You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sr...@apache.org on 2015/11/09 23:07:33 UTC

incubator-sentry git commit: SENTRY-944: Setting HDFS rules on Sentry managed hdfs paths should not affect original hdfs rules ( Hao Hao, Reviewed by: Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master f0aebaa94 -> 17a4c97f7


SENTRY-944: Setting HDFS rules on Sentry managed hdfs paths should not affect original hdfs rules ( Hao Hao, Reviewed by: Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/17a4c97f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/17a4c97f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/17a4c97f

Branch: refs/heads/master
Commit: 17a4c97f760fe3795a17505409b6cec67767d0a0
Parents: f0aebaa
Author: Sravya Tirukkovalur <sr...@cloudera.com>
Authored: Mon Nov 9 14:07:02 2015 -0800
Committer: Sravya Tirukkovalur <sr...@cloudera.com>
Committed: Mon Nov 9 14:07:02 2015 -0800

----------------------------------------------------------------------
 .../hdfs/SentryAuthorizationProvider.java       | 54 +++++++++++++++++---
 .../hdfs/TestSentryAuthorizationProvider.java   | 44 ++++++++++++++++
 2 files changed, 92 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/17a4c97f/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
index 419ab68..4d03ba3 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
@@ -195,7 +195,18 @@ public class SentryAuthorizationProvider
 
   @Override
   public void setUser(INodeAuthorizationInfo node, String user) {
-    defaultAuthzProvider.setUser(node, user);
+    String[] pathElements = getPathElements(node);
+
+    // For the non sentry managed paths, set the user based on
+    // the requests. Otherwise should be a no op.
+    if (!authzInfo.isManaged(pathElements)
+            || !authzInfo.doesBelongToAuthzObject(pathElements)) {
+      defaultAuthzProvider.setUser(node, user);
+    } else {
+      if (LOG.isErrorEnabled()) {
+        LOG.error("### setUser is a no op for the sentry managed path.\n");
+      }
+    }
   }
 
   @Override
@@ -214,7 +225,18 @@ public class SentryAuthorizationProvider
 
   @Override
   public void setGroup(INodeAuthorizationInfo node, String group) {
-    defaultAuthzProvider.setGroup(node, group);
+    String[] pathElements = getPathElements(node);
+
+    // For the non sentry managed paths, set the group based on
+    // the requests. Otherwise should be a no op.
+    if (!authzInfo.isManaged(pathElements)
+            || !authzInfo.doesBelongToAuthzObject(pathElements)) {
+      defaultAuthzProvider.setGroup(node, group);
+    } else {
+      if (LOG.isErrorEnabled()) {
+        LOG.error("### setGroup is a no op for the sentry managed path.\n");
+      }
+    }
   }
 
   @Override
@@ -232,9 +254,19 @@ public class SentryAuthorizationProvider
   }
 
   @Override
-  public void setPermission(INodeAuthorizationInfo node,
-      FsPermission permission) {
-    defaultAuthzProvider.setPermission(node, permission);
+  public void setPermission(INodeAuthorizationInfo node, FsPermission permission) {
+    String[] pathElements = getPathElements(node);
+
+    // For the non sentry managed paths, set the permission based on
+    // the requests. Otherwise should be a no op.
+    if (!authzInfo.isManaged(pathElements)
+            || !authzInfo.doesBelongToAuthzObject(pathElements)) {
+      defaultAuthzProvider.setPermission(node, permission);
+    } else {
+      if (LOG.isErrorEnabled()) {
+        LOG.error("### setPermission is a no op for the sentry managed path.\n");
+      }
+    }
   }
 
   @Override
@@ -375,8 +407,18 @@ public class SentryAuthorizationProvider
   @Override
   public void removeAclFeature(INodeAuthorizationInfo node) {
     AclFeature aclFeature = node.getAclFeature(CURRENT_STATE_ID);
-    if (aclFeature.getClass() != SentryAclFeature.class) {
+    String[] pathElements = getPathElements(node);
+
+    // For non sentry managed paths, remove the ACLs based on
+    // the requests. Otherwise should be a no op.
+    if (aclFeature.getClass() != SentryAclFeature.class
+            && !authzInfo.isManaged(pathElements)) {
       defaultAuthzProvider.removeAclFeature(node);
+    } else {
+      if (LOG.isErrorEnabled()) {
+        LOG.error("### removeAclFeature is a no op for " +
+                "the path under prefix.\n");
+      }
     }
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/17a4c97f/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
index fd5146f..5da0dc2 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
@@ -169,6 +169,50 @@ public class TestSentryAuthorizationProvider {
         Assert.assertEquals(new FsPermission((short) 0755), status.getPermission());
         Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
 
+        // setPermission sets the permission for dir outside of prefix.
+        // setUser/setGroup sets the user/group for dir outside of prefix.
+        Path pathOutside = new Path("/user/xxx");
+
+        fs.setPermission(pathOutside, new FsPermission((short) 0000));
+        Assert.assertEquals(new FsPermission((short) 0000), fs.getFileStatus(pathOutside).getPermission());
+        fs.setOwner(pathOutside, sysUser, "supergroup");
+        Assert.assertEquals(sysUser, fs.getFileStatus(pathOutside).getOwner());
+        Assert.assertEquals("supergroup", fs.getFileStatus(pathOutside).getGroup());
+
+        // removeAcl removes the ACL entries for dir outside of prefix.
+        List<AclEntry> aclsOutside = new ArrayList<AclEntry>(baseAclList);
+        List<AclEntry> acl = new ArrayList<AclEntry>();
+        acl.add(new AclEntry.Builder().setName("supergroup").setType(AclEntryType.GROUP).setScope(AclEntryScope.ACCESS).
+                setPermission(FsAction.READ_EXECUTE).build());
+        aclsOutside.addAll(acl);
+        fs.setAcl(pathOutside, aclsOutside);
+        fs.removeAclEntries(pathOutside, acl);
+        Assert.assertFalse(fs.getAclStatus(pathOutside).getEntries().containsAll(acl));
+
+        // setPermission sets the permission for dir inside of prefix but not a hive obj.
+        // setUser/setGroup sets the user/group for dir inside of prefix but not a hive obj.
+        Path pathInside = new Path("/user/authz/xxx");
+
+        fs.setPermission(pathInside, new FsPermission((short) 0000));
+        Assert.assertEquals(new FsPermission((short) 0000), fs.getFileStatus(pathInside).getPermission());
+        fs.setOwner(pathInside, sysUser, "supergroup");
+        Assert.assertEquals(sysUser, fs.getFileStatus(pathInside).getOwner());
+        Assert.assertEquals("supergroup", fs.getFileStatus(pathInside).getGroup());
+
+        // removeAcl is a no op for dir inside of prefix.
+        Assert.assertTrue(fs.getAclStatus(pathInside).getEntries().isEmpty());
+        fs.removeAclEntries(pathInside, acl);
+        Assert.assertTrue(fs.getAclStatus(pathInside).getEntries().isEmpty());
+
+        // setPermission/setUser/setGroup is a no op for dir inside of prefix, and is a hive obj.
+        Path pathInsideAndHive = new Path("/user/authz/obj");
+
+        fs.setPermission(pathInsideAndHive, new FsPermission((short) 0000));
+        Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(pathInsideAndHive).getPermission());
+        fs.setOwner(pathInsideAndHive, sysUser, "supergroup");
+        Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getOwner());
+        Assert.assertEquals("hive", fs.getFileStatus(pathInsideAndHive).getGroup());
+
         return null;
       }
     });