You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/31 03:32:19 UTC
[41/86] sentry git commit: Revert "SENTRY-2208: Refactor out Sentry
service into own module from sentry-provider-db (Anthony Young-Garner,
reviewed by Sergio Pena, Steve Moist, Na Li)"
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java
new file mode 100644
index 0000000..befe6c3
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/api/service/thrift/SentryWebServer.java
@@ -0,0 +1,240 @@
+package org.apache.sentry.api.service.thrift;
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.codahale.metrics.servlets.AdminServlet;
+import com.google.common.base.Preconditions;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.EnumSet;
+import java.util.EventListener;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+import javax.servlet.DispatcherType;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.HttpConfiguration;
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SecureRequestCustomizer;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.handler.ContextHandlerCollection;
+import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Constraint;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryWebServer {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryWebServer.class);
+ private static final String RESOURCE_DIR = "/webapp";
+ private static final String WELCOME_PAGE = "SentryService.html";
+
+ private Server server;
+
+ public SentryWebServer(List<EventListener> listeners, int port, Configuration conf) {
+ server = new Server();
+
+ // Create a channel connector for "http/https" requests
+ ServerConnector connector;
+ if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) {
+ SslContextFactory sslContextFactory = new SslContextFactory();
+ sslContextFactory.setKeyStorePath(conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, ""));
+ sslContextFactory.setKeyStorePassword(
+ conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, ""));
+ // Exclude SSL blacklist protocols
+ sslContextFactory.setExcludeProtocols(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT);
+ Set<String> moreExcludedSSLProtocols =
+ Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings()
+ .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST))));
+ sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray(
+ new String[moreExcludedSSLProtocols.size()]));
+
+ HttpConfiguration httpConfiguration = new HttpConfiguration();
+ httpConfiguration.setSecurePort(port);
+ httpConfiguration.setSecureScheme("https");
+ httpConfiguration.addCustomizer(new SecureRequestCustomizer());
+
+ connector = new ServerConnector(
+ server,
+ new SslConnectionFactory(sslContextFactory, "http/1.1"),
+ new HttpConnectionFactory(httpConfiguration));
+
+ LOGGER.info("Now using SSL mode.");
+ } else {
+ connector = new ServerConnector(server, new HttpConnectionFactory());
+ }
+
+ connector.setPort(port);
+ server.setConnectors(new Connector[] { connector });
+
+ ServletContextHandler servletContextHandler = new ServletContextHandler();
+ ServletHolder servletHolder = new ServletHolder(AdminServlet.class);
+ servletContextHandler.addServlet(servletHolder, "/*");
+
+ for(EventListener listener:listeners) {
+ servletContextHandler.addEventListener(listener);
+ }
+
+ servletContextHandler.addServlet(new ServletHolder(ConfServlet.class), "/conf");
+
+ if (conf.getBoolean(ServerConfig.SENTRY_WEB_ADMIN_SERVLET_ENABLED,
+ ServerConfig.SENTRY_WEB_ADMIN_SERVLET_ENABLED_DEFAULT)) {
+ servletContextHandler.addServlet(
+ new ServletHolder(SentryAdminServlet.class), "/admin/*");
+ }
+ servletContextHandler.getServletContext()
+ .setAttribute(ConfServlet.CONF_CONTEXT_ATTRIBUTE, conf);
+
+ servletContextHandler.addServlet(new ServletHolder(LogLevelServlet.class), "/admin/logLevel");
+
+ if (conf.getBoolean(ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED,
+ ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED_DEFAULT)) {
+ servletContextHandler.addServlet(new ServletHolder(PubSubServlet.class), "/admin/publishMessage");
+ }
+
+ ResourceHandler resourceHandler = new ResourceHandler();
+ resourceHandler.setDirectoriesListed(true);
+ URL url = this.getClass().getResource(RESOURCE_DIR);
+ try {
+ resourceHandler.setBaseResource(Resource.newResource(url.toString()));
+ } catch (IOException e) {
+ LOGGER.error("Got exception while setBaseResource for Sentry Service web UI", e);
+ }
+ resourceHandler.setWelcomeFiles(new String[]{WELCOME_PAGE});
+ ContextHandler contextHandler= new ContextHandler();
+ contextHandler.setHandler(resourceHandler);
+
+ ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection();
+ contextHandlerCollection.setHandlers(new Handler[]{contextHandler, servletContextHandler});
+
+ String authMethod = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
+ if (!ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE.equalsIgnoreCase(authMethod)) {
+ /**
+ * SentryAuthFilter is a subclass of AuthenticationFilter and
+ * AuthenticationFilter tagged as private and unstable interface:
+ * While there are not guarantees that this interface will not change,
+ * it is fairly stable and used by other projects (ie - Oozie)
+ */
+ FilterHolder filterHolder = servletContextHandler.addFilter(SentryAuthFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
+ filterHolder.setInitParameters(loadWebAuthenticationConf(conf));
+ }
+
+ server.setHandler(disableTraceMethod(contextHandlerCollection));
+ }
+
+ /**
+ * Disables the HTTP TRACE method request which leads to Cross-Site Tracking (XST) problems.
+ *
+ * To disable it, we need to wrap the Handler (which has the HTTP TRACE enabled) with
+ * a constraint that denies access to the HTTP TRACE method.
+ *
+ * @param handler The Handler which has the HTTP TRACE enabled.
+ * @return A new Handler wrapped with the HTTP TRACE constraint and the Handler passed as parameter.
+ */
+ private Handler disableTraceMethod(Handler handler) {
+ Constraint disableTraceConstraint = new Constraint();
+ disableTraceConstraint.setName("Disable TRACE");
+ disableTraceConstraint.setAuthenticate(true);
+
+ ConstraintMapping mapping = new ConstraintMapping();
+ mapping.setConstraint(disableTraceConstraint);
+ mapping.setMethod("TRACE");
+ mapping.setPathSpec("/");
+
+ ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
+ constraintSecurityHandler.addConstraintMapping(mapping);
+ constraintSecurityHandler.setHandler(handler);
+
+ return constraintSecurityHandler;
+ }
+
+ public void start() throws Exception{
+ server.start();
+ }
+ public void stop() throws Exception{
+ server.stop();
+ }
+ public boolean isAlive() {
+ return server != null && server.isStarted();
+ }
+ private static Map<String, String> loadWebAuthenticationConf(Configuration conf) {
+ Map<String,String> prop = new HashMap<String, String>();
+ prop.put(AuthenticationFilter.CONFIG_PREFIX, ServerConfig.SENTRY_WEB_SECURITY_PREFIX);
+ String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
+ if (allowUsers == null || allowUsers.equals("")) {
+ allowUsers = conf.get(ServerConfig.ALLOW_CONNECT);
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowUsers);
+ }
+ validateConf(conf);
+ for (Map.Entry<String, String> entry : conf) {
+ String name = entry.getKey();
+ if (name.startsWith(ServerConfig.SENTRY_WEB_SECURITY_PREFIX)) {
+ String value = conf.get(name);
+ prop.put(name, value);
+ }
+ }
+ return prop;
+ }
+
+ private static void validateConf(Configuration conf) {
+ String authHandlerName = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
+ Preconditions.checkNotNull(authHandlerName, "Web authHandler should not be null.");
+ String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
+ Preconditions.checkNotNull(allowUsers, "Allow connect user(s) should not be null.");
+ if (ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS.equalsIgnoreCase(authHandlerName)) {
+ String principal = conf.get(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL);
+ Preconditions.checkNotNull(principal, "Kerberos principal should not be null.");
+ Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right.");
+ String keytabFile = conf.get(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB);
+ Preconditions.checkNotNull(keytabFile, "Keytab File should not be null.");
+ Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right.");
+ try {
+ UserGroupInformation.setConfiguration(conf);
+ String hostPrincipal = SecurityUtil.getServerPrincipal(principal, ServerConfig.RPC_ADDRESS_DEFAULT);
+ UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytabFile);
+ } catch (IOException ex) {
+ throw new IllegalArgumentException("Can't use Kerberos authentication, principal ["
+ + principal + "] keytab [" + keytabFile + "]", ex);
+ }
+ LOGGER.info("Using Kerberos authentication, principal [{}] keytab [{}]", principal, keytabFile);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
new file mode 100644
index 0000000..52f25dc
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.api.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.api.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.api.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.api.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.api.service.thrift.TDropPrivilegesRequest;
+import org.apache.sentry.api.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.api.service.thrift.TRenamePrivilegesRequest;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+
+import java.util.Map;
+import java.util.Set;
+
+import static org.apache.sentry.hdfs.Updateable.Update;
+
+/**
+ * Interface for processing delta changes of Sentry permission and generate corresponding
+ * update. The updates will be persisted into Sentry store afterwards along with the actual
+ * operation.
+ *
+ * TODO: SENTRY-1588: add user level privilege change support. e.g. onAlterSentryRoleDeleteUsers,
+ * TODO: onAlterSentryRoleDeleteUsers.
+ */
+public interface SentryPolicyStorePlugin {
+
+ @SuppressWarnings("serial")
+ class SentryPluginException extends SentryUserException {
+ public SentryPluginException(String msg) {
+ super(msg);
+ }
+ public SentryPluginException(String msg, Throwable t) {
+ super(msg, t);
+ }
+ }
+
+ void initialize(Configuration conf, SentryStore sentryStore) throws SentryPluginException;
+
+ Update onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tRequest) throws SentryPluginException;
+
+ Update onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tRequest,
+ Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException;
+
+ void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest,
+ Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException;
+
+ /**
+ * Used to create an update when privileges are granted to user.
+ * @param userName
+ * @param privileges
+ * @param privilegesUpdateMap
+ * @throws SentryPluginException
+ */
+ void onAlterSentryUserGrantPrivilege(String userName, Set<TSentryPrivilege> privileges,
+ Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException;
+
+ /**
+ * Used to create an update when privileges are revoked from user.
+ * @param userName
+ * @param privileges
+ * @param privilegesUpdateMap
+ * @throws SentryPluginException
+ */
+ void onAlterSentryUserRevokePrivilege(String userName, Set<TSentryPrivilege> privileges,
+ Map<TSentryPrivilege, Update> privilegesUpdateMap) throws SentryPluginException;
+
+ Update onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException;
+
+ Update onRenameSentryPrivilege(TRenamePrivilegesRequest request)
+ throws SentryPluginException, SentryInvalidInputException;
+
+ Update onDropSentryPrivilege(TDropPrivilegesRequest request) throws SentryPluginException;
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
new file mode 100644
index 0000000..3026a62
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
@@ -0,0 +1,422 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor;
+import org.apache.sentry.api.service.thrift.TSentryGroup;
+import org.apache.sentry.api.service.thrift.TSentryRole;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+
+import javax.jdo.PersistenceManager;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * The DelegateSentryStore will supports the generic authorizable model. It stores the authorizables
+ * into separated column. Take the authorizables:[DATABASE=db1,TABLE=tb1,COLUMN=cl1] for example,
+ * The DATABASE,db1,TABLE,tb1,COLUMN and cl1 will be stored into the six columns(resourceName0=db1,resourceType0=DATABASE,
+ * resourceName1=tb1,resourceType1=TABLE,
+ * resourceName2=cl1,resourceType2=COLUMN ) of generic privilege table
+ */
+public class DelegateSentryStore implements SentryStoreLayer {
+ private SentryStore delegate;
+ private Configuration conf;
+ private Set<String> adminGroups;
+ private PrivilegeOperatePersistence privilegeOperator;
+
+ public DelegateSentryStore(Configuration conf) throws Exception {
+ this.privilegeOperator = new PrivilegeOperatePersistence(conf);
+ this.conf = conf;
+ //delegated old sentryStore
+ this.delegate = new SentryStore(conf);
+ adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}))));
+ }
+
+ private MSentryRole getRole(String roleName, PersistenceManager pm) {
+ return delegate.getRole(pm, roleName);
+ }
+
+ @Override
+ public Object createRole(String component, String role,
+ String requestor) throws Exception {
+ delegate.createSentryRole(role);
+ return null;
+ }
+
+ /**
+ * The role is global in the generic model, such as the role may be has more than one component
+ * privileges, so delete role will remove all privileges related to it.
+ */
+ @Override
+ public Object dropRole(final String component, final String role, final String requestor)
+ throws Exception {
+ delegate.dropSentryRole(toTrimmedLower(role));
+ return null;
+ }
+
+ @Override
+ public Set<String> getAllRoleNames() throws Exception {
+ return delegate.getAllRoleNames();
+ }
+
+ @Override
+ public Object alterRoleAddGroups(String component, String role,
+ Set<String> groups, String requestor) throws Exception {
+ delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups));
+ return null;
+ }
+
+ @Override
+ public Object alterRoleDeleteGroups(String component, String role,
+ Set<String> groups, String requestor) throws Exception {
+ delegate.alterSentryRoleDeleteGroups(role, toTSentryGroups(groups));
+ return null;
+ }
+
+ @Override
+ public Object alterRoleGrantPrivilege(final String component, final String role,
+ final PrivilegeObject privilege, final String grantorPrincipal)
+ throws Exception {
+ delegate.getTransactionManager().executeTransactionWithRetry(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ String trimmedRole = toTrimmedLower(role);
+ MSentryRole mRole = getRole(trimmedRole, pm);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRole);
+ }
+
+ // check with grant option
+ grantOptionCheck(privilege, grantorPrincipal, pm);
+
+ privilegeOperator.grantPrivilege(privilege, mRole, pm);
+ return null;
+ });
+ return null;
+ }
+
+ @Override
+ public Object alterRoleRevokePrivilege(final String component,
+ final String role, final PrivilegeObject privilege, final String grantorPrincipal)
+ throws Exception {
+ delegate.getTransactionManager().executeTransactionWithRetry(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ String trimmedRole = toTrimmedLower(role);
+ MSentryRole mRole = getRole(trimmedRole, pm);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRole);
+ }
+
+ // check with grant option
+ grantOptionCheck(privilege, grantorPrincipal, pm);
+
+ privilegeOperator.revokePrivilege(privilege, mRole, pm);
+ return null;
+ });
+ return null;
+ }
+
+ @Override
+ public Object renamePrivilege(final String component, final String service,
+ final List<? extends Authorizable> oldAuthorizables,
+ final List<? extends Authorizable> newAuthorizables, final String requestor)
+ throws Exception {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+ Preconditions.checkNotNull(oldAuthorizables);
+ Preconditions.checkNotNull(newAuthorizables);
+
+ if (oldAuthorizables.size() != newAuthorizables.size()) {
+ throw new SentryAccessDeniedException(
+ "rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables "
+ + "oldAuthorizables:" + Arrays.toString(oldAuthorizables.toArray()) + " "
+ + "newAuthorizables:" + Arrays.toString(newAuthorizables.toArray()));
+ }
+
+ delegate.getTransactionManager().executeTransactionWithRetry(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ privilegeOperator.renamePrivilege(toTrimmedLower(component), toTrimmedLower(service),
+ oldAuthorizables, newAuthorizables, requestor, pm);
+ return null;
+ });
+ return null;
+ }
+
+ @Override
+ public Object dropPrivilege(final String component,
+ final PrivilegeObject privilege, final String requestor) throws Exception {
+ Preconditions.checkNotNull(requestor);
+
+ delegate.getTransactionManager().executeTransactionWithRetry(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ privilegeOperator.dropPrivilege(privilege, pm);
+ return null;
+ });
+ return null;
+ }
+
+ /**
+ * Grant option check
+ * @throws SentryUserException
+ */
+ private void grantOptionCheck(PrivilegeObject requestPrivilege,
+ String grantorPrincipal,PersistenceManager pm)
+ throws SentryUserException {
+
+ if (Strings.isNullOrEmpty(grantorPrincipal)) {
+ throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
+ }
+
+ Set<String> groups = getRequestorGroups(grantorPrincipal);
+ if (groups == null || groups.isEmpty()) {
+ throw new SentryGrantDeniedException(grantorPrincipal
+ + " has no grant!");
+ }
+ //admin group check
+ if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) {
+ return;
+ }
+ //privilege grant option check
+ Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
+ if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
+ throw new SentryGrantDeniedException(grantorPrincipal
+ + " has no grant!");
+ }
+ }
+
+ @Override
+ public Set<String> getRolesByGroups(String component, Set<String> groups)
+ throws Exception {
+ if (groups == null || groups.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ Set<String> roles = Sets.newHashSet();
+ for (TSentryRole tSentryRole : delegate.getTSentryRolesByGroupName(groups,
+ true)) {
+ roles.add(tSentryRole.getRoleName());
+ }
+ return roles;
+ }
+
+ @Override
+ public Set<String> getGroupsByRoles(final String component, final Set<String> roles)
+ throws Exception {
+ // In all calls roles contain exactly one group
+ if (roles.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ // Collect resulting group names in a set
+ Set<String> groupNames = new HashSet<>();
+ for (String role : roles) {
+ MSentryRole sentryRole = null;
+ try {
+ sentryRole = delegate.getMSentryRoleByName(role);
+ }
+ catch (SentryNoSuchObjectException e) {
+ // Role disappeared - not a big deal, just ognore it
+ continue;
+ }
+ // Collect all group names for this role.
+ // Since we use a set, a group can appear multiple times and will only
+ // show up once in a set
+ for (MSentryGroup group : sentryRole.getGroups()) {
+ groupNames.add(group.getGroupName());
+ }
+ }
+
+ return groupNames;
+ }
+
+ @Override
+ public Set<PrivilegeObject> getPrivilegesByRole(final String component,
+ final Set<String> roles) throws Exception {
+ Preconditions.checkNotNull(roles);
+ if (roles.isEmpty()) {
+ return Collections.emptySet();
+ }
+ return delegate.getTransactionManager().executeTransaction(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ Set<MSentryRole> mRoles = new HashSet<>();
+ for (String role : roles) {
+ MSentryRole mRole = getRole(toTrimmedLower(role), pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+ return new HashSet<>(privilegeOperator.getPrivilegesByRole(mRoles, pm));
+ });
+ }
+
+ @Override
+ public Set<PrivilegeObject> getPrivilegesByProvider(final String component,
+ final String service, final Set<String> roles, final Set<String> groups,
+ final List<? extends Authorizable> authorizables) throws Exception {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+
+ return delegate.getTransactionManager().executeTransaction(
+ pm -> {
+ pm.setDetachAllOnCommit(false); // No need to detach objects
+ String trimmedComponent = toTrimmedLower(component);
+ String trimmedService = toTrimmedLower(service);
+
+ //CaseInsensitive roleNames
+ Set<String> trimmedRoles = SentryStore.toTrimedLower(roles);
+
+ if (groups != null) {
+ trimmedRoles.addAll(delegate.getRoleNamesForGroups(groups));
+ }
+
+ if (trimmedRoles.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ Set<MSentryRole> mRoles = new HashSet<>(trimmedRoles.size());
+ for (String role : trimmedRoles) {
+ MSentryRole mRole = getRole(role, pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+ //get the privileges
+ Set<PrivilegeObject> privileges = new HashSet<>();
+ privileges.addAll(privilegeOperator.
+ getPrivilegesByProvider(trimmedComponent,
+ trimmedService, mRoles, authorizables, pm));
+ return privileges;
+ });
+ }
+
+ @Override
+ public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(final String component,
+ final String service, final Set<String> validActiveRoles,
+ final List<? extends Authorizable> authorizables) throws Exception {
+ if (validActiveRoles == null || validActiveRoles.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+
+ return delegate.getTransactionManager().executeTransaction(
+ pm -> {
+ String lComponent = toTrimmedLower(component);
+ String lService = toTrimmedLower(service);
+ Set<MSentryRole> mRoles = new HashSet<>(validActiveRoles.size());
+ for (String role : validActiveRoles) {
+ MSentryRole mRole = getRole(role, pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+
+ //get the privileges
+ Set<MSentryGMPrivilege> mSentryGMPrivileges =
+ privilegeOperator.getPrivilegesByAuthorizable(lComponent, lService,
+ mRoles, authorizables, pm);
+
+ final Set<MSentryGMPrivilege> privileges =
+ new HashSet<>(mSentryGMPrivileges.size());
+ for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) {
+ /*
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(mSentryGMPrivilege);
+ privileges.add(mSentryGMPrivilege);
+ }
+ return privileges;
+ });
+ }
+
+ @Override
+ public void close() {
+ delegate.stop();
+ }
+
+ private Set<TSentryGroup> toTSentryGroups(Set<String> groups) {
+ if (groups.isEmpty()) {
+ return Collections.emptySet();
+ }
+ Set<TSentryGroup> tSentryGroups = new HashSet<>(groups.size());
+ for (String group : groups) {
+ tSentryGroups.add(new TSentryGroup(group));
+ }
+ return tSentryGroups;
+ }
+
+ private static Set<String> toTrimmed(Set<String> s) {
+ if (s.isEmpty()) {
+ return Collections.emptySet();
+ }
+ Set<String> result = new HashSet<>(s.size());
+ for (String v : s) {
+ result.add(v.trim());
+ }
+ return result;
+ }
+
+ private static String toTrimmedLower(String s) {
+ if (s == null) {
+ return "";
+ }
+ return s.trim().toLowerCase();
+ }
+
+ private Set<String> getRequestorGroups(String userName)
+ throws SentryUserException {
+ return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName);
+ }
+
+ @VisibleForTesting
+ void clearAllTables() throws Exception {
+ delegate.getTransactionManager().executeTransaction(
+ pm -> {
+ pm.newQuery(MSentryRole.class).deletePersistentAll();
+ pm.newQuery(MSentryGroup.class).deletePersistentAll();
+ pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
+ return null;
+ });
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
new file mode 100644
index 0000000..feab1e9
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
@@ -0,0 +1,231 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+
+public final class PrivilegeObject {
+ private final String component;
+ private final String service;
+ private final String action;
+ private final Boolean grantOption;
+ private List<? extends Authorizable> authorizables;
+
+ private PrivilegeObject(String component, String service, String action,
+ Boolean grantOption,
+ List<? extends Authorizable> authorizables) {
+ this.component = component;
+ this.service = service;
+ this.action = action;
+ this.grantOption = grantOption;
+ this.authorizables = authorizables;
+ }
+
+ public List<? extends Authorizable> getAuthorizables() {
+ return authorizables;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public String getComponent() {
+ return component;
+ }
+
+ public String getService() {
+ return service;
+ }
+
+ public Boolean getGrantOption() {
+ return grantOption;
+ }
+
+ @Override
+ public String toString() {
+ List<String> authorizable = Lists.newArrayList();
+ for (Authorizable az : authorizables) {
+ authorizable.add(KV_JOINER.join(az.getTypeName(),az.getName()));
+ }
+ return "PrivilegeObject [" + ", service=" + service + ", component="
+ + component + ", authorizables=" + AUTHORIZABLE_JOINER.join(authorizable)
+ + ", action=" + action + ", grantOption=" + grantOption + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result + ((component == null) ? 0 : component.hashCode());
+ result = prime * result + ((service == null) ? 0 : service.hashCode());
+ result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
+ for (Authorizable authorizable : authorizables) {
+ result = prime * result + authorizable.getTypeName().hashCode();
+ result = prime * result + authorizable.getName().hashCode();
+ }
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ PrivilegeObject other = (PrivilegeObject) obj;
+ if (action == null) {
+ if (other.action != null) {
+ return false;
+ }
+ } else if (!action.equals(other.action)) {
+ return false;
+ }
+ if (service == null) {
+ if (other.service != null) {
+ return false;
+ }
+ } else if (!service.equals(other.service)) {
+ return false;
+ }
+ if (component == null) {
+ if (other.component != null) {
+ return false;
+ }
+ } else if (!component.equals(other.component)) {
+ return false;
+ }
+ if (grantOption == null) {
+ if (other.grantOption != null) {
+ return false;
+ }
+ } else if (!grantOption.equals(other.grantOption)) {
+ return false;
+ }
+
+ if (authorizables.size() != other.authorizables.size()) {
+ return false;
+ }
+ for (int i = 0; i < authorizables.size(); i++) {
+ String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
+ authorizables.get(i).getName());
+ String o2 = KV_JOINER.join(other.authorizables.get(i).getTypeName(),
+ other.authorizables.get(i).getName());
+ if (!o1.equalsIgnoreCase(o2)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ public static class Builder {
+ private String component;
+ private String service;
+ private String action;
+ private Boolean grantOption;
+ private List<? extends Authorizable> authorizables;
+
+ public Builder() {
+
+ }
+
+ public Builder(PrivilegeObject privilege) {
+ this.component = privilege.component;
+ this.service = privilege.service;
+ this.action = privilege.action;
+ this.grantOption = privilege.grantOption;
+ this.authorizables = privilege.authorizables;
+ }
+
+ public Builder setComponent(String component) {
+ this.component = component;
+ return this;
+ }
+
+ public Builder setService(String service) {
+ this.service = service;
+ return this;
+ }
+
+ public Builder setAction(String action) {
+ this.action = action;
+ return this;
+ }
+
+ public Builder withGrantOption(Boolean grantOption) {
+ this.grantOption = grantOption;
+ return this;
+ }
+
+ public Builder setAuthorizables(List<? extends Authorizable> authorizables) {
+ this.authorizables = authorizables;
+ return this;
+ }
+
+ /**
+ * TolowerCase the authorizable name, the authorizable type is define when it was created.
+ * Take the Solr for example, it has two Authorizable objects. They have the type Collection
+ * and Field, they are can't be changed. So we should unified the authorizable name tolowercase.
+ * @return new authorizable lists
+ */
+ private List<? extends Authorizable> toLowerAuthorizableName(List<? extends Authorizable> authorizables) {
+ List<Authorizable> newAuthorizable = Lists.newArrayList();
+ if (authorizables == null || authorizables.size() == 0) {
+ return newAuthorizable;
+ }
+ for (final Authorizable authorizable : authorizables) {
+ newAuthorizable.add(new Authorizable() {
+ @Override
+ public String getTypeName() {
+ return authorizable.getTypeName();
+ }
+ @Override
+ public String getName() {
+ return authorizable.getName();
+ }
+ });
+ }
+ return newAuthorizable;
+ }
+
+ public PrivilegeObject build() {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+ Preconditions.checkNotNull(action);
+ //CaseInsensitive authorizable name
+ List<? extends Authorizable> newAuthorizable = toLowerAuthorizableName(authorizables);
+
+ return new PrivilegeObject(component.toLowerCase(),
+ service.toLowerCase(),
+ action.toLowerCase(),
+ grantOption,
+ newAuthorizable);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
new file mode 100644
index 0000000..876ee14
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
@@ -0,0 +1,568 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.lang.reflect.Constructor;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.BitFieldAction;
+import org.apache.sentry.core.common.BitFieldActionFactory;
+import org.apache.sentry.core.model.indexer.IndexerActionFactory;
+import org.apache.sentry.core.model.kafka.KafkaActionFactory;
+import org.apache.sentry.core.model.solr.SolrActionFactory;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.persistent.QueryParamBuilder;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.service.common.ServiceConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.apache.sentry.provider.db.service.persistent.SentryStore.toNULLCol;
+
+/**
+ * Sentry Generic model privilege persistence support.
+ * <p>
+ * This class is similar to {@link SentryStore} but operates on generic
+ * privileges.
+ */
+public class PrivilegeOperatePersistence {
+ private static final String SERVICE_NAME = "serviceName";
+ private static final String COMPONENT_NAME = "componentName";
+ private static final String SCOPE = "scope";
+ private static final String ACTION = "action";
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(PrivilegeOperatePersistence.class);
+ private static final Map<String, BitFieldActionFactory> actionFactories = Maps.newHashMap();
+ static{
+ actionFactories.put("solr", new SolrActionFactory());
+ actionFactories.put("sqoop", new SqoopActionFactory());
+ actionFactories.put("kafka", KafkaActionFactory.getInstance());
+ actionFactories.put("hbaseindexer", new IndexerActionFactory());
+ }
+
+ private final Configuration conf;
+
+ PrivilegeOperatePersistence(Configuration conf) {
+ this.conf = conf;
+ }
+
+ /**
+ * Return query builder to execute in JDO for search the given privilege
+ * @param privilege Privilege to extract
+ * @return query builder suitable for executing the query
+ */
+ private static QueryParamBuilder toQueryParam(MSentryGMPrivilege privilege) {
+ QueryParamBuilder paramBuilder = QueryParamBuilder.newQueryParamBuilder();
+ paramBuilder.add(SERVICE_NAME, toNULLCol(privilege.getServiceName()), true)
+ .add(COMPONENT_NAME, toNULLCol(privilege.getComponentName()), true)
+ .add(SCOPE, toNULLCol(privilege.getScope()), true)
+ .add(ACTION, toNULLCol(privilege.getAction()), true);
+
+ Boolean grantOption = privilege.getGrantOption();
+ paramBuilder.addObject(SentryStore.GRANT_OPTION, grantOption);
+
+ List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+ int nAuthorizables = authorizables.size();
+ for (int i = 0; i < MSentryGMPrivilege.AUTHORIZABLE_LEVEL; i++) {
+ String resourceName = MSentryGMPrivilege.PREFIX_RESOURCE_NAME + String.valueOf(i);
+ String resourceType = MSentryGMPrivilege.PREFIX_RESOURCE_TYPE + String.valueOf(i);
+
+ if (i >= nAuthorizables) {
+ paramBuilder.addNull(resourceName);
+ paramBuilder.addNull(resourceType);
+ } else {
+ paramBuilder.add(resourceName, authorizables.get(i).getName(), true);
+ paramBuilder.add(resourceType, authorizables.get(i).getTypeName(), true);
+ }
+ }
+ return paramBuilder;
+ }
+
+ /**
+ * Create a query template tha includes information from the input privilege:
+ * <ul>
+ * <li>Service name</li>
+ * <li>Component name</li>
+ * <li>Name and type for each authorizable present</li>
+ * </ul>
+ * For exmaple, for Solr may configure the following privileges:
+ * <ul>
+ * <li>{@code p1:Collection=c1->action=query}</li>
+ * <li>{@code p2:Collection=c1->Field=f1->action=query}</li>
+ * <li>{@code p3:Collection=c1->Field=f2->action=query}</li>
+ * </ul>
+ * When the request for privilege revoke has
+ * {@code p4:Collection=c1->action=query}
+ * all privileges matching {@code Collection=c1} should be revoke which means that p1, p2 and p3
+ * should all be revoked.
+ *
+ * @param privilege Source privilege
+ * @return ParamBuilder suitable for executing the query
+ */
+ private static QueryParamBuilder populateIncludePrivilegesParams(MSentryGMPrivilege privilege) {
+ QueryParamBuilder paramBuilder = QueryParamBuilder.newQueryParamBuilder();
+ paramBuilder.add(SERVICE_NAME, toNULLCol(privilege.getServiceName()), true);
+ paramBuilder.add(COMPONENT_NAME, toNULLCol(privilege.getComponentName()), true);
+
+ List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+ int i = 0;
+ for(Authorizable auth: authorizables) {
+ String resourceName = MSentryGMPrivilege.PREFIX_RESOURCE_NAME + String.valueOf(i);
+ String resourceType = MSentryGMPrivilege.PREFIX_RESOURCE_TYPE + String.valueOf(i);
+ paramBuilder.add(resourceName, auth.getName(), true);
+ paramBuilder.add(resourceType, auth.getTypeName(), true);
+ i++;
+ }
+ return paramBuilder;
+ }
+
+ /**
+ * Verify whether specified privilege can be granted
+ * @param roles set of roles for the privilege
+ * @param privilege privilege being checked
+ * @param pm Persistentence manager instance
+ * @return true iff at least one privilege within the role allows for the
+ * requested privilege
+ */
+ boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
+ MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+ if (roles.isEmpty()) {
+ return false;
+ }
+ // get persistent privileges by roles
+ // Find all GM privileges for all the input roles
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null,
+ SentryStore.rolesToRoleNames(roles));
+ query.setFilter(paramBuilder.toString());
+ List<MSentryGMPrivilege> tPrivileges =
+ (List<MSentryGMPrivilege>)query.executeWithMap(paramBuilder.getArguments());
+
+ for (MSentryGMPrivilege tPrivilege : tPrivileges) {
+ if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+ MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege);
+ grantRolePartial(mPrivilege, role, pm);
+ }
+
+ private void grantRolePartial(MSentryGMPrivilege grantPrivilege,
+ MSentryRole role,PersistenceManager pm) throws SentryUserException {
+ /*
+ * If Grant is for ALL action and other actions belongs to ALL action already exists..
+ * need to remove it and GRANT ALL action
+ */
+ String component = grantPrivilege.getComponentName();
+ BitFieldAction action = getAction(component, grantPrivilege.getAction());
+ BitFieldAction allAction = getAction(component, Action.ALL);
+
+ if (action.implies(allAction)) {
+ /*
+ * ALL action is a multi-bit set action that includes some actions such as INSERT,SELECT and CREATE.
+ */
+ List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+ for (BitFieldAction ac : actions) {
+ grantPrivilege.setAction(ac.getValue());
+ MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm);
+ if (existPriv != null && role.getGmPrivileges().contains(existPriv)) {
+ /*
+ * force to load all roles related this privilege
+ * avoid the lazy-loading risk,such as:
+ * if the roles field of privilege aren't loaded, then the roles is a empty set
+ * privilege.removeRole(role) and pm.makePersistent(privilege)
+ * will remove other roles that shouldn't been removed
+ */
+ pm.retrieve(existPriv);
+ existPriv.removeRole(role);
+ pm.makePersistent(existPriv);
+ }
+ }
+ } else {
+ /*
+ * If ALL Action already exists..
+ * do nothing.
+ */
+ grantPrivilege.setAction(allAction.getValue());
+ MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm);
+ if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) {
+ return;
+ }
+ }
+
+ /*
+ * restore the action
+ */
+ grantPrivilege.setAction(action.getValue());
+ /*
+ * check the privilege is exist or not
+ */
+ MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm);
+ if (mPrivilege == null) {
+ mPrivilege = grantPrivilege;
+ }
+ mPrivilege.appendRole(role);
+ pm.makePersistent(mPrivilege);
+ }
+
+
+ public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+ MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm);
+ if (mPrivilege == null) {
+ mPrivilege = convertToPrivilege(privilege);
+ } else {
+ mPrivilege = pm.detachCopy(mPrivilege);
+ }
+
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm));
+
+ /*
+ * Get the privilege graph
+ * populateIncludePrivileges will get the privileges that needed revoke
+ */
+ for (MSentryGMPrivilege persistedPriv : privilegeGraph) {
+ /*
+ * force to load all roles related this privilege
+ * avoid the lazy-loading risk,such as:
+ * if the roles field of privilege aren't loaded, then the roles is a empty set
+ * privilege.removeRole(role) and pm.makePersistent(privilege)
+ * will remove other roles that shouldn't been removed
+ */
+ revokeRolePartial(mPrivilege, persistedPriv, role, pm);
+ }
+ pm.makePersistent(role);
+ }
+
+ private Set<MSentryGMPrivilege> populateIncludePrivileges(Set<MSentryRole> roles,
+ MSentryGMPrivilege parent, PersistenceManager pm) {
+ Set<MSentryGMPrivilege> childrens = Sets.newHashSet();
+
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ QueryParamBuilder paramBuilder = populateIncludePrivilegesParams(parent);
+
+ // add filter for role names
+ if ((roles != null) && !roles.isEmpty()) {
+ QueryParamBuilder.addRolesFilter(query, paramBuilder, SentryStore.rolesToRoleNames(roles));
+ }
+ query.setFilter(paramBuilder.toString());
+
+ List<MSentryGMPrivilege> privileges =
+ (List<MSentryGMPrivilege>)query.executeWithMap(paramBuilder.getArguments());
+ childrens.addAll(privileges);
+ return childrens;
+ }
+
+ /**
+ * Roles can be granted multi-bit set action like ALL action on resource object.
+ * Take solr component for example, When a role has been granted ALL action but
+ * QUERY or UPDATE or CREATE are revoked, we need to remove the ALL
+ * privilege and add left privileges like UPDATE and CREATE(QUERY was revoked) or
+ * QUERY and UPDATE(CREATEE was revoked).
+ */
+ private void revokeRolePartial(MSentryGMPrivilege revokePrivilege,
+ MSentryGMPrivilege persistedPriv, MSentryRole role,
+ PersistenceManager pm) throws SentryUserException {
+ String component = revokePrivilege.getComponentName();
+ BitFieldAction revokeaction = getAction(component, revokePrivilege.getAction());
+ BitFieldAction persistedAction = getAction(component, persistedPriv.getAction());
+ BitFieldAction allAction = getAction(component, Action.ALL);
+
+ if (revokeaction.implies(allAction)) {
+ /*
+ * if revoke action is ALL, directly revoke its children privileges and itself
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+ } else {
+ /*
+ * if persisted action is ALL, it only revoke the requested action and left partial actions
+ * like the requested action is SELECT, the UPDATE and CREATE action are left
+ */
+ if (persistedAction.implies(allAction)) {
+ /*
+ * revoke the ALL privilege
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+
+ List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+ for (BitFieldAction ac: actions) {
+ if (ac.getActionCode() != revokeaction.getActionCode()) {
+ /*
+ * grant the left privileges to role
+ */
+ MSentryGMPrivilege tmpPriv = new MSentryGMPrivilege(persistedPriv);
+ tmpPriv.setAction(ac.getValue());
+ MSentryGMPrivilege leftPersistedPriv = getPrivilege(tmpPriv, pm);
+ if (leftPersistedPriv == null) {
+ //leftPersistedPriv isn't exist
+ leftPersistedPriv = tmpPriv;
+ role.appendGMPrivilege(leftPersistedPriv);
+ }
+ leftPersistedPriv.appendRole(role);
+ pm.makePersistent(leftPersistedPriv);
+ }
+ }
+ } else if (revokeaction.implies(persistedAction)) {
+ /*
+ * if the revoke action is equal to the persisted action and they aren't ALL action
+ * directly remove the role from privilege
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+ }
+ /*
+ * if the revoke action is not equal to the persisted action,
+ * do nothing
+ */
+ }
+ }
+
+ /**
+ * Drop any role related to the requested privilege and its children privileges
+ */
+ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) throws SentryUserException {
+ MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+
+ if (Strings.isNullOrEmpty(privilege.getAction())) {
+ requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue());
+ }
+ /*
+ * Get the privilege graph
+ * populateIncludePrivileges will get the privileges that need dropped,
+ */
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm));
+
+ for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+ /*
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(mPrivilege);
+ Set<MSentryRole> roles = mPrivilege.getRoles();
+ for (MSentryRole role : roles) {
+ revokeRolePartial(requestPrivilege, mPrivilege, role, pm);
+ }
+ }
+ }
+
+ private MSentryGMPrivilege convertToPrivilege(PrivilegeObject privilege) {
+ return new MSentryGMPrivilege(privilege.getComponent(),
+ privilege.getService(), privilege.getAuthorizables(),
+ privilege.getAction(), privilege.getGrantOption());
+ }
+
+ private MSentryGMPrivilege getPrivilege(MSentryGMPrivilege privilege, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ QueryParamBuilder paramBuilder = toQueryParam(privilege);
+ query.setFilter(paramBuilder.toString());
+ query.setUnique(true);
+ MSentryGMPrivilege result = (MSentryGMPrivilege)query.executeWithMap(paramBuilder.getArguments());
+ return result;
+ }
+
+ /**
+ * Get all privileges associated with a given roles
+ * @param roles Set of roles
+ * @param pm Persistence manager instance
+ * @return Set (potentially empty) of privileges associated with roles
+ */
+ Set<PrivilegeObject> getPrivilegesByRole(Set<MSentryRole> roles, PersistenceManager pm) {
+ if (roles == null || roles.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ // Find privileges matching all roles
+ QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null,
+ SentryStore.rolesToRoleNames(roles));
+ query.setFilter(paramBuilder.toString());
+ List<MSentryGMPrivilege> mPrivileges =
+ (List<MSentryGMPrivilege>)query.executeWithMap(paramBuilder.getArguments());
+ if (mPrivileges.isEmpty()) {
+ return Collections.emptySet();
+ }
+
+ Set<PrivilegeObject> privileges = new HashSet<>(mPrivileges.size());
+ for (MSentryGMPrivilege mPrivilege : mPrivileges) {
+ privileges.add(new Builder()
+ .setComponent(mPrivilege.getComponentName())
+ .setService(mPrivilege.getServiceName())
+ .setAction(mPrivilege.getAction())
+ .setAuthorizables(mPrivilege.getAuthorizables())
+ .withGrantOption(mPrivilege.getGrantOption())
+ .build());
+ }
+ return privileges;
+ }
+
+ Set<PrivilegeObject> getPrivilegesByProvider(String component,
+ String service, Set<MSentryRole> roles,
+ List<? extends Authorizable> authorizables, PersistenceManager pm) {
+ Set<PrivilegeObject> privileges = Sets.newHashSet();
+ if (roles == null || roles.isEmpty()) {
+ return privileges;
+ }
+
+ MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+
+ for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+ privileges.add(new Builder()
+ .setComponent(mPrivilege.getComponentName())
+ .setService(mPrivilege.getServiceName())
+ .setAction(mPrivilege.getAction())
+ .setAuthorizables(mPrivilege.getAuthorizables())
+ .withGrantOption(mPrivilege.getGrantOption())
+ .build());
+ }
+ return privileges;
+ }
+
+ Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component,
+ String service, Set<MSentryRole> roles,
+ List<? extends Authorizable> authorizables, PersistenceManager pm) {
+
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+
+ if (roles == null || roles.isEmpty()) {
+ return privilegeGraph;
+ }
+
+ MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+ privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+ return privilegeGraph;
+ }
+
+ public void renamePrivilege(String component, String service,
+ List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables,
+ String grantorPrincipal, PersistenceManager pm)
+ throws SentryUserException {
+ MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null);
+ oldPrivilege.setAction(getAction(component,Action.ALL).getValue());
+ /*
+ * Get the privilege graph
+ * populateIncludePrivileges will get the old privileges that need dropped
+ */
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm));
+
+ for (MSentryGMPrivilege dropPrivilege : privilegeGraph) {
+ /*
+ * construct the new privilege needed to add
+ */
+ List<Authorizable> authorizables = new ArrayList<Authorizable>(
+ dropPrivilege.getAuthorizables());
+ for (int i = 0; i < newAuthorizables.size(); i++) {
+ authorizables.set(i, newAuthorizables.get(i));
+ }
+ MSentryGMPrivilege newPrivilge = new MSentryGMPrivilege(
+ component,service, authorizables, dropPrivilege.getAction(),
+ dropPrivilege.getGrantOption());
+
+ /*
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(dropPrivilege);
+
+ Set<MSentryRole> roles = dropPrivilege.getRoles();
+ for (MSentryRole role : roles) {
+ revokeRolePartial(oldPrivilege, dropPrivilege, role, pm);
+ grantRolePartial(newPrivilge, role, pm);
+ }
+ }
+ }
+
+ private BitFieldAction getAction(String component, String name) throws SentryUserException {
+ BitFieldActionFactory actionFactory = getActionFactory(component);
+ BitFieldAction action = actionFactory.getActionByName(name);
+ if (action == null) {
+ throw new SentryUserException("Can not get BitFieldAction for name: " + name);
+ }
+ return action;
+ }
+
+ private BitFieldActionFactory getActionFactory(String component) throws SentryUserException {
+ String caseInsensitiveComponent = component.toLowerCase();
+ if (actionFactories.containsKey(caseInsensitiveComponent)) {
+ return actionFactories.get(caseInsensitiveComponent);
+ }
+ BitFieldActionFactory actionFactory = createActionFactory(caseInsensitiveComponent);
+ actionFactories.put(caseInsensitiveComponent, actionFactory);
+ LOGGER.info("Action factory for component {} is not found in cache. Loaded it from configuration as {}.",
+ component, actionFactory.getClass().getName());
+ return actionFactory;
+ }
+
+ private BitFieldActionFactory createActionFactory(String component) throws SentryUserException {
+ String actionFactoryClassName =
+ conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, component));
+ if (actionFactoryClassName == null) {
+ throw new SentryUserException("ActionFactory not defined for component " + component +
+ ". Please define the parameter " +
+ "sentry." + component + ".action.factory in configuration");
+ }
+ Class<?> actionFactoryClass;
+ try {
+ actionFactoryClass = Class.forName(actionFactoryClassName);
+ } catch (ClassNotFoundException e) {
+ throw new SentryUserException("ActionFactory class " + actionFactoryClassName + " not found.");
+ }
+ if (!BitFieldActionFactory.class.isAssignableFrom(actionFactoryClass)) {
+ throw new SentryUserException("ActionFactory class " + actionFactoryClassName + " must extend "
+ + BitFieldActionFactory.class.getName());
+ }
+ BitFieldActionFactory actionFactory;
+ try {
+ Constructor<?> actionFactoryConstructor = actionFactoryClass.getDeclaredConstructor();
+ actionFactoryConstructor.setAccessible(true);
+ actionFactory = (BitFieldActionFactory) actionFactoryClass.newInstance();
+ } catch (NoSuchMethodException | InstantiationException | IllegalAccessException e) {
+ throw new SentryUserException("Could not instantiate actionFactory " + actionFactoryClassName +
+ " for component: " + component, e);
+ }
+ return actionFactory;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
new file mode 100644
index 0000000..eec2757
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
@@ -0,0 +1,186 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+
+/**
+ * Sentry store for persistent the authorize object to database
+ */
+public interface SentryStoreLayer {
+ /**
+ * Create a role
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param requestor: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object createRole(String component, String role,
+ String requestor) throws Exception;
+
+ /**
+ * Drop a role
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param requestor: user on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object dropRole(String component, String role,
+ String requestor) throws Exception;
+
+ /**
+ * Add a role to groups.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param groups: The name of groups
+ * @param requestor: User on whose behalf the request is issued
+ * @throws Exception
+ */
+ Object alterRoleAddGroups(String component, String role,
+ Set<String> groups, String requestor) throws Exception;
+
+ /**
+ * Delete a role from groups.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param groups: The name of groups
+ * @param requestor: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object alterRoleDeleteGroups(String component, String role,
+ Set<String> groups, String requestor) throws Exception;
+
+ /**
+ * Grant a privilege to role.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param privilege: The privilege object will be granted
+ * @param grantorPrincipal: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object alterRoleGrantPrivilege(String component, String role,
+ PrivilegeObject privilege, String grantorPrincipal) throws Exception;
+
+ /**
+ * Revoke a privilege from role.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param privilege: The privilege object will revoked
+ * @param grantorPrincipal: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object alterRoleRevokePrivilege(String component, String role,
+ PrivilegeObject privilege, String grantorPrincipal) throws Exception;
+
+ /**
+ * Rename privilege
+ *
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param oldAuthorizables: The old list of authorize objects
+ * @param newAuthorizables: The new list of authorize objects
+ * @param requestor: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object renamePrivilege(
+ String component, String service, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables, String requestor) throws Exception;
+
+ /**
+ * Drop privilege
+ * @param component: The request respond to which component
+ * @param privilege: The privilege will be dropped
+ * @param requestor: User on whose behalf the request is launched
+ * @throws Exception
+ */
+ Object dropPrivilege(String component, PrivilegeObject privilege,
+ String requestor) throws Exception;
+
+ /**
+ * Get roles
+ * @param component: The request respond to which component
+ * @param groups: The name of groups
+ * @returns the set of roles
+ * @throws Exception
+ */
+ Set<String> getRolesByGroups(String component, Set<String> groups) throws Exception;
+
+ /**
+ * Get groups
+ * @param component: The request respond to which component
+ * @param roles: The name of roles
+ * @returns the set of groups
+ * @throws Exception
+ */
+ Set<String> getGroupsByRoles(String component, Set<String> roles) throws Exception;
+
+ /**
+ * Get privileges
+ * @param component: The request respond to which component
+ * @param roles: The name of roles
+ * @returns the set of privileges
+ * @throws Exception
+ */
+ Set<PrivilegeObject> getPrivilegesByRole(String component, Set<String> roles) throws Exception;
+
+ /**
+ * get sentry privileges from provider as followings:
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param roles: The name of roles
+ * @param groups: The name of groups
+ * @param authorizables: The list of authorize objects
+ * @returns the set of privileges
+ * @throws Exception
+ */
+
+ Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<String> roles,
+ Set<String> groups, List<? extends Authorizable> authorizables)
+ throws Exception;
+
+ /**
+ * Get all roles name.
+ *
+ * @returns The set of roles name,
+ */
+ Set<String> getAllRoleNames() throws Exception;
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects.
+ *
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param validActiveRoles: The valid active roles
+ * @param authorizables: The list of authorize objects
+ * @returns The set of MSentryGMPrivilege
+ * @throws Exception
+ */
+ Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
+ Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
+ throws Exception;
+
+ /**
+ * close sentryStore
+ */
+ void close();
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
new file mode 100644
index 0000000..6a2c77f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
@@ -0,0 +1,191 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
+
+import com.google.common.collect.Lists;
+
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.sentry.api.generic.thrift.TAuthorizable;
+import org.apache.sentry.api.generic.thrift.TSentryGrantOption;
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.indexer.IndexerModelAuthorizables;
+import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
+import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
+import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
+import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
+import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
+import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
+import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
+import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
+import org.apache.sentry.provider.common.AuthorizationComponent;
+import org.apache.shiro.config.ConfigurationException;
+
+/**
+ * A TSentryPrivilegeConverter implementation for "Generic" privileges, covering Apache Kafka, Apache Solr and Apache Sqoop.
+ * It converts privilege Strings to TSentryPrivilege Objects, and vice versa, for Generic clients.
+ *
+ * When a privilege String is converted to a TSentryPrivilege in "fromString", the validators associated with the
+ * given privilege model are also called on the privilege String.
+ */
+public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
+ private String component;
+ private String service;
+ private boolean validate;
+
+ public GenericPrivilegeConverter(String component, String service) {
+ this(component, service, true);
+ }
+
+ public GenericPrivilegeConverter(String component, String service, boolean validate) {
+ this.component = component;
+ this.service = service;
+ this.validate = validate;
+ }
+
+ public TSentryPrivilege fromString(String privilegeStr) throws SentryUserException {
+ privilegeStr = parsePrivilegeString(privilegeStr);
+ if (validate) {
+ validatePrivilegeHierarchy(privilegeStr);
+ }
+
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue keyValue = new KeyValue(authorizable);
+ String key = keyValue.getKey();
+ String value = keyValue.getValue();
+
+ Authorizable authz = getAuthorizable(keyValue);
+ if (authz != null) {
+ authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ } else {
+ throw new IllegalArgumentException("Unknown key: " + key);
+ }
+ }
+
+ if (tSentryPrivilege.getAction() == null) {
+ throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
+ }
+ tSentryPrivilege.setComponent(component);
+ tSentryPrivilege.setServiceName(service);
+ tSentryPrivilege.setAuthorizables(authorizables);
+ return tSentryPrivilege;
+ }
+
+ public String toString(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+
+ Iterator<TAuthorizable> it = authorizables.iterator();
+ if (it != null) {
+ while (it.hasNext()) {
+ TAuthorizable tAuthorizable = it.next();
+ privileges.add(SentryConstants.KV_JOINER.join(
+ tAuthorizable.getType(), tAuthorizable.getName()));
+ }
+ }
+
+ if (!authorizables.isEmpty()) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private String parsePrivilegeString(String privilegeStr) {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
+ final String hostPrefixLowerCase = hostPrefix.toLowerCase();
+ if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
+ return hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
+ }
+ }
+
+ return privilegeStr;
+ }
+
+ private void validatePrivilegeHierarchy(String privilegeStr) throws SentryUserException {
+ List<PrivilegeValidator> validators = getPrivilegeValidators();
+ PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
+ for (PrivilegeValidator validator : validators) {
+ try {
+ validator.validate(context);
+ } catch (ConfigurationException e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+ }
+
+ protected List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaPrivilegeModel.getInstance().getPrivilegeValidators();
+ } else if ("SOLR".equals(component)) {
+ return SolrPrivilegeModel.getInstance().getPrivilegeValidators();
+ } else if (AuthorizationComponent.SQOOP.equals(component)) {
+ return SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service);
+ } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) {
+ return IndexerPrivilegeModel.getInstance().getPrivilegeValidators();
+ }
+
+ throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
+ }
+
+ protected Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaModelAuthorizables.from(keyValue);
+ } else if ("SOLR".equals(component)) {
+ return SolrModelAuthorizables.from(keyValue);
+ } else if (AuthorizationComponent.SQOOP.equals(component)) {
+ return SqoopModelAuthorizables.from(keyValue);
+ } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) {
+ return IndexerModelAuthorizables.from(keyValue);
+ }
+
+ throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
new file mode 100644
index 0000000..fc55575
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
@@ -0,0 +1,35 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.core.common.exception.SentryUserException;
+
+public interface TSentryPrivilegeConverter {
+
+ /**
+ * Convert string to privilege
+ */
+ TSentryPrivilege fromString(String privilegeStr) throws SentryUserException;
+
+ /**
+ * Convert privilege to string
+ */
+ String toString(TSentryPrivilege tSentryPrivilege);
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
new file mode 100644
index 0000000..8000ebd
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.appender;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.AppenderSkeleton;
+import org.apache.log4j.Level;
+import org.apache.log4j.spi.LoggingEvent;
+
+import com.google.common.annotations.VisibleForTesting;
+
+@VisibleForTesting
+public class AuditLoggerTestAppender extends AppenderSkeleton {
+ public static final List<LoggingEvent> events = new ArrayList<LoggingEvent>();
+
+ public void close() {
+ }
+
+ public boolean requiresLayout() {
+ return false;
+ }
+
+ @Override
+ protected void append(LoggingEvent event) {
+ events.add(event);
+ }
+
+ public static String getLastLogEvent() {
+ return events.get(events.size() - 1).getMessage().toString();
+ }
+
+ public static Level getLastLogLevel() {
+ return events.get(events.size() - 1).getLevel();
+ }
+}