Repository: sentry
Updated Branches:
  refs/heads/master 112cdcd4f -> 4f75cc1c4


SENTRY-2260: Update HDFS ACL's based on owner privileges. (Kalyan Kumar 
kalvagadda, reviewed-by Na Li)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/4f75cc1c
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/4f75cc1c
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/4f75cc1c

Branch: refs/heads/master
Commit: 4f75cc1c4be7e10f48abf42caeee6e500808cee8
Parents: 112cdcd
Author: Kalyan Kumar Kalvagadda <kkal...@cloudera.com>
Authored: Tue Jun 12 10:02:41 2018 -0500
Committer: Kalyan Kumar Kalvagadda <kkal...@cloudera.com>
Committed: Tue Jun 12 10:02:41 2018 -0500

----------------------------------------------------------------------
 .../apache/sentry/hdfs/DBUpdateForwarder.java   | 20 +++++++
 .../apache/sentry/hdfs/PermDeltaRetriever.java  |  6 +++
 .../apache/sentry/hdfs/PermImageRetriever.java  |  5 +-
 .../apache/sentry/hdfs/TestDeltaRetriever.java  | 56 ++++++++++++++++++++
 .../apache/sentry/hdfs/TestImageRetriever.java  | 41 ++++++++++++++
 5 files changed, 126 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/4f75cc1c/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/DBUpdateForwarder.java
----------------------------------------------------------------------
diff --git 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/DBUpdateForwarder.java
 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/DBUpdateForwarder.java
index 71ef5f9..065adb7 100644
--- 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/DBUpdateForwarder.java
+++ 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/DBUpdateForwarder.java
@@ -22,7 +22,11 @@ import static 
org.apache.sentry.hdfs.ServiceConstants.SEQUENCE_NUMBER_FULL_UPDAT
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity;
 import org.apache.sentry.service.thrift.SentryServiceState;
 import org.apache.sentry.service.thrift.SentryStateBank;
 import org.slf4j.Logger;
@@ -142,4 +146,20 @@ class DBUpdateForwarder<K extends Updateable.Update> {
       return Collections.singletonList(imageRetriever.retrieveFullImage());
     }
   }
+
+  /**
+   * Translate Owner Privilege
+   * @param privMap Collection of privileges on an privilege entity.
+   */
+  public static void translateOwnerPrivileges(Map<TPrivilegeEntity,String> 
privMap) {
+    if(privMap == null) {
+      return;
+    }
+    for (Map.Entry<TPrivilegeEntity, String> priv : privMap.entrySet()) {
+      if (priv.getValue().equalsIgnoreCase(AccessConstants.OWNER)) {
+        //Translate owner privilege
+        priv.setValue(AccessConstants.ALL);
+      }
+    }
+  }
 }
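Review bot: `priv.getValue().equalsIgnoreCase(AccessConstants.OWNER)` in translateOwnerPrivileges throws a NullPointerException when an entry carries a null value, which would abort the permission update being forwarded. Putting the constant first avoids that: `if (AccessConstants.OWNER.equalsIgnoreCase(priv.getValue())) {`. The Javadoc should also say that the map is modified in place and that only a value that is exactly OWNER is widened to ALL. If a value can hold several comma-separated actions, which is not visible in this hunk, an OWNER inside such a list stays untranslated and the matching HDFS ACL would be missing.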

http://git-wip-us.apache.org/repos/asf/sentry/blob/4f75cc1c/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermDeltaRetriever.java
----------------------------------------------------------------------
diff --git 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermDeltaRetriever.java
 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermDeltaRetriever.java
index 6974d37..7cd2c31 100644
--- 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermDeltaRetriever.java
+++ 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermDeltaRetriever.java
@@ -18,6 +18,7 @@
 package org.apache.sentry.hdfs;
 
 import com.codahale.metrics.Timer.Context;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
 import org.apache.sentry.provider.db.service.model.MSentryPermChange;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 
@@ -66,6 +67,11 @@ public class PermDeltaRetriever implements 
DeltaRetriever<PermissionsUpdate> {
         PermissionsUpdate permsUpdate = new PermissionsUpdate();
         permsUpdate.JSONDeserialize(mSentryPermChange.getPermChange());
         permsUpdate.setSeqNum(changeID);
+        Collection<TPrivilegeChanges> privChanges = 
permsUpdate.getPrivilegeUpdates();
+        for(TPrivilegeChanges privChange : privChanges) {
+          
DBUpdateForwarder.translateOwnerPrivileges(privChange.getAddPrivileges());
+          
DBUpdateForwarder.translateOwnerPrivileges(privChange.getDelPrivileges());
+        }
         updates.add(permsUpdate);
       }
       return updates;
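Review bot: Translating `privChange.getDelPrivileges()` as well as the add map means a revoke of OWNER reaches the consumer as a revoke of ALL for that entity. If the same role or user also holds a separately granted ALL, dropping ownership could strip ACL access that should remain. Whether that happens depends on how the receiving side applies a delete of ALL, which is outside this diff. It is worth confirming and recording above the loop, for example `// OWNER is forwarded as ALL for grants and revokes; a revoke must not remove an independently granted ALL`. The enclosing method starts and ends outside the hunk.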

http://git-wip-us.apache.org/repos/asf/sentry/blob/4f75cc1c/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java
----------------------------------------------------------------------
diff --git 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java
 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java
index 10d52b4..ef0203f 100644
--- 
a/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java
+++ 
b/sentry-hdfs/sentry-hdfs-service/src/main/java/org/apache/sentry/hdfs/PermImageRetriever.java
@@ -73,9 +73,10 @@ public class PermImageRetriever implements 
ImageRetriever<PermissionsUpdate> {
 
       for (Map.Entry<String, Map<TPrivilegeEntity, String>> privEnt : 
privilegeImage.entrySet()) {
         String authzObj = privEnt.getKey();
-        Map<TPrivilegeEntity,String> privs = privEnt.getValue();
+        Map<TPrivilegeEntity,String> privMap = privEnt.getValue();
+        DBUpdateForwarder.translateOwnerPrivileges(privMap);
         tPermUpdate.putToPrivilegeChanges(authzObj, new TPrivilegeChanges(
-        authzObj, privs, new HashMap<TPrivilegeEntity, String>()));
+        authzObj, privMap, new HashMap<TPrivilegeEntity, String>()));
       }
 
       for (Map.Entry<String, List<String>> privEnt : roleImage.entrySet()) {
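Review bot: `DBUpdateForwarder.translateOwnerPrivileges(privMap)` rewrites the map taken straight from `privilegeImage`, so the image returned by the store loses its OWNER entries as a side effect of building the update. If that image is shared or cached, later readers see ALL where OWNER was recorded; if it is backed by an unmodifiable map, `setValue` throws. Neither case is visible in this hunk. Translating a copy keeps the source intact: `Map<TPrivilegeEntity,String> privMap = new HashMap<TPrivilegeEntity, String>(privEnt.getValue());`. The enclosing method begins and ends outside the hunk.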

http://git-wip-us.apache.org/repos/asf/sentry/blob/4f75cc1c/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestDeltaRetriever.java
----------------------------------------------------------------------
diff --git 
a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestDeltaRetriever.java
 
b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestDeltaRetriever.java
index 60696cc..d7bc748 100644
--- 
a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestDeltaRetriever.java
+++ 
b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestDeltaRetriever.java
@@ -17,15 +17,24 @@
  */
 package org.apache.sentry.hdfs;
 
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
 import org.apache.sentry.provider.db.service.model.MSentryPathChange;
+import org.apache.sentry.provider.db.service.model.MSentryPermChange;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -73,4 +82,51 @@ public class TestDeltaRetriever {
     assertEquals(false, pathsUpdates.get(1).hasFullImage());
     assertEquals(3, pathsUpdates.get(1).getImgNum());
   }
+
+  @Test
+  public void testDeltaPermUpdatesRetrievedWhenOwnerPrivileges() throws 
Exception {
+    PermDeltaRetriever deltaRetriever;
+    List<PermissionsUpdate> permUpdates;
+
+    Mockito.when(sentryStoreMock.getMSentryPermChanges(Mockito.anyLong())).
+            thenAnswer(new Answer() {
+              @Override
+              public List<MSentryPermChange> answer(InvocationOnMock 
invocation)
+                      throws Throwable {
+                List<MSentryPermChange> permChanges = new ArrayList<>();
+                PermissionsUpdate update = new PermissionsUpdate();
+                update.addPrivilegeUpdate("obj1").putToAddPrivileges( new 
TPrivilegeEntity(TPrivilegeEntityType.ROLE,
+                        "role1"), AccessConstants.OWNER);
+                MSentryPermChange perm1 = new MSentryPermChange(1,update);
+                permChanges.add(perm1);
+                update = new PermissionsUpdate();
+                update.addPrivilegeUpdate("obj1").putToAddPrivileges( new 
TPrivilegeEntity(TPrivilegeEntityType.USER,
+                        "user1"), AccessConstants.OWNER);
+                MSentryPermChange perm2 = new MSentryPermChange(2,update);
+                permChanges.add(perm2);
+                update = new PermissionsUpdate();
+                update.addPrivilegeUpdate("obj1").putToDelPrivileges( new 
TPrivilegeEntity(TPrivilegeEntityType.ROLE,
+                        "user1"), AccessConstants.OWNER);
+                MSentryPermChange perm3 = new MSentryPermChange(2,update);
+                permChanges.add(perm3);
+                return permChanges;
+              }
+            });
+
+    deltaRetriever = new PermDeltaRetriever(sentryStoreMock);
+    permUpdates = deltaRetriever.retrieveDelta(0, 3);
+    assertEquals(3, permUpdates.size());
+    assertEquals(1, permUpdates.get(0).getSeqNum());
+
+    for(PermissionsUpdate update : permUpdates) {
+      for(TPrivilegeChanges priv : update.getPrivilegeUpdates()) {
+        for(Map.Entry<TPrivilegeEntity,String> privEntry : 
priv.getAddPrivileges().entrySet()) {
+          assertEquals(AccessConstants.ALL, privEntry.getValue());
+        }
+        for(Map.Entry<TPrivilegeEntity,String> privEntry : 
priv.getDelPrivileges().entrySet()) {
+          assertEquals(AccessConstants.ALL, privEntry.getValue());
+        }
+      }
+    }
+  }
 }
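Review bot: The assertion loops at the end of testDeltaPermUpdatesRetrievedWhenOwnerPrivileges pass even when the add and delete maps are empty, so the test stays green if the translation or the JSON round trip drops the entries; the loop in testFullPermUpdatesRetrievedWithOwnerPrivileges in TestImageRetriever has the same gap. Assert the expected entry count before iterating, for example `assertEquals(1, priv.getAddPrivileges().size() + priv.getDelPrivileges().size());`. A case with a non-OWNER action that must come back unchanged would also pin that the rewrite does not widen other privileges. `perm3` reuses sequence number 2 and pairs `TPrivilegeEntityType.ROLE` with "user1", which looks like a copy-paste slip.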

http://git-wip-us.apache.org/repos/asf/sentry/blob/4f75cc1c/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestImageRetriever.java
----------------------------------------------------------------------
diff --git 
a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestImageRetriever.java
 
b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestImageRetriever.java
index d2d5391..b86136d 100644
--- 
a/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestImageRetriever.java
+++ 
b/sentry-hdfs/sentry-hdfs-service/src/test/java/org/apache/sentry/hdfs/TestImageRetriever.java
@@ -18,13 +18,21 @@
 package org.apache.sentry.hdfs;
 
 import com.google.common.collect.Sets;
+import junit.framework.Assert;
 import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.hdfs.service.thrift.TPathChanges;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntity;
+import org.apache.sentry.hdfs.service.thrift.TPrivilegeEntityType;
+import org.apache.sentry.provider.db.service.persistent.PermissionsImage;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.mockito.Mockito;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
 
 import java.util.Collection;
 import java.util.HashMap;
@@ -65,6 +73,39 @@ public class TestImageRetriever {
     assertTrue(comparePaths(fullPathsImage, pathsUpdate.getPathChanges()));
   }
 
+
+  @Test
+  public void testFullPermUpdatesRetrievedWithOwnerPrivileges() throws 
Exception {
+    PermImageRetriever imageRetriever;
+    PermissionsUpdate permUpdate;
+
+    Mockito.when(sentryStoreMock.retrieveFullPermssionsImage()).
+            thenAnswer(new Answer() {
+              @Override
+              public PermissionsImage answer(InvocationOnMock invocation)
+                      throws Throwable {
+                Map<String, Map<TPrivilegeEntity, String>> privilegeMap = new 
HashMap<>();
+                Map<TPrivilegeEntity, String> privMap = new HashMap<>();
+                privMap.put(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, 
"role1"), AccessConstants.OWNER);
+                privMap.put(new TPrivilegeEntity(TPrivilegeEntityType.USER, 
"user1"), AccessConstants.OWNER);
+                privilegeMap.put("obj1", privMap);
+                privilegeMap.put("obj2", privMap);
+                return new PermissionsImage(new HashMap<>(), privilegeMap, 1L);
+              }
+            });
+
+    imageRetriever = new PermImageRetriever(sentryStoreMock);
+    permUpdate = imageRetriever.retrieveFullImage();
+    Assert.assertNotNull(permUpdate);
+
+    assertEquals(2, permUpdate.getPrivilegeUpdates().size());
+    for(TPrivilegeChanges privUpdate : permUpdate.getPrivilegeUpdates()) {
+      for(Map.Entry<TPrivilegeEntity,String> priv : 
privUpdate.getAddPrivileges().entrySet()) {
+        assertEquals(priv.getValue(), AccessConstants.ALL);
+      }
+    }
+  }
+
   private boolean comparePaths(Map<String, Collection<String>> expected, 
List<TPathChanges> actual) {
     if (expected.size() != actual.size()) {
       return false;
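Review bot: `assertEquals(priv.getValue(), AccessConstants.ALL)` passes the actual value in the expected position, so a failure message would report the two values the wrong way round; `assertEquals(AccessConstants.ALL, priv.getValue());` matches the order used in TestDeltaRetriever. The `junit.framework.Assert` import added in the first hunk of this file is the JUnit 3 class, while the file already uses `org.junit.Test`, so `org.junit.Assert.assertNotNull(permUpdate)` would be consistent. `new Answer()` is a raw type; `new Answer<PermissionsImage>()` removes the unchecked warning.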
