Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/10 00:14:28 UTC
[19/51] [partial] sentry git commit: SENTRY-2206: Refactor out sentry
api from sentry-provider-db to own module (Steve Moist,
reviewed by Sergio Pena)
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
deleted file mode 100644
index 3488e11..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.TimeUnit;
-
-import com.google.common.base.Preconditions;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import static org.apache.hadoop.hive.conf.HiveConf.ConfVars.METASTOREURIS;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_CREATE_WITH_POLICY_STORE;
-import static org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars.AUTHZ_SYNC_DROP_WITH_POLICY_STORE;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-
-import com.google.common.collect.Lists;
-import org.slf4j.Logger;
-
-public final class SentryServiceUtil {
-
- private static boolean firstCallHDFSSyncEnabled = true;
- private static boolean hdfsSyncEnabled = false;
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- return tSentryPrivilege;
- }
-
- /**
- * Parse the object path from string to map.
- * @param objectPath the string format as db=db1->table=tbl1
- * @return Map
- */
- public static Map<String, String> parseObjectPath(String objectPath) {
- Map<String, String> objectMap = new HashMap<String, String>();
- if (StringUtils.isEmpty(objectPath)) {
- return objectMap;
- }
- for (String kvStr : SentryConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
- KeyValue kv = new KeyValue(kvStr);
- String key = kv.getKey();
- String value = kv.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
- }
- }
- return objectMap;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- PrivilegeScope privilegeScope = PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // convert TSentryPrivilege to privilege in string
- public static String convertTSentryPrivilegeToStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- /**
- * Gracefully shut down an Executor service.
- * <p>
- * This code is based on the Javadoc example for the Executor service.
- * <p>
- * First call shutdown to reject incoming tasks, and then call
- * shutdownNow, if necessary, to cancel any lingering tasks.
- *
- * @param pool the executor service to shut down
- * @param poolName the name of the executor service to shut down to make it easy for debugging
- * @param timeout the timeout interval to wait for its termination
- * @param unit the unit of the timeout
- * @param logger the logger to log the error message if it cannot terminate. It could be null
- */
- public static void shutdownAndAwaitTermination(ExecutorService pool, String poolName,
- long timeout, TimeUnit unit, Logger logger) {
- Preconditions.checkNotNull(pool);
-
- pool.shutdown(); // Disable new tasks from being submitted
- try {
- // Wait a while for existing tasks to terminate
- if (!pool.awaitTermination(timeout, unit)) {
- pool.shutdownNow(); // Cancel currently executing tasks
- // Wait a while for tasks to respond to being cancelled
- if ((!pool.awaitTermination(timeout, unit)) && (logger != null)) {
- logger.error("Executor service {} did not terminate",
- StringUtils.defaultIfBlank(poolName, "null"));
- }
- }
- } catch (InterruptedException ignored) {
- // (Re-)Cancel if current thread also interrupted
- pool.shutdownNow();
- // Preserve interrupt status
- Thread.currentThread().interrupt();
- }
- }
-
- /**
- * Check if Sentry is configured with HDFS sync enabled. Cache the result
- *
- * @param conf The Configuration object where HDFS sync configurations are set.
- * @return True if enabled; False otherwise.
- */
- public static boolean isHDFSSyncEnabled(Configuration conf) {
- if (firstCallHDFSSyncEnabled) {
- List<String> processorFactories =
- Arrays.asList(conf.get(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "").split(","));
-
- List<String> policyStorePlugins =
- Arrays.asList(
- conf.get(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "").split(","));
-
- hdfsSyncEnabled =
- processorFactories.contains("org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory")
- && policyStorePlugins.contains("org.apache.sentry.hdfs.SentryPlugin");
- firstCallHDFSSyncEnabled = false;
- }
-
- return hdfsSyncEnabled;
- }
-
- /**
- * Check if Sentry is configured with HDFS sync enabled without caching the result
- *
- * @param conf The Configuration object where HDFS sync configurations are set.
- * @return True if enabled; False otherwise.
- */
- public static boolean isHDFSSyncEnabledNoCache(Configuration conf) {
-
- List<String> processorFactories =
- Arrays.asList(conf.get(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "").split(","));
-
- List<String> policyStorePlugins =
- Arrays.asList(
- conf.get(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "").split(","));
-
- hdfsSyncEnabled =
- processorFactories.contains("org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory")
- && policyStorePlugins.contains("org.apache.sentry.hdfs.SentryPlugin");
-
-
- return hdfsSyncEnabled;
- }
-
- /**
- * Check if Sentry is configured with policy store sync enabled
- * @param conf
- * @return True if enabled; False otherwise
- */
- public static boolean isSyncPolicyStoreEnabled(Configuration conf) {
- boolean syncStoreOnCreate;
- boolean syncStoreOnDrop;
- boolean syncStoreOnAlter;
-
- syncStoreOnCreate = Boolean
- .parseBoolean(conf.get(AUTHZ_SYNC_CREATE_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_CREATE_WITH_POLICY_STORE.getDefault()));
- syncStoreOnDrop = Boolean.parseBoolean(conf.get(AUTHZ_SYNC_DROP_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_DROP_WITH_POLICY_STORE.getDefault()));
- syncStoreOnAlter = Boolean.parseBoolean(conf.get(AUTHZ_SYNC_ALTER_WITH_POLICY_STORE.getVar(),
- AUTHZ_SYNC_ALTER_WITH_POLICY_STORE.getDefault()));
-
- return syncStoreOnCreate || syncStoreOnDrop || syncStoreOnAlter;
- }
-
- static String getHiveMetastoreURI() {
- HiveConf hiveConf = new HiveConf();
- return hiveConf.get(METASTOREURIS.varname);
- }
-
- /**
- * Derives object name from database and table names by concatenating them
- *
- * @param authorizable for which is name is to be derived
- * @return authorizable name
- * @throws SentryInvalidInputException if argument provided does not have all the
- * required fields set.
- */
- public static String getAuthzObj(TSentryAuthorizable authorizable)
- throws SentryInvalidInputException {
- return getAuthzObj(authorizable.getDb(), authorizable.getTable());
- }
-
- /**
- * Derives object name from database and table names by concatenating them
- *
- * @param dbName
- * @param tblName
- * @return authorizable name
- * @throws SentryInvalidInputException if argument provided does not have all the
- * required fields set.
- */
- public static String getAuthzObj(String dbName, String tblName)
- throws SentryInvalidInputException {
- if (SentryStore.isNULL(dbName)) {
- throw new SentryInvalidInputException("Invalif input, DB name is missing");
- }
- return SentryStore.isNULL(tblName) ? dbName.toLowerCase() :
- (dbName + "." + tblName).toLowerCase();
- }
-
- private SentryServiceUtil() {
- // Make constructor private to avoid instantiation
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
deleted file mode 100644
index a66d91e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.sasl.Sasl;
-
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableMap;
-import org.apache.sentry.provider.db.service.thrift.SentryMetrics;
-
-public class ServiceConstants {
-
- private static final ImmutableMap<String, String> SASL_PROPERTIES;
-
- static {
- Map<String, String> saslProps = new HashMap<String, String>();
- saslProps.put(Sasl.SERVER_AUTH, "true");
- saslProps.put(Sasl.QOP, "auth-conf");
- SASL_PROPERTIES = ImmutableMap.copyOf(saslProps);
- }
-
- public static class ConfUtilties {
- public static final Splitter CLASS_SPLITTER = Splitter.onPattern("[\\s,]")
- .trimResults().omitEmptyStrings();
- }
- public static class ServiceArgs {
- public static final String CONFIG_FILE_SHORT = "c";
- public static final String CONFIG_FILE_LONG = "conffile";
- }
-
- public static class ServerConfig {
- public static final ImmutableMap<String, String> SASL_PROPERTIES = ServiceConstants.SASL_PROPERTIES;
- /**
- * This configuration parameter is only meant to be used for testing purposes.
- */
- public static final String SECURITY_MODE = "sentry.service.security.mode";
- public static final String SECURITY_MODE_KERBEROS = "kerberos";
- public static final String SECURITY_MODE_NONE = "none";
- public static final String SECURITY_USE_UGI_TRANSPORT = "sentry.service.security.use.ugi";
- public static final String ADMIN_GROUPS = "sentry.service.admin.group";
- public static final String PRINCIPAL = "sentry.service.server.principal";
- public static final String KEY_TAB = "sentry.service.server.keytab";
- public static final String RPC_PORT = "sentry.service.server.rpc-port";
- public static final int RPC_PORT_DEFAULT = 8038;
- public static final String RPC_ADDRESS = "sentry.service.server.rpc-address";
- public static final String RPC_ADDRESS_DEFAULT = "0.0.0.0"; //NOPMD
- public static final String RPC_MAX_THREADS = "sentry.service.server-max-threads";
- public static final int RPC_MAX_THREADS_DEFAULT = 500;
- public static final String RPC_MIN_THREADS = "sentry.service.server-min-threads";
- public static final int RPC_MIN_THREADS_DEFAULT = 10;
- public static final String ALLOW_CONNECT = "sentry.service.allow.connect";
-
- public static final String SENTRY_POLICY_STORE_PLUGINS = "sentry.policy.store.plugins";
- public static final String SENTRY_POLICY_STORE_PLUGINS_DEFAULT = "";
-
- public static final String SENTRY_METASTORE_PLUGINS = "sentry.metastore.plugins";
- public static final String SENTRY_METASTORE_PLUGINS_DEFAULT = "";
-
- public static final String PROCESSOR_FACTORIES = "sentry.service.processor.factories";
- public static final String PROCESSOR_FACTORIES_DEFAULT =
- "org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessorFactory" +
- ",org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorFactory";
- public static final String SENTRY_STORE_JDBC_URL = "sentry.store.jdbc.url";
- public static final String SENTRY_STORE_JDBC_USER = "sentry.store.jdbc.user";
- public static final String SENTRY_STORE_JDBC_USER_DEFAULT = "Sentry";
- public static final String SENTRY_STORE_JDBC_PASS = "sentry.store.jdbc.password";
- public static final String SENTRY_STORE_JDBC_DRIVER = "sentry.store.jdbc.driver";
- public static final String SENTRY_STORE_JDBC_DRIVER_DEFAULT = "org.apache.derby.jdbc.EmbeddedDriver";
- // The configuration for the maximum number of retries per db transaction,
- // the default value is 3 times
- public static final String SENTRY_STORE_TRANSACTION_RETRY = "sentry.store.transaction.retry";
- public static final int SENTRY_STORE_TRANSACTION_RETRY_DEFAULT = 10;
- // The configuration for the delay (in milliseconds) between retries,
- // the default value is 500 ms
- public static final String SENTRY_STORE_TRANSACTION_RETRY_WAIT_TIME_MILLIS =
- "sentry.store.transaction.retry.wait.time.millis";
- public static final int SENTRY_STORE_TRANSACTION_RETRY_WAIT_TIME_MILLIS_DEFAULT = 250;
-
- public static final String JAVAX_JDO_URL = "javax.jdo.option.ConnectionURL";
- public static final String JAVAX_JDO_USER = "javax.jdo.option.ConnectionUserName";
- public static final String JAVAX_JDO_PASS = "javax.jdo.option.ConnectionPassword";
- public static final String JAVAX_JDO_DRIVER_NAME = "javax.jdo.option.ConnectionDriverName";
-
- public static final String DATANUCLEUS_ISOLATION_LEVEL = "datanucleus.transactionIsolation";
- public static final String DATANUCLEUS_REPEATABLE_READ = "repeatable-read";
-
- public static final String SENTRY_DB_PROPERTY_PREFIX = "sentry.";
- public static final String SENTRY_JAVAX_JDO_PROPERTY_PREFIX = SENTRY_DB_PROPERTY_PREFIX + "javax.jdo";
- public static final String SENTRY_DATANUCLEUS_PROPERTY_PREFIX = SENTRY_DB_PROPERTY_PREFIX + "datanucleus";
-
- public static final String SENTRY_VERIFY_SCHEM_VERSION = "sentry.verify.schema.version";
- public static final String SENTRY_VERIFY_SCHEM_VERSION_DEFAULT = "true";
-
- public static final String SENTRY_SERVICE_NAME = "sentry.service.name";
- public static final String SENTRY_SERVICE_NAME_DEFAULT = "Sentry-Service";
-
- public static final String SENTRY_STORE_GROUP_MAPPING = "sentry.store.group.mapping";
- public static final String SENTRY_STORE_GROUP_MAPPING_RESOURCE = "sentry.store.group.mapping.resource";
- public static final String SENTRY_STORE_HADOOP_GROUP_MAPPING = "org.apache.sentry.provider.common.HadoopGroupMappingService";
- public static final String SENTRY_STORE_LOCAL_GROUP_MAPPING = "org.apache.sentry.provider.file.LocalGroupMappingService";
- public static final String SENTRY_STORE_GROUP_MAPPING_DEFAULT = SENTRY_STORE_HADOOP_GROUP_MAPPING;
-
- public static final String SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL = "sentry.store.orphaned.privilege.removal";
- public static final String SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL_DEFAULT = "false";
- public static final String SENTRY_STORE_CLEAN_PERIOD_SECONDS =
- "sentry.store.clean.period.seconds";
- public static final long SENTRY_STORE_CLEAN_PERIOD_SECONDS_DEFAULT = 43200; // 12 hours.
- public static final String SENTRY_HA_ZK_PROPERTY_PREFIX = "sentry.ha.zookeeper.";
- public static final String SENTRY_HA_ZOOKEEPER_SECURITY = SENTRY_HA_ZK_PROPERTY_PREFIX + "security";
- public static final boolean SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT = false;
- public static final String SENTRY_HA_ZOOKEEPER_QUORUM = SENTRY_HA_ZK_PROPERTY_PREFIX + "quorum";
- public static final String SENTRY_HA_ZOOKEEPER_RETRIES_MAX_COUNT = SENTRY_HA_ZK_PROPERTY_PREFIX + "session.retries.max.count";
- public static final int SENTRY_HA_ZOOKEEPER_RETRIES_MAX_COUNT_DEFAULT = 3;
- public static final String SENTRY_HA_ZOOKEEPER_SLEEP_BETWEEN_RETRIES_MS = SENTRY_HA_ZK_PROPERTY_PREFIX + "session.sleep.between.retries.ms";
- public static final int SENTRY_HA_ZOOKEEPER_SLEEP_BETWEEN_RETRIES_MS_DEFAULT = 100;
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = SENTRY_HA_ZK_PROPERTY_PREFIX + "namespace";
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT = "sentry";
- // principal and keytab for client to be able to connect to secure ZK. Needed for Sentry HA with secure ZK
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL = "sentry.zookeeper.client.principal";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB = "sentry.zookeeper.client.keytab";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE = "sentry.zookeeper.client.ticketcache";
- public static final String SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT = "false";
- public static final String SERVER_HA_STANDBY_SIG = "sentry.ha.standby.signal";
-
- // Timeout value in seconds for HMS notificationID synchronization
- // Should match the value for RPC timeout in HMS client config
- public static final String SENTRY_NOTIFICATION_SYNC_TIMEOUT_MS = "sentry.notification.sync.timeout.ms";
- public static final int SENTRY_NOTIFICATION_SYNC_TIMEOUT_DEFAULT = 200000;
-
- public static final ImmutableMap<String, String> SENTRY_STORE_DEFAULTS =
- ImmutableMap.<String, String>builder()
- .put("datanucleus.connectionPoolingType", "BoneCP")
- .put("datanucleus.schema.validateTables", "false")
- .put("datanucleus.schema.validateColumns", "false")
- .put("datanucleus.schema.validateConstraints", "false")
- .put("datanucleus.storeManagerType", "rdbms")
- .put("datanucleus.schema.autoCreateAll", "false")
- .put("datanucleus.autoStartMechanismMode", "checked")
- .put(DATANUCLEUS_ISOLATION_LEVEL, DATANUCLEUS_REPEATABLE_READ)
- .put("datanucleus.cache.level2", "false")
- .put("datanucleus.cache.level2.type", "none")
- .put("datanucleus.query.sql.allowAll", "true")
- .put("datanucleus.identifierFactory", "datanucleus1")
- .put("datanucleus.rdbms.useLegacyNativeValueStrategy", "true")
- .put("datanucleus.plugin.pluginRegistryBundleCheck", "LOG")
- .put("javax.jdo.PersistenceManagerFactoryClass",
- "org.datanucleus.api.jdo.JDOPersistenceManagerFactory")
- .put("javax.jdo.option.DetachAllOnCommit", "true")
- .put("javax.jdo.option.NonTransactionalRead", "false")
- .put("javax.jdo.option.NonTransactionalWrite", "false")
- .put("javax.jdo.option.Multithreaded", "true")
- .build();
-
- // InitialDelay and period time for HMSFollower thread.
- public static final String SENTRY_HMSFOLLOWER_INIT_DELAY_MILLS = "sentry.hmsfollower.init.delay.mills";
- public static final long SENTRY_HMSFOLLOWER_INIT_DELAY_MILLS_DEFAULT = 0;
- public static final String SENTRY_HMSFOLLOWER_INTERVAL_MILLS = "sentry.hmsfollower.interval.mills";
- public static final long SENTRY_HMSFOLLOWER_INTERVAL_MILLS_DEFAULT = 500;
-
- public static final String SENTRY_WEB_ENABLE = "sentry.service.web.enable";
- public static final Boolean SENTRY_WEB_ENABLE_DEFAULT = false;
- public static final String SENTRY_WEB_PORT = "sentry.service.web.port";
- public static final int SENTRY_WEB_PORT_DEFAULT = 29000;
- // Reporter is either "console", "log" or "jmx"
- public static final String SENTRY_REPORTER = "sentry.service.reporter";
- public static final String SENTRY_REPORTER_JMX = SentryMetrics.Reporting.JMX.name(); //case insensitive
- public static final String SENTRY_REPORTER_CONSOLE = SentryMetrics.Reporting.CONSOLE.name();//case insensitive
-
- // for console reporter, reporting interval in seconds
- public static final String SENTRY_REPORTER_INTERVAL_SEC =
- "sentry.service.reporter.interval.sec";
- public static final String SENTRY_JSON_REPORTER_FILE = "sentry.service.reporter.file";
- public static final String SENTRY_JSON_REPORTER_FILE_DEFAULT = "/tmp/sentry-metrics.json";
-
- // Report every 5 minutes by default
- public static final int SENTRY_REPORTER_INTERVAL_DEFAULT = 300;
-
- // Web SSL
- public static final String SENTRY_WEB_USE_SSL = "sentry.web.use.ssl";
- public static final String SENTRY_WEB_SSL_KEYSTORE_PATH = "sentry.web.ssl.keystore.path";
- public static final String SENTRY_WEB_SSL_KEYSTORE_PASSWORD = "sentry.web.ssl.keystore.password";
- public static final String SENTRY_SSL_PROTOCOL_BLACKLIST = "sentry.ssl.protocol.blacklist";
- // Blacklist SSL protocols that are not secure (e.g., POODLE vulnerability)
- public static final String[] SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT = {"SSLv2", "SSLv2Hello", "SSLv3"};
-
- // Web Security
- public static final String SENTRY_WEB_SECURITY_PREFIX = "sentry.service.web.authentication";
- public static final String SENTRY_WEB_SECURITY_TYPE = SENTRY_WEB_SECURITY_PREFIX + ".type";
- public static final String SENTRY_WEB_SECURITY_TYPE_NONE = "NONE";
- public static final String SENTRY_WEB_SECURITY_TYPE_KERBEROS = "KERBEROS";
- public static final String SENTRY_WEB_SECURITY_PRINCIPAL = SENTRY_WEB_SECURITY_PREFIX + ".kerberos.principal";
- public static final String SENTRY_WEB_SECURITY_KEYTAB = SENTRY_WEB_SECURITY_PREFIX + ".kerberos.keytab";
- public static final String SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS = SENTRY_WEB_SECURITY_PREFIX + ".allow.connect.users";
-
- // Flag to enable admin servlet
- public static final String SENTRY_WEB_ADMIN_SERVLET_ENABLED = "sentry.web.admin.servlet.enabled";
- public static final boolean SENTRY_WEB_ADMIN_SERVLET_ENABLED_DEFAULT = false;
-
- public static final String SENTRY_WEB_PUBSUB_SERVLET_ENABLED = "sentry.web.pubsub.servlet.enabled";
- public static final boolean SENTRY_WEB_PUBSUB_SERVLET_ENABLED_DEFAULT = false;
-
- // max message size for thrift messages
- public static final String SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.server.thrift.max.message.size";
- public static final long SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
-
- // action factories for external components
- public static final String SENTRY_COMPONENT_ACTION_FACTORY_FORMAT = "sentry.%s.action.factory";
-
- // Sentry is never a client to other Kerberos Services, it should not be required to renew the TGT
- @Deprecated
- public static final String SENTRY_KERBEROS_TGT_AUTORENEW = "sentry.service.kerberos.tgt.autorenew";
- @Deprecated
- public static final Boolean SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT = false;
-
- /**
- * Number of path/priv deltas to keep around during cleaning
- * The value which is too small may cause unnecessary full snapshots sent to the Name Node
- * A value which is too large may cause slowdown due to too many deltas lying around in the DB.
- */
- public static final String SENTRY_DELTA_KEEP_COUNT = "sentry.server.delta.keep.count";
- public static final int SENTRY_DELTA_KEEP_COUNT_DEFAULT = 200;
-
- /**
- * Number of notification id's to keep around during cleaning
- */
- public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count";
- public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100;
- }
-
- public static class ClientConfig {
- public static final String SERVER_RPC_PORT = "sentry.service.client.server.rpc-port";
- public static final int SERVER_RPC_PORT_DEFAULT = ServerConfig.RPC_PORT_DEFAULT;
- public static final String SERVER_RPC_ADDRESS = "sentry.service.client.server.rpc-addresses";
- public static final String SERVER_RPC_CONN_TIMEOUT = "sentry.service.client.server.rpc-connection-timeout";
-
- // HA configuration
- public static final String SENTRY_HA_ZOOKEEPER_QUORUM = ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM;
- public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE;
- public static final String SERVER_HA_ZOOKEEPER_NAMESPACE_DEFAULT = ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT;
-
- // connection pool configuration
- public static final String SENTRY_POOL_ENABLED = "sentry.service.client.connection.pool.enabled";
- public static final boolean SENTRY_POOL_ENABLED_DEFAULT = false;
-
- // commons-pool configuration for pool size
- public static final String SENTRY_POOL_MAX_TOTAL = "sentry.service.client.connection.pool.max-total";
- public static final int SENTRY_POOL_MAX_TOTAL_DEFAULT = 8;
- public static final String SENTRY_POOL_MAX_IDLE = "sentry.service.client.connection.pool.max-idle";
- public static final int SENTRY_POOL_MAX_IDLE_DEFAULT = 8;
- public static final String SENTRY_POOL_MIN_IDLE = "sentry.service.client.connection.pool.min-idle";
- public static final int SENTRY_POOL_MIN_IDLE_DEFAULT = 0;
-
- // retry num for getting the connection from connection pool
- public static final String SENTRY_POOL_RETRY_TOTAL = "sentry.service.client.connection.pool.retry-total";
- public static final int SENTRY_POOL_RETRY_TOTAL_DEFAULT = 3;
-
- // max message size for thrift messages
- public static final String SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.client.thrift.max.message.size";
- public static final long SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
-
- // client retry settings
- public static final String RETRY_COUNT_CONF = "sentry.provider.backend.db.retry.count";
- public static final int RETRY_COUNT_DEFAULT = 3;
- public static final String RETRY_INTERVAL_SEC_CONF = "sentry.provider.backend.db.retry.interval.seconds";
- public static final int RETRY_INTERVAL_SEC_DEFAULT = 30;
-
- // provider backend cache settings
- public static final String ENABLE_CACHING = "sentry.provider.backend.generic.cache.enabled";
- public static final boolean ENABLE_CACHING_DEFAULT = false;
- public static final String CACHE_TTL_MS = "sentry.provider.backend.generic.cache.ttl.ms";
- public static final long CACHING_TTL_MS_DEFAULT = 30000;
- public static final String CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE = "sentry.provider.backend.generic.cache.update.failures.count";
- public static final int CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT = 3;
- public static final String PRIVILEGE_CONVERTER = "sentry.provider.backend.generic.privilege.converter";
-
- public static final String COMPONENT_TYPE = "sentry.provider.backend.generic.component-type";
- public static final String SERVICE_NAME = "sentry.provider.backend.generic.service-name";
- }
-
- /**
- * Thrift generates terrible constant class names
- */
- public static class ThriftConstants extends org.apache.sentry.service.thrift.sentry_common_serviceConstants {
- public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V2;
- }
-
- /* Privilege operation scope */
- public enum PrivilegeScope {
- SERVER,
- URI,
- DATABASE,
- TABLE,
- COLUMN
- }
-
- public static final String SENTRY_ZK_JAAS_NAME = "Sentry";
- public static final String CURRENT_INCARNATION_ID_KEY = "current.incarnation.key";
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
deleted file mode 100644
index e9cc411..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.PrintWriter;
-import java.io.StringWriter;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
-
-/**
- * Simple factory to make returning TSentryStatus objects easy
- */
-public enum Status {
- OK(ThriftConstants.TSENTRY_STATUS_OK),
- ALREADY_EXISTS(ThriftConstants.TSENTRY_STATUS_ALREADY_EXISTS),
- NO_SUCH_OBJECT(ThriftConstants.TSENTRY_STATUS_NO_SUCH_OBJECT),
- RUNTIME_ERROR(ThriftConstants.TSENTRY_STATUS_RUNTIME_ERROR),
- INVALID_INPUT(ThriftConstants.TSENTRY_STATUS_INVALID_INPUT),
- ACCESS_DENIED(ThriftConstants.TSENTRY_STATUS_ACCESS_DENIED),
- THRIFT_VERSION_MISMATCH(ThriftConstants.TSENTRY_STATUS_THRIFT_VERSION_MISMATCH),
- UNKNOWN(-1)
- ;
- private int code;
- private Status(int code) {
- this.code = code;
- }
- public int getCode() {
- return code;
- }
- public static Status fromCode(int code) {
- for (Status status : Status.values()) {
- if (status.getCode() == code) {
- return status;
- }
- }
- return Status.UNKNOWN;
- }
- public static TSentryResponseStatus OK() {
- return Create(Status.OK, "");
- }
- public static TSentryResponseStatus AccessDenied(String message, Throwable t) {
- return Create(Status.ACCESS_DENIED, message, t);
- }
- public static TSentryResponseStatus AlreadyExists(String message, Throwable t) {
- return Create(Status.ALREADY_EXISTS, message, t);
- }
- public static TSentryResponseStatus NoSuchObject(String message, Throwable t) {
- return Create(Status.NO_SUCH_OBJECT, message, t);
- }
- public static TSentryResponseStatus RuntimeError(String message, Throwable t) {
- return Create(Status.RUNTIME_ERROR, message, t);
- }
- public static TSentryResponseStatus Create(Status value, String message) {
- return Create(value, message, null);
- }
- public static TSentryResponseStatus InvalidInput(String message, Throwable t) {
- return Create(Status.INVALID_INPUT, message, t);
- }
- public static TSentryResponseStatus THRIFT_VERSION_MISMATCH(String message, Throwable t) {
- return Create(Status.THRIFT_VERSION_MISMATCH, message, t);
- }
- public static TSentryResponseStatus Create(Status value, String message, @Nullable Throwable t) {
- TSentryResponseStatus status = new TSentryResponseStatus();
- status.setValue(value.getCode());
- status.setMessage(message);
- if (t != null) {
- StringWriter stringWriter = new StringWriter();
- PrintWriter printWriter = new PrintWriter(stringWriter);
- t.printStackTrace(printWriter);
- printWriter.close();
- status.setStack(stringWriter.toString());
- }
- return status;
- }
- public static void throwIfNotOk(TSentryResponseStatus thriftStatus)
- throws SentryUserException {
- Status status = Status.fromCode(thriftStatus.getValue());
- switch(status) {
- case OK:
- break;
- case ALREADY_EXISTS:
- throw new SentryAlreadyExistsException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case NO_SUCH_OBJECT:
- throw new SentryNoSuchObjectException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case RUNTIME_ERROR:
- throw new RuntimeException(serverErrorToString(thriftStatus));
- case INVALID_INPUT:
- throw new SentryInvalidInputException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case ACCESS_DENIED:
- throw new SentryAccessDeniedException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case THRIFT_VERSION_MISMATCH:
- throw new SentryThriftAPIMismatchException(serverErrorToString(thriftStatus), thriftStatus.getMessage());
- case UNKNOWN:
- throw new AssertionError(serverErrorToString(thriftStatus));
- default:
- throw new AssertionError("Unknown status code: " + status + ". Msg: " +
- serverErrorToString(thriftStatus));
- }
- }
-
- private static String serverErrorToString(TSentryResponseStatus thriftStatus) {
- String msg = thriftStatus.getMessage();
- String stack = thriftStatus.getStack();
- if (stack == null) {
- return msg;
- }
- return msg + ". Server Stacktrace: " + stack;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
deleted file mode 100644
index 2a92c97..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_common_service.thrift
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/local/bin/thrift -java
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-namespace java org.apache.sentry.service.thrift
-namespace php sentry.service.thrift
-namespace cpp Apache.Sentry.Service.Thrift
-
-const i32 TSENTRY_SERVICE_V1 = 1;
-// Made a backward incompatible change when adding column level privileges.
-// We also added generalized model in this version
-const i32 TSENTRY_SERVICE_V2 = 2;
-
-const i32 TSENTRY_STATUS_OK = 0;
-const i32 TSENTRY_STATUS_ALREADY_EXISTS = 1;
-const i32 TSENTRY_STATUS_NO_SUCH_OBJECT = 2;
-const i32 TSENTRY_STATUS_RUNTIME_ERROR = 3;
-const i32 TSENTRY_STATUS_INVALID_INPUT = 4;
-const i32 TSENTRY_STATUS_ACCESS_DENIED = 5;
-const i32 TSENTRY_STATUS_THRIFT_VERSION_MISMATCH = 6;
-
-struct TSentryResponseStatus {
-1: required i32 value,
-// message will be set to empty string when status is OK
-2: required string message
-3: optional string stack
-}
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift
deleted file mode 100644
index c56522f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift
+++ /dev/null
@@ -1,278 +0,0 @@
-#!/usr/local/bin/thrift -java
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#
-# Thrift Service that the MetaStore is built on
-#
-
-include "sentry_common_service.thrift"
-include "sentry_policy_service.thrift"
-
-namespace java org.apache.sentry.provider.db.generic.service.thrift
-namespace php sentry.provider.db.service.db.generic.serivce.thrift
-namespace cpp Apache.Sentry.Provider.Db.Generic.Service.Thrift
-
-typedef sentry_common_service.TSentryResponseStatus TSentryResponseStatus
-
-# Represents a new generic model privilege for solr or other component in transport
-# from the client to the server
-enum TSentryGrantOption {
- TRUE = 1,
- FALSE = 0,
- UNSET = -1
-}
-
-# Represents a authorizable resource in the privilege
-# like DATABASE=db1 in the hive, COLLECTION=collection1 in the solr
-struct TAuthorizable {
-1: required string type,
-2: required string name
-}
-
-struct TSentryPrivilege {
-1: required string component,
-2: required string serviceName,
-3: required list<TAuthorizable> authorizables,
-4: required string action,
-5: optional i64 createTime, # Set on server side
-6: optional string grantorPrincipal, # Set on server side
-7: optional TSentryGrantOption grantOption = sentry_policy_service.TSentryGrantOption.FALSE
-}
-
-# CREATE ROLE r1
-struct TCreateSentryRoleRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component # The request is issued to which component
-}
-
-struct TCreateSentryRoleResponse {
-1: required TSentryResponseStatus status
-}
-
-# DROP ROLE r1
-struct TDropSentryRoleRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component # The request is issued to which component
-}
-
-struct TDropSentryRoleResponse {
-1: required TSentryResponseStatus status
-}
-
-# GRANT ROLE r1 TO GROUP g1
-struct TAlterSentryRoleAddGroupsRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component, # The request is issued to which component
-5: required set<string> groups
-}
-struct TAlterSentryRoleAddGroupsResponse {
-1: required TSentryResponseStatus status
-}
-
-# REVOLE ROLE r1 FROM GROUP g1
-struct TAlterSentryRoleDeleteGroupsRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component, # The request is issued to which component
-5: required set<string> groups
-}
-struct TAlterSentryRoleDeleteGroupsResponse {
-1: required TSentryResponseStatus status
-}
-
-# GRANT ... ON ... TO ROLE ...
-struct TAlterSentryRoleGrantPrivilegeRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component, # The request is issued to which component
-5: required TSentryPrivilege privilege
-}
-struct TAlterSentryRoleGrantPrivilegeResponse {
-1: required TSentryResponseStatus status
-}
-
-# REVOKE ... ON ... FROM ROLE ...
-struct TAlterSentryRoleRevokePrivilegeRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required string component, # The request is issued to which component
-5: required TSentryPrivilege privilege
-}
-struct TAlterSentryRoleRevokePrivilegeResponse {
-1: required TSentryResponseStatus status
-}
-
-# SHOW ROLE GRANT
-struct TListSentryRolesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: optional string groupName, # for this group, or all roles for all groups if null
-4: required string component # The request is issued to which component
-}
-# used only for TListSentryRolesResponse
-struct TSentryRole {
-1: required string roleName,
-2: required set<string> groups
-}
-
-struct TListSentryRolesResponse {
-1: required TSentryResponseStatus status
-2: optional set<TSentryRole> roles
-}
-# SHOW GRANT
-struct TListSentryPrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName, # get privileges assigned for this role
-4: required string component, # The request is issued to which component
-5: required string serviceName, # The privilege belongs to which service
-6: optional list<TAuthorizable> authorizables # get privileges assigned for this authorizable hierarchys
-}
-
-struct TListSentryPrivilegesResponse {
-1: required TSentryResponseStatus status
-2: optional set<TSentryPrivilege> privileges
-}
-
-# Drop privilege
-struct TDropPrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required TSentryPrivilege privilege
-4: required string component, # The request is issued to which component
-}
-
-struct TDropPrivilegesResponse {
-1: required TSentryResponseStatus status
-}
-
-# Rename privilege
-struct TRenamePrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string component, # The request is issued to which component
-4: required string serviceName, # The privilege belongs to which service
-5: required list<TAuthorizable> oldAuthorizables, # get old privileges assigned for this authorizable hierarchys
-6: required list<TAuthorizable> newAuthorizables # change to new authorizable hierarchys
-}
-
-struct TRenamePrivilegesResponse {
-1: required TSentryResponseStatus status
-}
-
-# This API was created specifically for ProviderBackend.getPrivileges
-# and is not mean for general purpose privilege retrieval.
-# This request/response pair are created specifically so we can
-# efficiently obtain the specific privilges for a user query
-struct TSentryActiveRoleSet {
-1: required bool all,
-2: required set<string> roles,
-}
-
-struct TListSentryPrivilegesForProviderRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string component, # The request is issued to which component
-3: required string serviceName, # The privilege belongs to which service
-4: required set<string> groups,
-5: required TSentryActiveRoleSet roleSet,
-6: optional list<TAuthorizable> authorizables # authorizable hierarchys
-}
-
-struct TListSentryPrivilegesForProviderResponse {
-1: required TSentryResponseStatus status
-2: required set<string> privileges
-}
-
-# Map of role:set<privileges> for the given authorizable
-# Optionally use the set of groups to filter the roles
-struct TSentryPrivilegeMap {
-1: required map<string, set<TSentryPrivilege>> privilegeMap
-}
-
-struct TListSentryPrivilegesByAuthRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-
-# User on whose behalf the request is issued
-2: required string requestorUserName,
-
-# The request is issued to which component
-3: required string component,
-
-# The privilege belongs to which service
-4: required string serviceName,
-
-# The authorizable hierarchys, it is represented as a string. e.g
-# resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3
-5: required set<string> authorizablesSet,
-
-# The requested groups. For admin, the requested groups can be empty, if so it is
-# treated as a wildcard query. Otherwise, it is a query on this specifc groups.
-# For non-admin user, the requested groups must be the groups they are part of.
-6: optional set<string> groups,
-
-# The active role set.
-7: optional TSentryActiveRoleSet roleSet
-}
-
-struct TListSentryPrivilegesByAuthResponse {
-1: required sentry_common_service.TSentryResponseStatus status,
-
-# Will not be set in case of an error. Otherwise it will be a
-# <Authorizables, <Role, Set<Privileges>>> mapping. For non-admin
-# requestor, the roles are intersection of active roles and granted roles.
-# For admin requestor, the roles are filtered based on the active roles
-# and requested group from TListSentryPrivilegesByAuthRequest.
-# The authorizable hierarchys is represented as a string in the form
-# of the request.
-2: optional map<string, TSentryPrivilegeMap> privilegesMapByAuth
-}
-
-service SentryGenericPolicyService
-{
- TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request)
- TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request)
-
- TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request)
- TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request)
-
- TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request)
- TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request)
-
- TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
-
- TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request)
-
- TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)
-
- TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request);
-
- TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request);
-
- TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request);
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
deleted file mode 100644
index 98fefab..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ /dev/null
@@ -1,364 +0,0 @@
-#!/usr/local/bin/thrift -java
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#
-# Thrift Service that the MetaStore is built on
-#
-
-include "sentry_common_service.thrift"
-
-namespace java org.apache.sentry.provider.db.service.thrift
-namespace php sentry.provider.db.service.thrift
-namespace cpp Apache.Sentry.Provider.Db.Service.Thrift
-
-enum TSentryGrantOption {
- TRUE = 1,
- FALSE = 0,
- # UNSET is used for revoke privilege, the component like 'hive'
- # didn't support getting grant option, so use UNSET is stand
- # for revoke both privileges with grant option and without grant
- # option.
- UNSET = -1
-}
-
-# Represents a Privilege in transport from the client to the server
-struct TSentryPrivilege {
-1: required string privilegeScope, # Valid values are SERVER, DATABASE, TABLE, COLUMN, URI
-3: required string serverName,
-4: optional string dbName = "",
-5: optional string tableName = "",
-6: optional string URI = "",
-7: required string action = "",
-8: optional i64 createTime, # Set on server side
-9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE
-10: optional string columnName = "",
-}
-
-# TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest
-struct TSentryGroup {
-1: required string groupName
-}
-
-# CREATE ROLE r1
-struct TCreateSentryRoleRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName, # TSentryRole is not required for this request
-}
-struct TCreateSentryRoleResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# DROP ROLE r1
-struct TDropSentryRoleRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName # role to drop
-}
-struct TDropSentryRoleResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# GRANT ROLE r1 TO GROUP g1
-struct TAlterSentryRoleAddGroupsRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-5: required set<TSentryGroup> groups
-}
-
-struct TAlterSentryRoleAddGroupsResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# GRANT ROLE r1 TO USER u1
-struct TAlterSentryRoleAddUsersRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required set<string> users
-}
-
-struct TAlterSentryRoleAddUsersResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# REVOKE ROLE r1 FROM GROUP g1
-struct TAlterSentryRoleDeleteGroupsRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-5: required set<TSentryGroup> groups
-}
-struct TAlterSentryRoleDeleteGroupsResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# REVOKE ROLE r1 FROM USER u1
-struct TAlterSentryRoleDeleteUsersRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-4: required set<string> users
-}
-struct TAlterSentryRoleDeleteUsersResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# GRANT ... ON ... TO ROLE ...
-struct TAlterSentryRoleGrantPrivilegeRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-5: optional TSentryPrivilege privilege,
-6: optional set<TSentryPrivilege> privileges
-}
-struct TAlterSentryRoleGrantPrivilegeResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: optional TSentryPrivilege privilege
-3: optional set<TSentryPrivilege> privileges
-}
-
-# REVOKE ... ON ... FROM ROLE ...
-struct TAlterSentryRoleRevokePrivilegeRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName,
-5: optional TSentryPrivilege privilege,
-6: optional set<TSentryPrivilege> privileges
-}
-struct TAlterSentryRoleRevokePrivilegeResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# SHOW ROLE GRANT
-struct TListSentryRolesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: optional string groupName # for this group, or all roles for all groups if null
-}
-
-struct TListSentryRolesForUserRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string userName
-}
-
-# used only for TListSentryRolesResponse
-struct TSentryRole {
-1: required string roleName,
-2: required set<TSentryGroup> groups,
-3: required string grantorPrincipal #Deprecated
-}
-struct TListSentryRolesResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: optional set<TSentryRole> roles
-}
-
-struct TSentryAuthorizable {
-1: required string server,
-2: optional string uri,
-3: optional string db,
-4: optional string table,
-5: optional string column,
-}
-
-# SHOW GRANT
-struct TListSentryPrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-4: required string roleName, # get privileges assigned for this role
-5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role
-}
-struct TListSentryPrivilegesResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: optional set<TSentryPrivilege> privileges
-}
-
-# Drop privilege
-struct TDropPrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required TSentryAuthorizable authorizable
-}
-
-struct TDropPrivilegesResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-struct TRenamePrivilegesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required TSentryAuthorizable oldAuthorizable
-4: required TSentryAuthorizable newAuthorizable
-}
-
-struct TRenamePrivilegesResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-# This API was created specifically for ProviderBackend.getPrivileges
-# and is not mean for general purpose privilege retrieval.
-# This request/response pair are created specifically so we can
-# efficiently obtain the specific privilges for a user query
-struct TSentryActiveRoleSet {
-1: required bool all,
-2: required set<string> roles,
-}
-struct TListSentryPrivilegesForProviderRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required set<string> groups,
-3: required TSentryActiveRoleSet roleSet,
-4: optional TSentryAuthorizable authorizableHierarchy,
-5: optional set<string> users
-}
-struct TListSentryPrivilegesForProviderResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: required set<string> privileges
-}
-
-# List role:set<privileges> for the given authorizable
-# Optionally use the set of groups to filter the roles
-struct TSentryPrivilegeMap {
-1: required map<string, set<TSentryPrivilege>> privilegeMap
-}
-struct TListSentryPrivilegesByAuthRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required set<TSentryAuthorizable> authorizableSet,
-4: optional set<string> groups,
-5: optional TSentryActiveRoleSet roleSet
-}
-struct TListSentryPrivilegesByAuthResponse {
-1: required sentry_common_service.TSentryResponseStatus status,
-2: optional map<TSentryAuthorizable, TSentryPrivilegeMap> privilegesMapByAuth # will not be set in case of an error
-}
-
-# Obtain a config value from the Sentry service
-struct TSentryConfigValueRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required string propertyName, # Config attribute to obtain
-3: optional string defaultValue # Value if propertyName not found
-}
-struct TSentryConfigValueResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: optional string value
-}
-
-# struct for the mapping data like group to role, role to privilege
-struct TSentryMappingData {
-1: optional map<string, set<string>> groupRolesMap, # for the groupName -> role mapping
-2: optional map<string, set<TSentryPrivilege>> rolePrivilegesMap, # for the roleName -> privilege mapping
-3: optional map<string, set<string>> userRolesMap # for the userName -> role mapping
-}
-
-struct TSentryExportMappingDataRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: optional string objectPath # for specific auth object
-}
-
-struct TSentryExportMappingDataResponse {
-1: required sentry_common_service.TSentryResponseStatus status,
-2: required TSentryMappingData mappingData
-}
-
-struct TSentryImportMappingDataRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: required bool overwriteRole = false, # if overwrite the exist role with the imported privileges, default is false
-4: required TSentryMappingData mappingData
-}
-
-struct TSentryImportMappingDataResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-}
-
-/*
- * API for synchronizing between HMS notification events and Sentry.
- *
- * When Sentry gets updates from HMS using HMS Notifications, HMS should
- * should wait after each notification event is generated until the notification
- * is handled by Sentry This preserves the synchronous semantics of DDL statements.
- *
- * The notification synchronization API is private between HMS and Sentry and should
- * not be used by anything else.
- *
- * The API should be used in the following way:
- *
- * 1) HMS creates a notification and stores its ID in the persistent storage
- * 2) HMS sends ID to Sentry
- * 3) Sentry blocks the response until the specified ID is processed by Sentry
- * 4) Sentry responds with the most recent processed ID.
- *
- * Note that the important part is blocking in Sentry until the specified ID
- * is processed. The returned most recent processed ID is intended for debugging
- * purposes only, but may be used in HMS for performance optimizations.
- */
-
-struct TSentrySyncIDRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
-2: required i64 id // Requested ID
-}
-
-struct TSentrySyncIDResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: required i64 id // Most recent processed ID
-}
-
-service SentryPolicyService
-{
- TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request)
- TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request)
-
- TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request)
- TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request)
-
- TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request)
- TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request)
-
- TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(1:TAlterSentryRoleAddUsersRequest request)
- TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(1:TAlterSentryRoleDeleteUsersRequest request)
-
- TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
- TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request)
-
- TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request)
-
- # For use with ProviderBackend.getPrivileges only
- TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)
-
- TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request);
-
- TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request);
-
- TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request);
-
- TSentryConfigValueResponse get_sentry_config_value(1:TSentryConfigValueRequest request);
-
- # export the mapping data in sentry
- TSentryExportMappingDataResponse export_sentry_mapping_data(1:TSentryExportMappingDataRequest request);
-
- # import the mapping data in sentry
- TSentryImportMappingDataResponse import_sentry_mapping_data(1:TSentryImportMappingDataRequest request);
-
- # Synchronize between HMS notifications and Sentry
- TSentrySyncIDResponse sentry_sync_notifications(1:TSentrySyncIDRequest request);
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java
new file mode 100644
index 0000000..a26f4f7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/SentryGenericServiceIntegrationBase.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.generic.thrift;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryGenericServiceIntegrationBase extends SentryServiceIntegrationBase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceIntegrationBase.class);
+ protected static final String SOLR = "SOLR";
+ protected SentryGenericServiceClient client;
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ // The client should already be logged in when running in solr
+ // therefore we must manually login in the integration tests
+ if (kerberos) {
+ this.client = clientUgi.doAs( new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(conf);
+ }
+ }
+
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, SOLR);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName(), SOLR);
+ }
+ if(client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+}
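Review bot: In `after()` the `client.listAllRoles(ADMIN_USER, SOLR)` call runs before the `if(client != null)` guard, so the guard can never fire: when `connectToSentryService()` has failed and `client` is still null, the cleanup throws a NullPointerException that is only logged, and the null check is dead code. Move the check to the top of the operation, `if (client == null) { return; }`, so the role cleanup and `close()` are both skipped consistently; the same ordering appears in `TestAuditLogForSentryGenericService.after()` in the next file. Separately, `LOGGER.error(e.getMessage(), e)` uses the exception message as the log message, which may be null or empty for transport errors; a fixed message such as `LOGGER.error("Failed to clean up roles after test", e)` (the form the sibling test already uses) keeps the entry readable.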
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
new file mode 100644
index 0000000..dea6152
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestAuditLogForSentryGenericService.java
@@ -0,0 +1,296 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.generic.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase {
+
+ private SentryGenericServiceClient client;
+ private static final String COMPONENT = "SQOOP";
+ private static final org.slf4j.Logger LOGGER = LoggerFactory
+ .getLogger(TestAuditLogForSentryGenericService.class);
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.setup();
+ Logger logger = Logger.getLogger("sentry.generic.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Override
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, COMPONENT);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName(), COMPONENT);
+ }
+ if (client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ // log the exception
+ LOGGER.warn("Exception happened after test case.", e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ if (kerberos) {
+ this.client = clientUgi.doAs(new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(conf);
+ }
+ }
+
+ @Test
+ public void testAuditLogForGenericModel() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ String testGroupName = "g1";
+ String action = "all";
+ String service = "sentryService";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // test the audit log for create role, success
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for create role, failed
+ try {
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for add role to group, success
+ client.grantRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for add role to group, failed
+ try {
+ client.grantRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE invalidRole TO GROUP "
+ + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for grant privilege, success
+ TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT, service, Lists.newArrayList(
+ new TAuthorizable("resourceType1", "resourceName1"), new TAuthorizable("resourceType2",
+ "resourceName2")), action);
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT ALL ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ TSentryPrivilege invalidPrivilege = new TSentryPrivilege(COMPONENT, service,
+ Lists.newArrayList(new TAuthorizable("resourceType1", "resourceName1")),
+ "invalidAction");
+ // test the audit log for grant privilege, failed
+ try {
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT INVALIDACTION ON resourceType1 resourceName1 TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for revoke privilege, success
+ client.revokePrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ALL ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for revoke privilege, failed
+ try {
+ client.revokePrivilege(requestorUserName, "invalidRole", COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE INVALIDACTION ON resourceType1 resourceName1 FROM ROLE invalidRole");
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for delete role from group, success
+ client.revokeRoleFromGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for delete role from group, failed
+ try {
+ client.revokeRoleFromGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ROLE invalidRole FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ // test the audit log for drop role, success
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for drop role, failed
+ try {
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
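Review bot: `assertAuditLog` reports a field mismatch as a bare AssertionError, because `assertTrue(entry.getValue().equalsIgnoreCase(...))` carries no message, so a failing audit-log test gives no hint of which field (operation, allowed, operationText) diverged. Prefer `assertTrue(entryKey + " mismatch", entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));` or compare the two strings with an equality assertion so the expected and actual values are printed. The denied-path checks in `testAuditLogForGenericModel` catch `Exception` broadly, so a transport or connection failure would also enter the branch; narrowing to the exception type the client declares would make the "allowed=false" assertion meaningful only for a genuine rejection. The `AuditLoggerTestAppender` attached in `setup()` is never detached, so it presumably stays on the shared logger for later test classes in the same JVM; a matching `@AfterClass` that removes it would keep `getLastLogEvent()` scoped to this class.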