Posted to commits@sentry.apache.org by sd...@apache.org on 2016/07/14 02:16:08 UTC

sentry git commit: SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun)

Repository: sentry
Updated Branches:
  refs/heads/master d6d4bf280 -> c6c9fabb4


SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/c6c9fabb
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/c6c9fabb
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/c6c9fabb

Branch: refs/heads/master
Commit: c6c9fabb48ec896904bc0370e69540b7cb2bc3cb
Parents: d6d4bf2
Author: Sun Dapeng <sd...@apache.org>
Authored: Thu Jul 14 10:11:18 2016 +0800
Committer: Sun Dapeng <sd...@apache.org>
Committed: Thu Jul 14 10:11:18 2016 +0800

----------------------------------------------------------------------
 .../DefaultSentryAccessController.java          | 24 ++++++++++++++++----
 .../TestPrivilegeWithGrantOption.java           | 15 ++++++++++++
 2 files changed, 34 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
index 09e2a62..0d22cae 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
@@ -466,7 +466,6 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
       }
     }
   }
-
   /**
    * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which
    * is a instance of SentryPolicyServiceClientV2
@@ -483,21 +482,36 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
       sentryClient = getSentryClient();
       // get principals
       Set<String> groups = Sets.newHashSet();
+      Set<String> users = Sets.newHashSet();
       for (HivePrincipal principal : hivePrincipals) {
-        if (principal.getType() != HivePrincipalType.GROUP) {
+        if (principal.getType() == HivePrincipalType.GROUP) {
+          groups.add(principal.getName());
+        } else if (principal.getType() == HivePrincipalType.USER) {
+          users.add(principal.getName());
+        } else {
           String msg =
               SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
           throw new HiveAuthzPluginException(msg);
+
         }
-        groups.add(principal.getName());
       }
 
       // grant/revoke role to/from principals
       for (String roleName : roles) {
         if (isGrant) {
-          sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users);
+          }
         } else {
-          sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users);
+          }
         }
       }
 
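Review bot: Each role is now applied through up to two separate client calls (groups first, then users), so if `grantRoleToUsers` or `revokeRoleFromUsers` throws after the group call has succeeded, the statement fails with the change half applied; on the revoke path the listed users would still hold the role. Nothing visible in the hunk rolls back or reports which principals were already processed, but the method body starts and ends outside the hunk, so the surrounding catch/finally handling should be checked. At minimum the Javadoc above, which still reads "to/from group", should say `role to/from groups and users via sentryClient` and state that the operation is not atomic across principals and roles. As a style point, the blank line added after `throw new HiveAuthzPluginException(msg);` can be dropped, and `!groups.isEmpty()` / `!users.isEmpty()` reads better than `size() > 0`.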

http://git-wip-us.apache.org/repos/asf/sentry/blob/c6c9fabb/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
index 74a7ec7..284f54c 100644
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
@@ -131,6 +131,21 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfigur
 
   }
 
+  @Test
+  public void testOnGrantOrRevokeRoleToUser() throws Exception {
+    // setup db objects needed by the test
+    Connection connection = context.createConnection(ADMIN1);
+    Statement statement = context.createStatement(connection);
+    statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
+    statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
+    statement.execute("CREATE DATABASE db_1");
+    statement.execute("CREATE ROLE group1_role");
+    statement.execute("GRANT ROLE group1_role TO USER " + USER1_1);
+    statement.execute("REVOKE ROLE group1_role FROM USER " + USER1_1);
+
+    connection.close();
+  }
+
   /*
    * Admin grant DB_1 user1 without grant option, grant user3 with grant option,
    * user1 tries to grant it to user2, but failed.
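Review bot: `testOnGrantOrRevokeRoleToUser` contains no assertions, so it passes whenever the GRANT and REVOKE statements do not throw; a revoke that silently leaves the role assigned to the user would not be caught. The test should verify the effect after each statement, for example by giving `group1_role` a privilege on `db_1` and checking as `USER1_1` that the corresponding action succeeds after the grant and is denied after the revoke. `db_2` is dropped but never used, and `group1_role` is created without being dropped at the end, which may break a re-run unless the fixture clears roles (not visible here). The `Statement` is never closed and `connection.close()` is skipped when a statement fails; add `statement.close();` and move both closes into a `finally` block.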