You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/07/21 05:55:19 UTC
[25/51] [partial] sentry git commit: SENTRY-1205: Refactor the code
for sentry-provider-db and create sentry-service module(Colin Ma,
reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
deleted file mode 100644
index d320d0f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TProtocol;
-
-public class SentryGenericPolicyProcessorWrapper<I extends SentryGenericPolicyService.Iface>
- extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface> {
-
- public SentryGenericPolicyProcessorWrapper(I iface) {
- super(iface);
- }
-
- @Override
- public boolean process(TProtocol in, TProtocol out) throws TException {
- // set the ip and impersonator for audit log
- ThriftUtil.setIpAddress(in);
- ThriftUtil.setImpersonator(in);
- return super.process(in, out);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
deleted file mode 100644
index 11cdee7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-
-public interface SentryGenericServiceClient {
-
- /**
- * Create a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- void createRole(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- void createRoleIfNotExist(String requestorUserName,
- String roleName, String component) throws SentryUserException;
-
- /**
- * Drop a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- void dropRole(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- void dropRoleIfExists(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- /**
- * add a sentry role to groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- void addRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException;
-
- /**
- * delete a sentry role from groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- void deleteRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException;
-
- /**
- * grant privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void grantPrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * revoke privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void revokePrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * drop privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void dropPrivilege(String requestorUserName,String component,
- TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * rename privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param serviceName: The Authorizable belongs to which service
- * @param oldAuthorizables
- * @param newAuthorizables
- * @throws SentryUserException
- */
- void renamePrivilege(String requestorUserName, String component,
- String serviceName, List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables) throws SentryUserException;
-
- /**
- * Gets sentry role objects for a given groupName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
- * @param component: The request is issued to which component
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- Set<TSentryRole> listRolesByGroupName(
- String requestorUserName,
- String groupName,
- String component)
- throws SentryUserException;
-
- Set<TSentryRole> listUserRoles(String requestorUserName, String component)
- throws SentryUserException;
-
- Set<TSentryRole> listAllRoles(String requestorUserName, String component)
- throws SentryUserException;
-
- /**
- * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName:
- * @param component: The request is issued to which component
- * @param serviceName
- * @param authorizables
- * @return
- * @throws SentryUserException
- */
- Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName, List<? extends Authorizable> authorizables)
- throws SentryUserException;
-
- Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName) throws SentryUserException;
-
- /**
- * get sentry permissions from provider as followings:
- * @param: component: The request is issued to which component
- * @param: serviceName: The privilege belongs to which service
- * @param: roleSet
- * @param: groupNames
- * @param: the authorizables
- * @returns the set of permissions
- * @throws SentryUserException
- */
- Set<String> listPrivilegesForProvider(String component,
- String serviceName, ActiveRoleSet roleSet, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException;
-
- /**
- * Get sentry privileges based on valid active roles and the authorize objects. Note that
- * it is client responsibility to ensure the requestor username, etc. is not impersonated.
- *
- * @param component: The request respond to which component.
- * @param serviceName: The name of service.
- * @param requestorUserName: The requestor user name.
- * @param authorizablesSet: The set of authorize objects. One authorize object is represented
- * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
- * @param groups: The requested groups.
- * @param roleSet: The active roles set.
- *
- * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
- * @throws SentryUserException
- */
- Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
- String serviceName, String requestorUserName, Set<String> authorizablesSet,
- Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
-
- void close();
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
deleted file mode 100644
index ee6cdf7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ /dev/null
@@ -1,591 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.security.PrivilegedExceptionAction;
-import java.util.*;
-
-import javax.security.auth.callback.CallbackHandler;
-
-import org.apache.hadoop.conf.Configuration;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.sentry_common_serviceConstants;
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.protocol.TMultiplexedProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
-import org.apache.thrift.transport.TTransportException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-
-public class SentryGenericServiceClientDefaultImpl implements SentryGenericServiceClient {
- private final Configuration conf;
- private final InetSocketAddress serverAddress;
- private final boolean kerberos;
- private final String[] serverPrincipalParts;
- private SentryGenericPolicyService.Client client;
- private TTransport transport;
- private int connectionTimeout;
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryGenericServiceClientDefaultImpl.class);
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
-
- /**
- * This transport wraps the Sasl transports to set up the right UGI context for open().
- */
- public static class UgiSaslClientTransport extends TSaslClientTransport {
- protected UserGroupInformation ugi = null;
-
- public UgiSaslClientTransport(String mechanism, String authorizationId,
- String protocol, String serverName, Map<String, String> props,
- CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf)
- throws IOException {
- super(mechanism, authorizationId, protocol, serverName, props, cbh,
- transport);
- if (wrapUgi) {
- // If we don't set the configuration, the UGI will be created based on
- // what's on the classpath, which may lack the kerberos changes we require
- UserGroupInformation.setConfiguration(conf);
- ugi = UserGroupInformation.getLoginUser();
- }
- }
-
- // open the SASL transport with using the current UserGroupInformation
- // This is needed to get the current login context stored
- @Override
- public void open() throws TTransportException {
- if (ugi == null) {
- baseOpen();
- } else {
- try {
- if (ugi.isFromKeytab()) {
- ugi.checkTGTAndReloginFromKeytab();
- }
- ugi.doAs(new PrivilegedExceptionAction<Void>() {
- public Void run() throws TTransportException {
- baseOpen();
- return null;
- }
- });
- } catch (IOException e) {
- throw new TTransportException("Failed to open SASL transport: " + e.getMessage(), e);
- } catch (InterruptedException e) {
- throw new TTransportException(
- "Interrupted while opening underlying transport: " + e.getMessage(), e);
- }
- }
- }
-
- private void baseOpen() throws TTransportException {
- super.open();
- }
- }
-
- public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException {
- // copy the configuration because we may make modifications to it.
- this.conf = new Configuration(conf);
- Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
- this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
- conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
- + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
- ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
- this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
- ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
- kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
- conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
- transport = new TSocket(serverAddress.getHostName(),
- serverAddress.getPort(), connectionTimeout);
- if (kerberos) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
- // since the client uses hadoop-auth, we need to set kerberos in
- // hadoop-auth if we plan to use kerberos
- conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);
-
- // Resolve server host in the same way as we are doing on server side
- serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
- LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
-
- serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
- Preconditions.checkArgument(serverPrincipalParts.length == 3,
- "Kerberos principal should have 3 parts: " + serverPrincipal);
- boolean wrapUgi = "true".equalsIgnoreCase(conf
- .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
- transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
- null, serverPrincipalParts[0], serverPrincipalParts[1],
- ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf);
- } else {
- serverPrincipalParts = null;
- }
- try {
- transport.open();
- } catch (TTransportException e) {
- throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
- }
- LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
- long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
- ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
- TMultiplexedProtocol protocol = new TMultiplexedProtocol(
- new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
- SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME);
- client = new SentryGenericPolicyService.Client(protocol);
- LOGGER.debug("Successfully created client");
- }
-
-
-
- /**
- * Create a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- public synchronized void createRole(String requestorUserName, String roleName, String component)
- throws SentryUserException {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TCreateSentryRoleResponse response = client.create_sentry_role(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public void createRoleIfNotExist(String requestorUserName, String roleName, String component) throws SentryUserException {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TCreateSentryRoleResponse response = client.create_sentry_role(request);
- Status status = Status.fromCode(response.getStatus().getValue());
- if (status == Status.ALREADY_EXISTS) {
- return;
- }
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Drop a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- public void dropRole(String requestorUserName,
- String roleName, String component)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, component, false);
- }
-
- public void dropRoleIfExists(String requestorUserName,
- String roleName, String component)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, component, true);
- }
-
- private void dropRole(String requestorUserName,
- String roleName, String component , boolean ifExists)
- throws SentryUserException {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TDropSentryRoleResponse response = client.drop_sentry_role(request);
- Status status = Status.fromCode(response.getStatus().getValue());
- if (ifExists && status == Status.NO_SUCH_OBJECT) {
- return;
- }
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * add a sentry role to groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- public void addRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setGroups(groups);
- request.setComponent(component);
-
- try {
- TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * delete a sentry role from groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- public void deleteRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setGroups(groups);
- request.setComponent(component);
-
- try {
- TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * grant privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void grantPrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRoleName(roleName);
- request.setRequestorUserName(requestorUserName);
- request.setPrivilege(privilege);
-
- try {
- TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * revoke privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void revokePrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setPrivilege(privilege);
-
- try {
- TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * drop privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void dropPrivilege(String requestorUserName,String component,
- TSentryPrivilege privilege) throws SentryUserException {
- TDropPrivilegesRequest request = new TDropPrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setPrivilege(privilege);
-
- try {
- TDropPrivilegesResponse response = client.drop_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * rename privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param serviceName: The Authorizable belongs to which service
- * @param oldAuthorizables
- * @param newAuthorizables
- * @throws SentryUserException
- */
- public void renamePrivilege(String requestorUserName, String component,
- String serviceName, List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables) throws SentryUserException {
- if (oldAuthorizables == null || oldAuthorizables.isEmpty()
- || newAuthorizables == null || newAuthorizables.isEmpty()) {
- throw new SentryUserException("oldAuthorizables or newAuthorizables can not be null or empty");
- }
-
- TRenamePrivilegesRequest request = new TRenamePrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setServiceName(serviceName);
-
- List<TAuthorizable> oldTAuthorizables = Lists.newArrayList();
- List<TAuthorizable> newTAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : oldAuthorizables) {
- oldTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- request.setOldAuthorizables(oldTAuthorizables);
- }
- for (Authorizable authorizable : newAuthorizables) {
- newTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- request.setNewAuthorizables(newTAuthorizables);
- }
-
- try {
- TRenamePrivilegesResponse response = client.rename_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Gets sentry role objects for a given groupName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
- * @param component: The request is issued to which component
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- public synchronized Set<TSentryRole> listRolesByGroupName(
- String requestorUserName,
- String groupName,
- String component)
- throws SentryUserException {
- TListSentryRolesRequest request = new TListSentryRolesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setGroupName(groupName);
- request.setComponent(component);
- TListSentryRolesResponse response;
- try {
- response = client.list_sentry_roles_by_group(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getRoles();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public Set<TSentryRole> listUserRoles(String requestorUserName, String component)
- throws SentryUserException {
- return listRolesByGroupName(requestorUserName, AccessConstants.ALL, component);
- }
-
- public Set<TSentryRole> listAllRoles(String requestorUserName, String component)
- throws SentryUserException {
- return listRolesByGroupName(requestorUserName, null, component);
- }
-
- /**
- * Gets sentry privileges for a given roleName and Authorizable Hirerchys using the Sentry service
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName:
- * @param component: The request is issued to which component
- * @param serviceName
- * @param authorizables
- * @return
- * @throws SentryUserException
- */
- public Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName, List<? extends Authorizable> authorizables)
- throws SentryUserException {
- TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- if (authorizables != null && !authorizables.isEmpty()) {
- List<TAuthorizable> tAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : authorizables) {
- tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- request.setAuthorizables(tAuthorizables);
- }
-
- TListSentryPrivilegesResponse response;
- try {
- response = client.list_sentry_privileges_by_role(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- return response.getPrivileges();
- }
-
- public Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName) throws SentryUserException {
- return listPrivilegesByRoleName(requestorUserName, roleName, component, serviceName, null);
- }
-
- /**
- * get sentry permissions from provider as followings:
- * @param: component: The request is issued to which component
- * @param: serviceName: The privilege belongs to which service
- * @param: roleSet
- * @param: groupNames
- * @param: the authorizables
- * @returns the set of permissions
- * @throws SentryUserException
- */
- public Set<String> listPrivilegesForProvider(String component,
- String serviceName, ActiveRoleSet roleSet, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException {
- TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
- TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRoleSet(thriftRoleSet);
- if (groups == null) {
- request.setGroups(new HashSet<String>());
- } else {
- request.setGroups(groups);
- }
- List<TAuthorizable> tAuthoriables = Lists.newArrayList();
- if (authorizables != null && !authorizables.isEmpty()) {
- for (Authorizable authorizable : authorizables) {
- tAuthoriables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- request.setAuthorizables(tAuthoriables);
- }
-
- try {
- TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivileges();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Get sentry privileges based on valid active roles and the authorize objects. Note that
- * it is client responsibility to ensure the requestor username, etc. is not impersonated.
- *
- * @param component: The request respond to which component.
- * @param serviceName: The name of service.
- * @param requestorUserName: The requestor user name.
- * @param authorizablesSet: The set of authorize objects. One authorize object is represented
- * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
- * @param groups: The requested groups.
- * @param roleSet: The active roles set.
- *
- * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
- * @throws SentryUserException
- */
- public Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
- String serviceName, String requestorUserName, Set<String> authorizablesSet,
- Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException {
-
- TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest();
-
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRequestorUserName(requestorUserName);
- request.setAuthorizablesSet(authorizablesSet);
-
- if (groups == null) {
- request.setGroups(new HashSet<String>());
- } else {
- request.setGroups(groups);
- }
-
- if (roleSet != null) {
- request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
- }
-
- try {
- TListSentryPrivilegesByAuthResponse response = client.list_sentry_privileges_by_authorizable(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivilegesMapByAuth();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public void close() {
- if (transport != null) {
- transport.close();
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
deleted file mode 100644
index 980d930..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-
-/**
- * SentryGenericServiceClientFactory is a public class for the components which using Generic Model to create sentry client.
- */
-public final class SentryGenericServiceClientFactory {
-
- private SentryGenericServiceClientFactory() {
- }
-
- public static SentryGenericServiceClient create(Configuration conf) throws Exception {
- return new SentryGenericServiceClientDefaultImpl(conf);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
deleted file mode 100644
index 688bc9e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
-import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
-import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
-
-public class KafkaTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
-
- public KafkaTSentryPrivilegeConverter(String component, String service) {
- this.component = component;
- this.service = service;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
- final String hostPrefixLowerCase = hostPrefix.toLowerCase();
- if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
- privilegeStr = hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
- }
- validatePrivilegeHierarchy(privilegeStr);
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue);
- if (authz != null) {
- authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
-
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
- new KafkaPrivilegeValidator().validate(new PrivilegeValidatorContext(privilegeStr));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
deleted file mode 100644
index 013e824..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-
-abstract public class SentryConfigToolCommon {
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- /**
- * parse arguments
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -p,--policy_ini <arg> policy file path
- * -v,--validate validate policy file
- * -c,--checkcompat check compatibility with service
- * -i,--import import policy file
- * -h,--help print usage
- * </pre>
- * @param args
- */
- protected boolean parseArgs(String [] args) {
- Options options = new Options();
-
- Option globalPolicyPath = new Option("p", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(true);
- options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, "sentry-site file path");
- sentrySitePathOpt.setRequired(true);
- options.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, "Shell usage");
- helpOpt.setRequired(false);
- options.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(options);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(options, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
-
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(options);
- return false;
- }
- return true;
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryConfigTool", sentryOptions);
- }
-
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeConfigTool(String [] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-
- public String getPolicyFile() { return policyFile; }
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
deleted file mode 100644
index 404adb8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ /dev/null
@@ -1,262 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * SentryConfigToolSolr is an administrative tool used to parse a Solr policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolSolr extends SentryConfigToolCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()));
- return conf;
- }
-
- /**
- * Convert policy file to solrctl commands -- based on SENTRY-480
- */
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- SolrTSentryPrivilegeConverter converter = new SolrTSentryPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.addRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
- public static void main(String[] args) throws Exception {
- SentryConfigToolSolr solrTool = new SentryConfigToolSolr();
- try {
- solrTool.executeConfigTool(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
deleted file mode 100644
index d6d9014..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.*;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellKafka is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellKafka extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellKafka.class);
- public static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
-
- @Override
- public void run() throws Exception {
- Command command = null;
- String component = AuthorizationComponent.KAFKA;
- Configuration conf = getSentryConf();
-
- String service = conf.get(KAFKA_SERVICE_NAME, "kafka1");
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName, component);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName, component);
- } else if (isAddRoleGroup) {
- command = new AddRoleToGroupCmd(roleName, groupName, component);
- } else if (isDeleteRoleGroup) {
- command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, component,
- privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, component,
- privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
- } else if (isListRole) {
- command = new ListRolesCmd(groupName, component);
- } else if (isListPrivilege) {
- command = new ListPrivilegesByRoleCmd(roleName, component,
- service, new KafkaTSentryPrivilegeConverter(component, service));
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellKafka sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
deleted file mode 100644
index 695c008..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.*;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellSolr is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellSolr extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- Command command = null;
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName, component);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName, component);
- } else if (isAddRoleGroup) {
- command = new AddRoleToGroupCmd(roleName, groupName, component);
- } else if (isDeleteRoleGroup) {
- command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, component,
- privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, component,
- privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
- } else if (isListRole) {
- command = new ListRolesCmd(groupName, component);
- } else if (isListPrivilege) {
- command = new ListPrivilegesByRoleCmd(roleName, component,
- service, new SolrTSentryPrivilegeConverter(component, service));
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellSolr sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
deleted file mode 100644
index 92c6c59..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.core.common.validator.PrivilegeValidator;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.search.SearchModelAuthorizables;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.shiro.config.ConfigurationException;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-public class SolrTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
- private boolean validate;
-
- public SolrTSentryPrivilegeConverter(String component, String service) {
- this(component, service, true);
- }
-
- public SolrTSentryPrivilegeConverter(String component, String service, boolean validate) {
- this.component = component;
- this.service = service;
- this.validate = validate;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- if (validate) {
- validatePrivilegeHierarchy(privilegeStr);
- }
-
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- SearchModelAuthorizable authz = SearchModelAuthorizables.from(keyValue);
- if (authz != null) {
- if (authz instanceof Collection) {
- Collection coll = (Collection)authz;
- authorizables.add(new TAuthorizable(coll.getTypeName(), coll.getName()));
- } else {
- throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName());
- }
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- // Limitation: don't support grant at this time, since the existing solr use cases don't need it.
- } else {
- throw new IllegalArgumentException("Unknown key: " + key);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
- List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators();
- PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
- for (PrivilegeValidator validator : validators) {
- try {
- validator.validate(context);
- } catch (ConfigurationException e) {
- throw new IllegalArgumentException(e);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
deleted file mode 100644
index a45d7e4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * Command for adding groups to a role.
- */
-public class AddRoleToGroupCmd implements Command {
-
- private String roleName;
- private String groups;
- private String component;
-
- public AddRoleToGroupCmd(String roleName, String groups, String component) {
- this.roleName = roleName;
- this.groups = groups;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.addRoleToGroups(requestorName, roleName, component, groupSet);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
deleted file mode 100644
index e824fb3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-
-/**
- * The interface for all admin commands, eg, CreateRoleCmd.
- */
-public interface Command {
- void execute(SentryGenericServiceClient client, String requestorName) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
deleted file mode 100644
index da60a64..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-
-/**
- * The class for admin command to create role.
- */
-public class CreateRoleCmd implements Command {
-
- private String roleName;
- private String component;
-
- public CreateRoleCmd(String roleName, String component) {
- this.roleName = roleName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- client.createRole(requestorName, roleName, component);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
deleted file mode 100644
index 95f39ea..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * Command for deleting groups from a role.
- */
-public class DeleteRoleFromGroupCmd implements Command {
-
- private String roleName;
- private String groups;
- private String component;
-
- public DeleteRoleFromGroupCmd(String roleName, String groups, String component) {
- this.groups = groups;
- this.roleName = roleName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.deleteRoleToGroups(requestorName, roleName, component, groupSet);
- }
-}