You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/03/14 16:18:47 UTC

sentry git commit: SENTRY-2178: Sentry permissions for Solr are deleted as part of migration process (Hrishikesh Gadre, reviewed by Sergio Pena, Na Li)

Repository: sentry
Updated Branches:
  refs/heads/master f557a0380 -> d3aef7c8a


SENTRY-2178: Sentry permissions for Solr are deleted as part of migration process (Hrishikesh Gadre, reviewed by Sergio Pena, Na Li)

Change-Id: Iab66bb3479e92b63cf97693bc88a1d143c870b18


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/d3aef7c8
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/d3aef7c8
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/d3aef7c8

Branch: refs/heads/master
Commit: d3aef7c8aae7403c637b0b146d32d656b608a20d
Parents: f557a03
Author: Sergio Pena <se...@cloudera.com>
Authored: Wed Mar 14 11:12:46 2018 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Wed Mar 14 11:12:46 2018 -0500

----------------------------------------------------------------------
 .../tools/PermissionsMigrationToolCommon.java   | 41 +++++++++++---------
 1 file changed, 23 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/d3aef7c8/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
index 8c2ec32..ed28b73 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
@@ -17,7 +17,6 @@
  */
 package org.apache.sentry.provider.db.generic.tools;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Optional;
@@ -242,32 +241,38 @@ public abstract class PermissionsMigrationToolCommon {
         for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestorName,
             r.getRoleName(), component, serviceName)) {
 
-          Collection<String> privileges = Collections.singleton(converter.toString(p));
+          String privilegeStr = converter.toString(p);
+          Collection<String> privileges = Collections.singleton(privilegeStr);
           Collection<String> migrated = transformPrivileges(privileges);
           if (!migrated.isEmpty()) {
             LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), r.getRoleName(),
                 privileges, migrated);
 
-            if (!dryRun) {
-              Collection<TSentryPrivilege> tmp = new ArrayList<>();
-              for (String perm : migrated) {
-                tmp.add(converter.fromString(perm));
+            /*
+             * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration
+             * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions
+             * like crash of Sentry server or network disconnect between client/server, it is possible that the migration
+             * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege
+             * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency
+             * due to such failures.
+             **/
+            boolean originalPermPresent = false;
+            for (String perm : migrated) {
+              if (perm.equalsIgnoreCase(privilegeStr)) {
+                originalPermPresent = true;
+                continue;
               }
-
-              /*
-               * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration
-               * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions
-               * like crash of Sentry server or network disconnect between client/server, it is possible that the migration
-               * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege
-               * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency
-               * due to such failures.
-               **/
-              for (TSentryPrivilege x : tmp) { // grant new permissions
+              TSentryPrivilege x = converter.fromString(perm);
+              LOGGER.info("{} GRANT permission {}", getDryRunMessage(), perm);
+              if (!dryRun) {
                 client.grantPrivilege(requestorName, r.getRoleName(), component, x);
               }
+            }
 
-              // Revoke old permission (only if not part of migrated permissions)
-              if (!tmp.contains(p)) {
+            // Revoke old permission (only if not part of migrated permissions)
+            if (!originalPermPresent) {
+              LOGGER.info("{} REVOKE permission {}", getDryRunMessage(), privilegeStr);
+              if (!dryRun) {
                 client.revokePrivilege(requestorName, r.getRoleName(), component, p);
               }
             }