Posted to commits@sentry.apache.org by pr...@apache.org on 2014/09/17 08:03:43 UTC

[3/3] git commit: SENTRY-443: Show roles regressed after Sentry-417. (Sravya Tirukkovalur via Prasad Mujumdar)

SENTRY-443: Show roles regressed after Sentry-417. (Sravya Tirukkovalur via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b8f0622f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b8f0622f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b8f0622f

Branch: refs/heads/master
Commit: b8f0622ff6a73af2b4764f43165e105442965d3b
Parents: dbcdb6d
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Tue Sep 16 23:03:24 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Tue Sep 16 23:03:24 2014 -0700

----------------------------------------------------------------------
 .../db/service/thrift/SentryPolicyStoreProcessor.java  | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b8f0622f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 5b829a8..b05d71b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -344,11 +344,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
         checkAllGroups = true;
       } else {
-        if (!inAdminGroups(groups)) {
-          // non-admin can only list roles for their own group
-          if (!groups.contains(request.getGroupName())) {
-            throw new SentryAccessDeniedException("Access denied to " + subject);
-          }
+        boolean admin = inAdminGroups(groups);
+        //Only admin users can list all roles in the system ( groupname = null)
+        //Non admin users are only allowed to list only groups which they belong to
+        if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
+          throw new SentryAccessDeniedException("Access denied to " + subject);
+        }else {
+          groups.clear();
+          groups.add(request.getGroupName());
         }
       }
       roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
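Review bot: In the new `else` branch an admin call with `request.getGroupName() == null` runs `groups.add(null)`, so the "list all roles" case is signalled to `getTSentryRolesByGroupName` by a null element while `checkAllGroups` stays false. How the store treats a null group name is not visible here, so this authorization path should be made explicit and covered by a test for both admin and non-admin callers. `groups.clear()` also rewrites the requestor's own group set in place, which would be unsafe if that set is shared or cached by the group mapping, or is read again for an access check later in the method (the method starts and ends outside the hunk). I would leave `groups` untouched and pass a separate collection, e.g. `Set<String> queryGroups = Collections.singleton(request.getGroupName());` followed by `roleSet = sentryStore.getTSentryRolesByGroupName(queryGroups, checkAllGroups);`, assuming the store accepts any `Set<String>`.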