Posted to commits@sentry.apache.org by pr...@apache.org on 2014/09/17 08:03:43 UTC
[3/3] git commit: SENTRY-443: Show roles regressed after Sentry-417.
(Sravya Tirukkovalur via Prasad Mujumdar)
SENTRY-443: Show roles regressed after Sentry-417. (Sravya Tirukkovalur via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b8f0622f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b8f0622f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b8f0622f
Branch: refs/heads/master
Commit: b8f0622ff6a73af2b4764f43165e105442965d3b
Parents: dbcdb6d
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Tue Sep 16 23:03:24 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Tue Sep 16 23:03:24 2014 -0700
----------------------------------------------------------------------
.../db/service/thrift/SentryPolicyStoreProcessor.java | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b8f0622f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 5b829a8..b05d71b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -344,11 +344,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
checkAllGroups = true;
} else {
- if (!inAdminGroups(groups)) {
- // non-admin can only list roles for their own group
- if (!groups.contains(request.getGroupName())) {
- throw new SentryAccessDeniedException("Access denied to " + subject);
- }
+ boolean admin = inAdminGroups(groups);
+ //Only admin users can list all roles in the system ( groupname = null)
+ //Non admin users are only allowed to list only groups which they belong to
+ if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }else {
+ groups.clear();
+ groups.add(request.getGroupName());
}
}
roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
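Review bot: In the new `else` branch (`groups.clear(); groups.add(request.getGroupName());`), an admin request with a null group name puts a `null` element into `groups`, so the "list all roles" case depends on `getTSentryRolesByGroupName` treating a null entry that way, which this hunk does not show. The branch also mutates the group set in place; that set is built outside the hunk, and if it comes from a shared or cached group mapping, clearing it could affect later authorization checks, so a fresh set holding only the requested name would be safer. Consider stating the contract next to the add, e.g. `// admin only: a null group name is passed through so the store returns every role`. The diffstat lists only this file, so a regression test asserting that a non-admin with a null group name gets `SentryAccessDeniedException` would help keep this check from regressing again. The enclosing method starts and ends outside the hunk.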