You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/04/13 08:37:20 UTC
sentry git commit: SENTRY-1177: Update SentryStore for export with
specific auth object(Colin Ma, reviewed by Dapeng Sun)
Repository: sentry
Updated Branches:
refs/heads/master e0ae5400b -> a3f7510bb
SENTRY-1177: Update SentryStore for export with specific auth object(Colin Ma, reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/a3f7510b
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/a3f7510b
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/a3f7510b
Branch: refs/heads/master
Commit: a3f7510bb57a85265ea1a6e829b857652ff95165
Parents: e0ae540
Author: Colin Ma <co...@apache.org>
Authored: Wed Apr 13 15:17:20 2016 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Wed Apr 13 15:17:20 2016 +0800
----------------------------------------------------------------------
.../db/service/persistent/SentryStore.java | 113 +++++++++++----
.../persistent/TestSentryStoreImportExport.java | 143 +++++++++++++++++++
2 files changed, 227 insertions(+), 29 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/a3f7510b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index dbb5d8e..22162eb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -2014,31 +2014,34 @@ public class SentryStore {
}
}
- // get all mapping data for [group,role]
+ // get mapping data for [group,role]
public Map<String, Set<String>> getGroupNameRoleNamesMap() {
+ return getGroupNameRoleNamesMap(null);
+ }
+
+ // get mapping data for [group,role] with the specific roles
+ public Map<String, Set<String>> getGroupNameRoleNamesMap(Set<String> roleNames) {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
try {
pm = openTransaction();
- Query query = pm.newQuery(MSentryGroup.class);
- List<MSentryGroup> mSentryGroups = (List<MSentryGroup>) query.execute();
- Map<String, Set<String>> sentryGroupNameRoleNamesMap = Maps.newHashMap();
- if (mSentryGroups != null) {
- // change the List<MSentryGroup> -> Map<groupName, Set<roleName>>
- for (MSentryGroup mSentryGroup : mSentryGroups) {
- String groupName = mSentryGroup.getGroupName();
- Set<String> roleNames = Sets.newHashSet();
- for (MSentryRole mSentryRole : mSentryGroup.getRoles()) {
- roleNames.add(mSentryRole.getRoleName());
- }
- if (roleNames.size() > 0) {
- sentryGroupNameRoleNamesMap.put(groupName, roleNames);
- }
+ Query query = pm.newQuery(MSentryRole.class);
+
+ List<String> rolesFiler = new LinkedList<String>();
+ if (roleNames != null) {
+ for (String rName : roleNames) {
+ rolesFiler.add("(roleName == \"" + rName.trim().toLowerCase() + "\")");
}
}
+ if (rolesFiler.size() > 0) {
+ query.setFilter(Joiner.on(" || ").join(rolesFiler));
+ }
+
+ List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute();
+ Map<String, Set<String>> groupRolesMap = getGroupRolesMap(mSentryRoles);
commitTransaction(pm);
rollbackTransaction = false;
- return sentryGroupNameRoleNamesMap;
+ return groupRolesMap;
} finally {
if (rollbackTransaction) {
rollbackTransaction(pm);
@@ -2046,28 +2049,58 @@ public class SentryStore {
}
}
+ private Map<String, Set<String>> getGroupRolesMap(List<MSentryRole> mSentryRoles) {
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ if (mSentryRoles == null) {
+ return groupRolesMap;
+ }
+ // change the List<MSentryRole> -> Map<groupName, Set<roleName>>
+ for (MSentryRole mSentryRole : mSentryRoles) {
+ Set<MSentryGroup> groups = mSentryRole.getGroups();
+ for (MSentryGroup group : groups) {
+ String groupName = group.getGroupName();
+ Set<String> rNames = groupRolesMap.get(groupName);
+ if (rNames == null) {
+ rNames = new HashSet<String>();
+ }
+ rNames.add(mSentryRole.getRoleName());
+ groupRolesMap.put(groupName, rNames);
+ }
+ }
+ return groupRolesMap;
+ }
+
// get all mapping data for [role,privilege]
public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap() throws Exception {
+ return getRoleNameTPrivilegesMap(null, null);
+ }
+
+ // get mapping data for [role,privilege] with the specific auth object
+ public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap(String dbName,
+ String tableName) throws Exception {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
try {
pm = openTransaction();
- Query query = pm.newQuery(MSentryRole.class);
- List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
- if (mSentryRoles != null) {
- // change the List<MSentryRole> -> Map<roleName, Set<TSentryPrivilege>>
- for (MSentryRole mSentryRole : mSentryRoles) {
- Set<TSentryPrivilege> privilegeSet = convertToTSentryPrivileges(mSentryRole
- .getPrivileges());
- if (privilegeSet != null && !privilegeSet.isEmpty()) {
- sentryRolePrivilegesMap.put(mSentryRole.getRoleName(), privilegeSet);
- }
- }
+ Query query = pm.newQuery(MSentryPrivilege.class);
+
+ List<String> privilegeFiler = new LinkedList<String>();
+ if (!StringUtils.isEmpty(dbName)) {
+ privilegeFiler.add("(dbName == \"" + dbName.trim().toLowerCase() + "\") ");
}
+ if (!StringUtils.isEmpty(tableName)) {
+ privilegeFiler.add("(tableName == \"" + tableName.trim().toLowerCase() + "\") ");
+ }
+ if (privilegeFiler.size() > 0) {
+ query.setFilter(Joiner.on(" && ").join(privilegeFiler));
+ }
+
+ List<MSentryPrivilege> mSentryPrivileges = (List<MSentryPrivilege>) query.execute();
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap =
+ getRolePrivilegesMap(mSentryPrivileges);
commitTransaction(pm);
rollbackTransaction = false;
- return sentryRolePrivilegesMap;
+ return rolePrivilegesMap;
} finally {
if (rollbackTransaction) {
rollbackTransaction(pm);
@@ -2075,6 +2108,28 @@ public class SentryStore {
}
}
+ private Map<String, Set<TSentryPrivilege>> getRolePrivilegesMap(
+ List<MSentryPrivilege> mSentryPrivileges) {
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = Maps.newHashMap();
+ if (mSentryPrivileges == null) {
+ return rolePrivilegesMap;
+ }
+ // change the List<MSentryPrivilege> -> Map<roleName, Set<TSentryPrivilege>>
+ for (MSentryPrivilege mSentryPrivilege : mSentryPrivileges) {
+ TSentryPrivilege privilege = convertToTSentryPrivilege(mSentryPrivilege);
+ for (MSentryRole mSentryRole : mSentryPrivilege.getRoles()) {
+ String roleName = mSentryRole.getRoleName();
+ Set<TSentryPrivilege> privileges = rolePrivilegesMap.get(roleName);
+ if (privileges == null) {
+ privileges = new HashSet<TSentryPrivilege>();
+ }
+ privileges.add(privilege);
+ rolePrivilegesMap.put(roleName, privileges);
+ }
+ }
+ return rolePrivilegesMap;
+ }
+
// Get the all exist role names, will return an empty set
// if no role names exist.
public Set<String> getAllRoleNames() {
http://git-wip-us.apache.org/repos/asf/sentry/blob/a3f7510b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
index a9e4ed6..8dadc2a 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
@@ -63,6 +63,7 @@ public class TestSentryStoreImportExport {
private TSentryPrivilege tSentryPrivilege6;
private TSentryPrivilege tSentryPrivilege7;
private TSentryPrivilege tSentryPrivilege8;
+ private TSentryPrivilege tSentryPrivilege9;
@BeforeClass
public static void setupEnv() throws Exception {
@@ -103,6 +104,7 @@ public class TestSentryStoreImportExport {
// privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true]
// privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true]
// privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false]
+ // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false]
private void preparePrivilege() {
tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
"", "", TSentryGrantOption.UNSET);
@@ -120,6 +122,8 @@ public class TestSentryStoreImportExport {
"tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "",
"hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2",
+ "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
}
@AfterClass
@@ -730,6 +734,145 @@ public class TestSentryStoreImportExport {
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
+ // The following data is imported:
+ // group1=role1
+ // group2=role1,role2
+ // group3=role2,role3
+ // group4=role1,role2,role3
+ // role1=privilege3,privilege4,privilege9
+ // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+ @Test
+ public void testExportPolicyWithSpecificObject() throws Exception {
+ // import the data for test
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ sentryGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ sentryRolePrivilegesMap.put("role1", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap =
+ sentryStore.getRoleNameTPrivilegesMap("db1", "");
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for empty parameter
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap(
+ actualRolePrivilegesMap.keySet());
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+ }
+
private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) {
assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size());
for (String roleName : actualRoleMap.keySet()) {