentryPermissions implements AuthzPermissions { PrivilegeInfo privilegeInfo = privileges.get(authzObj); if (privilegeInfo != null) { - for (Map.Entry<String, FsAction> privs : privilegeInfo + for (Map.Entry<TPrivilegeEntity, FsAction> privs : privilegeInfo .getAllPermissions().entrySet()) { - constructAclEntry(privs.getKey(), privs.getValue(), groupPerms); + if(privs.getKey().getType() == TPrivilegeEntityType.ROLE) { + constructAclEntry(privs.getKey().getValue(), privs.getValue(), groupPerms); + } } } return groupPerms; http://git-wip-us.apache.org/repos/asf/sentry/blob/b2314682/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java index 2ad7440..761c760 100644 --- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java +++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/UpdateableAuthzPermissions.java 
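Review bot: `setPermission` stores the caller's `TPrivilegeEntity` instance directly as the map key, and the new comment on `privilegeEntityFsActionMap` covers only `hashCode`/`equals`, not mutability. If the entity class has setters, as Thrift-generated structs normally do (not visible here), changing a key after insertion leaves a grant that `getPermission` and `removePermission` can no longer find, so a later revoke would not take effect. Copying on insert avoids this: `privilegeEntityFsActionMap.put(new TPrivilegeEntity(privilegeEntity), perm);`, using the copy constructor this commit already calls in UpdateableAuthzPermissions. The grant and rename paths there (`pInfo.setPermission(aMap.getKey(), fsAction)` and `newPrivilegeInfo.setPermission(e.getKey(), e.getValue())`) pass keys straight from the incoming update, so they benefit as well.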
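Review bot: The `TPrivilegeEntityType.ROLE` check in the ACL-building loop drops every non-role entity without a comment or log line, so a user privilege that PrivilegeInfo now holds yields no ACL entry. Skipping fails closed, which is the safe direction, but the reason should be written down so the gap is not mistaken for enforcement: `// Only ROLE entities become group ACL entries; other entity types are stored but not applied here.` An entity whose type is unset is skipped the same way, since `getType()` would then not equal ROLE. The spacing `if(` also differs from the `if (` used on the surrounding lines. The enclosing method starts and ends outside the hunk.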
@@ -144,11 +144,11 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable<
 // Db, but no explicit grants on Table.. then the authzObject associated
 // with the table will never exist.
 if (privilegeInfo != null) {
- Map<String, FsAction> allPermissions = privilegeInfo.getAllPermissions();
+ Map<TPrivilegeEntity, FsAction> allPermissions = privilegeInfo.getAllPermissions();
 perms.delPrivilegeInfo(oldAuthzObj);
 perms.removeParentChildMappings(oldAuthzObj);
 PrivilegeInfo newPrivilegeInfo = new PrivilegeInfo(newAuthzObj);
- for (Map.Entry<String, FsAction> e : allPermissions.entrySet()) {
+ for (Map.Entry<TPrivilegeEntity, FsAction> e : allPermissions.entrySet()) {
 newPrivilegeInfo.setPermission(e.getKey(), e.getValue());
 }
 perms.addPrivilegeInfo(newPrivilegeInfo);
@@ -159,9 +159,8 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable<
 if (pUpdate.getAuthzObj().equals(PermissionsUpdate.ALL_AUTHZ_OBJ)) {
 // Request to remove role from all Privileges
 delPrivEntity = pUpdate.getDelPrivileges().keySet().iterator().next();
- String roleToRemove = delPrivEntity.getValue();
 for (PrivilegeInfo pInfo : perms.getAllPrivileges()) {
- pInfo.removePermission(roleToRemove);
+ pInfo.removePermission(delPrivEntity);
 }
 }
 PrivilegeInfo pInfo = perms.getPrivilegeInfo(pUpdate.getAuthzObj());
@@ -169,13 +168,13 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable<
 if (pInfo == null) {
 pInfo = new PrivilegeInfo(pUpdate.getAuthzObj());
 }
- FsAction fsAction = pInfo.getPermission(aMap.getKey().getValue());
+ FsAction fsAction = pInfo.getPermission(aMap.getKey());
 if (fsAction == null) {
 fsAction = getFAction(aMap.getValue());
 } else {
 fsAction = fsAction.or(getFAction(aMap.getValue()));
 }
- pInfo.setPermission(aMap.getKey().getValue(), fsAction);
+ pInfo.setPermission(aMap.getKey(), fsAction);
 }
 if (pInfo != null) {
 perms.addPrivilegeInfo(pInfo);
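Review bot: In the ALL_AUTHZ_OBJ branch, `pInfo.removePermission(delPrivEntity)` now matches on the whole entity rather than on the role name, so removal depends on the delete request carrying the same type as the stored key. Assuming `TPrivilegeEntity.equals` compares the type field too, an entity sent with a different or unset type becomes a silent no-op and the permission stays in place; the recursive-revoke hunk (`pInfo2.getPermission(dMap.getKey())`) has the same dependency. The comment above the call should follow the new behaviour, e.g. `// Request to remove a privilege entity (role or user) from all Privileges`, and a test that grants and then revokes the same role through both paths would pin the matching. The enclosing method starts and ends outside the hunk.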
@@ -197,13 +196,13 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable<
 }
 // recursive revoke
 for (PrivilegeInfo pInfo2 : parentAndChild) {
- FsAction fsAction = pInfo2.getPermission(dMap.getKey().getValue());
+ FsAction fsAction = pInfo2.getPermission(dMap.getKey());
 if (fsAction != null) {
 fsAction = fsAction.and(getFAction(dMap.getValue()).not());
 if (FsAction.NONE == fsAction) {
- pInfo2.removePermission(dMap.getKey().getValue());
+ pInfo2.removePermission(dMap.getKey());
 } else {
- pInfo2.setPermission(dMap.getKey().getValue(), fsAction);
+ pInfo2.setPermission(dMap.getKey(), fsAction);
 }
 }
 }
@@ -244,8 +243,8 @@ public class UpdateableAuthzPermissions implements AuthzPermissions, Updateable<
 PermissionsUpdate retVal = new PermissionsUpdate(currSeqNum, true);
 for (PrivilegeInfo pInfo : perms.getAllPrivileges()) {
 TPrivilegeChanges pUpdate = retVal.addPrivilegeUpdate(pInfo.getAuthzObj());
- for (Map.Entry<String, FsAction> ent : pInfo.getAllPermissions().entrySet()) {
- pUpdate.putToAddPrivileges(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, ent.getKey()),
+ for (Map.Entry<TPrivilegeEntity, FsAction> ent : pInfo.getAllPermissions().entrySet()) {
+ pUpdate.putToAddPrivileges(new TPrivilegeEntity(ent.getKey()),
 ent.getValue().SYMBOL);
 }
 }