You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/03/14 16:18:47 UTC
sentry git commit: SENTRY-2178: Sentry permissions for Solr are
deleted as part of migration process (Hrishikesh Gadre,
reviewed by Sergio Pena, Na Li)
Repository: sentry
Updated Branches:
refs/heads/master f557a0380 -> d3aef7c8a
SENTRY-2178: Sentry permissions for Solr are deleted as part of migration process (Hrishikesh Gadre, reviewed by Sergio Pena, Na Li)
Change-Id: Iab66bb3479e92b63cf97693bc88a1d143c870b18
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/d3aef7c8
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/d3aef7c8
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/d3aef7c8
Branch: refs/heads/master
Commit: d3aef7c8aae7403c637b0b146d32d656b608a20d
Parents: f557a03
Author: Sergio Pena <se...@cloudera.com>
Authored: Wed Mar 14 11:12:46 2018 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Wed Mar 14 11:12:46 2018 -0500
----------------------------------------------------------------------
.../tools/PermissionsMigrationToolCommon.java | 41 +++++++++++---------
1 file changed, 23 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/d3aef7c8/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
index 8c2ec32..ed28b73 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
@@ -17,7 +17,6 @@
*/
package org.apache.sentry.provider.db.generic.tools;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Optional;
@@ -242,32 +241,38 @@ public abstract class PermissionsMigrationToolCommon {
for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestorName,
r.getRoleName(), component, serviceName)) {
- Collection<String> privileges = Collections.singleton(converter.toString(p));
+ String privilegeStr = converter.toString(p);
+ Collection<String> privileges = Collections.singleton(privilegeStr);
Collection<String> migrated = transformPrivileges(privileges);
if (!migrated.isEmpty()) {
LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), r.getRoleName(),
privileges, migrated);
- if (!dryRun) {
- Collection<TSentryPrivilege> tmp = new ArrayList<>();
- for (String perm : migrated) {
- tmp.add(converter.fromString(perm));
+ /*
+ * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration
+ * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions
+ * like crash of Sentry server or network disconnect between client/server, it is possible that the migration
+ * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege
+ * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency
+ * due to such failures.
+ **/
+ boolean originalPermPresent = false;
+ for (String perm : migrated) {
+ if (perm.equalsIgnoreCase(privilegeStr)) {
+ originalPermPresent = true;
+ continue;
}
-
- /*
- * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration
- * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions
- * like crash of Sentry server or network disconnect between client/server, it is possible that the migration
- * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege
- * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency
- * due to such failures.
- **/
- for (TSentryPrivilege x : tmp) { // grant new permissions
+ TSentryPrivilege x = converter.fromString(perm);
+ LOGGER.info("{} GRANT permission {}", getDryRunMessage(), perm);
+ if (!dryRun) {
client.grantPrivilege(requestorName, r.getRoleName(), component, x);
}
+ }
- // Revoke old permission (only if not part of migrated permissions)
- if (!tmp.contains(p)) {
+ // Revoke old permission (only if not part of migrated permissions)
+ if (!originalPermPresent) {
+ LOGGER.info("{} REVOKE permission {}", getDryRunMessage(), privilegeStr);
+ if (!dryRun) {
client.revokePrivilege(requestorName, r.getRoleName(), component, p);
}
}