Posted to commits@sentry.apache.org by sd...@apache.org on 2016/07/14 02:16:08 UTC
sentry git commit: SENTRY-1358: Implement Grant role_name To User
user_name in V2 (Ke Jia via Dapeng Sun)
Repository: sentry
Updated Branches:
refs/heads/master d6d4bf280 -> c6c9fabb4
SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c6c9fabb
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c6c9fabb
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c6c9fabb
Branch: refs/heads/master
Commit: c6c9fabb48ec896904bc0370e69540b7cb2bc3cb
Parents: d6d4bf2
Author: Sun Dapeng <sd...@apache.org>
Authored: Thu Jul 14 10:11:18 2016 +0800
Committer: Sun Dapeng <sd...@apache.org>
Committed: Thu Jul 14 10:11:18 2016 +0800
----------------------------------------------------------------------
.../DefaultSentryAccessController.java | 24 ++++++++++++++++----
.../TestPrivilegeWithGrantOption.java | 15 ++++++++++++
2 files changed, 34 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
index 09e2a62..0d22cae 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
@@ -466,7 +466,6 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
}
}
}
-
/**
* Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which
* is a instance of SentryPolicyServiceClientV2
@@ -483,21 +482,36 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
sentryClient = getSentryClient();
// get principals
Set<String> groups = Sets.newHashSet();
+ Set<String> users = Sets.newHashSet();
for (HivePrincipal principal : hivePrincipals) {
- if (principal.getType() != HivePrincipalType.GROUP) {
+ if (principal.getType() == HivePrincipalType.GROUP) {
+ groups.add(principal.getName());
+ } else if (principal.getType() == HivePrincipalType.USER) {
+ users.add(principal.getName());
+ } else {
String msg =
SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
throw new HiveAuthzPluginException(msg);
+
}
- groups.add(principal.getName());
}
// grant/revoke role to/from principals
for (String roleName : roles) {
if (isGrant) {
- sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+ if (groups.size() > 0) {
+ sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+ }
+ if (users.size() > 0) {
+ sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users);
+ }
} else {
- sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+ if (groups.size() > 0) {
+ sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+ }
+ if (users.size() > 0) {
+ sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users);
+ }
}
}
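Review bot: The grant and revoke branches now send two independent service calls per role, so if `revokeRoleFromUsers` (or `grantRoleToUsers`) throws after the group call has already succeeded, the change is left half-applied and the caller only sees the exception; for a revoke that means some principals may keep a role the administrator believes was removed. Whether the Sentry service offers a combined or transactional call is not visible here, so at minimum the error path should name the role and principal kind that was not processed, and the behaviour should be documented, e.g. `// Not atomic: group and user changes are sent separately; a failure can leave the role partially granted or revoked.` The Javadoc visible in the previous hunk still says `role to/from group` and should mention users if it belongs to this method. Minor: the blank line added before the closing brace of the `else` can go, and `!groups.isEmpty()` reads better than `groups.size() > 0`. The method starts and ends outside the hunk.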
http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
index 74a7ec7..284f54c 100644
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
@@ -131,6 +131,21 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfigur
}
+ @Test
+ public void testOnGrantOrRevokeRoleToUser() throws Exception {
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
+ statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
+ statement.execute("CREATE DATABASE db_1");
+ statement.execute("CREATE ROLE group1_role");
+ statement.execute("GRANT ROLE group1_role TO USER " + USER1_1);
+ statement.execute("REVOKE ROLE group1_role FROM USER " + USER1_1);
+
+ connection.close();
+ }
+
/*
* Admin grant DB_1 user1 without grant option, grant user3 with grant option,
* user1 tries to grant it to user2, but failed.
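Review bot: `testOnGrantOrRevokeRoleToUser` only shows that the GRANT and REVOKE statements do not throw; nothing checks that USER1_1 holds `group1_role` after the grant or has lost it after the revoke, so a revoke that silently does nothing would still pass. Give the role a privilege on `db_1` and assert that a connection opened as USER1_1 can use it after the grant and is rejected after the revoke. The statement is never closed and `connection.close()` is skipped if any `execute` throws, so both should be closed in a `finally` block. `group1_role` is also never dropped, which may make `CREATE ROLE` fail on a rerun unless the base class cleans up roles, and `db_2` is dropped but never created, which looks like copy-paste residue.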