Posted to commits@sentry.apache.org by sh...@apache.org on 2014/03/13 22:21:28 UTC
[13/13] git commit: SENTRY-143: Merge db_policy_store branch into
master (Brock Noland via Shreepadma Venugopalan)
SENTRY-143: Merge db_policy_store branch into master (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/644e8be3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/644e8be3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/644e8be3
Branch: refs/heads/master
Commit: 644e8be346a152e43fa435b9adbb47ce6b3e3e91
Parents: 0341d51
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Mar 13 14:20:19 2014 -0700
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Mar 13 14:20:19 2014 -0700
----------------------------------------------------------------------
.gitignore | 3 +-
bin/config-tool.sh | 25 -
bin/sentry | 59 +-
pom.xml | 123 +-
.../binding/hive/HiveAuthzBindingHook.java | 28 +-
.../hive/HiveAuthzBindingPreExecHook.java | 2 +-
.../hive/SentryOnFailureHookContext.java | 13 +-
.../hive/SentryOnFailureHookContextImpl.java | 13 +-
.../binding/hive/authz/HiveAuthzBinding.java | 40 +-
.../hive/authz/HiveAuthzPrivilegesMap.java | 1 -
.../binding/hive/authz/SentryConfigTool.java | 107 +-
.../binding/hive/MockUserToGroupMapping.java | 8 +-
.../sentry/binding/hive/TestHiveAuthzConf.java | 1 +
.../org/apache/sentry/binding/hive/TestURI.java | 1 -
.../authz/SentrySolrAuthorizationException.java | 2 +
.../binding/solr/authz/SolrAuthzBinding.java | 12 +-
.../sentry/binding/solr/conf/SolrAuthzConf.java | 4 -
.../binding/solr/TestSolrAuthzBinding.java | 39 +-
sentry-core/sentry-core-common/pom.xml | 4 +
.../main/java/org/apache/sentry/Command.java | 23 +
.../main/java/org/apache/sentry/SentryMain.java | 73 +
.../org/apache/sentry/SentryUserException.java | 28 +
.../sentry/core/common/ActiveRoleSet.java | 71 +
.../common/SentryConfigurationException.java | 1 +
.../sentry/core/common/utils/PathUtils.java | 4 +-
.../sentry/core/common/utils/TestPathUtils.java | 1 +
.../sentry/core/search/TestCollection.java | 3 +-
sentry-dist/pom.xml | 4 +
sentry-dist/src/main/assembly/src.xml | 1 -
.../sentry/policy/common/PermissionFactory.java | 26 -
.../sentry/policy/common/PolicyEngine.java | 39 +-
.../apache/sentry/policy/common/Privilege.java | 21 +
.../sentry/policy/common/PrivilegeFactory.java | 24 +
.../sentry/policy/common/PrivilegeUtils.java | 27 +
.../policy/common/PrivilegeValidator.java | 24 +
.../common/PrivilegeValidatorContext.java | 38 +
.../sentry/policy/common/RoleValidator.java | 26 -
.../policy/db/AbstractDBPrivilegeValidator.java | 50 +
.../policy/db/AbstractDBRoleValidator.java | 50 -
.../sentry/policy/db/DBWildcardPermission.java | 181 -
.../sentry/policy/db/DBWildcardPrivilege.java | 179 +
.../sentry/policy/db/DatabaseMustMatch.java | 11 +-
.../policy/db/DatabaseRequiredInPrivilege.java | 71 +
.../policy/db/DatabaseRequiredInRole.java | 70 -
.../sentry/policy/db/ServerNameMustMatch.java | 12 +-
.../sentry/policy/db/ServersAllIsInvalid.java | 12 +-
.../sentry/policy/db/SimpleDBPolicyEngine.java | 125 +-
.../db/AbstractTestSimplePolicyEngine.java | 27 +-
.../sentry/policy/db/DBPolicyFileBackend.java | 3 +-
.../policy/db/TestDBModelAuthorizables.java | 2 -
.../policy/db/TestDBWildcardPermission.java | 286 -
.../policy/db/TestDBWildcardPrivilege.java | 286 +
.../policy/db/TestDatabaseRequiredInRole.java | 13 +-
.../policy/db/TestPolicyParsingNegative.java | 94 +-
...sourceAuthorizationProviderGeneralCases.java | 8 +-
...sourceAuthorizationProviderSpecialCases.java | 19 +-
.../policy/db/TestSimpleDBPolicyEngineDFS.java | 24 +-
.../db/TestSimpleDBPolicyEngineLocalFS.java | 3 +-
.../AbstractSearchPrivilegeValidator.java | 51 +
.../search/AbstractSearchRoleValidator.java | 50 -
.../search/CollectionRequiredInPrivilege.java | 43 +
.../policy/search/CollectionRequiredInRole.java | 44 -
.../policy/search/SearchWildcardPermission.java | 152 -
.../policy/search/SearchWildcardPrivilege.java | 146 +
.../policy/search/SimpleSearchPolicyEngine.java | 88 +-
.../search/AbstractTestSearchPolicyEngine.java | 18 +-
.../policy/search/SearchPolicyFileBackend.java | 1 +
.../search/TestCollectionRequiredInRole.java | 19 +-
...SearchAuthorizationProviderGeneralCases.java | 6 +-
...SearchAuthorizationProviderSpecialCases.java | 5 +-
.../search/TestSearchModelAuthorizables.java | 2 -
.../search/TestSearchPolicyEngineDFS.java | 11 +-
.../policy/search/TestSearchPolicyNegative.java | 34 +-
.../search/TestSearchWildcardPermission.java | 206 -
.../search/TestSearchWildcardPrivilege.java | 205 +
sentry-provider/pom.xml | 1 +
.../provider/common/AuthorizationProvider.java | 19 +-
.../provider/common/GroupMappingService.java | 9 +-
.../common/NoAuthorizationProvider.java | 9 +-
.../provider/common/NoGroupMappingService.java | 8 +-
.../sentry/provider/common/ProviderBackend.java | 37 +-
.../provider/common/ProviderBackendContext.java | 50 +
.../apache/sentry/provider/common/Roles.java | 50 -
.../common/MockGroupMappingServiceProvider.java | 9 +-
.../common/TestNoAuthorizationProvider.java | 6 +-
sentry-provider/sentry-provider-db/.gitignore | 1 +
sentry-provider/sentry-provider-db/pom.xml | 243 +
.../db/service/thrift/SentryPolicyService.java | 6548 ++++++++++++++++++
.../TAlterSentryRoleAddGroupsRequest.java | 895 +++
.../TAlterSentryRoleAddGroupsResponse.java | 390 ++
.../TAlterSentryRoleDeleteGroupsRequest.java | 639 ++
.../TAlterSentryRoleDeleteGroupsResponse.java | 390 ++
.../TAlterSentryRoleGrantPrivilegeRequest.java | 846 +++
.../TAlterSentryRoleGrantPrivilegeResponse.java | 390 ++
.../TAlterSentryRoleRevokePrivilegeRequest.java | 846 +++
...TAlterSentryRoleRevokePrivilegeResponse.java | 390 ++
.../thrift/TCreateSentryRoleRequest.java | 745 ++
.../thrift/TCreateSentryRoleResponse.java | 390 ++
.../service/thrift/TDropSentryRoleRequest.java | 740 ++
.../service/thrift/TDropSentryRoleResponse.java | 390 ++
.../service/thrift/TListSentryRolesRequest.java | 850 +++
.../thrift/TListSentryRolesResponse.java | 545 ++
.../db/service/thrift/TSentryGroup.java | 385 +
.../db/service/thrift/TSentryPrivilege.java | 1224 ++++
.../provider/db/service/thrift/TSentryRole.java | 740 ++
.../service/thrift/TSentryResponseStatus.java | 594 ++
.../thrift/sentry_common_serviceConstants.java | 48 +
.../provider/db/service/model/MSentryGroup.java | 131 +
.../db/service/model/MSentryPrivilege.java | 247 +
.../provider/db/service/model/MSentryRole.java | 179 +
.../provider/db/service/model/package.jdo | 125 +
.../db/service/persistent/CommitContext.java | 42 +
.../SentryAlreadyExistsException.java | 27 +
.../persistent/SentryInvalidInputException.java | 27 +
.../persistent/SentryNoSuchObjectException.java | 27 +
.../db/service/persistent/SentryStore.java | 461 ++
.../db/service/thrift/NotificationHandler.java | 71 +
.../thrift/NotificationHandlerInvoker.java | 146 +
.../db/service/thrift/PolicyStoreConstants.java | 25 +
.../thrift/SentryConfigurationException.java | 30 +
.../thrift/SentryPolicyServiceClient.java | 110 +
.../thrift/SentryPolicyStoreProcessor.java | 344 +
.../SentryPolicyStoreProcessorFactory.java | 39 +
.../thrift/ConnectionDeniedException.java | 36 +
.../sentry/service/thrift/GSSCallback.java | 102 +
.../service/thrift/KerberosConfiguration.java | 78 +
.../sentry/service/thrift/ProcessorFactory.java | 30 +
.../sentry/service/thrift/SentryService.java | 272 +
.../thrift/SentryServiceClientFactory.java | 30 +
.../service/thrift/SentryServiceFactory.java | 29 +
.../sentry/service/thrift/ServiceConstants.java | 78 +
.../apache/sentry/service/thrift/Status.java | 84 +
.../src/main/resources/sentry-mysql-1.4.0.sql | 113 +
.../src/main/resources/sentry-oracle-1.4.0.sql | 101 +
.../main/resources/sentry-postgres-1.4.0.sql | 115 +
.../main/resources/sentry_common_service.thrift | 41 +
.../main/resources/sentry_policy_service.thrift | 150 +
.../db/service/persistent/TestSentryStore.java | 145 +
.../thrift/TestNotificationHandlerInvoker.java | 112 +
.../thrift/TestSentryPolicyStoreProcessor.java | 70 +
.../thrift/TestSentryServiceFailureCase.java | 45 +
.../thrift/TestSentryServiceIntegration.java | 170 +
.../thrift/SentryServiceIntegrationBase.java | 172 +
.../src/test/resources/log4j.properties | 34 +
.../file/HadoopGroupMappingService.java | 9 +-
...adoopGroupResourceAuthorizationProvider.java | 3 -
.../provider/file/LocalGroupMappingService.java | 14 +-
...LocalGroupResourceAuthorizationProvider.java | 4 +-
.../apache/sentry/provider/file/PolicyFile.java | 10 +-
.../sentry/provider/file/PolicyFiles.java | 2 +-
.../file/ResourceAuthorizationProvider.java | 76 +-
.../file/SimpleFileProviderBackend.java | 248 +-
.../provider/file/TestGetGroupMapping.java | 34 +-
.../sentry/provider/file/TestKeyValue.java | 1 -
.../provider/file/TestLocalGroupMapping.java | 22 +-
.../file/TestSimpleFileProvderBackend.java | 120 +
sentry-tests/sentry-tests-hive/.gitignore | 1 +
sentry-tests/sentry-tests-hive/pom.xml | 33 +-
.../AbstractTestWithStaticConfiguration.java | 10 +-
.../apache/sentry/tests/e2e/hive/Context.java | 1 -
.../sentry/tests/e2e/hive/TestConfigTool.java | 27 +-
.../tests/e2e/hive/TestPerDBConfiguration.java | 12 +-
.../e2e/hive/TestPrivilegesAtTableScope.java | 4 +-
.../hive/TestSentryOnFailureHookLoading.java | 21 +-
.../sentry/tests/e2e/hive/fs/AbstractDFS.java | 5 +-
.../sentry/tests/e2e/hive/fs/ClusterDFS.java | 7 +-
.../apache/sentry/tests/e2e/hive/fs/DFS.java | 2 -
.../sentry/tests/e2e/hive/fs/DFSFactory.java | 4 +-
.../sentry/tests/e2e/hive/fs/MiniDFS.java | 6 +-
.../e2e/hive/hiveserver/EmbeddedHiveServer.java | 6 +-
.../e2e/hive/hiveserver/HiveServerFactory.java | 2 +-
.../e2e/hive/hiveserver/InternalHiveServer.java | 1 +
.../hive/hiveserver/UnmanagedHiveServer.java | 12 +-
.../e2e/solr/AbstractSolrSentryTestBase.java | 3 -
.../sentry/tests/e2e/solr/HdfsTestUtil.java | 1 -
.../ModifiableUserAuthenticationFilter.java | 1 -
.../e2e/solr/TestCollAdminCoreOperations.java | 12 +-
.../tests/e2e/solr/TestQueryOperations.java | 11 +-
.../tests/e2e/solr/TestUpdateOperations.java | 11 +-
179 files changed, 24669 insertions(+), 2058 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 06f9ff4..6a39d39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,8 @@ target/
.metadata
.idea/
*.iml
-**/derby.log
+derby.log
+datanucleus.log
**/TempStatsStore/
# Package Files #
*.jar
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/bin/config-tool.sh
----------------------------------------------------------------------
diff --git a/bin/config-tool.sh b/bin/config-tool.sh
deleted file mode 100755
index b286421..0000000
--- a/bin/config-tool.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-_CMD_JAR=sentry-binding-hive-*.jar
-_HIVE_CMD=${HIVE_HOME}/bin/hive
-for f in ${SENTRY_HOME}/lib/*.jar; do
- HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
-done
-
-${_HIVE_CMD} --service jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.binding.hive.authz.SentryConfigTool "$@"
-
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/bin/sentry
----------------------------------------------------------------------
diff --git a/bin/sentry b/bin/sentry
index 812fa12..81b4382 100755
--- a/bin/sentry
+++ b/bin/sentry
@@ -25,41 +25,40 @@ fi
_HIVE_CMD=hive
#check to see if the hive conf dir is given as an optional argument
+args=()
while [ $# -gt 0 ]; do # Until you run out of parameters . . .
case "$1" in
--hive-config)
- shift
- confdir=$1
- shift
- export HIVE_CONF_DIR=$confdir
- echo Using hive-conf-dir $HIVE_CONF_DIR
- ;;
+ shift
+ confdir=$1
+ shift
+ export HIVE_CONF_DIR=$confdir
+ echo Using hive-conf-dir $HIVE_CONF_DIR
+ ;;
--hive-home)
- shift
- homedir=$1
- shift
- export HIVE_HOME=$homedir
- echo Using hive-home $HIVE_HOME
- ;;
- --command)
- shift
- case "$1" in
- config-tool)
- shift
- $myhome/bin/config-tool.sh "$@"
- ;;
- *)
- echo Unknown option $1
- echo "Usage sentry --command <config-tool [config-tool-options]>"
- break
- ;;
- esac
- break
- ;;
+ shift
+ homedir=$1
+ shift
+ export HIVE_HOME=$homedir
+ echo Using hive-home $HIVE_HOME
+ ;;
*)
- echo "Usage sentry --command <config-tool [config-tool-options]>"
- break
- ;;
+ args+=($1)
+ shift
+ ;;
esac
done
+if [[ -z "$HIVE_HOME" ]]
+then
+ echo "HIVE_HOME must be defined either as an env variable or by the --hive-home argument"
+ exit 1
+fi
+
+_CMD_JAR=sentry-core-common-*.jar
+_HIVE_CMD=${HIVE_HOME}/bin/hive
+for f in ${SENTRY_HOME}/lib/*.jar; do
+ HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+export HADOOP_CLASSPATH
+${_HIVE_CMD} --service jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.SentryMain "${args[@]}"
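Review bot: The catch-all branch collects arguments with the unquoted `args+=($1)`, so an argument containing whitespace or glob characters is split or expanded before it is stored, even though the last line forwards `"${args[@]}"` correctly. Change it to `args+=("$1")` so that `org.apache.sentry.SentryMain` receives exactly what the caller typed. The unquoted `${SENTRY_HOME}/lib/*.jar` and `${SENTRY_HOME}/lib/${_CMD_JAR}` have the same problem with a path that contains spaces. The second also relies on the `sentry-core-common-*.jar` glob matching exactly one file; if more than one jar matched, the extra paths would be passed on as program arguments. The script starts before this hunk, so whether `SENTRY_HOME` is validated the way `HIVE_HOME` now is cannot be seen here.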
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5a8c32b..9725102 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,8 +50,8 @@ limitations under the License.
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <maven.compile.source>1.6</maven.compile.source>
- <maven.compile.target>1.6</maven.compile.target>
+ <maven.compile.source>1.7</maven.compile.source>
+ <maven.compile.target>1.7</maven.compile.target>
<!-- versions are in alphabetical order -->
<ant.contrib.version>1.0b3</ant.contrib.version>
<maven.antrun.plugin.version>1.7</maven.antrun.plugin.version>
@@ -63,7 +63,9 @@ limitations under the License.
<datanucleus-api-jdo.version>3.2.1</datanucleus-api-jdo.version>
<datanucleus-core.version>3.2.2</datanucleus-core.version>
<datanucleus-rdbms.version>3.2.1</datanucleus-rdbms.version>
+ <jdo-api.version>3.0.1</jdo-api.version>
<derby.version>10.4.2.0</derby.version>
+ <commons-cli.version>1.2</commons-cli.version>
<hive.version>0.12.0-cdh5.0.0-beta-2-SNAPSHOT</hive.version>
<hadoop.version>2.2.0-cdh5.0.0-beta-2-SNAPSHOT</hadoop.version>
<fest.reflect.version>1.4.1</fest.reflect.version>
@@ -72,6 +74,7 @@ limitations under the License.
<libthrift.version>0.9.0-cdh4-1</libthrift.version>
<libfb303.version>0.9.0</libfb303.version>
<log4j.version>1.2.16</log4j.version>
+ <mockito.version>1.8.5</mockito.version>
<shiro.version>1.2.1</shiro.version>
<slf4j.version>1.6.1</slf4j.version>
<solr.version>4.7.0</solr.version>
@@ -82,6 +85,16 @@ limitations under the License.
<dependencyManagement>
<dependencies>
<dependency>
+ <groupId>ant-contrib</groupId>
+ <artifactId>ant-contrib</artifactId>
+ <version>1.0b3</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>${commons-cli.version}</version>
+ </dependency>
+ <dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>${commons.lang.version}</version>
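Review bot: The new `ant-contrib` entry in `dependencyManagement` hard-codes `<version>1.0b3</version>`, although the properties block already defines `ant.contrib.version` and the `maven-antrun-plugin` entry added further down uses `${ant.contrib.version}`. Write `<version>${ant.contrib.version}</version>` here too so the two declarations cannot drift apart. The plugin entries added later in this file also reference `${maven.enforcer.plugin.version}`, `${build.helper.maven.plugin.version}` and `${datanucleus.maven.plugin.version}`, none of which appear among the properties visible in this diff. They are presumably defined in unchanged lines, but that is worth confirming.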
@@ -264,6 +277,11 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-db</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-policy-common</artifactId>
<version>${project.version}</version>
</dependency>
@@ -282,6 +300,31 @@ limitations under the License.
<artifactId>sentry-dist</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>javax.jdo</groupId>
+ <artifactId>jdo-api</artifactId>
+ <version>${jdo-api.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-api-jdo</artifactId>
+ <version>${datanucleus-api-jdo.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-rdbms</artifactId>
+ <version>${datanucleus-rdbms.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-all</artifactId>
+ <version>${mockito.version}</version>
+ </dependency>
</dependencies>
</dependencyManagement>
@@ -328,6 +371,24 @@ limitations under the License.
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <version>${maven.antrun.plugin.version}</version>
+ <dependencies>
+ <dependency>
+ <groupId>ant-contrib</groupId>
+ <artifactId>ant-contrib</artifactId>
+ <version>${ant.contrib.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>ant</groupId>
+ <artifactId>ant</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ </dependencies>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.5.1</version>
<configuration>
@@ -336,6 +397,30 @@ limitations under the License.
</configuration>
</plugin>
<plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-enforcer-plugin</artifactId>
+ <version>${maven.enforcer.plugin.version}</version>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.4</version>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>2.16</version>
+ <configuration>
+ <forkMode>always</forkMode>
+ <environmentVariables>
+ <HADOOP_CLIENT_OPTS>-Xmx1000m -Dhive.log.dir=./target/</HADOOP_CLIENT_OPTS>
+ </environmentVariables>
+ <forkedProcessTimeoutInSeconds>900</forkedProcessTimeoutInSeconds>
+ <redirectTestOutputToFile>true</redirectTestOutputToFile>
+ <argLine>-Xms256m -Xmx1g</argLine>
+ </configuration>
+ </plugin>
+ <plugin>
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
<version>0.10</version>
@@ -368,31 +453,29 @@ limitations under the License.
<exclude>**/*.lck</exclude>
<!-- exclude generated solr config files -->
<exclude>**/solr/collection1/conf/**</exclude>
+ <!-- exclude generated thrift files -->
+ <exclude>**/gen/**</exclude>
</excludes>
</configuration>
</execution>
</executions>
</plugin>
-
<plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <version>2.4</version>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <version>${build.helper.maven.plugin.version}</version>
</plugin>
-
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.16</version>
- <configuration>
- <forkMode>always</forkMode>
- <environmentVariables>
- <HADOOP_CLIENT_OPTS>-Xmx1000m -Dhive.log.dir=./target/</HADOOP_CLIENT_OPTS>
- </environmentVariables>
- <forkedProcessTimeoutInSeconds>900</forkedProcessTimeoutInSeconds>
- <redirectTestOutputToFile>true</redirectTestOutputToFile>
- <argLine>-Xms256m -Xmx1g</argLine>
- </configuration>
+ <plugin>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-maven-plugin</artifactId>
+ <version>${datanucleus.maven.plugin.version}</version>
+ <dependencies>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ </dependencies>
</plugin>
</plugins>
</pluginManagement>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index c719905..5ff7764 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -18,11 +18,9 @@ package org.apache.sentry.binding.hive;
import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
-import java.io.File;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URI;
-import java.net.URISyntaxException;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
@@ -44,8 +42,6 @@ import org.apache.hadoop.hive.ql.hooks.Hook;
import org.apache.hadoop.hive.ql.hooks.ReadEntity;
import org.apache.hadoop.hive.ql.hooks.WriteEntity;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.hive.ql.metadata.Hive;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
@@ -60,14 +56,13 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationSco
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.DBModelAction;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Table;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -284,7 +279,7 @@ implements HiveDriverFilterHook {
} catch (AuthorizationException e) {
executeOnFailureHooks(context, stmtOperation, e);
String permsRequired = "";
- for (String perm : hiveAuthzBinding.getLastQueryPermissionErrors()) {
+ for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
permsRequired += perm + ";";
}
context.getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
@@ -530,11 +525,13 @@ implements HiveDriverFilterHook {
conf.getVar(HiveConf.ConfVars.SCRATCHDIR)));
URI requestURI = new URI(PathUtils.parseDFSURI(warehouseDir,
writeEntity.getLocation().getPath()));
+ LOG.debug("scratchURI = " + scratchURI + ", requestURI = " + requestURI);
if (PathUtils.impliesURI(scratchURI, requestURI)) {
return true;
}
URI localScratchURI = new URI(PathUtils.parseLocalURI(conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR)));
URI localRequestURI = new URI(PathUtils.parseLocalURI(writeEntity.getLocation().getPath()));
+ LOG.debug("localScratchURI = " + localScratchURI + ", localRequestURI = " + localRequestURI);
if (PathUtils.impliesURI(localScratchURI, localRequestURI)) {
return true;
}
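Review bot: Both added `LOG.debug` calls build their message by string concatenation, so the URIs are converted to strings on every call even when debug logging is off. The file imports `org.slf4j.Logger`, so the parameterized form should be available: `LOG.debug("scratchURI = {}, requestURI = {}", scratchURI, requestURI);`, and likewise for `localScratchURI` / `localRequestURI`. These lines appear to sit on the path that returns `true` for a write under the scratch directory. A one-line comment noting that the logged values are exactly the two URIs passed to `PathUtils.impliesURI` would help anyone tracing an allow decision from the log. The enclosing method starts and ends outside the hunk.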
@@ -711,22 +708,15 @@ implements HiveDriverFilterHook {
throws Exception {
List<T> hooks = new ArrayList<T>();
- String csHooks = authzConf.get(hookConfVar.getVar(), "");
- if (csHooks == null) {
+ String csHooks = authzConf.get(hookConfVar.getVar(), "").trim();
+ if (csHooks.isEmpty()) {
return hooks;
}
-
- csHooks = csHooks.trim();
- if (csHooks.equals("")) {
- return hooks;
- }
-
- String[] hookClasses = csHooks.split(",");
-
- for (String hookClass : hookClasses) {
+ for (String hookClass : Splitter.on(",").omitEmptyStrings().trimResults().split(csHooks)) {
try {
+ @SuppressWarnings("unchecked")
T hook =
- (T) Class.forName(hookClass.trim(), true, JavaUtils.getClassLoader()).newInstance();
+ (T) Class.forName(hookClass, true, JavaUtils.getClassLoader()).newInstance();
hooks.add(hook);
} catch (ClassNotFoundException e) {
LOG.error(hookConfVar.getVar() + " Class not found:" + e.getMessage());
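Review bot: The added `@SuppressWarnings("unchecked")` silences the warning on `(T) Class.forName(...).newInstance()`, but that cast is erased and checks nothing at run time. A class named in the hook configuration that is not of the expected hook type is therefore still loaded and instantiated, and only fails later with a `ClassCastException` where the hook is invoked. If the method can receive the expected type as a `Class<T>` (its signature is outside the hunk), check before instantiating: `Class.forName(hookClass, true, JavaUtils.getClassLoader()).asSubclass(hookType).newInstance()`. At minimum, add a comment on the suppression stating that the configured class is trusted to implement the hook interface. The `ClassNotFoundException` handler logs only `e.getMessage()`, and the rest of the method is not visible, so whether a mistyped failure-hook class is silently skipped cannot be told from here.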
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
index f120c77..bed7917 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
@@ -24,8 +24,8 @@ import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
import org.apache.hadoop.hive.ql.hooks.HookContext;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
+import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.slf4j.Logger;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
index 2beacd0..a380651 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
@@ -18,19 +18,16 @@
package org.apache.sentry.binding.hive;
+import java.util.Set;
+
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.hooks.WriteEntity;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Table;
-import org.apache.hadoop.hive.ql.exec.Task;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-
-import java.io.Serializable;
-import java.util.List;
-import java.util.Set;
/**
* Context information provided by Access to implementations
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
index d8ffe23..f97d7f3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
@@ -18,19 +18,16 @@
package org.apache.sentry.binding.hive;
+import java.util.Set;
+
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.hooks.WriteEntity;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Table;
-import org.apache.hadoop.hive.ql.exec.Task;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-
-import java.io.Serializable;
-import java.util.List;
-import java.util.Set;
public class SentryOnFailureHookContextImpl implements SentryOnFailureHookContext {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index f6a1ecc..65854c3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -32,7 +32,8 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.core.common.Action;
+import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
+import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.DBModelAction;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
@@ -44,7 +45,6 @@ import org.apache.sentry.provider.common.NoAuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
import com.google.common.base.Strings;
@@ -56,12 +56,10 @@ public class HiveAuthzBinding {
private static final AtomicInteger queryID = new AtomicInteger();
public static final String HIVE_BINDING_TAG = "hive.authz.bindings.tag";
- private final HiveAuthzConf authzConf;
private final Server authServer;
private final AuthorizationProvider authProvider;
public HiveAuthzBinding (HiveConf hiveConf, HiveAuthzConf authzConf) throws Exception {
- this.authzConf = authzConf;
this.authServer = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
this.authProvider = getAuthProvider(hiveConf, authzConf, authServer.getName());
}
@@ -130,27 +128,25 @@ public class HiveAuthzBinding {
String authProviderName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER.getVar());
String resourceName =
authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
- String providerBackendName =
- authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
- String policyEngineName =
- authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
+ String providerBackendName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
+ String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
LOG.debug("Using authorization provider " + authProviderName +
- " with resource " + resourceName + ", policy engine "
- + policyEngineName + ", provider backend " + providerBackendName);
- // load the provider backend class
- Constructor<?> providerBackendConstructor =
- Class.forName(providerBackendName).getDeclaredConstructor(String.class);
- providerBackendConstructor.setAccessible(true);
- ProviderBackend providerBackend =
- (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {resourceName});
+ " with resource " + resourceName + ", policy engine "
+ + policyEngineName + ", provider backend " + providerBackendName);
+ // load the provider backend class
+ Constructor<?> providerBackendConstructor =
+ Class.forName(providerBackendName).getDeclaredConstructor(String.class);
+ providerBackendConstructor.setAccessible(true);
+ ProviderBackend providerBackend = (ProviderBackend) providerBackendConstructor.
+ newInstance(new Object[] {resourceName});
// load the policy engine class
Constructor<?> policyConstructor =
Class.forName(policyEngineName).getDeclaredConstructor(String.class, ProviderBackend.class);
policyConstructor.setAccessible(true);
- PolicyEngine policyEngine =
- (PolicyEngine) policyConstructor.newInstance(new Object[] {serverName, providerBackend});
+ PolicyEngine policyEngine = (PolicyEngine) policyConstructor.
+ newInstance(new Object[] {serverName, providerBackend});
// load the authz provider class
@@ -200,7 +196,7 @@ public class HiveAuthzBinding {
if (requiredInputPrivileges.containsKey(getAuthzType(inputHierarchy))) {
EnumSet<DBModelAction> inputPrivSet =
requiredInputPrivileges.get(getAuthzType(inputHierarchy));
- if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet)) {
+ if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet, ActiveRoleSet.ALL)) {
throw new AuthorizationException("User " + subject.getName() +
" does not have privileges for " + hiveOp.name());
}
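Review bot: The new fourth argument to `hasAccess` is hard-coded to `ActiveRoleSet.ALL` here, in the output-privilege check in the next hunk, and in the `hasAccess` call in SolrAuthzBinding, so these checks always evaluate against the full role set and never a narrower selection. That may be intended for this merge, but nothing at the call sites says so. A comment such as `// ActiveRoleSet.ALL: authorize against all of the subject's roles; no role subset is selected at this layer` would stop a later reader from assuming role restriction is enforced here. The enclosing method starts and ends outside the hunk.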
@@ -218,7 +214,7 @@ public class HiveAuthzBinding {
if (requiredOutputPrivileges.containsKey(getAuthzType(outputHierarchy))) {
EnumSet<DBModelAction> outputPrivSet =
requiredOutputPrivileges.get(getAuthzType(outputHierarchy));
- if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet)) {
+ if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet, ActiveRoleSet.ALL)) {
throw new AuthorizationException("User " + subject.getName() +
" does not have priviliedges for " + hiveOp.name());
}
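Review bot: The denial message on the output path reads `does not have priviliedges for`, while the input path in the previous hunk says `privileges`. Since the adjacent line is being edited anyway, the spelling could be aligned so that one log search or alert pattern matches both kinds of authorization failure. The corrected line would be `" does not have privileges for " + hiveOp.name());`. The enclosing method continues outside the hunk.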
@@ -234,7 +230,7 @@ public class HiveAuthzBinding {
return hierarchy.get(hierarchy.size() -1).getAuthzType();
}
- public List<String> getLastQueryPermissionErrors() {
- return authProvider.getLastFailedPermissions();
+ public List<String> getLastQueryPrivilegeErrors() {
+ return authProvider.getLastFailedPrivileges();
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index b20ec34..7d241d0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -24,7 +24,6 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
-import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.model.db.DBModelAction;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index d7a518d..bc739ad 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -25,7 +25,6 @@ import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;
-import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.GnuParser;
import org.apache.commons.cli.HelpFormatter;
@@ -42,13 +41,15 @@ import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.log4j.Level;
import org.apache.log4j.LogManager;
+import org.apache.sentry.Command;
import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
+import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.provider.common.AuthorizationProvider;
public class SentryConfigTool {
private String sentrySiteFile = null;
@@ -57,7 +58,7 @@ public class SentryConfigTool {
private String jdbcURL = null;
private String user = null;
private String passWord = null;
- private boolean listPerms = false;
+ private boolean listPrivs = false;
private boolean validate = false;
private HiveConf hiveConf = null;
private HiveAuthzConf authzConf = null;
@@ -147,12 +148,12 @@ public class SentryConfigTool {
this.passWord = passWord;
}
- public boolean isListPerms() {
- return listPerms;
+ public boolean isListPrivs() {
+ return listPrivs;
}
- public void setListPerms(boolean listPerms) {
- this.listPerms = listPerms;
+ public void setListPrivs(boolean listPrivs) {
+ this.listPrivs = listPrivs;
}
/**
@@ -229,10 +230,10 @@ public class SentryConfigTool {
}
// list permissions for given user
- public void listPerms() throws Exception {
+ public void listPrivs() throws Exception {
getSentryProvider().validateResource(true);
System.out.println("Available privileges for user " + getUser() + ":");
- Set<String> permList = getSentryProvider().listPermissionsForSubject(
+ Set<String> permList = getSentryProvider().listPrivilegesForSubject(
new Subject(getUser()));
for (String perms : permList) {
System.out.println("\t" + perms);
@@ -359,17 +360,18 @@ public class SentryConfigTool {
/**
* parse arguments
- *
- * -d,--debug enable debug output
- * -e,--query <arg> Query privilege verification, requires -u
- * -h,--help Print usage
- * -i,--policyIni <arg> Policy file path
- * -j,--jdbcURL <arg> JDBC URL
- * -l,--listPerms list permissions for given user, requires -u
- * -p,--password <arg> Password
- * -s,--sentry-site <arg> sentry-site file path
- * -u,--user <arg> user name
- * -v,--validate Validate policy file
+ * <pre>
+ * -d,--debug Enable debug output
+ * -e,--query <arg> Query privilege verification, requires -u
+ * -h,--help Print usage
+ * -i,--policyIni <arg> Policy file path
+ * -j,--jdbcURL <arg> JDBC URL
+ * -l,--listPrivs,--listPerms List privilges for given user, requires -u
+ * -p,--password <arg> Password
+ * -s,--sentry-site <arg> sentry-site file path
+ * -u,--user <arg> user name
+ * -v,--validate Validate policy file
+ * </pre>
* @param args
*/
private void parseArgs(String[] args) {
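Review bot: The rewritten option table has a typo, `privilges`, and lists the new flag as `--listPrivs`. The following hunk registers it with the single-name constructor `new Option("listPrivs", false, ...)`, which defines a short option with no long name. The generated help will therefore presumably show `-listPrivs`, and whether the parser also accepts the double-dash form should be confirmed before documenting it. A line matching the registration would be `-l,--listPerms,-listPrivs   List privileges for given user, requires -u`.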
@@ -391,6 +393,9 @@ public class SentryConfigTool {
Option listPermsOpt = new Option("l", "listPerms", false,
"list permissions for given user, requires -u");
listPermsOpt.setRequired(false);
+ Option listPrivsOpt = new Option("listPrivs", false,
+ "list privileges for given user, requires -u");
+ listPrivsOpt.setRequired(false);
// required args
OptionGroup sentryOptGroup = new OptionGroup();
@@ -398,6 +403,7 @@ public class SentryConfigTool {
sentryOptGroup.addOption(validateOpt);
sentryOptGroup.addOption(queryOpt);
sentryOptGroup.addOption(listPermsOpt);
+ sentryOptGroup.addOption(listPrivsOpt);
sentryOptGroup.setRequired(true);
sentryOptions.addOptionGroup(sentryOptGroup);
@@ -445,8 +451,8 @@ public class SentryConfigTool {
setUser(opt.getValue());
} else if (opt.getOpt().equals("p")) {
setPassWord(opt.getValue());
- } else if (opt.getOpt().equals("l")) {
- setListPerms(true);
+ } else if (opt.getOpt().equals("l") || opt.getOpt().equals("listPrivs")) {
+ setListPrivs(true);
} else if (opt.getOpt().equals("v")) {
setValidate(true);
} else if (opt.getOpt().equals("h")) {
@@ -456,7 +462,7 @@ public class SentryConfigTool {
}
}
- if (isListPerms() && (getUser() == null)) {
+ if (isListPrivs() && (getUser() == null)) {
throw new ParseException("Can't use -l without -u ");
}
if ((getQuery() != null) && (getUser() == null)) {
@@ -473,38 +479,41 @@ public class SentryConfigTool {
}
}
- public static void main(String args[]) throws Exception {
- SentryConfigTool sentryTool = new SentryConfigTool();
+ public static class CommandImpl implements Command {
+ @Override
+ public void run(String[] args) throws Exception {
+ SentryConfigTool sentryTool = new SentryConfigTool();
- try {
- // parse arguments
- sentryTool.parseArgs(args);
+ try {
+ // parse arguments
+ sentryTool.parseArgs(args);
- // load configuration
- sentryTool.setupConfig();
+ // load configuration
+ sentryTool.setupConfig();
- // validate configuration
- if (sentryTool.isValidate()) {
- sentryTool.validatePolicy();
- }
+ // validate configuration
+ if (sentryTool.isValidate()) {
+ sentryTool.validatePolicy();
+ }
- // list permissions for give user
- if (sentryTool.isListPerms()) {
- sentryTool.listPerms();
- }
+ // list permissions for give user
+ if (sentryTool.isListPrivs()) {
+ sentryTool.listPrivs();
+ }
- // verify given query
- if (sentryTool.getQuery() != null) {
- if (sentryTool.getJdbcURL() != null) {
- sentryTool.verifyRemoteQuery(sentryTool.getQuery());
- } else {
- sentryTool.verifyLocalQuery(sentryTool.getQuery());
+ // verify given query
+ if (sentryTool.getQuery() != null) {
+ if (sentryTool.getJdbcURL() != null) {
+ sentryTool.verifyRemoteQuery(sentryTool.getQuery());
+ } else {
+ sentryTool.verifyLocalQuery(sentryTool.getQuery());
+ }
}
+ } catch (Exception e) {
+ System.out.println("Sentry tool reported Errors: " + e.getMessage());
+ e.printStackTrace(System.out);
+ System.exit(1);
}
- } catch (Exception e) {
- System.out.println("Sentry tool reported Errors: " + e.getMessage());
- System.exit(1);
}
-
}
}
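Review bot: `CommandImpl.run` is declared `throws Exception`, but its catch block ends in `System.exit(1)`, so a caller such as SentryMain can never observe a failure or choose the exit status, and anything embedding this command has its JVM terminated. Consider reporting on `System.err` and ending the catch with `throw e;` so the launcher owns process exit. The added `e.printStackTrace(System.out)` also mixes the stack trace into the tool's normal output, which makes the privilege listing harder to parse and may surface internal configuration details to whoever reads it. The new class and method have no Javadoc; a one-line summary saying that it runs the config tool with the arguments the launcher passes through would help.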
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
index 83432ca..c095603 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
@@ -17,18 +17,18 @@
package org.apache.sentry.binding.hive;
-import java.util.List;
+import java.util.Set;
import org.apache.sentry.provider.common.GroupMappingService;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
public class MockUserToGroupMapping implements GroupMappingService {
// User to group 1-to-1 map
@Override
- public List<String> getGroups(String user) {
- return Lists.newArrayList(user);
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(user);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
index ea2c7ea..1942e03 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
@@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive;
import java.util.Arrays;
import java.util.List;
+
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
import org.junit.Assert;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
index 1853559..e99d37f 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
@@ -20,7 +20,6 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
index 134eaeb..938dbfd 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
@@ -17,6 +17,8 @@
package org.apache.sentry.binding.solr.authz;
public class SentrySolrAuthorizationException extends Exception {
+ private static final long serialVersionUID = -263787088321897523L;
+
public SentrySolrAuthorizationException(String message) {
super(message);
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index c6ce53e..9a6e623 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -20,22 +20,21 @@ import java.io.File;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.Arrays;
-import java.util.List;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
+import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.SearchModelAction;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.common.ProviderBackend;
-
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -120,7 +119,8 @@ public class SolrAuthzBinding {
LOG.debug("Actions: " + actions);
}
- if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions)) {
+ if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions,
+ ActiveRoleSet.ALL)) {
throw new SentrySolrAuthorizationException("User " + subject.getName() +
" does not have privileges for " + collection.getName());
}
@@ -131,7 +131,7 @@ public class SolrAuthzBinding {
* @param user
* @return list of groups the user belongs to
*/
- public List<String> getGroups(String user) {
+ public Set<String> getGroups(String user) {
return groupMapping.getGroups(user);
}
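Review bot: The Javadoc on the context line above still says `@return list of groups the user belongs to`, although the method now returns `Set<String>`; it should read `@return set of groups the user belongs to`. This is also a signature change on a public method, so callers outside this diff that index into the result or rely on ordering need checking. The Javadoc block starts outside the hunk.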
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
index c9ee8ba..70983c4 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
@@ -17,12 +17,8 @@
package org.apache.sentry.binding.solr.conf;
import java.net.URL;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Map.Entry;
import org.apache.hadoop.conf.Configuration;
-import org.mortbay.log.Log;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index b061eec..e2e3403 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -16,31 +16,32 @@
*/
package org.apache.sentry.binding.solr;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
import java.io.File;
import java.io.FileNotFoundException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
import java.lang.reflect.InvocationTargetException;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
import junit.framework.Assert;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertTrue;
import org.apache.commons.io.FileUtils;
+import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
+import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.SearchModelAction;
import org.apache.sentry.provider.file.PolicyFiles;
-import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
-import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import com.google.common.collect.Sets;
import com.google.common.io.Files;
import com.google.common.io.Resources;
@@ -59,11 +60,11 @@ public class TestSolrAuthzBinding {
private Subject sergeant1 = new Subject("sergeant1");
private Subject general1 = new Subject("general1");
- private EnumSet querySet = EnumSet.of(SearchModelAction.QUERY);
- private EnumSet updateSet = EnumSet.of(SearchModelAction.UPDATE);
- private EnumSet allSet = EnumSet.of(SearchModelAction.ALL);
- private EnumSet allOfSet = EnumSet.allOf(SearchModelAction.class);
- private EnumSet emptySet = EnumSet.noneOf(SearchModelAction.class);
+ private EnumSet<SearchModelAction> querySet = EnumSet.of(SearchModelAction.QUERY);
+ private EnumSet<SearchModelAction> updateSet = EnumSet.of(SearchModelAction.UPDATE);
+ private EnumSet<SearchModelAction> allSet = EnumSet.of(SearchModelAction.ALL);
+ private EnumSet<SearchModelAction> allOfSet = EnumSet.allOf(SearchModelAction.class);
+ private EnumSet<SearchModelAction> emptySet = EnumSet.noneOf(SearchModelAction.class);
@Before
public void setUp() throws Exception {
@@ -170,7 +171,7 @@ public class TestSolrAuthzBinding {
new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
setUsableAuthzConf(solrAuthzConf);
SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
- List<String> emptyList = Arrays.asList();
+ Set<String> emptyList = Collections.emptySet();
// check non-existant users
assertEquals(binding.getGroups(null), emptyList);
@@ -183,9 +184,9 @@ public class TestSolrAuthzBinding {
assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
// check valid group names
- assertEquals(binding.getGroups("corporal1"), Arrays.asList("corporal"));
- assertEquals(binding.getGroups("sergeant1"), Arrays.asList("sergeant"));
- assertEquals(binding.getGroups("general1"), Arrays.asList("general", "othergeneralgroup"));
+ assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
+ assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant"));
+ assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup"));
}
/**
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml
index d50963e..84ab359 100644
--- a/sentry-core/sentry-core-common/pom.xml
+++ b/sentry-core/sentry-core-common/pom.xml
@@ -29,6 +29,10 @@ limitations under the License.
<dependencies>
<dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ </dependency>
+ <dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
new file mode 100644
index 0000000..528f7d7
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+
+public interface Command {
+ public void run(String[] args) throws Exception;
+}
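Review bot: The new `Command` interface is the contract for every class SentryMain instantiates reflectively, yet it has no Javadoc. It should say that implementations need a public no-argument constructor, since they are created with `newInstance()`. It should also say that `args` holds the arguments left after the launcher's own options, and whether `run` may call `System.exit` or must report failure by throwing. The `public` modifier on the method is redundant in an interface.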
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
new file mode 100644
index 0000000..eb3482b
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Options;
+
+import com.google.common.collect.ImmutableMap;
+
+public class SentryMain {
+ private static final String HELP_SHORT = "h";
+ private static final String HELP_LONG = "help";
+ private static final String COMMAND = "command";
+ private static final ImmutableMap<String, String> COMMANDS = ImmutableMap
+ .<String, String>builder()
+ .put("service", "org.apache.sentry.service.thrift.SentryService$CommandImpl")
+ .put("config-tool", "org.apache.sentry.binding.hive.authz.SentryConfigTool$CommandImpl")
+ .build();
+ public static void main(String[] args)
+ throws Exception {
+ CommandLineParser parser = new GnuParser();
+ Options options = new Options();
+ options.addOption(HELP_SHORT, HELP_LONG, false, "Print this help text");
+ options.addOption(null, COMMAND, true, "Command to run. Options: " + COMMANDS.keySet());
+ CommandLine commandLine = parser.parse(options, args);
+ String commandName = commandLine.getOptionValue(COMMAND);
+ if (commandName == null || commandLine.hasOption(HELP_SHORT) ||
+ commandLine.hasOption(HELP_LONG)) {
+ printHelp(options);
+ }
+ String commandClazz = COMMANDS.get(commandName);
+ if (commandClazz == null) {
+ String msg = "Unknown command '" + commandName + "', options are: " + COMMANDS.keySet();
+ throw new IllegalArgumentException(msg);
+ }
+ Object command;
+ try {
+ command = Class.forName(commandClazz.trim()).newInstance();
+ } catch (Exception e) {
+ String msg = "Could not create instance of " + commandClazz + " for command " + commandName;
+ throw new IllegalStateException(msg, e);
+ }
+ if (!(command instanceof Command)) {
+ String msg = "Command " + command.getClass().getName() + " is not an instance of "
+ + Command.class.getName();
+ throw new IllegalStateException(msg);
+ }
+ ((Command)command).run(commandLine.getArgs());
+ }
+ private static void printHelp(Options options) {
+ (new HelpFormatter()).printHelp("sentry --" + COMMAND + "=" + COMMANDS.keySet(),
+ options);
+ System.exit(1);
+ }
+}
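Review bot: The command class is instantiated before its type is checked, so a wrong entry in `COMMANDS` runs that class's constructor and only then fails the `instanceof` test. `Command command = Class.forName(commandClazz.trim()).asSubclass(Command.class).newInstance();` rejects it first and removes the separate `instanceof` block and cast. It is worth a comment on `COMMANDS` that the user-supplied `--command` value is only a lookup key into this fixed map and never reaches `Class.forName` directly, so nobody later replaces the map with a pass-through class name. Separately, `main` falls through after `printHelp(options)` and relies on that helper calling `System.exit(1)`, which also makes an explicit `--help` exit with a failure status. An explicit `return` after the call, and exit status 0 for requested help, would be clearer.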
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
new file mode 100644
index 0000000..2b24703
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+public class SentryUserException extends Exception{
+ private static final long serialVersionUID = 2329620558380655835L;
+ public SentryUserException(String msg) {
+ super(msg);
+ }
+ public SentryUserException(String msg, Throwable t) {
+ super(msg, t);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
new file mode 100644
index 0000000..c1f1f66
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * Some authorization schemes allow users to select a particular
+ * set of roles they want active at any give time. For example,
+ * SQL systems often all ALL, NONE, or a subset of roles.
+ */
+public class ActiveRoleSet {
+ public static final ActiveRoleSet ALL = new ActiveRoleSet(true);
+ private final boolean allRoles;
+ private final ImmutableSet<String> roles;
+
+ public ActiveRoleSet(boolean allRoles) {
+ this(allRoles, new HashSet<String>());
+ }
+
+ public ActiveRoleSet(Set<String> roles) {
+ this(false, ImmutableSet.copyOf(roles));
+ }
+
+ private ActiveRoleSet(boolean allRoles, Set<String> roles) {
+ this.allRoles = allRoles;
+ ImmutableSet.Builder<String> setBuilder = ImmutableSet.builder();
+ for (String role : roles) {
+ setBuilder.add(role.toLowerCase());
+ }
+ this.roles = setBuilder.build();
+ }
+
+ /**
+ * Returns true if this active role set contains role. This can be the result
+ * of either this role set implying all roles or containing role.
+ * @param role
+ * @return true if this active role set contains role
+ */
+ public boolean containsRole(String role) {
+ return allRoles || roles.contains(role.toLowerCase());
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder("ActiveRoleSet = [ roles = ");
+ if (allRoles) {
+ builder.append("ALL");
+ } else {
+ builder.append(roles);
+ }
+ return builder.append(" ").toString();
+ }
+}
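Review bot: `role.toLowerCase()` in the private constructor and in `containsRole` folds case with the JVM's default locale, so the normalized role name that feeds the authorization check depends on where the process runs. Under a Turkish default locale, for example, an upper-case `I` does not fold to `i`, so the result can differ from role names normalized in another JVM or stored elsewhere. Use `role.toLowerCase(Locale.ROOT)` in both places, with `import java.util.Locale;`. Separately, `toString` opens `[` and never closes it; `return builder.append(" ]").toString();` would balance the output.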
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
index 516b2da..10d66f5 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
@@ -22,6 +22,7 @@ import java.util.List;
import org.apache.shiro.config.ConfigurationException;
public class SentryConfigurationException extends ConfigurationException {
+ private static final long serialVersionUID = -116202866086371884L;
private List<String> configErrors = new ArrayList<String>();
private List<String> configWarnings = new ArrayList<String>();
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
index 1659450..962179f 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
@@ -43,8 +43,8 @@ public class PathUtils {
// request path does not contain relative parts /a/../b &&
// request path starts with privilege path &&
// authorities (nullable) are equal
- String requestPath = ensureEndsWithSeparator(requestURI.getPath());
- String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath());
+ String requestPath = ensureEndsWithSeparator(requestURI.getPath()).replace("//", "/");
+ String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath()).replace("//", "/");
if (requestURI.getPath().equals(requestURI.normalize().getPath()) &&
requestPath.startsWith(privilegePath) &&
Strings.nullToEmpty(privilegeURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {
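Review bot: `replace("//", "/")` on the two added lines is a single left-to-right pass, so a path with three or more consecutive slashes still contains `//` afterwards, and `requestPath.startsWith(privilegePath)` can then disagree for two spellings of the same directory. Collapsing whole runs with `.replaceAll("/+", "/")` on both lines gives one canonical form. The next condition still compares the raw `requestURI.getPath()` with its normalized form, so it is worth confirming how that check treats the duplicate slashes this change means to tolerate. The TestPathUtils hunk in this commit adds only a blank line, so no test pins the new behaviour. The method body starts and ends outside the hunk.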
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
index 28818ba..d30305b 100644
--- a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
+++ b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
@@ -21,6 +21,7 @@ import static junit.framework.Assert.assertFalse;
import static junit.framework.Assert.assertTrue;
import java.net.URI;
+
import org.junit.Test;
public class TestPathUtils {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
index bc00b62..1bf7069 100644
--- a/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
+++ b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
@@ -16,9 +16,10 @@ package org.apache.sentry.core.search;
* limitations under the License.
*/
+import junit.framework.Assert;
+
import org.apache.sentry.core.model.search.Collection;
import org.junit.Test;
-import junit.framework.Assert;
public class TestCollection {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index e43bb7c..edac341 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -56,6 +56,10 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-policy-common</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-dist/src/main/assembly/src.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml
index fefe182..a06e521 100644
--- a/sentry-dist/src/main/assembly/src.xml
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -65,4 +65,3 @@
</fileSets>
</assembly>
-
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
deleted file mode 100644
index 45fd7bd..0000000
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import org.apache.shiro.authz.Permission;
-
-/**
- * Factory for creating Shiro permissions
- */
-public interface PermissionFactory {
- Permission createPermission(String permission);
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index c08d082..512e28e 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -17,41 +17,38 @@
package org.apache.sentry.policy.common;
-import java.util.List;
+import java.util.Set;
-import org.apache.sentry.core.common.Authorizable;
+import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.SentryConfigurationException;
import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-
+/**
+ * Implementations of this interface are expected to be thread safe
+ * after construction.
+ */
+@ThreadSafe
public interface PolicyEngine {
/**
- * The permission factory to use in order to compare permissions in {@link getPermission}.
- * This is typically a factory that returns a permission used to evaluate wildcards.
- * @return the permission factory
+ * The privilege factory to use in order to compare privileges in {@link getPermission}.
+ * This is typically a factory that returns a privilege used to evaluate wildcards.
+ * @return the privilege factory
*/
- public PermissionFactory getPermissionFactory();
+ public PrivilegeFactory getPrivilegeFactory();
/**
- * Get permissions associated with a group. Returns Strings which can be resolved
+ * Get privileges associated with a group. Returns Strings which can be resolved
* by the caller. Strings are returned to separate the PolicyFile class from the
- * type of permissions used in a policy file. Additionally it is possible further
- * processing of the permissions is needed before resolving to a permission object.
- * @param authorizeable object
+ * type of privileges used in a policy file. Additionally it is possible further
+ * processing of the privileges is needed before resolving to a privilege object.
* @param group name
- * @return non-null immutable set of permissions
+ * @return non-null immutable set of privileges
*/
- public ImmutableSetMultimap<String, String> getPermissions(
- List<? extends Authorizable> authorizables, List<String> groups)
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
throws SentryConfigurationException;
- public ImmutableSet<String> listPermissions(String groupName)
- throws SentryConfigurationException;
-
- public ImmutableSet<String> listPermissions(List<String> groupName)
- throws SentryConfigurationException;
-
public void validatePolicy(boolean strictValidation) throws SentryConfigurationException;
}
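Review bot: The Javadoc on `getPrivilegeFactory` still says `{@link getPermission}`, which names no method on the new interface and lacks the `#` a member link needs; `{@link #getPrivileges}` is what the rename implies. The `getPrivileges` Javadoc keeps `@param group name` although the parameters are now `groups` and `roleSet`. Replacing it with `@param groups names of the groups to resolve` and `@param roleSet roles currently active for the caller` (meaning inferred from ActiveRoleSet's own Javadoc) would match the signature.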
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
new file mode 100644
index 0000000..c7e1734
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
@@ -0,0 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+public interface Privilege {
+ public boolean implies(Privilege p);
+}
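Review bot: `implies` has no Javadoc, although every implementation has to agree on which side of the call is the granted privilege and which is the requested one. A one-line contract on the method would fix the direction, for example `/** Returns true if holding this privilege also grants {@code p}. */` (direction inferred from the name; confirm against the implementations). It should also say whether `p` may be null.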
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
new file mode 100644
index 0000000..2f8296b
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+/**
+ * Factory for creating Privilege
+ */
+public interface PrivilegeFactory {
+ Privilege createPrivilege(String permission);
+}
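Review bot: The parameter of `createPrivilege` is still called `permission`, left over from the `PermissionFactory` this interface replaces; `Privilege createPrivilege(String privilege);` keeps the rename consistent. The Javadoc could also state the expected format of the string and what happens when it cannot be parsed, since neither is visible in this file.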
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
new file mode 100644
index 0000000..7387ad0
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import java.util.Set;
+
+import org.apache.shiro.util.PermissionUtils;
+
+public class PrivilegeUtils {
+ public static Set<String> toPrivilegeStrings(String s) {
+ return PermissionUtils.toPermissionStrings(s);
+ }
+}
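Review bot: `PrivilegeUtils` holds only a static method but can still be instantiated and subclassed; declaring it `public final class PrivilegeUtils` with `private PrivilegeUtils() {}` states the intent. `toPrivilegeStrings` has no Javadoc, and it returns whatever Shiro's `PermissionUtils.toPermissionStrings` returns. The comment should therefore say what callers get for a null or empty string, which is worth checking against the Shiro version in use.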
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
new file mode 100644
index 0000000..5548f04
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import org.apache.shiro.config.ConfigurationException;
+
+public interface PrivilegeValidator {
+
+ public void validate(PrivilegeValidatorContext context) throws ConfigurationException;
+}