Posted to commits@sentry.apache.org by ka...@apache.org on 2018/05/31 16:22:10 UTC
sentry git commit: SENTRY-2246: Construct owner privilege
(TSentryPrivilege) (Kalyan Kumar kalvagadda, reviewed-by Na Li, Sergio Pena)
Repository: sentry
Updated Branches:
refs/heads/master 7db84b2fe -> e6703a580
SENTRY-2246: Construct owner privilege (TSentryPrivilege) (Kalyan Kumar kalvagadda, reviewed-by Na Li, Sergio Pena)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e6703a58
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e6703a58
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e6703a58
Branch: refs/heads/master
Commit: e6703a5802962689ef60dd8f952cb09b988dbced
Parents: 7db84b2
Author: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Authored: Thu May 31 11:20:38 2018 -0500
Committer: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Committed: Thu May 31 11:20:38 2018 -0500
----------------------------------------------------------------------
.../sentry/service/common/ServiceConstants.java | 13 +++
.../thrift/SentryPolicyStoreProcessor.java | 34 ++++++
.../thrift/TestSentryPolicyStoreProcessor.java | 112 ++++++++++++++++++-
3 files changed, 158 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
index 53daae8..777c262 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
@@ -244,6 +244,19 @@ public class ServiceConstants {
*/
public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count";
public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100;
+
+ /**
+ * Controls the owner privileges feature.
+ */
+ public static final String SENTRY_ENABLE_OWNER_PRIVILEGES = "sentry.enable.owner.privileges";
+ public static final Boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false;
+
+ /**
+ * This value is used to decide if a owner privilege created by sentry server
+ * should have grant option.
+ */
+ public static final String SENTRY_OWNER_PRIVILEGE_WITH_GRANT = "sentry.grant.owner.privileges.with.grant";
+ public static final Boolean SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT = false;
}
public static final String SENTRY_ZK_JAAS_NAME = "Sentry";
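Review bot: The Javadoc on the two new keys does not say what turning them on changes for access control, although both widen what an object owner can do. For `SENTRY_OWNER_PRIVILEGE_WITH_GRANT` I would state the consequence directly, for example `When true, owner privileges created by the Sentry server carry the grant option; defaults to false.`, and give `SENTRY_ENABLE_OWNER_PRIVILEGES` a similar sentence naming the default. The two `_DEFAULT` constants are also declared as boxed `Boolean`; `public static final boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false;` (and likewise for the grant default) matches the primitive `int` default just above and removes any chance of a null being unboxed later.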
http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index c23683f..6886f10 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -72,6 +72,8 @@ import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
+import com.google.common.base.Strings;
+
import static org.apache.sentry.hdfs.Updateable.Update;
@@ -1236,4 +1238,36 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
}
return response;
}
+
+ /**
+ * This API constructs (@Link TSentryPrivilege} for authorizable provided
+ * based on the configurations.
+ *
+ * @param authorizable for which owner privilege should be constructed.
+ * @return null if owner privilege can not be constructed, else instance of {@Link TSentryPrivilege}
+ */
+ TSentryPrivilege constructOwnerPrivilege(TSentryAuthorizable authorizable) {
+ Boolean isOwnerPrivEnabled = conf.getBoolean(ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES,
+ ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT);
+ if(isOwnerPrivEnabled == false) {
+ return null;
+ }
+ if(Strings.isNullOrEmpty(authorizable.getDb())) {
+ LOGGER.error("Received authorizable with out DB Name");
+ return null;
+ }
+ Boolean privilegeWithGrantOption = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
+ ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT);
+
+ TSentryPrivilege ownerPrivilege = new TSentryPrivilege();
+ ownerPrivilege.setDbName(authorizable.getDb());
+ if(!Strings.isNullOrEmpty(authorizable.getTable())) {
+ ownerPrivilege.setTableName(authorizable.getTable());
+ }
+ if(privilegeWithGrantOption) {
+ ownerPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+ }
+ ownerPrivilege.setAction(AccessConstants.OWNER);
+ return ownerPrivilege;
+ }
}
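Review bot: `constructOwnerPrivilege` copies only the database and table names from `authorizable` into the new `TSentryPrivilege`; the server name the authorizable is constructed with and any privilege scope are never set. If the store or the Thrift struct expects those fields, every caller has to fill them in, so either set them here or say in the Javadoc that the result is partial (please confirm against the struct definition, which is outside this hunk). The method also dereferences `authorizable` without a null check, and it signals "feature disabled" and "bad input" with the same `null` return, which callers of an authorization path must remember to test. Smaller points: the Javadoc tags should read `{@link TSentryPrivilege}` (the first one opens with `(` and both use a capital `L`), and `if(isOwnerPrivEnabled == false)` on a boxed `Boolean` is clearer as a primitive `boolean` with `if (!isOwnerPrivEnabled)`.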
http://git-wip-us.apache.org/repos/asf/sentry/blob/e6703a58/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index efacf19..b028303 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -17,8 +17,13 @@
*/
package org.apache.sentry.api.service.thrift;
+import com.codahale.metrics.Gauge;
+import org.apache.sentry.api.common.ApiConstants;
import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.service.common.ServiceConstants;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.junit.Assert;
import org.apache.hadoop.conf.Configuration;
@@ -26,14 +31,66 @@ import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
import org.junit.Before;
import org.junit.Test;
+import org.mockito.Mockito;
public class TestSentryPolicyStoreProcessor {
private Configuration conf;
-
+ private static final SentryStore sentryStore = Mockito.mock(SentryStore.class);
@Before
public void setup() {
conf = new Configuration(false);
+
+ Mockito.when(sentryStore.getRoleCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPrivilegeCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getGroupCountGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getHMSWaitersCountGauge()).thenReturn(new Gauge<Integer>() {
+ @Override
+ public Integer getValue() {
+ return 0;
+ }
+ });
+ Mockito.when(sentryStore.getLastNotificationIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ }); Mockito.when(sentryStore.getLastPathsSnapshotIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPermChangeIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+ Mockito.when(sentryStore.getPathChangeIdGauge()).thenReturn(new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return 0L;
+ }
+ });
+
+
+
}
@Test(expected=SentrySiteConfigurationException.class)
public void testConfigNotNotificationHandler() throws Exception {
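Review bot: The eight stubs added to `setup()` repeat the same anonymous `Gauge` body, differing only in the getter name and in `Long` versus `Integer`, which makes the one line that breaks the layout (`}); Mockito.when(sentryStore.getLastPathsSnapshotIdGauge())...`) easy to miss. A small private helper that returns a constant-valued gauge would reduce each stub to one line and keep the anonymous class in a single place. The mock is also a `static final` field that is re-stubbed before every test; an instance field created in `setup()` would avoid state carrying over between tests. `setup()` starts outside the hunk.
```java
private static <T> Gauge<T> constantGauge(final T value) {
  return new Gauge<T>() {
    @Override
    public T getValue() {
      return value;
    }
  };
}

// in setup(), after conf is created:
Mockito.when(sentryStore.getRoleCountGauge()).thenReturn(constantGauge(0L));
// … unchanged in intent: the other Long-valued gauges follow the same pattern …
Mockito.when(sentryStore.getHMSWaitersCountGauge()).thenReturn(constantGauge(0));
```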
@@ -78,4 +135,57 @@ public class TestSentryPolicyStoreProcessor {
public void testSentryThriftAPIMatchVersion() throws Exception {
SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
}
+
+ @Test
+ public void testConstructOwnerPrivilege() throws Exception {
+ SentryPolicyStoreProcessor sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ TSentryAuthorizable authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+
+ //Check the behaviour when owner privileges feature is not configured.
+ Assert.assertNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+
+ //Check behaviour when DB name is not set
+ conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true);
+ sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setTable("tb1");
+ Assert.assertNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //Check the behavior when DB name is set and table name is not set.
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ privilege.setDbName("db1");
+ privilege.setAction(AccessConstants.OWNER);
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //check the behaviour when both DB name and table name are set
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+ privilege.setTableName("tb1");
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+
+ //Check the behavior when grant option is configured.
+ conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
+ true);
+ sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf, sentryStore);
+ authorizable = new TSentryAuthorizable("");
+ authorizable.setDb("db1");
+ authorizable.setTable("tb1");
+ privilege.setGrantOption(TSentryGrantOption.TRUE);
+ Assert.assertNotNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
+ }
}
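Review bot: `testConstructOwnerPrivilege` never exercises the grant flag on its own: the grant option is only switched on after `SENTRY_ENABLE_OWNER_PRIVILEGES` is already true in the shared `conf`. The combination that matters for a misconfigured server (grant flag set, feature flag off) should be pinned to return `null`, ideally with a fresh `Configuration` so the case does not depend on the order of the earlier steps. The single `privilege` object is also mutated from case to case, so each expectation depends on the ones before it; building the expected value per case would make failures easier to read. The `assertNotNull` before each `assertEquals` is redundant, since `assertEquals` against a non-null expected value already fails on `null`.
```java
// Grant flag on, feature flag off: no privilege may be constructed.
Configuration grantOnlyConf = new Configuration(false);
grantOnlyConf.setBoolean(ServiceConstants.ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT, true);
sentryServiceHandler =
    new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
        grantOnlyConf, sentryStore);
Assert.assertNull(sentryServiceHandler.constructOwnerPrivilege(authorizable));
```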