Posted to commits@sentry.apache.org by ha...@apache.org on 2019/06/12 06:13:29 UTC
[sentry] branch master updated: SENTRY-2523: Fix response of
list_sentry_privileges_by_authorizable_and_user API (Hao Hao reviewed by
Arjun Mishra)
This is an automated email from the ASF dual-hosted git repository.
hahao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git
The following commit(s) were added to refs/heads/master by this push:
new b71a78e SENTRY-2523: Fix response of list_sentry_privileges_by_authorizable_and_user API (Hao Hao reviewed by Arjun Mishra)
b71a78e is described below
commit b71a78ed960702536b35e1f048dc40dfc79992d4
Author: Hao Hao <ha...@cloudera.com>
AuthorDate: Mon Jun 10 22:43:28 2019 -0700
SENTRY-2523: Fix response of list_sentry_privileges_by_authorizable_and_user API (Hao Hao reviewed by Arjun Mishra)
Change-Id: Idba4cda1a78cf7468e1a0c9f6c1c3223984f00f2
---
.../TListSentryPrivilegesByAuthUserResponse.java | 111 +++++++++++----------
.../main/resources/sentry_policy_service.thrift | 2 +-
.../thrift/TestSentryPolicyStoreProcessor.java | 12 ++-
3 files changed, 72 insertions(+), 53 deletions(-)
diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java
index f9f0e64..9985be8 100644
--- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java
@@ -48,7 +48,7 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
}
private org.apache.sentry.service.thrift.TSentryResponseStatus status; // required
- private Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth; // required
+ private Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth; // optional
/** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
public enum _Fields implements org.apache.thrift.TFieldIdEnum {
@@ -112,12 +112,13 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
}
// isset id assignments
+ private static final _Fields optionals[] = {_Fields.PRIVILEGES_MAP_BY_AUTH};
public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
static {
Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
tmpMap.put(_Fields.STATUS, new org.apache.thrift.meta_data.FieldMetaData("status", org.apache.thrift.TFieldRequirementType.REQUIRED,
new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, org.apache.sentry.service.thrift.TSentryResponseStatus.class)));
- tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.REQUIRED,
+ tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.OPTIONAL,
new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP,
new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class),
new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET,
@@ -130,12 +131,10 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
}
public TListSentryPrivilegesByAuthUserResponse(
- org.apache.sentry.service.thrift.TSentryResponseStatus status,
- Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth)
+ org.apache.sentry.service.thrift.TSentryResponseStatus status)
{
this();
this.status = status;
- this.privilegesMapByAuth = privilegesMapByAuth;
}
/**
@@ -386,14 +385,16 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
sb.append(this.status);
}
first = false;
- if (!first) sb.append(", ");
- sb.append("privilegesMapByAuth:");
- if (this.privilegesMapByAuth == null) {
- sb.append("null");
- } else {
- sb.append(this.privilegesMapByAuth);
+ if (isSetPrivilegesMapByAuth()) {
+ if (!first) sb.append(", ");
+ sb.append("privilegesMapByAuth:");
+ if (this.privilegesMapByAuth == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.privilegesMapByAuth);
+ }
+ first = false;
}
- first = false;
sb.append(")");
return sb.toString();
}
@@ -404,10 +405,6 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
throw new org.apache.thrift.protocol.TProtocolException("Required field 'status' is unset! Struct:" + toString());
}
- if (!isSetPrivilegesMapByAuth()) {
- throw new org.apache.thrift.protocol.TProtocolException("Required field 'privilegesMapByAuth' is unset! Struct:" + toString());
- }
-
// check for sub-struct validity
if (status != null) {
status.validate();
@@ -508,24 +505,26 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
oprot.writeFieldEnd();
}
if (struct.privilegesMapByAuth != null) {
- oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC);
- {
- oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, struct.privilegesMapByAuth.size()));
- for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter189 : struct.privilegesMapByAuth.entrySet())
+ if (struct.isSetPrivilegesMapByAuth()) {
+ oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC);
{
- _iter189.getKey().write(oprot);
+ oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, struct.privilegesMapByAuth.size()));
+ for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter189 : struct.privilegesMapByAuth.entrySet())
{
- oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter189.getValue().size()));
- for (TSentryPrivilege _iter190 : _iter189.getValue())
+ _iter189.getKey().write(oprot);
{
- _iter190.write(oprot);
+ oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter189.getValue().size()));
+ for (TSentryPrivilege _iter190 : _iter189.getValue())
+ {
+ _iter190.write(oprot);
+ }
+ oprot.writeSetEnd();
}
- oprot.writeSetEnd();
}
+ oprot.writeMapEnd();
}
- oprot.writeMapEnd();
+ oprot.writeFieldEnd();
}
- oprot.writeFieldEnd();
}
oprot.writeFieldStop();
oprot.writeStructEnd();
@@ -545,16 +544,23 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
public void write(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException {
TTupleProtocol oprot = (TTupleProtocol) prot;
struct.status.write(oprot);
- {
- oprot.writeI32(struct.privilegesMapByAuth.size());
- for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter191 : struct.privilegesMapByAuth.entrySet())
+ BitSet optionals = new BitSet();
+ if (struct.isSetPrivilegesMapByAuth()) {
+ optionals.set(0);
+ }
+ oprot.writeBitSet(optionals, 1);
+ if (struct.isSetPrivilegesMapByAuth()) {
{
- _iter191.getKey().write(oprot);
+ oprot.writeI32(struct.privilegesMapByAuth.size());
+ for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter191 : struct.privilegesMapByAuth.entrySet())
{
- oprot.writeI32(_iter191.getValue().size());
- for (TSentryPrivilege _iter192 : _iter191.getValue())
+ _iter191.getKey().write(oprot);
{
- _iter192.write(oprot);
+ oprot.writeI32(_iter191.getValue().size());
+ for (TSentryPrivilege _iter192 : _iter191.getValue())
+ {
+ _iter192.write(oprot);
+ }
}
}
}
@@ -567,30 +573,33 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif
struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus();
struct.status.read(iprot);
struct.setStatusIsSet(true);
- {
- org.apache.thrift.protocol.TMap _map193 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, iprot.readI32());
- struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map193.size);
- TSentryAuthorizable _key194;
- Set<TSentryPrivilege> _val195;
- for (int _i196 = 0; _i196 < _map193.size; ++_i196)
+ BitSet incoming = iprot.readBitSet(1);
+ if (incoming.get(0)) {
{
- _key194 = new TSentryAuthorizable();
- _key194.read(iprot);
+ org.apache.thrift.protocol.TMap _map193 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, iprot.readI32());
+ struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map193.size);
+ TSentryAuthorizable _key194;
+ Set<TSentryPrivilege> _val195;
+ for (int _i196 = 0; _i196 < _map193.size; ++_i196)
{
- org.apache.thrift.protocol.TSet _set197 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
- _val195 = new HashSet<TSentryPrivilege>(2*_set197.size);
- TSentryPrivilege _elem198;
- for (int _i199 = 0; _i199 < _set197.size; ++_i199)
+ _key194 = new TSentryAuthorizable();
+ _key194.read(iprot);
{
- _elem198 = new TSentryPrivilege();
- _elem198.read(iprot);
- _val195.add(_elem198);
+ org.apache.thrift.protocol.TSet _set197 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
+ _val195 = new HashSet<TSentryPrivilege>(2*_set197.size);
+ TSentryPrivilege _elem198;
+ for (int _i199 = 0; _i199 < _set197.size; ++_i199)
+ {
+ _elem198 = new TSentryPrivilege();
+ _elem198.read(iprot);
+ _val195.add(_elem198);
+ }
}
+ struct.privilegesMapByAuth.put(_key194, _val195);
}
- struct.privilegesMapByAuth.put(_key194, _val195);
}
+ struct.setPrivilegesMapByAuthIsSet(true);
}
- struct.setPrivilegesMapByAuthIsSet(true);
}
}
diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
index 953b96b..0656d4e 100644
--- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
@@ -293,7 +293,7 @@ struct TListSentryPrivilegesByAuthUserRequest {
struct TListSentryPrivilegesByAuthUserResponse {
1: required sentry_common_service.TSentryResponseStatus status,
# Authorizable to set of privileges map
-2: required map<TSentryAuthorizable, set<TSentryPrivilege>> privilegesMapByAuth,
+2: optional map<TSentryAuthorizable, set<TSentryPrivilege>> privilegesMapByAuth,
}
# Obtain a config value from the Sentry service
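Review bot: Changing field 2 from `required` to `optional` alters the wire contract, but nothing in the IDL says when the map is absent or how mixed-version peers behave. Clients generated from the old IDL still run the `validate()` check this commit removes, so they will throw `TProtocolException` ("Required field 'privilegesMapByAuth' is unset") on a response that omits the map. The regenerated tuple scheme also writes an optionals bitset that an older reader does not expect. I would extend the comment above the field, e.g. `# Authorizable to set of privileges map; may be unset (e.g. on a non-OK status), check isSetPrivilegesMapByAuth() before reading`, and document the client/server upgrade order. That the map is unset only on error responses is inferred from the accompanying test, so confirm the wording against the processor code.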
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index e593870..a5cf364 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -36,6 +36,7 @@ import org.apache.sentry.api.common.ApiConstants;
import org.apache.sentry.api.common.Status;
import org.apache.sentry.api.common.ThriftConstants;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.service.persistent.CounterWait;
@@ -372,7 +373,6 @@ public class TestSentryPolicyStoreProcessor {
Assert.assertEquals(expectedResp.getStatus().getValue(),
returnedResp.getStatus().getValue());
- // Prepare request for getting privileges for user1 based on the given authorizables
TSentryAuthorizable requestedAuthorizable = new TSentryAuthorizable();
requestedAuthorizable.setServer("server1");
requestedAuthorizable.setDb("db1");
@@ -384,6 +384,16 @@ public class TestSentryPolicyStoreProcessor {
Set<String> groups = new HashSet<>();
groups.add(g1);
+ // Request privileges when user is unknown throw an access denied exception.
+ returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+ newAuthRequest("unknown_user", requestedAuthorizables, user1));
+ expectedResp = new TListSentryPrivilegesByAuthUserResponse();
+ expectedResp.setStatus(Status.AccessDenied("Access denied to unknown_user",
+ new SentryAccessDeniedException("Access denied to unknown_user")));
+ Assert.assertEquals(expectedResp.getStatus().getValue(),
+ returnedResp.getStatus().getValue());
+
+ // Prepare request for getting privileges for user1 based on the given authorizables.
Set<TSentryPrivilege> user1Privileges = Sets.newHashSet(
newSentryPrivilege("database", "db1", "t1", "*"),
newSentryPrivilege("database", "db1", "t2", "*"));
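Review bot: The new unknown-user case asserts only the status value, so it would still pass if an access-denied response carried privilege data or could not be validated. Since the fix is that `privilegesMapByAuth` may now be unset, add `Assert.assertFalse(returnedResp.isSetPrivilegesMapByAuth());` after the status assertion. Consider also calling `returnedResp.validate();` to pin that a denied response is well-formed without the map. The added comment would read more clearly as `// Requesting privileges for an unknown user returns an access-denied status.`. The enclosing test method starts and ends outside this hunk.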