Posted to commits@sentry.apache.org by co...@apache.org on 2015/09/29 09:57:25 UTC
[1/2] incubator-sentry git commit: SENTRY-812: Generate audit trail
for Sentry generic model when authorization metadata change (Colin Ma,
Reviewed by: Dapeng Sun)
Repository: incubator-sentry
Updated Branches:
refs/heads/master cedfc573c -> 66b7096cb
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
index 199f7f5..4e40038 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
@@ -24,7 +24,6 @@ import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
-import org.apache.log4j.Logger;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
@@ -53,7 +52,6 @@ import com.google.common.collect.Sets;
public class TestJsonLogEntityFactory {
private static Configuration conf;
- private Logger sentryLogger = Logger.getRootLogger();
private static String TEST_IP = "localhost/127.0.0.1";
private static String TEST_IMPERSONATOR = "impersonator";
@@ -79,18 +77,16 @@ public class TestJsonLogEntityFactory {
request.setRequestorUserName(TEST_USER_NAME);
request.setRoleName(TEST_ROLE_NAME);
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
.getInstance().createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE,
"CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
response.setStatus(Status.InvalidInput("", null));
- amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
.createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE,
"CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
}
@Test
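Review bot: Removing `sentryLogger.debug(amle.toJsonFormatLog());` here (and in the drop-role, grant, revoke, add-group and delete-group tests in the following hunks) also removes the only place this test exercised the JSON rendering of the audit entity, which previously at least would have surfaced an exception from serialization. If `DBAuditMetadataLogEntity` still exposes `toJsonFormatLog()`, consider replacing the debug calls with an assertion on its output rather than dropping them, e.g. `assertTrue(amle.toJsonFormatLog().contains("\"operationText\":\"CREATE ROLE testRole\""));` with the key name checked against the entity's actual field naming. Dropping the root logger itself is fine; the point is only about coverage of the serialized audit record.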
@@ -100,18 +96,16 @@ public class TestJsonLogEntityFactory {
request.setRequestorUserName(TEST_USER_NAME);
request.setRoleName(TEST_ROLE_NAME);
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
.getInstance().createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE,
"DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
response.setStatus(Status.InvalidInput("", null));
- amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
.createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE,
"DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
}
@Test
@@ -128,18 +122,17 @@ public class TestJsonLogEntityFactory {
privileges.add(privilege);
request.setPrivileges(privileges);
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = new AuditMetadataLogEntity();
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
Set<JsonLogEntity> amles = JsonLogEntityFactory
.getInstance().createJsonLogEntitys(request, response, conf);
assertEquals(amles.size(),1);
for (JsonLogEntity amle1 : amles) {
- amle = (AuditMetadataLogEntity) amle1;
+ amle = (DBAuditMetadataLogEntity) amle1;
break;
}
assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE,
"GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME,
null, null, Constants.OBJECT_TYPE_PRINCIPAL);
- sentryLogger.debug(amle.toJsonFormatLog());
privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
null, TEST_TABLE_NAME, null, null);
@@ -151,13 +144,12 @@ public class TestJsonLogEntityFactory {
.createJsonLogEntitys(request, response, conf);
assertEquals(amles.size(),1);
for (JsonLogEntity amle1 : amles) {
- amle = (AuditMetadataLogEntity) amle1;
+ amle = (DBAuditMetadataLogEntity) amle1;
break;
}
assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE,
"GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME,
null, Constants.OBJECT_TYPE_PRINCIPAL);
- sentryLogger.debug(amle.toJsonFormatLog());
}
@Test
@@ -173,18 +165,17 @@ public class TestJsonLogEntityFactory {
privileges.add(privilege);
request.setPrivileges(privileges);
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = new AuditMetadataLogEntity();
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
Set<JsonLogEntity> amles = JsonLogEntityFactory
.getInstance().createJsonLogEntitys(request, response, conf);
assertEquals(amles.size(),1);
for (JsonLogEntity amle1 : amles) {
- amle = (AuditMetadataLogEntity) amle1;
+ amle = (DBAuditMetadataLogEntity) amle1;
break;
}
assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE,
"REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME,
null, null, Constants.OBJECT_TYPE_PRINCIPAL);
- sentryLogger.debug(amle.toJsonFormatLog());
privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
null, TEST_TABLE_NAME, null, null);
@@ -196,13 +187,12 @@ public class TestJsonLogEntityFactory {
.createJsonLogEntitys(request, response, conf);
assertEquals(amles.size(),1);
for (JsonLogEntity amle1 : amles) {
- amle = (AuditMetadataLogEntity) amle1;
+ amle = (DBAuditMetadataLogEntity) amle1;
break;
}
assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE,
"REVOKE ALL ON TABLE testTable FROM ROLE testRole", null,
TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
- sentryLogger.debug(amle.toJsonFormatLog());
}
@Test
@@ -213,20 +203,18 @@ public class TestJsonLogEntityFactory {
request.setRoleName(TEST_ROLE_NAME);
request.setGroups(getGroups());
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
.getInstance().createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
"GRANT ROLE testRole TO GROUP testGroup", null, null, null,
Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
response.setStatus(Status.InvalidInput("", null));
- amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
.createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
"GRANT ROLE testRole TO GROUP testGroup", null, null, null,
Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
}
@Test
@@ -237,23 +225,21 @@ public class TestJsonLogEntityFactory {
request.setRoleName(TEST_ROLE_NAME);
request.setGroups(getGroups());
response.setStatus(Status.OK());
- AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
.getInstance().createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
"REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
response.setStatus(Status.InvalidInput("", null));
- amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
.createJsonLogEntity(request, response, conf);
assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
"REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
Constants.OBJECT_TYPE_ROLE);
- sentryLogger.debug(amle.toJsonFormatLog());
}
- private void assertCommon(AuditMetadataLogEntity amle,
+ private void assertCommon(DBAuditMetadataLogEntity amle,
String allowedExcepted, String operationExcepted,
String operationTextExcepted, String databaseNameExcepted,
String tableNameExcepted, String resourcePathExcepted,
@@ -272,37 +258,6 @@ public class TestJsonLogEntityFactory {
assertEquals(objectTypeExcepted, amle.getObjectType());
}
- // private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
- // TAlterSentryRoleGrantPrivilegeRequest request = new
- // TAlterSentryRoleGrantPrivilegeRequest();
- // request.setRoleName(TEST_ROLE_NAME);
- // return request;
- // }
- //
- // private TAlterSentryRoleGrantPrivilegeResponse getGrantPrivilegeResponse(
- // TSentryResponseStatus status) {
- // TAlterSentryRoleGrantPrivilegeResponse response = new
- // TAlterSentryRoleGrantPrivilegeResponse();
- // response.setStatus(status);
- // return response;
- // }
-
- // private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest()
- // {
- // TAlterSentryRoleRevokePrivilegeRequest request = new
- // TAlterSentryRoleRevokePrivilegeRequest();
- // request.setRoleName(TEST_ROLE_NAME);
- // return request;
- // }
- //
- // private TAlterSentryRoleRevokePrivilegeResponse getRevokePrivilegeResponse(
- // TSentryResponseStatus status) {
- // TAlterSentryRoleRevokePrivilegeResponse response = new
- // TAlterSentryRoleRevokePrivilegeResponse();
- // response.setStatus(status);
- // return response;
- // }
-
private TSentryPrivilege getPrivilege(String action, String privilegeScope,
String dbName, String tableName, String serverName, String URI) {
TSentryPrivilege privilege = new TSentryPrivilege();
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
new file mode 100644
index 0000000..a5aff35
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
@@ -0,0 +1,259 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJsonLogEntityFactoryGM {
+
+ private static Configuration conf;
+ private static String TEST_IP = "localhost/127.0.0.1";
+ private static String TEST_IMPERSONATOR = "impersonator";
+ private static String TEST_ROLE_NAME = "testRole";
+ private static String TEST_USER_NAME = "requestUser";
+ private static String TEST_GROUP = "testGroup";
+ private static String TEST_ACTION = "action";
+ private static String TEST_COMPONENT = "component";
+ private static Map<String, String> TEST_PRIVILEGES_MAP = new HashMap<String, String>();
+
+ @BeforeClass
+ public static void init() {
+ conf = new Configuration();
+ conf.set(ServerConfig.SENTRY_SERVICE_NAME, ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
+ ThriftUtil.setIpAddress(TEST_IP);
+ ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
+ TEST_PRIVILEGES_MAP.put("resourceType1", "resourceName1");
+ TEST_PRIVILEGES_MAP.put("resourceType2", "resourceName2");
+ TEST_PRIVILEGES_MAP.put("resourceType3", "resourceName3");
+ }
+
+ @Test
+ public void testCreateRole() {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+ }
+
+ @Test
+ public void testDropRole() {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+ }
+
+ @Test
+ public void testGrantRole() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+
+ TSentryPrivilege privilege = getPrivilege();
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(
+ request, response, conf);
+ assertCommon(
+ amle,
+ Constants.TRUE,
+ Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(
+ amle,
+ Constants.FALSE,
+ Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+ }
+
+ @Test
+ public void testRevokeRole() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TSentryPrivilege privilege = getPrivilege();
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(
+ amle,
+ Constants.TRUE,
+ Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+
+ assertCommon(
+ amle,
+ Constants.FALSE,
+ Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+ }
+
+ @Test
+ public void testAddRole() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+ }
+
+ @Test
+ public void testDeleteRole() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+ }
+
+ private void assertCommon(GMAuditMetadataLogEntity amle, String allowedExcepted,
+ String operationExcepted, String operationTextExcepted, String objectTypeExcepted,
+ Map<String, String> privilegesExcepted) {
+ assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT, amle.getServiceName());
+ assertEquals(TEST_IP, amle.getIpAddress());
+ assertEquals(TEST_USER_NAME, amle.getUserName());
+ assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
+ assertEquals(allowedExcepted, amle.getAllowed());
+ assertEquals(operationExcepted, amle.getOperation());
+ assertEquals(operationTextExcepted, amle.getOperationText());
+ assertEquals(objectTypeExcepted, amle.getObjectType());
+ assertPrivilegesMap(privilegesExcepted, amle.getPrivilegesMap());
+ }
+
+ private void assertPrivilegesMap(Map<String, String> privilegesExcepted,
+ Map<String, String> privilegesActual) {
+ assertEquals(privilegesExcepted.size(), privilegesActual.size());
+ for (Map.Entry<String, String> privilege : privilegesExcepted.entrySet()) {
+ assertEquals(privilege.getValue(), privilegesActual.get(privilege.getKey()));
+ }
+ }
+
+ private TSentryPrivilege getPrivilege() {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(TEST_ACTION);
+ privilege.setComponent(TEST_COMPONENT);
+ List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
+ authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
+ authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
+ authorizables.add(new TAuthorizable("resourceType3", "resourceName3"));
+ privilege.setAuthorizables(authorizables);
+ return privilege;
+ }
+
+ private Set<String> getGroups() {
+ Set<String> groups = new HashSet<String>();
+ groups.add(TEST_GROUP);
+ return groups;
+ }
+}
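Review bot: The class-level fixtures `TEST_IP`, `TEST_IMPERSONATOR`, `TEST_ROLE_NAME`, `TEST_USER_NAME`, `TEST_GROUP`, `TEST_ACTION`, `TEST_COMPONENT` and `TEST_PRIVILEGES_MAP` are declared `private static` without `final`, so nothing prevents a test from reassigning them; `private static final String TEST_IP = "localhost/127.0.0.1";` (and likewise for the others) states the intent. `TEST_PRIVILEGES_MAP` is additionally a mutable `HashMap` passed directly into `assertCommon`, so an accidental `put` in one test would silently change the expected value for every test that runs after it; wrapping it with `Collections.unmodifiableMap(...)` after `init()` has populated it closes that gap. The helper parameters are spelled `*Excepted` where `*Expected` is meant (carried over from `TestJsonLogEntityFactory`); since this is a new file it is a good moment to correct the naming. `getPrivilege()` sets a component via `setComponent(TEST_COMPONENT)` but `assertCommon` never checks it on the entity; if `GMAuditMetadataLogEntity` carries the component, assert it too so the field that scopes the audit record to a generic-model component is covered.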
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
index 0a2b0b2..02a79ff 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
@@ -18,18 +18,17 @@
package org.apache.sentry.provider.db.log.util;
-import java.util.LinkedHashSet;
+import java.util.ArrayList;
+import java.util.List;
import java.util.Set;
import junit.framework.TestCase;
import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
import org.junit.Test;
@@ -56,18 +55,11 @@ public class TestCommandUtil extends TestCase {
@Test
public void testCreateCmdForRoleAddOrDeleteGroup1() {
- TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
- TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
-
- Set<TSentryGroup> groups = getGroups(1);
- requestAdd.setGroups(groups);
- requestDelete.setGroups(groups);
-
- String createRoleAddGroupCmdResult = CommandUtil
- .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
+ getGroupStr(1));
String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
- String createRoleDeleteGroupCmdResult = CommandUtil
- .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
+ getGroupStr(1));
String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
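Review bot: `testCreateCmdForRoleAddOrDeleteGroup1` (and `testCreateCmdForRoleAddOrDeleteGroup2` in the next hunk) now hands a pre-joined string from `getGroupStr(n)` to `createCmdForRoleAddGroup`/`createCmdForRoleDeleteGroup`, so the comma-separated rendering of the group set that the old `getGroups(n)` version exercised is now produced by the test helper rather than by the code under test. What the assertions still cover is only the `GRANT ROLE … TO GROUP …` / `REVOKE ROLE … FROM GROUP …` template around the two strings. If the joining of group names moved to the caller (the diffstat lists `SentryGenericPolicyProcessor` as changed, which is presumably where), that logic deserves its own test, because a wrong separator or a dropped group in the audit text would no longer be caught here.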
@@ -77,19 +69,11 @@ public class TestCommandUtil extends TestCase {
@Test
public void testCreateCmdForRoleAddOrDeleteGroup2() {
-
- TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
- TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
-
- Set<TSentryGroup> groups = getGroups(3);
- requestAdd.setGroups(groups);
- requestDelete.setGroups(groups);
-
- String createRoleAddGroupCmdResult = CommandUtil
- .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
+ getGroupStr(3));
String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
- String createRoleDeleteGroupCmdResult = CommandUtil
- .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
+ getGroupStr(3));
String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
@@ -294,26 +278,55 @@ public class TestCommandUtil extends TestCase {
assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
}
- private TAlterSentryRoleAddGroupsRequest getRoleAddGroupsRequest() {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- request.setRoleName("testRole");
- return request;
+ // generate the command without grant option
+ @Test
+ public void testCreateCmdForGrantOrRevokeGMPrivilege1() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokeGMPrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
}
- private TAlterSentryRoleDeleteGroupsRequest getRoleDeleteGroupsRequest() {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- request.setRoleName("testRole");
- return request;
+ // generate the command with grant option
+ @Test
+ public void testCreateCmdForGrantOrRevokeGMPrivilege2() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
+ privilege
+ .setGrantOption(org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE);
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole WITH GRANT OPTION";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokeGMPrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole WITH GRANT OPTION";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
}
- private Set<TSentryGroup> getGroups(int num) {
- Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+ private String getGroupStr(int num) {
+ StringBuilder sb = new StringBuilder();
for (int i = 0; i < num; i++) {
- TSentryGroup group = new TSentryGroup();
- group.setGroupName("testGroup" + (i + 1));
- groups.add(group);
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append("testGroup" + (i + 1));
}
- return groups;
+ return sb.toString();
}
private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
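Review bot: The two new GM tests spell out `org.apache.sentry.provider.db.generic.service.thrift.` in full on every declaration and on `TSentryGrantOption.TRUE`, which makes the assertions hard to read next to the db-model tests above. The collision is only with the db-model `TAlterSentryRole*PrivilegeRequest`, `TSentryPrivilege` and `TSentryGrantOption` already imported, so either the GM cases can move to a `TestCommandUtilGM` class (mirroring the `TestJsonLogEntityFactoryGM` split this commit already makes) or the fully-qualified names can be confined to the private helpers with the tests declaring `var`-free locals via those helpers' return types. Also `sb.append("testGroup" + (i + 1));` in `getGroupStr` concatenates before appending; `sb.append("testGroup").append(i + 1);` is the usual form.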
@@ -328,6 +341,18 @@ public class TestCommandUtil extends TestCase {
return request;
}
+ private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest getGrantGMPrivilegeRequest() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest getRevokeGMPrivilegeRequest() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
private TSentryPrivilege getPrivilege(String action, String privilegeScope,
String dbName, String tableName, String serverName, String URI) {
TSentryPrivilege privilege = new TSentryPrivilege();
@@ -339,4 +364,15 @@ public class TestCommandUtil extends TestCase {
privilege.setURI(URI);
return privilege;
}
+
+ private org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege getGMPrivilege() {
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = new org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege();
+ privilege.setAction("ACTION");
+ privilege.setComponent("COMPONENT");
+ List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
+ authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
+ authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
+ privilege.setAuthorizables(authorizables);
+ return privilege;
+ }
}
[2/2] incubator-sentry git commit: SENTRY-812: Generate audit trail
for Sentry generic model when authorization metadata change (Colin Ma,
Reviewed by: Dapeng Sun)
Posted by co...@apache.org.
SENTRY-812: Generate audit trail for Sentry generic model when authorization metadata change (Colin Ma, Reviewed by: Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/66b7096c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/66b7096c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/66b7096c
Branch: refs/heads/master
Commit: 66b7096cb14a6f52d16ea3e6efef1f1af65e35b2
Parents: cedfc57
Author: Colin Ma <co...@apache.org>
Authored: Tue Sep 29 15:30:34 2015 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Tue Sep 29 15:30:34 2015 +0800
----------------------------------------------------------------------
.../thrift/SentryGenericPolicyProcessor.java | 60 +++-
.../SentryGenericPolicyProcessorFactory.java | 5 +-
.../SentryGenericPolicyProcessorWrapper.java | 39 +++
.../db/log/entity/AuditMetadataLogEntity.java | 137 ++-------
.../db/log/entity/DBAuditMetadataLogEntity.java | 122 ++++++++
.../db/log/entity/GMAuditMetadataLogEntity.java | 95 ++++++
.../provider/db/log/entity/JsonLogEntity.java | 2 +-
.../db/log/entity/JsonLogEntityFactory.java | 198 ++++++++++--
.../provider/db/log/util/CommandUtil.java | 89 ++++--
.../sentry/provider/db/log/util/Constants.java | 48 +++
.../thrift/SentryPolicyStoreProcessor.java | 68 ++++-
.../TestAuditLogForSentryGenericService.java | 299 +++++++++++++++++++
.../log/entity/TestAuditMetadataLogEntity.java | 69 -----
.../entity/TestDbAuditMetadataLogEntity.java | 69 +++++
.../entity/TestGMAuditMetadataLogEntity.java | 74 +++++
.../db/log/entity/TestJsonLogEntityFactory.java | 75 +----
.../log/entity/TestJsonLogEntityFactoryGM.java | 259 ++++++++++++++++
.../provider/db/log/util/TestCommandUtil.java | 118 +++++---
18 files changed, 1472 insertions(+), 354 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
index 94049d8..e7b6d17 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
@@ -36,8 +36,10 @@ import org.apache.sentry.provider.db.SentryInvalidInputException;
import org.apache.sentry.provider.db.SentryNoSuchObjectException;
import org.apache.sentry.provider.db.SentryThriftAPIMismatchException;
import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
-import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
+import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.persistent.CommitContext;
import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException;
@@ -60,6 +62,8 @@ import com.google.common.collect.Sets;
public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface {
private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericPolicyProcessor.class);
+ private static final Logger AUDIT_LOGGER = LoggerFactory
+ .getLogger(Constants.AUDIT_LOGGER_NAME_GENERIC);
private final Configuration conf;
private final ImmutableSet<String> adminGroups;
private final SentryStoreLayer store;
@@ -297,6 +301,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.create_sentry_role(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for create role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
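Review bot: The audit record is emitted only after `handerInvoker.create_sentry_role(respose.context, request, tResponse)` returns, so if that hook throws for a request the store has already committed, the exception propagates and no audit entry is ever written for a successful role creation. Moving the new try/catch above the `if (Status.OK.getCode() == respose.status.getValue())` handler call, or putting it in a `finally` around the handler, keeps the audit trail complete regardless of hook failures; whether the invoker can throw is not visible in this hunk, so confirm against its implementation. The same nine-line try/catch is pasted into six methods of this file, and factoring it into one private helper would keep the copies from drifting. The enclosing method's signature and store call lie outside this hunk.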
@@ -318,6 +331,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.drop_sentry_role(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for drop role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
@@ -339,6 +361,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.alter_sentry_role_grant_privilege(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
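Review bot: A failure inside the new try block is reported only to the service logger, `LOGGER.error(msg, e)`, so a consumer of `AUDIT_LOGGER` sees no trace that a grant was processed without an audit record, and `catch (Exception e)` extends that silent degradation to any RuntimeException thrown by the factory. For an audit trail the gap itself should be visible in the audit stream: emit a minimal fallback line in the catch branch, e.g. `AUDIT_LOGGER.error("audit record could not be built for " + request.getClass().getSimpleName(), e);`, and if the deployment requires fail-closed auditing, consider returning a failure status rather than the already-computed `tResponse`. The enclosing method starts outside this hunk.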
@@ -360,6 +391,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.alter_sentry_role_revoke_privilege(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for revoke privilege from role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
@@ -383,6 +423,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.alter_sentry_role_add_groups(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for add role to group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
@@ -406,6 +455,15 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
if (Status.OK.getCode() == respose.status.getValue()) {
handerInvoker.alter_sentry_role_delete_groups(respose.context, request, tResponse);
}
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for delete role from group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return tResponse;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
index 71ce579..1cce1fc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
@@ -18,8 +18,6 @@
package org.apache.sentry.provider.db.generic.service.thrift;
import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService;
-import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
import org.apache.sentry.service.thrift.ProcessorFactory;
import org.apache.thrift.TMultiplexedProcessor;
import org.apache.thrift.TProcessor;
@@ -33,7 +31,8 @@ public class SentryGenericPolicyProcessorFactory extends ProcessorFactory {
@Override
public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception {
SentryGenericPolicyProcessor processHandler = new SentryGenericPolicyProcessor(conf);
- TProcessor processor = new SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface>(processHandler);
+ TProcessor processor = new SentryGenericPolicyProcessorWrapper<SentryGenericPolicyService.Iface>(
+ processHandler);
multiplexedProcessor.registerProcessor(SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME, processor);
return true;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
new file mode 100644
index 0000000..d320d0f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TProtocol;
+
+public class SentryGenericPolicyProcessorWrapper<I extends SentryGenericPolicyService.Iface>
+ extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface> {
+
+ public SentryGenericPolicyProcessorWrapper(I iface) {
+ super(iface);
+ }
+
+ @Override
+ public boolean process(TProtocol in, TProtocol out) throws TException {
+ // set the ip and impersonator for audit log
+ ThriftUtil.setIpAddress(in);
+ ThriftUtil.setImpersonator(in);
+ return super.process(in, out);
+ }
+}
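Review bot: The class's own type parameter `I` is used only in the constructor while the superclass is bound to the raw interface, `extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface>`; binding it as `extends SentryGenericPolicyService.Processor<I>` makes the declaration match the factory's `new SentryGenericPolicyProcessorWrapper<SentryGenericPolicyService.Iface>(processHandler)`. The ip address and impersonator are stored by `ThriftUtil.setIpAddress(in)` and `ThriftUtil.setImpersonator(in)` before `super.process`, and nothing here clears them afterwards; if those setters keep the values in thread-local storage (not visible in this hunk) and leave them untouched when extraction fails, a later request on the same pooled thread could be audited with the previous caller's ip and impersonator, so either clear them in a `finally` after `super.process` or document their lifetime in a class comment such as `// ip/impersonator are captured per request for the audit log; see ThriftUtil`.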
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
index 6b63045..f3eb95b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
@@ -19,45 +19,30 @@
package org.apache.sentry.provider.db.log.entity;
import java.io.IOException;
-import java.io.StringWriter;
-import org.apache.sentry.provider.db.log.util.Constants;
import org.codehaus.jackson.JsonFactory;
-import org.codehaus.jackson.JsonGenerator;
import org.codehaus.jackson.JsonNode;
import org.codehaus.jackson.map.MappingJsonFactory;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.node.ContainerNode;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AuditMetadataLogEntity implements JsonLogEntity {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(AuditMetadataLogEntity.class);
- private static final JsonFactory factory = new MappingJsonFactory();
- private String serviceName;
- private String userName;
- private String impersonator;
- private String ipAddress;
- private String operation;
- private String eventTime;
- private String operationText;
- private String allowed;
- private String databaseName;
- private String tableName;
- private String columnName;
- private String resourcePath;
- private String objectType;
-
- public AuditMetadataLogEntity() {
- }
-
- public AuditMetadataLogEntity(String serviceName, String userName,
- String impersonator, String ipAddress, String operation,
- String eventTime, String operationText, String allowed,
- String databaseName, String tableName, String columnName,
- String resourcePath, String objectType) {
+
+abstract public class AuditMetadataLogEntity implements JsonLogEntity {
+
+ static final JsonFactory factory = new MappingJsonFactory();
+ String serviceName;
+ String userName;
+ String impersonator;
+ String ipAddress;
+ String operation;
+ String eventTime;
+ String operationText;
+ String allowed;
+ String objectType;
+ String component;
+
+ void setCommonAttr(String serviceName, String userName, String impersonator, String ipAddress,
+ String operation, String eventTime, String operationText, String allowed, String objectType,
+ String component) {
this.serviceName = serviceName;
this.userName = userName;
this.impersonator = impersonator;
@@ -66,52 +51,8 @@ public class AuditMetadataLogEntity implements JsonLogEntity {
this.eventTime = eventTime;
this.operationText = operationText;
this.allowed = allowed;
- this.databaseName = databaseName;
- this.tableName = tableName;
- this.columnName = columnName;
- this.resourcePath = resourcePath;
this.objectType = objectType;
- }
-
- @Override
- public String toJsonFormatLog() {
- StringWriter stringWriter = new StringWriter();
- JsonGenerator json = null;
- try {
- json = factory.createJsonGenerator(stringWriter);
- json.writeStartObject();
- json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName);
- json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName);
- json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator);
- json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress);
- json.writeStringField(Constants.LOG_FIELD_OPERATION, operation);
- json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime);
- json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText);
- json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed);
- json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
- json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
- json.writeStringField(Constants.LOG_FIELD_COLUMN_NAME, columnName);
- json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
- json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType);
- json.writeEndObject();
- json.flush();
- } catch (IOException e) {
- // if there has error when creating the audit log in json, set the audit
- // log to empty.
- stringWriter = new StringWriter();
- String msg = "Error creating audit log in json format: " + e.getMessage();
- LOGGER.error(msg, e);
- } finally {
- try {
- if (json != null) {
- json.close();
- }
- } catch (IOException e) {
- LOGGER.error("Error closing JsonGenerator", e);
- }
- }
-
- return stringWriter.toString();
+ this.component = component;
}
public String getServiceName() {
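Review bot: The modifier order in `abstract public class AuditMetadataLogEntity implements JsonLogEntity` runs against the conventional `public abstract class`, and the fields that were `private` before this change are now declared with no access modifier at all (`String serviceName;` …), which opens them to every class in the package rather than only the two subclasses. Declaring them `protected`, and `factory` as `protected static final`, states the intended scope, and `setCommonAttr` deserves a short Javadoc noting that it fills the fields shared by the DB and generic-model entities and is meant to be called from subclass constructors. The class continues past this hunk.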
@@ -178,38 +119,6 @@ public class AuditMetadataLogEntity implements JsonLogEntity {
this.allowed = allowed;
}
- public String getDatabaseName() {
- return databaseName;
- }
-
- public void setDatabaseName(String databaseName) {
- this.databaseName = databaseName;
- }
-
- public String getTableName() {
- return tableName;
- }
-
- public void setTableName(String tableName) {
- this.tableName = tableName;
- }
-
- public String getColumnName() {
- return columnName;
- }
-
- public void setColumnName(String columnName) {
- this.columnName = columnName;
- }
-
- public String getResourcePath() {
- return resourcePath;
- }
-
- public void setResourcePath(String resourcePath) {
- this.resourcePath = resourcePath;
- }
-
public String getObjectType() {
return objectType;
}
@@ -218,6 +127,14 @@ public class AuditMetadataLogEntity implements JsonLogEntity {
this.objectType = objectType;
}
+ public String getComponent() {
+ return component;
+ }
+
+ public void setComponent(String component) {
+ this.component = component;
+ }
+
/**
* For use in tests
*
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
new file mode 100644
index 0000000..95afe52
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonGenerator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DBAuditMetadataLogEntity extends AuditMetadataLogEntity {
+ private static final Logger LOGGER = LoggerFactory.getLogger(DBAuditMetadataLogEntity.class);
+
+ private String databaseName;
+ private String tableName;
+ private String columnName;
+ private String resourcePath;
+
+ public DBAuditMetadataLogEntity() {
+ }
+
+ public DBAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
+ String ipAddress, String operation, String eventTime, String operationText, String allowed,
+ String objectType, String component, String databaseName, String tableName,
+ String columnName, String resourcePath) {
+ setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
+ operationText, allowed, objectType, component);
+ this.databaseName = databaseName;
+ this.tableName = tableName;
+ this.columnName = columnName;
+ this.resourcePath = resourcePath;
+ }
+
+ public String getDatabaseName() {
+ return databaseName;
+ }
+
+ public void setDatabaseName(String databaseName) {
+ this.databaseName = databaseName;
+ }
+
+ public String getTableName() {
+ return tableName;
+ }
+
+ public void setTableName(String tableName) {
+ this.tableName = tableName;
+ }
+
+ public String getColumnName() {
+ return columnName;
+ }
+
+ public void setColumnName(String columnName) {
+ this.columnName = columnName;
+ }
+
+ public String getResourcePath() {
+ return resourcePath;
+ }
+
+ public void setResourcePath(String resourcePath) {
+ this.resourcePath = resourcePath;
+ }
+
+ @Override
+ public String toJsonFormatLog() throws Exception {
+ StringWriter stringWriter = new StringWriter();
+ JsonGenerator json = null;
+ try {
+ json = factory.createJsonGenerator(stringWriter);
+ json.writeStartObject();
+ json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName);
+ json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName);
+ json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator);
+ json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION, operation);
+ json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText);
+ json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed);
+ json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
+ json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ json.writeStringField(Constants.LOG_FIELD_COLUMN_NAME, columnName);
+ json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
+ json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType);
+ json.writeEndObject();
+ json.flush();
+ } catch (IOException e) {
+ String msg = "Error creating audit log in json format: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ } finally {
+ try {
+ if (json != null) {
+ json.close();
+ }
+ } catch (IOException e) {
+ throw e;
+ }
+ }
+
+ return stringWriter.toString();
+ }
+}
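Review bot: The `finally` block in `toJsonFormatLog` contains `catch (IOException e) { throw e; }`, which is a no-op wrapper, and any exception leaving a `finally` replaces the one raised in the `try`, so a serialization failure that was just logged is masked by a later `close()` failure; the block reduces to `if (json != null) { json.close(); }` with no inner try/catch. The `component` value stored by `setCommonAttr` is never written here, unlike in the generic-model entity; if that is deliberate so the existing hive/impala log format stays stable, a comment such as `// component is intentionally omitted to keep the DB audit format unchanged` on the method would stop the next reader from "fixing" it. Logging the IOException at ERROR and then rethrowing it also means each failure is logged twice once the processor's catch block logs it again.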
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
new file mode 100644
index 0000000..25d55e0
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonGenerator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class GMAuditMetadataLogEntity extends AuditMetadataLogEntity {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(GMAuditMetadataLogEntity.class);
+ private Map<String, String> privilegesMap;
+
+ public GMAuditMetadataLogEntity() {
+ privilegesMap = new LinkedHashMap<String, String>();
+ }
+
+ public GMAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
+ String ipAddress, String operation, String eventTime, String operationText, String allowed,
+ String objectType, String component, Map<String, String> privilegesMap) {
+ setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
+ operationText, allowed, objectType, component);
+ this.privilegesMap = privilegesMap;
+ }
+
+ @Override
+ public String toJsonFormatLog() throws Exception {
+ StringWriter stringWriter = new StringWriter();
+ JsonGenerator json = null;
+ try {
+ json = factory.createJsonGenerator(stringWriter);
+ json.writeStartObject();
+ json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName);
+ json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName);
+ json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator);
+ json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION, operation);
+ json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText);
+ json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed);
+ for (Map.Entry<String, String> entry : privilegesMap.entrySet()) {
+ json.writeStringField(entry.getKey(), entry.getValue());
+ }
+ json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType);
+ json.writeStringField(Constants.LOG_FIELD_COMPONENT, component);
+ json.writeEndObject();
+ json.flush();
+ } catch (IOException e) {
+ String msg = "Error creating audit log in json format: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ } finally {
+ try {
+ if (json != null) {
+ json.close();
+ }
+ } catch (IOException e) {
+ throw e;
+ }
+ }
+
+ return stringWriter.toString();
+ }
+
+ public Map<String, String> getPrivilegesMap() {
+ return privilegesMap;
+ }
+
+ public void setPrivilegesMap(Map<String, String> privilegesMap) {
+ this.privilegesMap = privilegesMap;
+ }
+
+}
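Review bot: The entries of `privilegesMap` are written as top-level fields of the same JSON object as the fixed ones (`for (Map.Entry<String, String> entry : privilegesMap.entrySet())`), so a map key equal to `objectType`, `component`, `allowed` or any other fixed field produces duplicate keys in one object, which JSON consumers resolve unpredictably; if those keys are derived from the authorizable types in the client's request (the factory code that fills the map is not in this view), the client effectively chooses them. Nesting the map under its own field, `json.writeObjectFieldStart("privileges");` before the loop and `json.writeEndObject();` after it, keeps the audit schema unambiguous and isolates caller-supplied names from the fixed ones. The eleven-argument constructor and `setPrivilegesMap` accept `null` while the loop dereferences it, so either reject `null` with `Objects.requireNonNull` or fall back to an empty `LinkedHashMap` as the no-arg constructor does. The `finally` block has the same redundant `catch (IOException e) { throw e; }` as the DB entity and can be reduced to a null-guarded `json.close()`.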
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
index 7ad6966..f7edeb1 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
@@ -20,6 +20,6 @@ package org.apache.sentry.provider.db.log.entity;
public interface JsonLogEntity {
- public String toJsonFormatLog();
+ public String toJsonFormatLog() throws Exception;
}
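Review bot: `throws Exception` on `toJsonFormatLog()` is broader than either implementation in this commit needs; both `DBAuditMetadataLogEntity` and `GMAuditMetadataLogEntity` only propagate `IOException` from the Jackson generator. Declaring `public String toJsonFormatLog() throws IOException;` lets the processors catch the specific failure instead of `catch (Exception e)` and documents what can actually go wrong, and a one-line Javadoc, `/** Serializes this audit event as a single-line JSON object. */`, would round the interface out.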
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
index 3ad46c4..c29b88e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -18,9 +18,14 @@
package org.apache.sentry.provider.db.log.entity;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.log.util.CommandUtil;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
@@ -35,12 +40,14 @@ import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.Status;
import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import com.google.common.base.Joiner;
import com.google.common.collect.ImmutableSet;
public class JsonLogEntityFactory {
@@ -54,26 +61,29 @@ public class JsonLogEntityFactory {
return factory;
}
+ // log entity for hive/impala create role
public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request,
TCreateSentryRoleResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
request.getRoleName(), true));
- return amle;
+ return hamle;
}
+ // log entity for hive/impala drop role
public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request,
TDropSentryRoleResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
request.getRoleName(), false));
- return amle;
+ return hamle;
}
+ // log entity for hive/impala grant privilege
public Set<JsonLogEntity> createJsonLogEntitys(
TAlterSentryRoleGrantPrivilegeRequest request,
TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
@@ -90,15 +100,16 @@ public class JsonLogEntityFactory {
private JsonLogEntity createJsonLogEntity(
TAlterSentryRoleGrantPrivilegeRequest request, TSentryPrivilege privilege,
TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
- amle.setDatabaseName(privilege.getDbName());
- amle.setTableName(privilege.getTableName());
- amle.setResourcePath(privilege.getURI());
- return amle;
+ hamle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
+ hamle.setDatabaseName(privilege.getDbName());
+ hamle.setTableName(privilege.getTableName());
+ hamle.setResourcePath(privilege.getURI());
+ return hamle;
}
+ // log entity for hive/impala revoke privilege
public Set<JsonLogEntity> createJsonLogEntitys(
TAlterSentryRoleRevokePrivilegeRequest request,
TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
@@ -115,34 +126,54 @@ public class JsonLogEntityFactory {
private JsonLogEntity createJsonLogEntity(
TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege,
TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
- amle.setDatabaseName(privilege.getDbName());
- amle.setTableName(privilege.getTableName());
- amle.setResourcePath(privilege.getURI());
+ hamle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
+ hamle.setDatabaseName(privilege.getDbName());
+ hamle.setTableName(privilege.getTableName());
+ hamle.setResourcePath(privilege.getURI());
- return amle;
+ return hamle;
}
+ // log entity for hive/impala add role to group
public JsonLogEntity createJsonLogEntity(
TAlterSentryRoleAddGroupsRequest request,
TAlterSentryRoleAddGroupsResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request));
+ String groups = getGroupsStr(request.getGroupsIterator());
+ hamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
- return amle;
+ return hamle;
}
+ // log entity for hive/impala delete role from group
public JsonLogEntity createJsonLogEntity(
TAlterSentryRoleDeleteGroupsRequest request,
TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
request.getRequestorUserName(), request.getClass().getName());
- amle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request));
+ String groups = getGroupsStr(request.getGroupsIterator());
+ hamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
- return amle;
+ return hamle;
+ }
+
+ private String getGroupsStr(Iterator<TSentryGroup> iter) {
+ StringBuilder groups = new StringBuilder("");
+ if (iter != null) {
+ boolean commaFlg = false;
+ while (iter.hasNext()) {
+ if (commaFlg) {
+ groups.append(", ");
+ } else {
+ commaFlg = true;
+ }
+ groups.append(iter.next().getGroupName());
+ }
+ }
+ return groups.toString();
}
public String isAllowed(TSentryResponseStatus status) {
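Review bot: `getGroupsStr` at L1421-1435 joins group names with `", "` while the generic-model counterparts at L1519 and L1533 use `Joiner.on(",")`, so the same `GRANT ROLE ... TO GROUP` operation text is formatted differently depending on which model produced it, which makes the audit field harder to match on consistently. Pick one separator for both sides and say so in a comment on `getGroupsStr`, e.g. `// Group list separator must match the generic-model Joiner in this class.` `new StringBuilder("")` at L1422 is just `new StringBuilder()`. The visible test only adds a single group (L2043-2044), so the separator is presumably not covered by it.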
@@ -152,10 +183,120 @@ public class JsonLogEntityFactory {
return Constants.FALSE;
}
- private AuditMetadataLogEntity createCommonAMLE(Configuration conf,
- TSentryResponseStatus responseStatus, String userName,
- String requestClassName) {
- AuditMetadataLogEntity amle = new AuditMetadataLogEntity();
+ // log entity for generic model create role
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), true));
+
+ return gmamle;
+ }
+
+ // log entity for generic model drop role
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), false));
+
+ return gmamle;
+ }
+
+ // log entity for generic model grant privilege
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ if (request.getPrivilege() != null) {
+ List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
+ Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ privilegesMap.put(authorizable.getType(), authorizable.getName());
+ }
+ }
+ gmamle.setPrivilegesMap(privilegesMap);
+ }
+ gmamle.setOperationText(CommandUtil.createCmdForGrantGMPrivilege(request));
+
+ return gmamle;
+ }
+
+ // log entity for generic model revoke privilege
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ if (request.getPrivilege() != null) {
+ List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
+ Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ privilegesMap.put(authorizable.getType(), authorizable.getName());
+ }
+ }
+ gmamle.setPrivilegesMap(privilegesMap);
+ }
+ gmamle.setOperationText(CommandUtil.createCmdForRevokeGMPrivilege(request));
+
+ return gmamle;
+ }
+
+ // log entity for generic model add role to group
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ Joiner joiner = Joiner.on(",");
+ String groups = joiner.join(request.getGroupsIterator());
+ gmamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
+
+ return gmamle;
+ }
+
+ // log entity for hive delete role from group
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ Joiner joiner = Joiner.on(",");
+ String groups = joiner.join(request.getGroupsIterator());
+ gmamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
+
+ return gmamle;
+ }
+
+ private DBAuditMetadataLogEntity createCommonHAMLE(Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName) {
+ DBAuditMetadataLogEntity hamle = new DBAuditMetadataLogEntity();
+ setCommAttrForAMLE(hamle, conf, responseStatus, userName, requestClassName);
+ return hamle;
+ }
+
+ private GMAuditMetadataLogEntity createCommonGMAMLE(Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName,
+ String component) {
+ GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity();
+ setCommAttrForAMLE(gmamle, conf, responseStatus, userName, requestClassName);
+ gmamle.setComponent(component);
+ return gmamle;
+ }
+
+ private void setCommAttrForAMLE(AuditMetadataLogEntity amle, Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName) {
amle.setUserName(userName);
amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
@@ -166,6 +307,5 @@ public class JsonLogEntityFactory {
amle.setAllowed(isAllowed(responseStatus));
amle.setObjectType(Constants.requestTypeToObjectTypeMap
.get(requestClassName));
- return amle;
}
}
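Review bot: `CommandUtil.createCmdForGrantGMPrivilege(request)` at L1485 (and `createCmdForRevokeGMPrivilege` at L1507) runs outside the `request.getPrivilege() != null` guard that protects the map above it, and the command builder in CommandUtil dereferences the privilege unconditionally, so a request without a privilege fails with an NPE while building the audit entry and no audit record is produced for the attempt. Likewise `joiner.join(request.getGroupsIterator())` at L1520 and L1534 has no null guard, unlike the hive-side `getGroupsStr`; if the thrift accessor returns null for an unset groups field, as that guard suggests it can, the generic add/delete-groups entry fails the same way — `String groups = request.getGroupsIterator() == null ? "" : joiner.join(request.getGroupsIterator());` keeps the existing "Missing group information." path. `privilegesMap` is keyed by authorizable type, so if a component's hierarchy ever repeats a type only the last name survives in the audit log; if that can happen, a list of type/name pairs preserves the full resource. The map-building loop is duplicated verbatim at L1475-1484 and L1497-1506 and belongs in one private helper. The comment at L1526 should read `// log entity for generic model delete role from group`.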
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
index 741cfdc..d6aecd1 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -21,18 +21,17 @@ package org.apache.sentry.provider.db.log.util;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.util.Enumeration;
-import java.util.Iterator;
+import java.util.List;
import java.util.Set;
import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.datanucleus.util.StringUtils;
import com.google.common.annotations.VisibleForTesting;
@@ -46,20 +45,17 @@ public class CommandUtil {
return "DROP ROLE " + roleName;
}
- public static String createCmdForRoleAddGroup(
- TAlterSentryRoleAddGroupsRequest request) {
- return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
- request.getGroupsIterator(), true);
+ public static String createCmdForRoleAddGroup(String roleName, String groups) {
+ return createCmdForRoleAddOrDeleteGroup(roleName, groups, true);
}
- public static String createCmdForRoleDeleteGroup(
- TAlterSentryRoleDeleteGroupsRequest request) {
- return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
- request.getGroupsIterator(), false);
+ public static String createCmdForRoleDeleteGroup(String roleName, String groups) {
+ return createCmdForRoleAddOrDeleteGroup(roleName, groups, false);
}
private static String createCmdForRoleAddOrDeleteGroup(String roleName,
- Iterator<TSentryGroup> iter, boolean isAddGroup) {
+ String groups,
+ boolean isAddGroup) {
StringBuilder sb = new StringBuilder();
if (isAddGroup) {
sb.append("GRANT ROLE ");
@@ -73,17 +69,8 @@ public class CommandUtil {
sb.append(" FROM ");
}
- if (iter != null) {
- sb.append("GROUP ");
- boolean commaFlg = false;
- while (iter.hasNext()) {
- if (commaFlg) {
- sb.append(", ");
- } else {
- commaFlg = true;
- }
- sb.append(iter.next().getGroupName());
- }
+ if (!StringUtils.isEmpty(groups)) {
+ sb.append("GROUP ").append(groups);
} else {
sb = new StringBuilder("Missing group information.");
}
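Review bot: `StringUtils.isEmpty(groups)` at L1631 pulls `org.datanucleus.util.StringUtils`, a persistence-layer class, into the audit command builder just for an empty-string check; `Strings.isNullOrEmpty(groups)` from Guava (already used by this file, see the `VisibleForTesting` import at L1592) or a plain `groups == null || groups.isEmpty()` avoids coupling the log utility to ORM internals that can change with the DataNucleus version. Since `groups` is now a caller-built string appended verbatim, the separator the callers choose determines the audit text; a comment on the parameter such as `// groups: already-joined group list; empty or null yields the "Missing group information." text` would make that contract explicit. `createCmdForRoleAddOrDeleteGroup` starts before this hunk.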
@@ -159,6 +146,60 @@ public class CommandUtil {
return sb.toString();
}
+ public static String createCmdForGrantGMPrivilege(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request) {
+ return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(), true);
+ }
+
+ public static String createCmdForRevokeGMPrivilege(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request) {
+ return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(),
+ false);
+ }
+
+ private static String createCmdForGrantOrRevokeGMPrivilege(String roleName,
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege,
+ boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (isGrant) {
+ sb.append("GRANT ");
+ } else {
+ sb.append("REVOKE ");
+ }
+
+ String action = privilege.getAction();
+ if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+ sb.append("ALL");
+ } else {
+ if (action != null) {
+ action = action.toUpperCase();
+ }
+ sb.append(action);
+ }
+
+ sb.append(" ON");
+
+ List<TAuthorizable> authorizables = privilege.getAuthorizables();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ sb.append(" ").append(authorizable.getType()).append(" ").append(authorizable.getName());
+ }
+ }
+
+ if (isGrant) {
+ sb.append(" TO ROLE ");
+ } else {
+ sb.append(" FROM ROLE ");
+ }
+ sb.append(roleName);
+
+ if (privilege.getGrantOption() == org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE) {
+ sb.append(" WITH GRANT OPTION");
+ }
+
+ return sb.toString();
+ }
+
// Check if the given IP is one of the local IP.
@VisibleForTesting
public static boolean assertIPInAuditLog(String ipInAuditLog) throws Exception {
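Review bot: `action.toUpperCase()` at L1665 uses the JVM default locale, so the operation text for the same request varies by server locale (the expected `INVALIDACTION` at L2093 would not match under a Turkish default locale, where a lowercase `i` uppercases to a dotted capital); use `action.toUpperCase(Locale.ROOT)`, which needs `java.util.Locale` imported. A null action still reaches `sb.append(action)` at L1667 and is written as the literal `null`, which the existing `if (action != null)` could replace with an explicit placeholder. Role name, action and each authorizable type/name are copied straight from the request into the audit text; presumably `toJsonFormatLog` escapes them, but that is worth confirming so a name containing line breaks cannot split an entry in the audit file. `assertIPInAuditLog` at L1695 continues past the hunk.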
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
index 072a0e8..b0a87ae 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
@@ -30,6 +30,7 @@ import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
public class Constants {
public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
+ public final static String AUDIT_LOGGER_NAME_GENERIC = "sentry.generic.authorization.ddl.logger";
public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
public final static String LOG_FIELD_USER_NAME = "userName";
@@ -44,6 +45,7 @@ public class Constants {
public final static String LOG_FIELD_COLUMN_NAME = "column";
public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
+ public final static String LOG_FIELD_COMPONENT = "component";
public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
@@ -62,6 +64,7 @@ public class Constants {
public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
static {
+ // for hive audit log
requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
Constants.OPERATION_CREATE_ROLE);
requestTypeToOperationMap.put(
@@ -78,7 +81,30 @@ public class Constants {
requestTypeToOperationMap.put(
TAlterSentryRoleDeleteGroupsRequest.class.getName(),
Constants.OPERATION_DELETE_ROLE);
+ // for generic model audit log
+ requestTypeToOperationMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+ .getName(), Constants.OPERATION_CREATE_ROLE);
+ requestTypeToOperationMap
+ .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+ .getName(), Constants.OPERATION_DROP_ROLE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+ .getName(), Constants.OPERATION_GRANT_PRIVILEGE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+ .getName(), Constants.OPERATION_REVOKE_PRIVILEGE);
+ requestTypeToOperationMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+ .getName(), Constants.OPERATION_ADD_ROLE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+ .getName(), Constants.OPERATION_DELETE_ROLE);
+ // for hive audit log
requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
Constants.OBJECT_TYPE_ROLE);
requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
@@ -95,5 +121,27 @@ public class Constants {
requestTypeToObjectTypeMap.put(
TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
Constants.OBJECT_TYPE_PRINCIPAL);
+ // for generic model audit log
+ requestTypeToObjectTypeMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+ .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+ .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index ea9fae9..4f8c834 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -249,8 +249,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for create role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return response;
}
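Review bot: The new catch at L1794 makes a failed audit entry non-fatal: the role change has already been applied and `response` is still returned as success, so an authorization change can complete with no audit record and only an ERROR line in the service log to show for it. That may well be the intended trade-off, but the decision should be stated where it lives, e.g. replace the comment at L1795 with `// Audit logging is best-effort: a failure is reported to LOGGER but never fails the authorization change.` The same block is repeated with only the message changing at L1808-1818, L1828-1838, L1846-1853, L1861-1868 and L1876-1883; a private helper taking the entities and an operation label would keep that policy in one place. `e.getMessage()` in `msg` duplicates what `LOGGER.error(msg, e)` already prints with the stack trace. Each enclosing method starts before its hunk.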
@@ -305,10 +311,16 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
- request, response, conf);
- for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
- AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ try {
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
+ LOGGER.error(msg, e);
}
return response;
}
@@ -374,10 +386,16 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
- request, response, conf);
- for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
- AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ try {
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for revoke privilege from role: " + e.getMessage();
+ LOGGER.error(msg, e);
}
return response;
}
@@ -417,8 +435,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for drop role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return response;
}
@@ -457,8 +481,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for add role to group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return response;
}
@@ -497,8 +527,14 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
timerContext.stop();
}
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for delete role from group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
return response;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
new file mode 100644
index 0000000..c3adacf
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
@@ -0,0 +1,299 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase {
+
+ private SentryGenericServiceClient client;
+ private static final String COMPONENT = "SQOOP";
+ private static final org.slf4j.Logger LOGGER = LoggerFactory
+ .getLogger(TestAuditLogForSentryGenericService.class);
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.setup();
+ Logger logger = Logger.getLogger("sentry.generic.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Override
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, COMPONENT);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName(), COMPONENT);
+ }
+ if (client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ // log the exception
+ LOGGER.warn("Exception happened after test case.", e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ if (kerberos) {
+ this.client = Subject.doAs(clientSubject,
+ new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(conf);
+ }
+ }
+
+ @Test
+ public void testAuditLogForGenericModel() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ String testGroupName = "g1";
+ String action = "all";
+ String service = "sentryService";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // test the audit log for create role, success
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for create role, failed
+ try {
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for add role to group, success
+ client.addRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for add role to group, failed
+ try {
+ client.addRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE invalidRole TO GROUP "
+ + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for grant privilege, success
+ TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT, service, Lists.newArrayList(
+ new TAuthorizable("resourceType1", "resourceName1"), new TAuthorizable("resourceType2",
+ "resourceName2")), action);
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT ALL ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ TSentryPrivilege invalidPrivilege = new TSentryPrivilege(COMPONENT, service,
+ Lists.newArrayList(new TAuthorizable("resourceType1", "resourceName1")),
+ "invalidAction");
+ // test the audit log for grant privilege, failed
+ try {
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT INVALIDACTION ON resourceType1 resourceName1 TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for revoke privilege, success
+ client.revokePrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ALL ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for revoke privilege, failed
+ try {
+ client.revokePrivilege(requestorUserName, "invalidRole", COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE INVALIDACTION ON resourceType1 resourceName1 FROM ROLE invalidRole");
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for delete role from group, success
+ client.deleteRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for delete role from group, failed
+ try {
+ client.deleteRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ROLE invalidRole FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ // test the audit log for drop role, success
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for drop role, failed
+ try {
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
deleted file mode 100644
index 95b51e9..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import junit.framework.TestCase;
-
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.codehaus.jackson.JsonNode;
-import org.codehaus.jackson.node.ContainerNode;
-import org.junit.Test;
-
-public class TestAuditMetadataLogEntity extends TestCase {
-
- @Test
- public void testToJsonFormatLog() throws Throwable {
- AuditMetadataLogEntity amle = new AuditMetadataLogEntity("serviceName",
- "userName", "impersonator", "ipAddress", "operation", "eventTime",
- "operationText", "allowed", "databaseName", "tableName", "columnName",
- "resourcePath", "objectType");
- String jsonAuditLog = amle.toJsonFormatLog();
- ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
- assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
- "impersonator");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
- "operationText");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
- "databaseName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_COLUMN_NAME, "columnName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
- "resourcePath");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
- }
-
- void assertEntryEquals(ContainerNode rootNode, String key, String value) {
- JsonNode node = assertNodeContains(rootNode, key);
- assertEquals(value, node.getTextValue());
- }
-
- private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
- JsonNode node = rootNode.get(key);
- if (node == null) {
- fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
- }
- return node;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
new file mode 100644
index 0000000..e3ba541
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.fail;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Test;
+
+public class TestDbAuditMetadataLogEntity {
+
+ @Test
+ public void testToJsonFormatLog() throws Throwable {
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity("serviceName", "userName",
+ "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
+ "objectType", "component", "databaseName", "tableName", "columnName", "resourcePath");
+ String jsonAuditLog = amle.toJsonFormatLog();
+ ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
+ "impersonator");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
+ "operationText");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
+ "databaseName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_COLUMN_NAME, "columnName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
+ "resourcePath");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+ }
+
+ void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+ JsonNode node = assertNodeContains(rootNode, key);
+ assertEquals(value, node.getTextValue());
+ }
+
+ private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+ JsonNode node = rootNode.get(key);
+ if (node == null) {
+ fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+ }
+ return node;
+ }
+}
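Review bot: The `"component"` argument passed to the constructor is the one field this test never asserts; every other constructor argument gets an `assertEntryEquals`, and the sibling TestGMAuditMetadataLogEntity in this commit does check `Constants.LOG_FIELD_COMPONENT`, so add `assertEntryEquals(rootNode, Constants.LOG_FIELD_COMPONENT, "component");` after the objectType check. All fixture values are also plain identifiers, while the earlier hunk in this commit builds operationText from caller-supplied role and resource names; a second case that passes a value containing `"`, a newline or `}` and confirms it survives `toJsonFormatLog()` followed by `AuditMetadataLogEntity.parse(...)` would show a crafted name cannot split or forge an audit record. Whether the entity already escapes such input is not visible here, so treat that as a missing test rather than a known defect.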
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/66b7096c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
new file mode 100644
index 0000000..537edb4
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.fail;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Test;
+
+public class TestGMAuditMetadataLogEntity {
+ @Test
+ public void testToJsonFormatLog() throws Throwable {
+
+ Map<String, String> privilegesMap = new HashMap<String, String>();
+ privilegesMap.put("resourceType1", "resourceName1");
+ privilegesMap.put("resourceType2", "resourceName2");
+ privilegesMap.put("resourceType3", "resourceName3");
+ privilegesMap.put("resourceType4", "resourceName4");
+ GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity("serviceName", "userName",
+ "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
+ "objectType", "component", privilegesMap);
+ String jsonAuditLog = gmamle.toJsonFormatLog();
+ ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR, "impersonator");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT, "operationText");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_COMPONENT, "component");
+ assertEntryEquals(rootNode, "resourceType1", "resourceName1");
+ assertEntryEquals(rootNode, "resourceType2", "resourceName2");
+ assertEntryEquals(rootNode, "resourceType3", "resourceName3");
+ assertEntryEquals(rootNode, "resourceType4", "resourceName4");
+ }
+
+ void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+ JsonNode node = assertNodeContains(rootNode, key);
+ assertEquals(value, node.getTextValue());
+ }
+
+ private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+ JsonNode node = rootNode.get(key);
+ if (node == null) {
+ fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+ }
+ return node;
+ }
+}
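Review bot: The privilege map entries are asserted as top-level JSON fields next to the fixed audit fields, so a resource type named like a reserved field (`allowed`, `operation`, `userName`) would either overwrite that field or be overwritten by it, and nothing pins which happens; add a case such as `privilegesMap.put(Constants.LOG_FIELD_ALLOWED, "injected");` followed by `assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");` (or an assertion on whatever rejection the entity performs). The test also only covers a four-entry map; an empty map and a null map are plausible inputs from the factory and each deserve a case. What the entity actually does on a key collision is not visible from this hunk, so the expected value in that test should be confirmed against GMAuditMetadataLogEntity before it is committed.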